ClickFix: A Rising Social Engineering Method Being Used to Deliver Malware

ClickFix is a sophisticated social engineering technique that cybercriminals use to deceive individuals into executing malicious commands on their computers, leading to malware infections. This method has gained traction due to its effectiveness in bypassing traditional security measures by exploiting human behavior.

How ClickFix Works

1. Initial Contact

Attackers lure users to compromised or malicious websites through various means, such as phishing emails, malicious advertisements, or search engine manipulation.

2. Fake Error Prompt

Upon visiting the site, users encounter a deceptive prompt that often resembles a CAPTCHA verification or an error message claiming that an issue has occurred. This prompt instructs users to perform specific actions to resolve the purported problem.

3. Execution of Malicious Commands

The prompt guides users to open a command-line interface (like PowerShell) and paste a provided script. Believing they are fixing an issue, users inadvertently execute malicious code that downloads and installs malware onto their systems.

Why It’s Important

ClickFix campaigns are an increasingly common tactic used by cybercriminals, including both financially motivated actors and suspected state-sponsored groups. This technique cleverly combines social engineering with user-driven malware installation, making it both dangerous and effective. The growing use of ClickFix campaigns suggests they work. This method exploits basic human tendencies, especially the urge to be helpful and self-reliant. In a typical ClickFix attack, the threat actor presents the target with what seems to be a legitimate problem (like a system or software error) along with a seemingly helpful fix (often in the form of a malicious file or link). Because the user feels like they are resolving the issue independently, they’re less likely to involve IT or question the legitimacy of the fix. This leads to the user unknowingly installing malware on their device, effectively bypassing traditional security controls.

The Psychology Behind It

What makes ClickFix so insidious is that it's built on trust and user initiative. By presenting the problem and the solution, adversaries manipulate users into becoming their own attack vectors. It’s a step forward in social engineering, less about brute force and more about emotional manipulation. Ironically, this technique is gaining traction because people have become better at spotting older phishing methods. Security software is better at filtering out common threats. As a result, attackers are evolving by turning their focus from systems to psychology.

ClickFix and the Infostealers

Understanding how malware spreads is key to detecting and stopping threats before they cause harm. Since late 2024, the ClickFix method has gained traction as a delivery mechanism for infostealer malware. Infostealers are a type of malware built to steal sensitive data from infected devices. This can include login credentials, browser cookies, cryptocurrency wallet details, and private documents. While infostealers can be delivered through many channels, ClickFix has recently become one of the most commonly used tactics. It relies on deceiving users into unintentionally installing the malware themselves.

Examples of ClickFix Attacks

1. Fake Google Meet Error Messages Delivering Infostealers

In late 2024, attackers initiated a campaign using counterfeit Google Meet pages that displayed fake connectivity error messages. These messages prompted users to execute PowerShell commands, leading to the installation of infostealing malware such as Stealc and Rhadamanthys on Windows systems, and AMOS Stealer on macOS. The campaign utilized deceptive URLs resembling legitimate Google domains, like meet.google.us-join.com, to trick users into believing they were accessing authentic Google Meet services.

2. ClickFix Campaigns Targeting Multiple Platforms

ClickFix tactics have expanded to impersonate other popular platforms, including Zoom, Facebook, and PDF readers. Attackers present users with fake error messages on these platforms, urging them to run specific commands or download files to "resolve" the issues. This strategy has been effective in distributing various malware strains, including DarkGate and Lumma Stealer, across different operating systems.

3. Exploitation of GitHub and Other Developer Platforms

Some ClickFix campaigns have targeted developers by exploiting platforms like GitHub. Attackers create issues or discussions containing malicious links or scripts, which, when executed by unsuspecting developers, lead to system compromises. This method capitalizes on the trust within developer communities to spread malware.

4. Use of Fake CAPTCHA Pages

In a variation of the ClickFix tactic, attackers have used fake CAPTCHA verification pages to deceive users. These pages prompt users to run commands or download files under the guise of verifying their identity or resolving access issues. Executing these actions results in the deployment of malware like Lumma Stealer.

How to Mitigate ClickFix Attacks

User Awareness and Training

The most critical line of defense against ClickFix is the end-user. Since the attack relies on social engineering to trick individuals into installing malware voluntarily, continuous training and awareness campaigns are necessary. Employees and users should be educated about the latest tactics used by attackers, including fake system alerts, error messages, or requests to run scripts and commands to "fix" a problem. Simulated phishing exercises that mimic ClickFix scenarios can also be effective in reinforcing good security habits.

Restricting Script and Command Execution

Because ClickFix attacks often involve getting users to run commands or scripts (like PowerShell, Terminal commands, or batch files), organizations should take steps to restrict or monitor script execution. This includes disabling or limiting access to scripting tools for users who do not need them, using application whitelisting, and enforcing the principle of least privilege so that users cannot execute high-risk commands without administrative approval. Endpoint Detection and Response (EDR) tools can also help by flagging suspicious script activity and alerting security teams to potential compromise.

Strengthening Browser and Email Security

Many ClickFix attacks begin with a malicious link, often delivered through email or messaging platforms, that leads to a fake website prompting the user to take some action. Strengthening email filtering and anti-phishing controls can help prevent these links from ever reaching users. Browser security settings should also be configured to block potentially dangerous downloads, enforce HTTPS, and disable the automatic execution of downloaded files. Using DNS filtering and secure web gateways can prevent users from accessing known malicious domains used in ClickFix campaigns.

Incident Response and Reporting Culture

Even with strong protections in place, some attacks may still succeed. This makes a well-defined and rehearsed incident response plan essential. Users should know exactly what to do if they suspect they’ve fallen for a ClickFix scam, who to contact, what systems to shut down, and how to report the incident. Just as importantly, organizations should foster a culture that encourages reporting, where employees feel safe admitting they have made a mistake. Since speed is critical in stopping malware from spreading or exfiltrating data, creating an environment where users report quickly can make a significant difference.

Conclusion

The ClickFix technique represents a major shift in social engineering tactics, using a combination of user trust and standard browser features to deliver malware. Its growing use among both financially motivated threat actors and advanced persistent threat groups shows its efficiency and ease of execution.