Jazz Solutions, Inc. (JSL)  

Cyber in 60

ClickFix: The social engineering attack disguised as technical support

By JSL Staff 

A new wave of cyberattacks is exploiting users’ trust in routine computer processes through a technique known as “ClickFix.” This sophisticated social engineering method tricks victims into manually executing malicious scripts by disguising the attack as a standard verification or troubleshooting procedure.

How ClickFix Works

The ClickFix attack begins when a user encounters what appears to be a technical error or verification requirement. Unlike traditional phishing that relies on malicious links or attachments, ClickFix manipulates users into becoming unwitting accomplices in their own system compromise.

The attack typically unfolds in three stages:

  1. Initial Contact: Victims encounter a fake error message, often on compromised websites or through phishing emails. These messages mimic legitimate system errors or CAPTCHA verification screens.
  2. The “Fix” Instructions: Users are presented with what appears to be helpful technical support instructions. A common sequence involves:
    1. Pressing Windows + R to open the Run dialog
    2. Using CTRL + V to paste a command (already copied to their clipboard)
    3. Pressing Enter to execute
  3. Payload Delivery: The executed command downloads and installs malware, ranging from information stealers to remote access tools.

Current Campaign Trends

According to recent analysis by Group-IB, ClickFix campaigns have evolved significantly since their emergence. The technique has been adopted by various threat actors, from cybercriminals to state-sponsored groups.

Proofpoint researchers have identified several nation-state actors employing ClickFix:

  • North Korean-affiliated TA427 targeted think tanks with emails leading to QuasarRAT malware installation
  • Iranian-linked TA450 impersonated Microsoft security updates to deploy remote management tools
  • Russian-suspected UNK_RemoteRogue focused on defense contractors using fake Office error pages

Industry-Specific Targeting

The hospitality sector has become a particular focus for ClickFix campaigns. As reported by KrebsOnSecurity, attackers are impersonating Booking.com to target hotel staff with messages about negative reviews or booking inquiries. These campaigns exploit the industry’s customer-service mindset, where employees are conditioned to quickly resolve guest issues.

The KongTuke campaign, active since September 2024, demonstrates the scale of these operations. It uses compromised websites to inject scripts that collect system information before redirecting users to malicious payloads.

Recognition and Prevention

Users should be alert to several red flags:

  • Any “error fix” requiring manual command execution
  • CAPTCHA or verification processes asking for keyboard shortcuts
  • Pop-ups with step-by-step instructions involving the Run dialog
  • HTML email attachments claiming to be Office documents

Legitimate technical support will never ask users to:

  • Open Run commands and paste unknown scripts
  • Bypass security warnings through manual processes
  • Execute PowerShell commands to “fix” viewing issues

Protecting Your Organization

Organizations can implement several measures to combat ClickFix attacks:

  1. User Education: Train employees to recognize social engineering tactics, especially those mimicking technical support
  2. Email Security: Deploy advanced email filtering to detect HTML attachments with embedded scripts
  3. Endpoint Protection: Ensure systems can detect and block PowerShell abuse
  4. Incident Reporting: Establish clear channels for reporting suspicious “fix” instructions
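
For the endpoint and incident-reporting measures above: Windows keeps the Run dialog's history in the user's RunMRU registry key, so a reported "fix" can be checked after the fact. The following Python triage is an added example, not JSL's code; the scoring patterns, the threshold and the sample entries are assumptions constructed for illustration.

```python
import re

# Heuristic patterns chosen for this example (assumptions, not a vendor rule set).
LOLBIN = re.compile(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|curl|certutil|"
                    r"bitsadmin|msiexec|rundll32|regsvr32)(\.exe)?\b", re.I)
REMOTE = re.compile(r"https?://|\\\\[\w.-]+\\", re.I)   # URL or UNC path
HIDING = re.compile(r"\s-(w|win|windowstyle)\s+h(idden)?\b|\s-(e|ec|enc\w*)\s", re.I)
LURE = re.compile(r"captcha|not a robot|verif", re.I)   # text aimed at the user

CHECKS = [
    (LOLBIN, "script interpreter or download tool"),
    (REMOTE, "remote URL or UNC path"),
    (HIDING, "hidden window or encoded command"),
    (LURE, "verification-themed text inside the command"),
]

def run_history(values):
    """Return Run-dialog commands, most recent first, from RunMRU values."""
    # MRUList orders the value names; each string ends with a "\1" marker.
    entries = [values[n] for n in values.get("MRUList", "") if n in values]
    return [e[:-2] if e.endswith("\\1") else e for e in entries]

def score(command):
    """Return the reasons a command looks like a pasted ClickFix 'fix'."""
    return [why for pattern, why in CHECKS if pattern.search(command)]

def triage(values, threshold=2):
    """Return (command, reasons) for entries matching at least `threshold` checks."""
    scored = [(c, score(c)) for c in run_history(values)]
    return [(c, r) for c, r in scored if len(r) >= threshold]

# Constructed sample shaped like an export of
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU; the payload
# part is a placeholder and the domain is reserved (.invalid).
SAMPLE = {
    "MRUList": "cab",
    "a": "cmd\\1",
    "b": "\\\\fileserver\\share\\reports\\1",
    "c": 'powershell -w hidden "<fetch-and-run https://cdn.example.invalid/v>" '
         "# Verification ID 4821\\1",
}

if __name__ == "__main__":
    for command, reasons in triage(SAMPLE):
        print(command, "->", "; ".join(reasons))
```

Ordinary entries such as a bare `cmd` or a file-share path match at most one check and stay below the threshold; only the entry combining an interpreter, a remote address, a hidden window and verification wording is reported.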

The Evolution Continues

What makes ClickFix particularly concerning is its adaptability. Attackers continuously refine their lures, from fake browser updates to document viewing errors. The technique’s success relies not on technical vulnerabilities but on human psychology—our instinct to follow instructions when faced with technical problems.

As Group-IB notes, the variety of ClickFix implementations suggests this technique will remain a persistent threat. Organizations must prepare their users to think critically when encountering any “helpful” error resolution steps, especially those requiring manual command execution.

If you encounter suspicious verification requests or error fixes requiring the Windows + R sequence, stop immediately and contact your IT security team before proceeding.

