ClickFix phishing is expected to surge in cyberattack campaigns in 2025. Unlike traditional attacks that rely on scam emails or malicious attachments, this tactic exploits the “quick fix” mindset to get users to run malicious commands themselves.


ClickFix is a social engineering technique in which attackers impersonate technicians or major tech brands such as DocuSign and Okta, offering “fix instructions” for common problems such as driver errors, annoying pop-ups, or login failures. As a result, the attackers can take control of computers, steal data, and even pave the way for ransomware attacks.

Instead of correcting any actual error, the tutorial asks the user to copy and paste a command fragment (usually PowerShell) into the Run box (Win+R) or a terminal window (Win+X) on Windows. The command has already been loaded into the clipboard by malicious JavaScript running on fake websites, malicious ads, fake tutorial videos, or bogus technical-support forums, a technique also known as pastejacking.

The danger is that there are no malicious attachments and no deceptive links: it is the user who runs the malicious code without realizing it.

In 2025, attack groups have incorporated ClickFix into multiple campaigns spreading spyware and remote-control malware, including:

  • NetSupport RAT: Uses fake DocuSign and Okta interfaces to lure users into pasting PowerShell instructions. The campaign hit the health, legal, telecom, and mining sectors in May 2025.
  • Latrodectus malware: Distributed via websites injected with ClearFake code, using DLL side-loading to install the malicious code.
  • Lumma Stealer: Targeted the IT, automotive, and energy sectors with malicious MSHTA commands and forged domains impersonating IP-logging services.

ClickFix’s effects are dangerous and difficult to detect:

  • The user’s machine is taken over via a Remote Access Trojan (RAT).
  • Data and accounts are stolen, including emails, passwords, and internal documents.
  • It paves the way for ransomware or other malicious code to spread.
  • The affected industries span the spectrum: high technology, banking, manufacturing, retail, government, utilities, and more.

This tactic also poses significant difficulties for traditional security systems because:

  • No unknown file is downloaded initially.
  • There is no fraudulent email link.
  • The code is executed by the user himself.

However, forensic traces are still detectable, such as unusual commands in the Windows RunMRU registry key or PowerShell sessions that start right after a clipboard paste.

Ordinary users are the target of ClickFix, so raising awareness is a top priority. Signs to watch for:

  • A site asks you to “paste this command to fix the error.”
  • Unfamiliar technical instructions on an unorthodox video or forum.
  • A Windows prompt requesting administrator privileges after a command is pasted.

To minimize the risk of ClickFix attacks, WhiteHat recommends that organizations and users take the following measures:

  1. Keep software and operating systems up to date
    Fully install security patches to seal known vulnerabilities that hackers can exploit.
  2. Use trusted security software
    Implement antivirus software, firewalls and end protection tools to detect and stop malicious code.
  3. Be absolutely alert to “paste and run” commands from unknown sources
    Don’t follow any instructions that require you to copy and paste commands into Run (Win+R) or PowerShell/Terminal (Win+X), whether they look legitimate or come from a familiar brand.
  4. Security Awareness Training for Employees
    Organize periodic training courses to help users identify ClickFix tricks and other sophisticated forms of fraud.
  5. Monitor abnormal system behavior
    • Monitor the clipboard for malicious content injected by web pages.
    • Record and analyze unusual PowerShell sessions.
    • Check the RunMRU key in the Windows registry, which records commands that have been run through the Run window.
  6. Use advanced security tools
    • Palo Alto Networks: Advanced WildFire, URL Filtering, DNS Security.
    • Cortex XDR: Automatic behavioral monitoring and response to suspicious activity.
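The two forensic sources named above (the RunMRU key that records Win+R history, and PowerShell session logs) can be audited with a short script. The following is an added example written for this article, not code from WhiteHat or Cyber Press. It assumes a Windows host with Windows PowerShell 5.1 or later and, for the script block part, that PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) is enabled; the indicator list is a constructed, illustrative set of strings typical of paste-and-run payloads (mshta, encoded or hidden-window PowerShell, remote download helpers) and should be tuned for the environment.

```powershell
# Added example (not from the original article): audit a Windows host for
# ClickFix-style paste-and-run activity by inspecting the Run dialog history
# (RunMRU) and recent PowerShell script block logs.

$RunMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Constructed indicator list. Expect some benign hits (administrators do launch
# powershell from Win+R); the goal is triage, not a verdict.
$Indicators = @(
    'powershell', 'pwsh', 'mshta', 'cmd(\.exe)?\s+/c', '\bcurl\b', '\biex\b',
    'invoke-expression', 'downloadstring', 'frombase64string',
    '-e(nc|ncodedcommand)?\s', '-w(indowstyle)?\s+hidden', 'bitsadmin', 'certutil'
)

function Test-ClickFixCommand {
    param([Parameter(Mandatory)][string]$Command)
    # Returns the indicator patterns matched by the command (empty = nothing suspicious).
    $hits = @()
    foreach ($pattern in $Indicators) {
        if ($Command -match "(?i)$pattern") { $hits += $pattern }
    }
    return $hits
}

function Get-RunMruCommands {
    # Each RunMRU value is named with a single letter, the MRUList value gives the
    # most-recent-first order, and every stored command carries a trailing "\1".
    if (-not (Test-Path $RunMruPath)) { return @() }
    $key   = Get-ItemProperty -Path $RunMruPath
    $order = if ($key.MRUList) { $key.MRUList.ToCharArray() } else { @() }
    foreach ($letter in $order) {
        $prop = $key.PSObject.Properties[[string]$letter]
        if ($null -eq $prop) { continue }
        [PSCustomObject]@{
            Source  = 'RunMRU'
            Command = ($prop.Value -replace '\\1$', '')
        }
    }
}

function Get-RecentScriptBlocks {
    param([int]$MaxEvents = 200)
    # Event ID 4104 carries the text of executed script blocks when Script Block
    # Logging is enabled; the log may be missing or empty, so fail quietly.
    try {
        $events = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
        } -MaxEvents $MaxEvents -ErrorAction Stop
    } catch { return @() }
    foreach ($e in $events) {
        [PSCustomObject]@{
            Source  = "PS-4104 $($e.TimeCreated)"
            Command = $e.Message
        }
    }
}

# Run both collectors through the same indicator check and report the hits.
$findings = @(Get-RunMruCommands) + @(Get-RecentScriptBlocks) | ForEach-Object {
    $hits = @(Test-ClickFixCommand -Command $_.Command)
    if ($hits.Count -gt 0) {
        [PSCustomObject]@{
            Source     = $_.Source
            Indicators = ($hits -join ', ')
            Command    = $_.Command
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No ClickFix-style commands found in RunMRU or recent script block logs.'
}
```

Run it in the context of the user whose session is being examined, because RunMRU lives under HKCU. A RunMRU entry that launches PowerShell or mshta with a hidden window or an encoded command, appearing at the same time as a browser visit, is the typical trace left by a pasted ClickFix payload; the script block log then shows what that command actually executed.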

ClickFix is a good example of an attacker who needs no high-tech tools, only a user’s gullibility and lack of vigilance. As attack techniques become increasingly sophisticated and “friendly”, organizations and individual users cannot simply rely on antivirus software. The solution lies in vigilance, basic cybersecurity education, and intelligent monitoring.

According to WhiteHat, Cyber Press