New social engineering alert: #ClickFix tricks users into pasting malicious code from the browser clipboard into their device terminal, leading to malware like RATs and stealers. Stay vigilant and protect your browser! 
Read more: https://www.bleepingcomputer.com/news/security/inside-a-real-clickfix-attack-how-this-social-engineering-hack-unfolds/ #CyberSecurity #Malware #Infosec #newz
Administered by:
#clickfix
0 posts0 participants0 posts today
.hta files are still going strong. In 2025.
During routine infrastructure hunting, CloudSEK’s TRIAD uncovered a Clickfix-themed malware delivery site in active development, associated with the Epsilon Red ransomware. Unlike previous campaigns that copy commands to clipboards, this variant urges victims to visit a secondary page, where malicious shell commands are silently executed via ActiveX to download and run payloads from an attacker-controlled IP. Social engineering tactics, such as fake verification codes, are used to appear benign. Pivoting into related infrastructure revealed impersonation of services like Discord Captcha Bot, Kick, Twitch, and OnlyFans, as well as romance-themed lures. Epsilon Red was first observed in 2021 and is loosely inspired by REvil ransomware in ransom note styling, but otherwise appears distinct in its tactics and infrastructure.
www.cloudsek.comThreat Actors Lure Victims Into Downloading .HTA Files Using ClickFix To Spread Epsilon Red Ransomware | CloudSEKCloudSEK discovered a new Epsilon Red ransomware campaign targeting users globally via fake ClickFix verification pages. Active since July 2025, threat actors use social engineering and impersonate platforms like Discord, Twitch, and OnlyFans to trick users into executing malicious .HTA files through ActiveX. This leads to silent payload downloads and ransomware deployment. Users are urged to disable ActiveX, block attacker IPs, and train against such lures.
Szczegółowa analiza techniczna nowej kampanii ukierunkowanych ataków wykorzystujących metodę #ClickFix w celu dostarczenia złośliwego oprogramowania, przygotowana przez Irka Tarnowskiego, który swego czasu napisał sporo dobrych tekstów do @zaufanatrzeciastrona
A detailed technical analysis of a new campaign of targeted attacks using the ClickFix method to deliver malware
Medium · Dissecting the ClickFix User-Execution Attack and Its Sophisticated Persistence via ADS
#ClickFix went from virtually non-existent to the second most common attack vector blocked by #ESET, surpassed only by #phishing. This novel social engineering technique accounted for nearly 8% of all detections in H1 2025. #ESETresearch
ClickFix lures users by displaying bogus error messages followed by quick fix instructions, including copy-pasting malicious code. Running the code in the victim’s command line interpreter delivers malware such as #RATs, infostealers, and cryptominers.
Between H2 2024 and H1 2025, ESET’s detection for ClickFix, HTML/FakeCaptcha, skyrocketed by 517%. Most detections in ESET telemetry were reported from Japan (23%), Peru (6%), and Poland, Spain, and Slovakia (>5% each).
What makes #ClickFix so effective? The fake error message looks convincing; instructions are simple, yet the copied command is too technical for most users to understand. Pasting it into cmd leads to compromise with final payloads, including #DarkGate or #LummaStealer.
While #ClickFix was introduced by cybercriminals, it’s since been adopted by APT groups: Kimsuky, Lazarus; Callisto, Sednit; MuddyWater; APT36. NK-aligned actors used it to target developers, steal crypto and passwords from Metamask and #macOS Keychain.
#ClickFix uses psychological manipulation by presenting fake issues and offering quick solutions, which makes it dangerously efficient. It appears in many forms – error popups, email attachments, fake reCAPTCHAs – highlighting the need for greater vigilance online.
Read more in the #ESETThreatReport:
https://welivesecurity.com/en/eset-research/eset-threat-report-h1-2025
2025-07-15 (Tuesday): Tracking #SmartApeSG
The SmartApeSG script injected into page from compromised website leads to #ClickFix style fake verification page. ClickFix-ing you way through this leads to a #NetSupportRAT infection.
Compromised site (same as yesterday):
- medthermography[.]com
URLs for ClickFix style fake verification page:
- warpdrive[.]top/jjj/include.js
- warpdrive[.]top/jjj/index.php?W11WzmLj
- warpdrive[.]top/jjj/buffer.js?409a8bdbd9
Running the script for NetSupport RAT:
- sos-atlanta[.]com/lal.ps1
- sos-atlanta[.]com/lotu.zip?l=4773
#NetSupport RAT server (same as yesterday):
- 185.163.45[.]87:443
I finally stumbled upon a real #ClickFix attack in the wild. My favorite weather page presented the screen as shown. It doesn't take much tech knowledge to know these instructions are pure bullshit.
Now here's what's interesting. I reloaded the page, normal page came up. Cleared the cookies, normal page. Tried a different browser, normal page. So is it random? Should I alert the site owner?
#ClickFix is a social engineering technique that uses fake verification pages and clipboard hijacking to convince people to click and keyboard stroke their way to an infection. So let's categorize #FileFix properly in the pantheon of ClickFix Attacks.
FileFix: A ClickFix page that asks you to past script into a File Manager window.
#RunFix: A ClickFix page that asks you to paste script into a Run window
#TermFix: A ClickFix page that asks you to paste script into a terminal window (cmd.exe console or PowerShell terminal).
We cool with that? Any others types I'm missing?
Are we still on about the MotW flaws? I'm not sure anyone pays attention to that anyway.
https://www.darkreading.com/endpoint-security/clickfix-spin-off-bypassing-key-browser-safeguards
https://www.europesays.com/us/27358/ FBI Warning Issued As 2FA Bypass Attacks Surge — Get Prepared #2FA #AirlinesCyberattack #Business #ClickFix #FBIAlert #FBIRansomwareAlert #FBIWarning #ITHelpDeskHack #MFA #Ransomware #ScatteredSpider #UnitedStates #UnitedStates #US
https://www.europesays.com/us/24992/ FBI Warning Issued As 2FA Bypass Attacks Surge — Get Prepared #2FA #AirlinesCyberattack #Business #ClickFix #FBIAlert #FBIRansomwareAlert #FBIWarning #ITHelpDeskHack #MFA #Ransomware #ScatteredSpider #UnitedStates #UnitedStates #US
ESET Threat Report H1 2025: #ClickFix attacks surge 500%, SnakeStealer tops infostealer charts, and NFC fraud jumps 35x. Plus, chaos in the ransomware underworld and a new Android adware menace—Kaleidoscope. Dive into the full report: https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h12025.pdf #ESETresearch
2025-06-18 (Wednesday): #SmartApeSG --> #ClickFix lure --> #NetSupportRAT --> #StealCv2
A #pcap of the traffic, the malware/artifacts, and some IOCs are available at https://www.malware-traffic-analysis.net/2025/06/18/index.html.
Today's the 12th anniversary of my first blog post on malware-traffic-analysis.net, so I made this post a bit more old school.
"We don’t just want payment; we want accountability." The malicious hackers behind the Interlock ransomware try to justify their attacks.
Learn more about what you need to know about Interlock in my article on the Tripwire blog.
https://www.tripwire.com/state-of-security/interlock-ransomware-what-you-need-know
www.tripwire.comInterlock ransomware: what you need to knowInterlock is a 2024 ransomware strain targeting both Windows and FreeBSD systems, making it more versatile than typical ransomware.
State-sponsored threat actors often leverage techniques first developed and deployed by cybercriminal actors. One example is #ClickFix, a highly effective technique that involves clever #socialengineering.
Listen as Proofpoint threat research experts Selena Larson, Sarah Sabotka, and Saher Naumaan deep dive into how modern #espionage and #cybercrime are increasingly blurring lines.
Stream DISCARDED now:
Apple Podcasts: https://brnw.ch/21wSNbM
Spotify: https://brnw.ch/21wSNbL
Web player: https://brnw.ch/21wSNbN
Reposting this since the first go-round coincided with some hosting trubz.
Here's a quick review of some of the easy wins against #ClickFix!
taggart-tech.comClickFix Fixes Ranked
More from 
Taggart 
I think I have a nice compromise #ClickFix ...fix for those places that just can't live without some Explorer niceties.
There is an alternative to the "Disable Windows shortcuts" GPO, which not only disables Win+ shortcuts, but also things like using UNC paths in the Explorer address bar.
Of course, Geoff Chappell lights the way.
I believe that GPO applies the REST_NORUN reg key and not REST_NOWINKEYS policies—despite the name.
If I apply the REST_NORUN reg setting directly, I get the same behavior as the GPO. The popup pictured here appears.
But if I instead set the REST_NOWINKEYS dialog, the Win+R shortcut is disabled, but other stuff (like UNC paths in explorer) still works! Now, this doesn't remove the Run command from the start menu, but it is at least a safety. Oh and one more thing: because that shortcut is now unregistered, you can register it yourself for something like a lil daemon that pops a message box saying Hey did a website tell you to do this? Don't!
You can try both settings.
REST_NORUN: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
REST_NOWINKEYS: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWinKeys
UPDATE: You can additionally disable only Win+R by setting HKEY_CURRENT_USER\SOFTWARE\Microsoft\CurrentVersion\Explorer\Advanced\DisabledHotkeys to a String value containing the Win shortcuts you want to disable. So a single R will do the trick. Note this only works at the user level.
New ClickFix campaign alert! This evolving cyberattack now targets both Windows & Linux users by tricking them into running malicious console commands under the guise of “browser updates” or CAPTCHA tests. 
Currently harmless but watch out! Threat actor: APT36 (Pakistan). Stay safe & informed! #CyberSecurity #ClickFix #Linux #Windows #APT36 #InfoSec #TechRadar #newz
TechRadar pro · New ClickFix campaign spotted hitting both Windows and Linux machines
FWIW, 100% of #ClickFix attacks I've seen have added some kind of inline comment at the end of the command string like I am not a robot to sell the ruse. Definitely worth a threat hunt on command line history.
2025-04-22 (Tuesday): Always fun to find the fake CAPTCHA pages with the #ClickFix style instructions trying to convince viewers to infect their computers with malware.
Saw #StealC from an infection today.
Indicators available at https://github.com/malware-traffic/indicators/blob/main/2025-04-22-IOCs-for-ClickFix-style-campaign-leading-to-StealC-infection.txt