Sixfold surge of ClickFix attacks threatens corporate defenses

July 9, 2025

The ClickFix attack tactic is something of an anomaly among social engineering methods. To one extent or another, all social engineering tactics depend on user ignorance, but perhaps none more so than ClickFix, which requires the target to believe that copying code from a website, pasting it into their local terminal, and running it is a legitimate CAPTCHA challenge. The only thing perhaps more shameful than the absolute brazenness of ClickFix is the fact that it is so effective. Since its inception in 2024, use of the ClickFix tactic has skyrocketed by more than 500%. It is now the second-most common attack vector after phishing.

Why exactly is ClickFix so effective? There are two broad ways that ClickFix is deployed, and each works for its own reason. The first is similar to older tech-support scams, but requires less hands-on-keyboard intervention. A fake error message presents a set of commands to be copied and pasted into the command line as the solution. The average computer user cannot tell a fake error from a real one, cannot troubleshoot their system, cannot recognize malicious commands, and, when confronted with the possibility of a nonfunctional computer, tends to be so desperate that they are willing to try anything. This puts them in an ideal position to be victimized by ClickFix.

The other scenario in which ClickFix is employed is the CAPTCHA tactic. This capitalizes on user ignorance as to the purpose of CAPTCHA tasks. On a regular basis, users are asked to perform seemingly nonsensical tasks, such as deciphering words or recognizing images. If a user does not know the purpose of these tasks, which is to improve machine vision through human confirmation, they may not be surprised when a CAPTCHA asks them to copy and paste code into their machine. In their view, it may just be another random task.

In both the error prompt and the CAPTCHA prompt, therefore, the main difficulty is ignorance, and the main solution must be education. In the long run, a structural solution may have to be sought, similar to how Microsoft has disabled macros by default in its documents. In the meantime, users will need to be made aware on a large scale of the existence of the ClickFix tactic, its dangers, how to detect it, and how to avoid it.
