
The Windows Update Deception: How ClickFix Lures Unleash Stealthy Stealers

Amber | Attack Report

Summary

The ClickFix campaign is a sophisticated social engineering attack that uses fake Windows Update pages and verification prompts to deceive victims into executing malicious commands themselves. Discovered in October 2025, the campaign distributes notorious infostealers, including LummaC2 and Rhadamanthys, through a multi-stage infection chain. It relies on advanced evasion techniques: steganography, which hides the malicious payload inside the pixel data of a PNG image, and reflective .NET loading, which keeps the loader in memory to avoid detection. The operators present a convincing full-screen fake Windows Update interface that tells users to press Win+R and paste a command, which they believe completes a legitimate system update. Victims are targeted worldwide, and the lure pages use layered obfuscation, including encrypted JavaScript, XOR decryption, and AES-protected strings. Despite the technical sophistication of the delivery mechanism, the attack ultimately depends on user interaction, which makes security awareness training a critical defense against ClickFix social engineering.

Attack Details

The ClickFix campaign is a new wave of sophisticated social engineering attacks that use ClickFix-style lures to trick victims into manually executing commands that launch a multi-stage malware chain. It delivers well-known infostealers such as LummaC2 and Rhadamanthys with creative evasion tactics, most notably hiding malicious code inside the pixel data of a PNG image through steganography. Earlier ClickFix campaigns relied on generic “Human Verification” prompts, but the attackers have since adopted far more convincing lures, including full-screen fake Windows Update interfaces that mimic the familiar blue update screen.

Since October 2025, multiple websites following this pattern have been discovered. The verification page automatically copies a malicious mshta command into the victim’s clipboard and prompts them to paste it into the Windows Run box. Analysis of the lure’s source code reveals several layers of obfuscation intended to evade detection: portions of the JavaScript are encrypted and only decrypted at runtime. The second-stage script is stored in a variable named ENC and is unlocked by a sequence of functions that convert, decode, and XOR the data to reconstruct the plaintext script, which is then injected through a temporary Blob URL. After execution, the Blob is revoked, leaving minimal forensic traces.

The malware chain begins with mshta.exe fetching a remote JScript payload, which in turn retrieves PowerShell code padded with junk instructions to slow analysis. Once the padding is stripped, the PowerShell script decrypts a .NET assembly directly in memory. This assembly is the loader for the next stage and contains encrypted logic, misleading function names, and AES-protected strings. Using predefined keys, it decrypts its internal configuration and logic before pulling shellcode hidden within a PNG file by steganography.

The next stage extracts the hidden shellcode from the manipulated image pixels. Each byte is recovered through XOR operations that depend on precise pixel stride values; a wrong stride corrupts the output. Once decoded, the loader prepares the shellcode and injects it into explorer.exe, calling the essential Windows APIs needed for process injection. The final stage reveals that the shellcode is packaged using Donut, which is commonly employed for in-memory code execution.

The campaign’s Windows Update-themed lure is especially deceptive. It forces the victim’s browser into full-screen mode, displays a fake Windows Update screen, and instructs the user to press Win+R and paste a command, presenting this as a step of the update. Under the hood, the attack chain mirrors the previously documented Human Verification lures: it begins with mshta.exe, pulls down PowerShell, and ultimately loads the steganographic .NET loader.

The attackers rotate their first-stage URIs frequently to avoid detection and blocklisting. Their use of steganography makes traditional signature-based detection difficult, but the attack still depends on convincing victims to run a command manually, and that is where user awareness and security training can effectively break the attack chain.

Recommendations

Strengthen User Awareness Around ClickFix-style Tricks: Educate employees and users that no legitimate Windows update or verification page will ever ask them to press Win+R or paste a command into the Run box. The social engineering relies entirely on user interaction, which makes awareness training the first line of defense. Regularly share screenshots and examples of ClickFix lures so that people recognize the red flags on sight and do not fall for the deception.

Block the Misuse of mshta.exe and Scripting Engines: The attack chain relies heavily on mshta.exe and PowerShell execution. Use endpoint controls or application allowlisting to block or restrict mshta.exe, PowerShell with an unrestricted execution policy, and other Windows script hosts. Regular users rarely need these tools, but ClickFix operators and similar threat actors abuse them heavily; restricting them can stop the malware at its initial stage.

Implement Strong Web Filtering and DNS Protection: Deploy DNS filtering or a secure web gateway to block access to suspicious or newly registered domains of the kind used in ClickFix attacks. The campaign frequently uses newly registered domains and changes its infrastructure rapidly. Web filtering can stop the infection chain before it begins by keeping users away from the malicious lure pages.

Monitor Clipboard, Run-box, and Scripting Activity: Enable logging for clipboard access, suspicious use of Win+R, and unusual command-line arguments within your environment. These patterns often indicate a ClickFix-style attempt and can give early warning of compromise. Security teams should establish baselines for normal activity and alert on indicators such as mshta.exe executed with a remote URL or suspicious PowerShell commands.

Enhance Endpoint Protection: Deploy next-generation antivirus (NGAV) and endpoint detection and response (EDR) solutions to identify and block the malware. Use behavioral analysis and machine learning-based detection to spot suspicious activity patterns. EDR solutions can detect behaviors such as steganography extraction, reflective .NET loading, and process injection into explorer.exe, each of which is an opportunity to interrupt the kill chain.
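The monitoring and EDR recommendations above describe behaviors rather than rules. The following is an added example, not part of the advisory or of any Hive Pro product, of how those behaviors translate into detection logic over process telemetry: mshta.exe launched with a remote URL, a script host spawned from explorer.exe (which is how a command typed into the Win+R Run box is started), PowerShell with hidden-window, encoded-command or download switches, and a remote thread created in explorer.exe. The field names follow the Sysmon schema (Event ID 1 ProcessCreate, Event ID 8 CreateRemoteThread); the sample events are constructed and the URL in them is a placeholder, not a campaign indicator.

```python
import re

# Added example (not from the advisory). Field names follow the Sysmon schema:
# Event ID 1 = ProcessCreate, Event ID 8 = CreateRemoteThread. All sample events
# below are constructed; the URL in them is a placeholder, not a campaign IOC.

SCRIPT_HOSTS = ("mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
REMOTE_URL = re.compile(r"(?i)\bhttps?://\S+")
# Switches and cmdlets that commonly accompany malicious PowerShell one-liners.
PS_SUSPICIOUS = re.compile(
    r"(?i)(-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b"
    r"|\biex\b|invoke-expression|downloadstring|frombase64string)"
)


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path ('' for missing fields)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of the detection rules that one event matches."""
    hits = []
    image = _basename(event.get("image", ""))
    parent = _basename(event.get("parent_image", ""))
    cmd = event.get("command_line", "")
    if event.get("event_id") == 1:
        # Rule 1: mshta.exe handed a remote URL (T1218.005), the first stage of the chain.
        if image == "mshta.exe" and REMOTE_URL.search(cmd):
            hits.append("mshta_remote_url")
        # Rule 2: a script host spawned by explorer.exe, which is what the Win+R Run box does.
        if parent == "explorer.exe" and image in SCRIPT_HOSTS:
            hits.append("script_host_from_explorer")
        # Rule 3: PowerShell with hidden-window, encoded-command or download primitives (T1059.001).
        if image in ("powershell.exe", "pwsh.exe") and PS_SUSPICIOUS.search(cmd):
            hits.append("powershell_suspicious_args")
    elif event.get("event_id") == 8:
        # Rule 4: a thread created in explorer.exe by another process (T1055),
        # the injection target named in the advisory.
        target = _basename(event.get("target_image", ""))
        if target == "explorer.exe" and image != "explorer.exe":
            hits.append("remote_thread_into_explorer")
    return hits


def triage(events):
    """Evaluate every event and return (index, matched rules) for the ones that fired."""
    findings = []
    for index, event in enumerate(events):
        rules = evaluate(event)
        if rules:
            findings.append((index, rules))
    return findings


# Constructed telemetry: placeholder host name and a meaningless base64 blob ("ABC").
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\mshta.exe" http://lure.example.test/ebc'},
    {"event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "command_line": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"event_id": 8, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_image": r"C:\Windows\explorer.exe"},
    {"event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for index, rules in triage(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(rules)}")
```

Rule 2 will also fire on administrators who legitimately open PowerShell from the Run box, so in production it is best weighted as a contributing signal and correlated with rules 1 and 3 on the same process tree rather than alerted on alone.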

Indicators of Compromise (IOCs)

Domains:

  • 1e442295[.]consent-verify[.]pages[.]dev
  • 5df43170[.]consent-verify[.]pages[.]dev
  • 3b4ce6c9[.]consent-verify[.]pages[.]dev
  • 6b04000[.]consent-verify[.]pages[.]dev
  • f6b04000[.]consent-verify[.]pages[.]dev
  • 3e6eb645[.]consent-verify[.]pages[.]dev
  • d9e71335[.]consent-verify[.]pages[.]dev
  • hypudyk[.]shop
  • squatje[.]su
  • bendavo[.]su
  • conxmsw[.]su
  • narroxp[.]su
  • squeaue[.]su
  • ozonelf[.]su
  • exposqw[.]su
  • vicareu[.]su
  • xmcniiadpwqw[.]site
  • xcvcxoipoeww[.]site
  • xoiiasdpsdoasdpojas[.]com
  • xpoalswwkjddsljsy[.]com
  • galaxyswapper[.]pro
  • cmevents[.]live
  • cmevents[.]pro
  • cosmicpharma-bd[.]com
  • groupewadesecurity[.]com
  • sportsstories[.]gr
  • virhtechgmbh[.]com

URLs:

  • hxxp[:]//81[.]90[.]29[.]64/ebc/rps[.]gz
  • hxxp[:]//corezea[.]com/ebc (81[.]90[.]29[.]64)
  • hxxp[:]//141[.]98[.]80[.]175/tick[.]odd
  • hxxp[:]//141[.]98[.]80[.]175/gpsc[.]dat
  • hxxp[:]//141[.]98[.]80[.]175/ercx[.]dat
  • hxxp[:]//141[.]98[.]80[.]175/rtdx[.]dat
  • hxxp[:]//141[.]98[.]80[.]175/very[.]dat
  • hxxp[:]//securitysettings[.]live
  • hxxp[:]//xoiiasdpsdoasdpojas[.]com
  • hxxp[:]//94[.]74[.]164[.]136/fifx[.]odd
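The indicators above are defanged (hxxp, [.] and [:]) and one URL carries its resolved IP in parentheses, so they cannot be fed to a DNS or proxy log search as-is. The following added example, not part of the advisory, refangs a subset of the advisory's own indicators, treats a queried name as a hit when it equals an indicator host or is a subdomain of one, matches URLs exactly before falling back to their host, and scans constructed DNS and proxy log lines. The log format (qname= and url= fields) is an assumption for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Added example (not from the advisory). The indicators below are copied from the
# advisory's IOC list; the log lines further down are constructed.

ADVISORY_IOCS = [
    "3b4ce6c9[.]consent-verify[.]pages[.]dev",
    "squatje[.]su",
    "xoiiasdpsdoasdpojas[.]com",
    "hxxp[:]//141[.]98[.]80[.]175/tick[.]odd",
    "hxxp[:]//corezea[.]com/ebc (81[.]90[.]29[.]64)",
]


def refang(ioc):
    """Undo the usual defanging: hxxp -> http, [:] -> :, [.] -> ."""
    s = re.sub(r"(?i)^hxxp", "http", ioc.strip())
    return s.replace("[:]", ":").replace("[.]", ".")


def host_of(ioc):
    """Hostname or IP of a refanged IOC; bare domains carry no scheme, so one is implied."""
    s = refang(ioc)
    if "://" not in s:
        s = "//" + s
    return urlsplit(s).hostname


class IocMatcher:
    """Host- and URL-level matching against a defanged indicator list."""

    def __init__(self, iocs):
        self.hosts = set()
        self.urls = set()
        for ioc in iocs:
            # Advisories sometimes annotate a URL with its resolved IP in parentheses;
            # that IP is an indicator in its own right.
            main, *extras = re.split(r"\s+", refang(ioc))
            host = host_of(main)
            if host:
                self.hosts.add(host)
            if "://" in main:
                self.urls.add(main.lower().rstrip("/"))
            for extra in extras:
                host = host_of(extra.strip("()"))
                if host:
                    self.hosts.add(host)
        # Longest host first so the most specific indicator wins.
        self._ordered = sorted(self.hosts, key=len, reverse=True)

    def match_host(self, name):
        """Return the indicator that `name` equals or is a subdomain of, else None."""
        name = name.lower().rstrip(".")
        for host in self._ordered:
            if name == host or name.endswith("." + host):
                return host
        return None

    def match_url(self, url):
        """Exact URL match first, then fall back to the URL's host."""
        url = url.lower().rstrip("/")
        if url in self.urls:
            return url
        host = urlsplit(url).hostname
        return self.match_host(host) if host else None


LOG_FIELD = re.compile(r"\b(qname|url)=(\S+)")


def scan(lines, matcher):
    """Return (line number, matched indicator) for every DNS or proxy line that hits."""
    findings = []
    for number, line in enumerate(lines, start=1):
        field = LOG_FIELD.search(line)
        if not field:
            continue
        kind, value = field.groups()
        hit = matcher.match_url(value) if kind == "url" else matcher.match_host(value)
        if hit:
            findings.append((number, hit))
    return findings


# Constructed log lines, not captured traffic; line 4 queries only the parent
# zone of an indicator and must not match.
SAMPLE_LOG = [
    "2025-10-14T10:22:01Z dns client=10.0.0.5 qname=3b4ce6c9.consent-verify.pages.dev type=A",
    "2025-10-14T10:22:03Z dns client=10.0.0.7 qname=www.squatje.su type=A",
    "2025-10-14T10:22:09Z proxy client=10.0.0.5 url=http://141.98.80.175/tick.odd status=200",
    "2025-10-14T10:23:00Z dns client=10.0.0.9 qname=pages.dev type=A",
    "2025-10-14T10:23:30Z proxy client=10.0.0.9 url=https://www.example.test/update status=200",
]

if __name__ == "__main__":
    for number, hit in scan(SAMPLE_LOG, IocMatcher(ADVISORY_IOCS)):
        print(f"line {number}: {hit}")
```

Subdomain matching is deliberate for the pages.dev entries: the advisory lists several random-looking labels under consent-verify.pages.dev, and the operators rotate first-stage hosts, so matching on the parent label would catch siblings, but that decision belongs with the analyst, because the shared platform domain itself is not an indicator.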

MITRE ATT&CK TTPs

Initial Access:

  • T1566: Phishing
  • T1204.001: Malicious Link

Execution:

  • T1204: User Execution
  • T1204.004: Malicious Copy and Paste
  • T1059: Command and Scripting Interpreter
  • T1059.001: PowerShell
  • T1059.007: JavaScript
  • T1218: System Binary Proxy Execution
  • T1218.005: Mshta

Defense Evasion:

  • T1027: Obfuscated Files or Information
  • T1027.003: Steganography
  • T1140: Deobfuscate/Decode Files or Information
  • T1055: Process Injection
  • T1036: Masquerading

Collection:

  • T1115: Clipboard Data

Command and Control:

  • T1071: Application Layer Protocol
  • T1132: Data Encoding
  • T1132.001: Standard Encoding
  • T1105: Ingress Tool Transfer

Exfiltration:

  • T1041: Exfiltration Over C2 Channel
