What is ClickFix (the fake verification that installs the attack)?
ClickFix is a social engineering technique in which a fake page shows an error or a verification (for example, a fake “I'm not a robot” check) and induces the victim to copy a piece of text and run it on their own computer, pressing Win+R, pasting and hitting Enter. In that single gesture, they unknowingly run the attacker's command, which installs the threat. The victim opens the door themselves, which is why traditional antivirus barely sees the attack.
How the ClickFix scam happens
ClickFix flips the logic of an attack: instead of bypassing the machine's defenses, it convinces the person to run the command with their own hands. The steps are almost always the same.
The lure
The victim lands on a compromised or fake page, often through a phishing link or a search result, and sees a convincing prompt: an “I'm not a robot” check, a document error or a fake browser update.
The instruction
The screen asks for a “simple step to fix it”: press Win+R, paste and hit Enter, on Windows, or open Terminal, on Mac and Linux. It all looks like a routine technical fix.
The invisible copy
When the victim clicks the “verify” or “fix” button, the page silently copies a hidden command to the clipboard. The victim believes they copied nothing.
The victim runs it
When they paste and press Enter, it is the attacker's command that runs. It downloads and installs the real payload: an information stealer, ransomware or a remote access tool.
Source: 2025 threat reports that documented the technique and its growth (ESET Threat Report H1 2025) and Microsoft threat intelligence (2025).
How to recognize a ClickFix
- Any page asking you to press Win+R, open Terminal or paste a command is an immediate red flag. No legitimate verification, update or CAPTCHA needs that.
- An “I'm not a robot” check that ends by asking you to “paste” something, instead of just ticking a box or clicking images.
- A fake document, online meeting or browser error that offers the “fix” in a few clicks, always in a hurry.
- Technical instructions handed to someone non-technical, with a tone of urgency (“do it now or you'll lose access”).
- A step that mentions “PowerShell”, “cmd” or a long, scrambled piece of text you do not understand.
Why ClickFix exploded
ClickFix grew so fast because it solves the attacker's biggest obstacle: technical defenses. Antivirus and email filters watch attachments and downloaded files; here there is no attachment, it is the person who types the command, and the system reads it as a legitimate user action. In the first half of 2025, ClickFix attacks rose 517% and the technique became the second most common vector, behind only phishing (ESET, 2025). It works on Windows, Mac and Linux, and delivers everything: information stealers, ransomware and remote access tools. The scale is striking too: a single campaign compromised more than 250 legitimate sites across more than 12 countries to display the fake verification (Rapid7, 2025). With a breach costing an average of $ 4.44 million (IBM, 2025), one convincing click gets expensive.
How to protect the company from ClickFix
ClickFix attacks behavior, not the machine. The defense combines one clear rule for people with technical layers that catch whatever slips through.
- Teach a golden ruleNo legitimate site, verification or update asks you to press Win+R, open Terminal or paste a command. That single sentence, known by the whole team, stops most of these attacks.
- Train with simulationsRecurring awareness, with hands-on tests, teaches the team to recognize the lure before acting. It is the cheapest defense and the one that pays off most.
- Run behavior-based endpoint defenseAdvanced endpoint defense watches what was executed and interrupts the malicious command even when it was the user who ran it.
- Reduce execution powerLimiting who can run commands and programs (least privilege) and restricting tools like PowerShell in daily use shrinks the damage of a wrong click.
- Cut the source and the destinationEmail security and DNS filtering block the fake page that shows the lure and the domain the payload would be downloaded from, before the command ever runs.
In practice
In ClickFix, the victim types their own attack. That is why the strongest defense is not software, it is a sentence every employee should know by heart: no site asks you to paste a command.
How Zamak handles ClickFix
Zamak Technologies treats ClickFix as what it is, a scam that targets people, and responds on two fronts alongside your team: continuous awareness, so no one falls for the fake verification, and monitored advanced endpoint defense, which interrupts the command when someone clicks anyway. A good starting point is the phishing test, which measures in minutes how your team reacts to a real lure. It is part of Cybersecurity in the Zamak Method.