Clickfix is a social engineering trick that hackers are increasingly using to spread malware in early 2024.
It tricks you into running malicious commands on your own computer, and attacks have become more common than ever. Hackers have them install password-stolen malware by pressing a series of keyboard shortcuts under the pretense of proving they’re not bots.
A bot is an automated computer program that performs repetitive tasks online, and often mimics human behavior. By tricking you into proving they’re not bots, hackers will exploit the lack of understanding about these automated systems to unconsciously install malware.
Be protected and informed! Get security alerts and expert technical tips – Sign up for The CyberGuy Report in Cart now
People who work on laptops (Kurt “Cyberguy” Knutsson)
What you need to know
As reported by Krebsonsecurity, the latest ClickFix campaign organizes password-steel malware installations under the routine “BeLify You Are a Human” test guise. Initially, it was seen in targeted attacks, but now it has become mainstream and has impacted industries such as hospitality and healthcare.
Scams start when you visit hacked or malicious websites and see fake Captcha-style prompts. Clicking the (I’m not a robot) button triggers a series of instructions asking you to press a specific keyboard shortcut. First, you are told to press Windows + R and the Windows Run dialog opens. You will then be told to press Ctrl + V to paste the malicious script copied from the virtual clipboard of your website. Press Enter and it will run a script that downloads and runs the malware.
What is Artificial Intelligence (AI)?
Cybercriminal uses phishing emails and malicious websites to spread Clickfix. The hospitality industry is highly targeted, with attackers impersonating Booking.com and sending fake emails referring to guest reviews and promotions. Click on these email links to see a Clickfix trap. Healthcare workers are also targeted, with malicious code embedded in the widely used physical therapy site HEP2GO.
When Clickfix comes onto your PC, it installs a variety of malware, including password steelers such as Xworm, Lumma Stealer, and Danabot. Some versions provide remote access trojans such as Venomrat and Asyncrat, allowing attackers to have full control over the system. Others deploy NetSupport rats, a remote access tool commonly misused for cyber espionage.
Running a keypress for this series will prompt Windows to download password stealing malware. (Krebsonsecurity)
Hidden Costs of Free Apps: Your Personal Information
Previous clickfix attacks
Security researchers believe Clickfix has been targeting people since March 2024. In June 2024, we reported that users were tricked into downloading harmful code when they posed as fake Google Chrome, Word, and OneDrive errors. Just like in the current campaign, the attacker prompted the victim to click on the button that copied “Fix” to the clipboard and then paste it and run it in a dialogue or PowerShell prompt.
By November 2024, attackers had expanded their targets to Google Meet users. The scam started with an email containing a link to a Google meeting session, but was often disguised as being seen from the victim’s organization. This link can lead to invitations for meetings, webinars, or online collaborations. Clicking on the link pointed the victim towards a fake Google Meet page. This gave a warning claiming there was a problem with the PC, such as a microphone, camera, or headset issue.
The attack was also seen on fake Chrome error pages and Facebook login prompts, spreading the malware even further to different platforms, increasing its reach.
This malware attack pretends to be a capture aimed at separating humans from the bot. (Krebsonsecurity)
Outmart hackers trying to steal your identity
Six ways to stay safe from ClickFix malware
Consider implementing these six key security measures to protect yourself from the evolving threats of ClickFix malware that continue to target users through sophisticated social engineering tactics.
1. Be skeptical of Captcha’s prompt. Legal Captcha tests do not require you to press Windows + R, copy commands, or paste them into PowerShell. If the website tells you to do this, it’s probably a scam. Close the page immediately and avoid interacting with it.
2. Do not use powerful antivirus software by clicking on the link from an unverified email. Many Clickfix attacks start with phishing emails that are pretending to be trustworthy services such as Booking.com and Google Meet. Be sure to check the sender before clicking on the link. If your email appears urgent or unexpected, instead of clicking on the link in the email, go directly to the company’s official website.
Click here to get your Fox business on the go
The best way to protect yourself from malicious links to install malware is to install powerful antivirus software on all your devices, as it may access your personal information. This protection can also warn you that it will phish email and ransomware scams and keep your personal information and digital assets safe. Get the best 2025 Antivirus Protection Winners picks for Windows, Mac, Android and iOS devices.
3. Enable 2-factor authentication: Enable 2-factor authentication whenever possible. This adds an additional layer of security by requiring validation of the second form, including the password, as well as the code sent to the phone.
4. Keep your device updated: Regular updates to your operating system, browser and security software ensure the latest patches for known vulnerabilities. As cybercriminals take advantage of outdated systems, enabling automatic updates is an easy and effective way to stay protected.
5. Monitor your account for suspicious activity and change your password. Check your online account if you interact with suspicious websites, phishing emails, or fake login pages. Look for unexpected login attempts, unauthorized password resets, or unrecognized financial transactions. If you think something is missing, change your password immediately and report your activity to the relevant service provider. Also, consider using a password manager to generate and store complex passwords. For more information about my best expert reviewed password managers of 2025, click here.
6. Invest in Personal Data Deletion Services: Consider using services that monitor your personal information and warn you of potential violations or misuse of your data. These services can provide early warning signs of identity theft and other malicious activity resulting from Clickfix or similar attacks. Although there is no service that promises to delete all data from the internet, deleting a deletion service is great if you want to constantly monitor and automate the process of continuously deleting information from hundreds of sites over a long period of time. Please see the top picks for data deletion services.
Massive security flaws put the most popular browsers at risk with MAC
Important points of cart
ClickFix reminds us that malware doesn’t always depend on complex exploits. In many cases, you need to follow the wrong instructions. Attackers are improving their methods and are more persuading than ever before scams such as fake captures, phishing emails, and deceptive pop-ups. The best way to go ahead is to question what appears to be a little farther away. If the website runs a command or asks you to paste something into PowerShell, it’s a red flag. If your email pressures you to click on a link, check first.
Click here to get the Fox News app
Do you think tech companies are doing enough to stop malware like Clickfix? Please let us know by writing to cyberguy.com/contact.
For more information about my tech tips and security alerts, head to cyberguy.com/newsletter and subscribe to our free Cyberguy Report newsletter.
Please ask your cart or tell us what stories you would like us to cover.
Follow your cart on his social channels:
Answers to the most accused Cyber Guy questions:
New from Cart:
Copyright 2025 cyberguy.com. Unauthorized reproduction is prohibited.
