ClickFix is changing the economics of social engineering

ClickFix has moved from a one-off social engineering trick into an industrialized attack ecosystem that is outpacing conventional antivirus and endpoint defenses, according to ReversingLabs.

ClickFix social engineering attacks

The technique first showed up in late 2023 and early 2024, and Proofpoint named it in mid-2024.

The method skips exploits and vulnerabilities entirely. A fake webpage, styled as a CAPTCHA check, browser update notice, or meeting error, instructs a visitor to open the Windows Run dialog or macOS Terminal, paste a command, and press Enter. JavaScript on the page has already copied a malicious command to the clipboard before the visitor sees any instructions. The command runs through PowerShell, mshta, or curl, tools already trusted on the system.

Victims reach ClickFix lure pages through compromised websites acting as watering holes, malvertising placed through legitimate ad networks, SEO poisoning that ranks malicious pages for common search terms, and phishing campaigns impersonating vendors or internal IT teams.

The MaaS economy

“ClickFix’s rapid proliferation is not accidental,” ReversingLabs noted. “Behind the campaign diversity and payload variety is a structured Malware-as-a-Service (MaaS) economy that has industrialized the production, distribution, and operation of ClickFix.”

Complete ClickFix kits sell on underground forums for $250 per month to $1,800 for a lifetime license, with software updates included. Higher-priced packages add pre-built lure templates for major targets like Cloudflare CAPTCHAs, browser and OS update screens, SSL certificate errors, font install pages, and meeting errors. Buyers also get domain rotation services, AV-bypass guarantees marketed as a standard feature, and support channels on Telegram.

“This structure means that ClickFix campaigns can be launched by individuals with no meaningful malware development capability,” researchers added.

“The sophistication is rented, not built. The practical consequence for defenders is a dramatic increase in campaign volume with no corresponding increase in the skill threshold of the attacker.”

In April 2026, Netskope Threat Labs exposed the backend of one ClickFix MaaS platform after the operators’ own security lapse leaked server-side admin panel details.

The backend managed multiple operators at once and tracked cryptocurrency wallet assets across victims. Its payload, a Node.js-based RAT, loaded stealing modules directly into memory after a command-and-control connection and routed traffic over gRPC through the Tor network.

Payloads keep expanding

Lumma Stealer is the most prolific ClickFix payload, but the payload catalog is expanding well beyond it, researchers found.

Remote access trojans including DarkGate, XWorm, AsyncRAT, NetSupport, and SectopRAT are also in the ClickFix rotation, enabling hands-on-keyboard activity such as lateral movement, persistence, and data exfiltration.

ClickFix attacks evolve and accelerate

In January 2026, researchers at Huntress and Microsoft Defender Experts identified a new variant called CrashFix. It deliberately crashes the victim’s browser, then deploys a social engineering lure offering to restore it.

That disruption raises compliance and cuts reliance on traditional exploit paths, since the user is reacting to a browser that has genuinely stopped working.

“Security teams should treat CrashFix as evidence of an active development cycle behind ClickFix infrastructure.”

NetSecurity documented a wider family of “fix-type” attacks. FileFix manipulates the Windows File Explorer address bar, PromptFix targets AI tooling, and ConsentFix abuses OAuth consent screens to hijack accounts.

Early ClickFix campaigns went after everyday consumers. Lately the lures have gotten more corporate, mimicking Microsoft 365 prompts, VPN errors, and internal IT portals. Researchers expect AI-generated lure content to spread further.

Fighting ClickFix with structural analysis

ReversingLabs has come up with a fix for ClickFix’s evasion of common security tools, and that is to identify the attack before users ever paste a command into the Run dialog or Terminal, according to the report.

To do this, Threat Analyst Toni Dujmović built a structural YARA rule that reads the lure page itself rather than the payload, then ran it against the company’s file collection.

The rule, which ReversingLabs is releasing as open source, flagged 123 confirmed ClickFix lures that had evaded every antivirus engine tested. Of 4,062 matched samples, those 123 broke down into 105 flagged clean and 18 left unclassified, with several first observed within 48 hours.

Researchers advise hardening systems at more than one point. PowerShell Constrained Language Mode limits what a script can do even when someone launches it directly, and script block logging leaves a record for when prevention fails. Windows Defender Application Control or AppLocker keeps living-off-the-land binaries from running outside their normal context.

The social engineering layer is where a person still gets a say, and training employees to recognize fake browser updates, CAPTCHA pages, and IT support prompts also helps defend against ClickFix, ReversingLabs concluded.

Don't miss