Threat Intelligence
clickfix
fake-captcha
social-engineering

ClickFix: the Fake CAPTCHA That Installs Malware

What ClickFix is, the fake CAPTCHA technique that makes victims run malware themselves. How it works, why it evades defences and how to detect and prevent it.

Secra Solutions teamJuly 13, 202610 min read

ClickFix is a social engineering technique in which the attacker shows a fake CAPTCHA or error message and convinces the victim to copy a command, paste it into a system window and press Enter, running the malware themselves. According to the ESET Threat Report H1 2025, ClickFix detections rose 517% between two consecutive half-years, making it one of the fastest growing techniques of the period. The Microsoft Digital Defense Report of October 2025 identifies it, in the initial access data from Defender Experts notifications, as the entry method in roughly 47% of those cases. The fake CAPTCHA is no longer a curiosity: it is one of the preferred entry points for infostealers, RATs and ransomware.

From a red team perspective, ClickFix is both fascinating and dangerous, because it does not exploit a software vulnerability. It exploits the user's willingness to "fix" a problem they believe they have. In this article we break down what ClickFix is, how the deception works step by step, why it slips past so many controls and how organisations can detect and prevent it.

What ClickFix is and why it matters so much

ClickFix is a family of social engineering attacks in which the attacker shows the victim a web page with a fake error message, a bogus "human verification" CAPTCHA or a dialog promising to fix a fault. At its core the instruction is always the same: to continue, copy this text, paste it into a specific operating system window and run it. That text is, in reality, a malicious command.

Proofpoint documented the first campaigns in March 2024. By the end of that year the technique had already spread across multiple groups, and during 2025 it went from a novelty to a de facto standard for initial access. The reason for its success is that it solves a classic attacker problem: how to get code to run on the victim's machine without attaching a file an antivirus can scan or exploiting a vulnerability a patch can close. ClickFix's answer is to delegate execution to the user.

It is a twist on the classic techniques we cover in what is social engineering: the vector is not an email with a suspicious attachment, but a sequence of steps the victim performs willingly, convinced they are passing a legitimate verification.

How the deception works step by step

A typical ClickFix attack follows a well-polished script, designed to reduce friction and avoid raising the user's alarm.

1. The lure and the fake page

The victim reaches the fraudulent page through several routes: a poisoned search result, a malicious ad (malvertising), a link in a phishing email, a social media comment, or even a compromised legitimate site that injects the content. The page displays a believable message: "Verify you are human", "Your browser needs to update to view this content" or "An error occurred loading the document, follow these steps to fix it".

2. The "verification" instructions

This is the heart of ClickFix. The page guides the victim with numbered steps that mimic the look of a real CAPTCHA:

  1. Press Win + R (or open Terminal on macOS).
  2. Press Ctrl + V to paste.
  3. Press Enter.

What the victim does not see is that, when they click the fake "I'm not a robot", a JavaScript function has silently copied a malicious command to the clipboard. When they paste and run it, they are not passing any verification: they are launching the first link in the infection chain.

3. The command and its execution

The pasted command usually invokes powershell.exe, mshta.exe, cmd.exe or nslookup with obfuscated parameters. A common variant downloads and runs a second stage from a remote server, often disguising the URL or encoding it in Base64. Some recent campaigns even use DNS TXT records to deliver the payload, avoiding obvious HTTP requests. To hide their intent, many commands include filler text or comments that the victim sees in the Run bar but which do not alter the actual execution. Using PowerShell as the interpreter is no accident: it is what we call, in how to avoid phishing, abuse of legitimate system binaries.

4. Delivering the final payload

Once the first command runs, the chain downloads the real payload. Here ClickFix is agnostic: it is a delivery method, not a specific malware family.

What ClickFix delivers: infostealers, RATs and ransomware

The list of payloads tied to ClickFix grows every month. Microsoft describes Lumma Stealer as the most prolific payload distributed this way. Among the documented families are:

  • Infostealers: Lumma Stealer, DanaBot, SnakeStealer and, in macOS variants, Atomic Stealer. These thieves extract credentials, session cookies, cryptocurrency wallets and tokens. If you want to understand the impact of this category, we cover it in depth in what is an infostealer.
  • RATs (remote access trojans): NetSupport RAT, AsyncRAT and DarkGate variants, which grant persistent control of the machine. We explain how these trojans work in what is a trojan.
  • Loaders and ransomware: Latrodectus and other loaders that prepare later ransomware deployment, along with cryptominers and post-exploitation tools.

Campaigns based on ClearFake variants have compromised large numbers of systems in short periods, which illustrates the scale a single operator can reach. To place these families within the broader landscape, it helps to review the most common types of malware.

Why ClickFix evades so many defences

What makes ClickFix such a serious challenge is the combination of factors that play in the attacker's favour and against traditional controls.

The user runs the code, not an exploit. No vulnerability is exploited: execution is initiated by the user within their own session, which sidesteps many antivirus heuristics focused on downloads and attachments. The malicious executable usually downloads only after the victim pastes and runs the command.

The real payload arrives later, not in the lure. There is often no malicious executable attached at first contact: the payload downloads later, once the victim runs the command themselves. That reduces the material gateways can block up front, but it does not remove it. The delivery stage can rely on malicious HTML, JavaScript, links or HTML attachments, and those are artefacts that email and web controls can inspect. It is worth keeping and tuning those controls: the dangerous command is generated in the browser's clipboard, but the page or message that leads the victim there remains analysable.

It abuses Microsoft-signed binaries. The command runs through powershell.exe or mshta.exe, legitimate signed processes. Many allowlists and application controls permit them by default, a living-off-the-land technique that complicates detection.

Classic awareness does not cover this reflex. Training programmes teach employees to distrust attachments and links, but rarely teach them to refuse the act of pasting a command into the Run window. ClickFix exploits precisely that gap. It is the same logic we see in emerging vectors like quishing or QR code phishing: the attack moves to ground where training has not yet arrived.

From the standpoint of a red team exercise, ClickFix is an ideal module for measuring an organisation's human resilience, because it tests a behaviour that almost no technical control covers.

How to detect ClickFix in your organisation

Detecting ClickFix relies mainly on endpoint telemetry and behavioural rules rather than signatures.

Endpoint detection (EDR)

The most valuable signals are in the process tree. A telltale pattern is a browser (chrome.exe, msedge.exe) or the explorer.exe process, via the Run box, spawning powershell.exe, mshta.exe or cmd.exe with obfuscated command lines, Base64 strings or remote downloads. A good EDR or XDR should alert on these anomalous parent-child chains.

Another key source is Windows's RunMRU registry key, which stores the history of the Run box. The presence of long or encoded PowerShell commands in that key is an almost unmistakable indicator of a ClickFix compromise.

Detection rules and threat hunting

Writing behavioural rules for the SIEM and the EDR around these process relationships is the most robust approach. For analysing the downloaded samples, YARA rules remain useful for identifying specific payload families once the second-stage binary is captured. Combining endpoint behaviour detection with proactive hunting over RunMRU and PowerShell logs (with Script Block Logging enabled) covers the noisiest phases of the attack.

Preventive controls

  • Restrict or monitor PowerShell use for users who do not need it, and enable constrained language mode where feasible.
  • Consider disabling the Run box (Win + R) via group policy for user profiles that do not require it.
  • Filter newly registered domains and malvertising categories through DNS and proxy.
  • Strengthen phishing-resistant MFA to limit the impact of credential theft. Keep an important distinction in mind: phishing-resistant MFA protects the login moment, but it does not stop session hijacking. Many of these payloads are infostealers that steal already-authenticated session cookies and tokens; by replaying them, the attacker gets in without going through MFA again. For that risk, complement MFA with device-bound tokens (token binding), short sessions with prompt revocation, conditional access and detection of anomalous session reuse (use from an IP, geography or device different from the original).

Awareness: the message people must internalise

The most effective defence against ClickFix is a well-trained human reflex. The message must be unambiguous: no website, no CAPTCHA and no legitimate document will ever ask you to open the Run window, PowerShell or the Terminal and paste a command. If a page gives you those instructions, it is an attack, without exception.

It is worth building this scenario into your drills. Just as employees are trained against spear phishing, a good red team exercise should include a controlled ClickFix campaign to measure how many users actually run the command and to reinforce the message with real cases from the organisation itself. Abstract awareness yields little; awareness built on a drill people have lived through yields far more.

Frequently asked questions

Does ClickFix only affect Windows?

No. Although most campaigns target Windows by abusing the Run box and PowerShell, there are macOS variants that instruct the victim to open Terminal and paste commands delivering Atomic Stealer, plus Linux adaptations. The principle (getting the user to run the command) is independent of the operating system.

Does an antivirus stop a ClickFix attack?

Not reliably on its own. Because the user runs the command manually through legitimate system binaries, many signature-based solutions do not block it. Effective defence combines endpoint behaviour detection (EDR/XDR), monitoring of the RunMRU key and PowerShell logging, and above all user awareness.

How do I tell a real CAPTCHA from a ClickFix fake CAPTCHA?

A legitimate CAPTCHA is solved inside the browser: identifying images, ticking a box or solving a puzzle. It will never ask you to press Win + R, open PowerShell or Terminal, or paste and run text in a system window. Any "human verification" that demands those steps is a ClickFix attack.

Why has ClickFix grown so much in 2025?

Because it solves the attacker's problem cheaply and effectively: it avoids scannable attachments and patchable exploits, abuses signed binaries and exploits an awareness gap. The ESET Threat Report H1 2025 recorded a 517% increase between two consecutive half-years, making it one of the fastest growing initial access techniques of the period.

Test your company's human resilience

ClickFix proves that the most exploitable link is not always unpatched software, but a user willing to "fix" a problem that does not exist. At Secra we design social engineering exercises and controlled campaigns that measure exactly how your workforce would respond to a fake CAPTCHA, and we turn the results into actionable training. Discover our red team service or contact us to plan a tailored assessment.

About the author

Secra Solutions team

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.

Share article