A new attack technique is quietly becoming one of the most prevalent cybersecurity threats of 2025. Known as ClickFix, FileFix, or fake CAPTCHA attacks, this social engineering method has seen explosive growth, with some studies reporting increases of up to 517% in just six months. Major organizations including Kettering Health, DaVita, and the City of St. Paul have all fallen victim to these increasingly sophisticated attacks.
What makes ClickFix particularly dangerous is that it bypasses many traditional security controls while exploiting a behavior most users never learned to be suspicious of: copying and pasting commands into their own system.
Understanding ClickFix: A Deceptively Simple Attack
ClickFix attacks work by presenting users with what appears to be a legitimate problem in their web browser, typically a CAPTCHA challenge or an error message. However, the name is somewhat misleading. The core of the attack doesn’t rely on clicking at all.
Instead, these malicious pages trick users into copying what appears to be a harmless troubleshooting command and pasting it into system utilities like the Windows Run dialog, PowerShell, or Terminal. The copied content is actually malicious code designed to download remote access software or infostealer malware.
In most cases, the copying happens automatically through JavaScript running on the page, reducing the steps required and making it more likely that users will follow through with the attack. Once the malware is installed, attackers can steal session cookies and credentials, facilitating broader attacks on business applications and services.
The attack technique has become so popular that it’s now regularly employed by notorious groups like the Interlock ransomware gang and even state-sponsored advanced persistent threat actors. Off-the-shelf ClickFix builders are now available on hacker forums for as little as $200 per month, democratizing access to this powerful attack method.
Three Critical Reasons ClickFix Is So Effective
What it is | How it works | Why it’s effective |
---|---|---|
Browser-based social engineering that abuses copy-paste. | Malicious page (fake CAPTCHA/error) auto-copies a payload; user pastes into Run / PowerShell / Terminal; script fetches RMM/infostealer. | Bypasses email security, hides in browser sandbox, looks like a legitimate troubleshooting step. |
Aliases | ClickFix, FileFix, fake CAPTCHA attacks | |
Reason 1: Users Aren’t Prepared for This Type of Attack
For over a decade, cybersecurity awareness training has focused on teaching users to avoid clicking suspicious links, downloading unknown files, and entering credentials on unfamiliar websites. But running commands in a system utility? That’s simply not part of the threat model most users have been trained to recognize.
The psychological effectiveness is further amplified because the malicious clipboard action typically happens invisibly through JavaScript. Users don’t even realize they’ve copied something malicious until they paste it. With modern ClickFix sites becoming increasingly legitimate in appearance, the visual cues that might trigger suspicion are simply absent.
Another challenge is the shift in delivery vectors. Research has identified SEO poisoning and malvertising through Google Search as the top delivery method. By compromising or creating new domains, attackers are intercepting users during normal internet browsing, creating watering hole scenarios that don’t fit the traditional phishing email model.
And unlike suspicious emails where users can click a “report phishing” button, there’s no convenient workflow to alert security teams about suspicious Google Search results, social media messages, or website advertisements.
Reason 2: Traditional Security Tools Can’t Detect ClickFix During Delivery
Delivery vector | Details | Evasion technique |
---|---|---|
SEO poisoning | Compromised/new domains intercept normal searches. | Domain rotation/camouflage beats blocklists. |
Malvertising | Ads target geo/org/device audiences. | Selective display avoids scanners; bot protection (e.g., Turnstile). |
Social / forums | “Fix” links shared in threads/DMs. | Heavily obfuscated JS, short-lived infra. |
Modern phishing pages, including ClickFix sites, employ sophisticated detection evasion techniques that render many traditional security controls ineffective. These include:
Domain camouflage and rotation: Attackers constantly refresh their infrastructure to stay ahead of blocklists, making signature-based detection nearly impossible.
Bot protection: Custom CAPTCHA implementations and Cloudflare Turnstile prevent automated security tools from analyzing the malicious pages.
Code obfuscation: Heavy obfuscation of JavaScript code prevents security scanners from identifying malicious patterns.
Targeted delivery: Malvertising can be configured to only display to users from specific geographic locations, email domains, or device types, helping attackers reach their targets while avoiding security analysis.
By moving away from email-based delivery, these attacks completely bypass an entire layer of security controls. Email scanners, which many organizations rely on heavily, never get the chance to inspect the threat.
Perhaps most critically, because the malicious code is copied within the browser sandbox, typical network security tools cannot observe or flag this action as potentially malicious. This means the final opportunity to stop ClickFix attacks falls entirely on endpoint detection and response systems.
Reason 3: Endpoint Detection Is the Last Line of Defense, and It’s Not Foolproof
Category | Indicators | Where to look |
---|---|---|
Clipboard & browser | Auto-copy events; onpaste triggers inserting long Base64/PowerShell; devtools pastes. | Browser extensions/telemetry; EDR clipboard/paste sensors if available. |
Process chains | explorer.exe → powershell.exe with long encoded command; curl/Invoke-WebRequest to unknown hosts. | EDR process graphs; PowerShell logs (4104/4103), Script Block Logging. |
Network | RMM/infostealer download hosts; newly contacted IPs/domains; TLS SNI anomalies. | DNS logs, proxy, FW, EDR network telemetry. |
While endpoint detection and response (EDR) solutions should theoretically catch these attacks at multiple stages, the reality is more complicated. Several factors make detection challenging:
Lack of contextual indicators: Because there’s no file download and the code execution is user-initiated, EDR systems lack the typical context that would flag an action as suspicious. Malicious PowerShell launched from Outlook or Chrome would raise red flags, but when launched directly by the user, it appears as a normal administrative task.
Obfuscation and staging: Attackers break malicious commands into multiple stages or heavily obfuscate them to avoid triggering heuristic detection rules. EDR telemetry may record the activity without immediately recognizing it as malicious.
The cat-and-mouse game: The final stage where EDR should intercept the attack is during malware execution itself. However, detection evasion is an ongoing battle, and attackers continuously develop new techniques to bypass or disable security tools.
Coverage gaps: Organizations that allow employees to use unmanaged bring-your-own-device (BYOD) systems may have significant gaps in EDR coverage, leaving these devices completely vulnerable.
The standard recommendations, such as restricting access to the Windows Run dialog, have proven insufficient. Security researchers have documented a wide range of alternative system utilities that ClickFix attacks can target, many of which are difficult to restrict without impacting legitimate user workflows.
Phase | Action | Outcome |
---|---|---|
Contain | Disconnect network, isolate host; revoke SSO sessions; reset high-value creds. | Halts C2 and credential reuse. |
Investigate | Pull EDR graph; export PS Script Block logs; triage browser history & downloads. | Identify payload and spread. |
Eradicate | Remove RMM/infostealer; clean persistence; patch browser/OS; block indicators. | Back to a trusted state. |
Recover | Re-image if needed; restore; monitor for re-contact; user re-training. | Return to service with guardrails. |
Looking Ahead: The Evolution of Copy-Paste Attacks
As defenders adapt, so too will attackers. There’s already speculation about future attack variants that could execute entirely within the browser, such as pasting malicious JavaScript directly into browser developer tools on vulnerable web pages. Such attacks would completely bypass endpoint detection systems.
The increasing accessibility of ClickFix builders on underground forums, combined with their effectiveness against current defenses, suggests this attack method will continue to grow in popularity throughout 2025 and beyond.
A New Approach: Browser-Based Detection
Given the limitations of traditional security controls, a new generation of browser-based security solutions is emerging to tackle ClickFix attacks at their source. Rather than waiting for malicious code to reach the endpoint, these solutions detect the malicious copy-paste action as it happens in the browser.
This approach offers several advantages. It works regardless of the delivery channel, whether the attack comes through email, social media, malicious ads, or SEO poisoning. It doesn’t depend on recognizing specific page styles or malware signatures. And critically, it detects the one behavior that every ClickFix attack must perform: copying a malicious script from a webpage.
Unlike heavy-handed data loss prevention solutions that block all copy-paste operations, modern browser security platforms can specifically target malicious clipboard activity without disrupting normal user productivity.
Layer | Control | Notes |
---|---|---|
Browser | Detect/block malicious auto-copy; warn on pasting to system utilities. | Agnostic to delivery (SEO, ads, social). |
Endpoint | Harden PowerShell/Run policies; AMSI; EDR rules for base64/obfuscated chains. | User-initiated context makes tuning important. |
Network | DNS filtering; anti-malvertising/WAF; TLS inspection where lawful. | Catches payload retrieval & callbacks. |
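An added example (not the article's or any vendor's code) that ties the endpoint indicator table above (explorer.exe → powershell.exe with a long encoded command) to the browser-based detection just described: one heuristic scorer for ClickFix-style command text, run over constructed EDR-style process events and wrapped around navigator.clipboard.writeText the way a page-context content script could. The indicator weights, the threshold of 4, the event field names and the sample events are all assumptions.

```javascript
// Added example (not the article's or any vendor's code): a heuristic scorer for ClickFix-style
// command text shared by (a) a scanner over constructed EDR-style events and (b) a clipboard hook.
const INDICATORS = [                        // [pattern, weight]; weights and threshold are assumptions
  [/\b(powershell|pwsh)(\.exe)?\b/i, 1],
  [/\s-(e|ec|enc|encodedcommand)\b/i, 3],   // Base64-encoded command line
  [/\b(iex|invoke-expression|invoke-webrequest|iwr|curl|wget|mshta|certutil)\b/i, 2],
  [/-(w|windowstyle)\s+hidden\b/i, 2],
  [/-(ep|executionpolicy)\s+bypass\b/i, 1],
  [/[A-Za-z0-9+/]{60,}={0,2}/, 2],          // long Base64 run
];
const b64decode = typeof atob === 'function' ? atob : s => Buffer.from(s, 'base64').toString('binary');
// -EncodedCommand carries Base64 of UTF-16LE text; decode it so indicators see the real command.
function decodeEncodedCommand(cmdline) {
  const m = cmdline.match(/-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)/i);
  if (!m) return '';
  let bin; try { bin = b64decode(m[1]); } catch { return ''; }
  let out = '';
  for (let i = 0; i + 1 < bin.length; i += 2)
    out += String.fromCharCode(bin.charCodeAt(i) | (bin.charCodeAt(i + 1) << 8));
  return out;
}
function scoreCommandText(text) {
  const full = `${text} ${decodeEncodedCommand(text)}`;
  let score = 0;
  for (const [re, w] of INDICATORS) if (re.test(full)) score += w;
  return { score, suspicious: score >= 4 };
}
// (a) Endpoint side: explorer.exe parent (the user-launched chain from the indicator table)
// plus a suspicious command line. Event field names are assumed, not any EDR's schema.
function scanProcessEvents(events) {
  return events.filter(ev =>
    /\\explorer\.exe$/i.test(ev.parentImage) &&
    /\\(powershell|pwsh|cmd|mshta)\.exe$/i.test(ev.image) &&
    scoreCommandText(ev.commandLine).suspicious);
}
// (b) Browser side: wrap navigator.clipboard.writeText so a page that silently copies a
// suspicious command raises onAlert; the write still proceeds (blocking is a policy choice).
function installClipboardGuard(nav, onAlert) {
  const orig = nav.clipboard.writeText.bind(nav.clipboard);
  nav.clipboard.writeText = text => {
    if (scoreCommandText(String(text)).suspicious) onAlert(String(text));
    return orig(text);
  };
}
// Constructed sample events (not real telemetry); "aQBlAHgAIAAxAA==" is UTF-16LE "iex 1".
const PS = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe';
const SAMPLE_EVENTS = [
  { parentImage: 'C:\\Windows\\explorer.exe', image: PS, commandLine: 'powershell.exe -w hidden -enc aQBlAHgAIAAxAA==' },
  { parentImage: 'C:\\Windows\\explorer.exe', image: PS, commandLine: 'powershell.exe -NoProfile Get-Process' },
];
```

Running scanProcessEvents(SAMPLE_EVENTS) flags only the first event, because the decoded command adds the iex hit to the encoded-switch and hidden-window hits; the plain Get-Process launch scores 1 and passes.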
Conclusion: Adapting to a Changing Threat Landscape
ClickFix attacks represent a fundamental shift in how social engineering attacks are being executed. By moving beyond email, employing sophisticated evasion techniques, and exploiting gaps in user awareness training, these attacks have found a sweet spot where traditional defenses struggle to keep up.
Organizations can no longer rely solely on endpoint detection or user awareness training to protect against these threats. A layered defense approach that includes browser-based detection, comprehensive endpoint protection, and updated security awareness training is essential.
As the cybersecurity landscape continues to evolve, one thing is clear: the days when email was the primary attack vector are behind us. Security strategies must adapt to address threats that live entirely in the browser and target user behaviors we never thought to protect against.
The question isn’t whether your organization will encounter a ClickFix attack—it’s whether you’ll be ready when it happens.