{"id":53348,"date":"2025-04-29T17:16:39","date_gmt":"2025-04-29T21:16:39","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=53348"},"modified":"2025-04-29T17:16:39","modified_gmt":"2025-04-29T21:16:39","slug":"what-is-clickfix","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/what-is-clickfix\/53348\/","title":{"rendered":"ClickFix technique: what it is and why it&#8217;s dangerous"},"content":{"rendered":"<p>Attackers are increasingly using the ClickFix technique to infect Windows computers by forcing users to run malicious scripts manually. The use of this tactic was first seen in the spring of 2024. Since then, attackers have come up with a number of scenarios for its use.<\/p>\n<h2>What is ClickFix?<\/h2>\n<p>The ClickFix technique is essentially an attempt to execute a malicious command on the victim\u2019s computer relying solely on social engineering techniques. Under one pretext or another, attackers convince the user to copy a long command line (in the vast majority of cases \u2014 a PowerShell script), paste it into the system\u2019s Run window, and press Enter, which should ultimately lead to compromising the system.<\/p>\n<p>The attack normally begins with a pop-up window simulating a notification about a technical problem. To fix this problem, the user needs to perform a few simple steps, which boil down to copying some object and executing it through the Run application. 
However, in Windows 11, PowerShell can also be executed from the search bar for applications, settings, and documents, which opens when you click on the icon with the system\u2019s logo, so sometimes the victim is asked to copy something there.<\/p>\n<div id=\"attachment_53349\" style=\"width: 785px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/04\/29155621\/what-is-clickfix-copyfix.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-53349\" class=\"wp-image-53349 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/04\/29155621\/what-is-clickfix-copyfix.png\" alt=\"ClickFix: instructions for self-infection\" width=\"775\" height=\"652\"><\/a><p id=\"caption-attachment-53349\" class=\"wp-caption-text\">ClickFix attack \u2013 how to infect your own computer with malware in three easy steps. <a href=\"https:\/\/securelist.com\/fake-captcha-delivers-lumma-amadey\/114312\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/p><\/div>\n<p>This technique earned itself the name ClickFix because usually the notification contains a button, the name of which is somehow related to the verb \u201cto fix\u201d (Fix, How to fix, Fix it\u2026), which the user needs to click to solve the alleged problem or see instructions for solving it. However, this isn\u2019t a mandatory element \u2014 the need to launch some code can be justified by the requirement to check the computer\u2019s security, or, for example, to confirm that the user is not a robot. 
In this case, the Fix button can be omitted.<\/p>\n<div id=\"attachment_53350\" style=\"width: 265px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/04\/29160007\/what-is-clickfix-verify.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-53350\" class=\"size-full wp-image-53350\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/04\/29160007\/what-is-clickfix-verify.png\" alt=\"ClickFix: instructions for a fake captcha\" width=\"255\" height=\"156\"><\/a><p id=\"caption-attachment-53350\" class=\"wp-caption-text\">An example of instructions for confirming that you\u2019re not a robot. <a href=\"https:\/\/securelist.com\/fake-captcha-delivers-lumma-amadey\/114312\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/p><\/div>\n<p>The scheme may differ slightly from case to case, but attackers typically give the victim the following instructions:<\/p>\n<ul>\n<li>click the button to copy the code that solves the problem;<\/li>\n<li>press the key combination [Win] + [R];<\/li>\n<li>press the combination [Ctrl] + [V];<\/li>\n<li>press [Enter].<\/li>\n<\/ul>\n<p>So what actually happens? The first action (clicking the button to copy the code that solves the problem) copies some script invisible to the user to the clipboard. The second (pressing the key combination [Win] + [R]) opens the Run window, which in Windows is designed to quickly launch programs, open files and folders, and enter commands. In the third (pressing the combination [Ctrl] + [V]), the PowerShell script is pasted into the Run window from the clipboard. And finally, with the fourth action (pressing [Enter]), the code is launched with the current user privileges.<\/p>\n<p>As a result of executing the script, malware is downloaded and installed onto the computer \u2014 with the specific malicious payload varying from campaign to campaign. 
Thus, the user runs a malicious script on their own system, thereby infecting their own computer.<\/p>\n<h2>Typical attacks using the ClickFix technique<\/h2>\n<p>Sometimes attackers create their own websites and lure users to them using various tricks. Or they hack existing websites and force them to display a pop-up window with instructions. In other cases similar instructions are delivered under various pretexts via email, social networks, or even through instant messengers. Here are some typical scenarios of using this technique in attacks:<\/p>\n<h3>1. Unable to display the page, need to refresh the browser<\/h3>\n<p>A classic scenario in which the visitor doesn\u2019t see the page they expected to and is told they need to install a browser update to display it.<\/p>\n<h3>2. Error loading a document on a website<\/h3>\n<p>Another standard tactic: the user isn\u2019t allowed to view a certain document in Microsoft Word or PDF format. Instead, they\u2019re shown a notification asking them to install a plugin for viewing the PDF or \u201cWord online\u201d.<\/p>\n<h3>3. Error opening a document from email<\/h3>\n<p>In this case attackers substitute the file format. The victim sees a .pdf or .docx icon, but in reality clicks on an HTML file that opens in the browser. Then everything is similar to the previous case: the supposed need for a plugin, malicious instructions, and the familiar \u201cHow to fix\u201d button.<\/p>\n<h3>4. Problems with the microphone and camera in Google Meet or Zoom<\/h3>\n<p>A more unusual variation of the ClickFix tactic is used on fake Google Meet or Zoom websites. The user receives a link for a video call, but \u201cis not allowed to join\u201d it, because there are problems with their microphone and camera. The message \u201cexplains\u201d how to fix it.<\/p>\n<h3>5. 
Prove that you\u2019re not a robot \u2013 fake CAPTCHA<\/h3>\n<p>Finally, the most curious version of the attack using ClickFix: the site visitor is asked to complete a fake CAPTCHA to prove they\u2019re not a robot. But the required proof is, of course, to follow the instructions written in the pop-up window.<\/p>\n<div id=\"attachment_53351\" style=\"width: 957px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/04\/29160217\/what-is-clickfix-CAPTCHA.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-53351\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/04\/29160217\/what-is-clickfix-CAPTCHA.png\" alt=\"ClickFix web attack: fake CAPTCHA\" width=\"947\" height=\"545\" class=\"size-full wp-image-53351\"><\/a><p id=\"caption-attachment-53351\" class=\"wp-caption-text\">Prove you\u2019re not a robot \u2013 to do this, run a malicious script on your computer. <a href=\"https:\/\/securelist.com\/lumma-fake-captcha-attacks-analysis\/116274\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/p><\/div>\n<h3>How to protect yourself from ClickFix attacks?<\/h3>\n<p>The simplest mechanism for protecting your company from attacks using the ClickFix technique involves blocking the [Win] + [R] key combination in the system \u2014 it\u2019s hardly needed at all in the day-to-day work of the typical employee. However, this isn\u2019t a panacea \u2014 as we already wrote above, in Windows 11 the script can be launched from the search bar, and some variations of this attack use more detailed instructions in which the user is told how to manually open the Run window.<\/p>\n<p>Therefore, protective measures, of course, should be comprehensive and primarily aimed at training employees. 
It\u2019s worth conveying to them that if someone asks them to perform any manual manipulations with the system, it\u2019s an extremely alarming sign.<\/p>\n<p>Here are some tips on how to protect your organization\u2019s employees from attacks using ClickFix tactics:<\/p>\n<ul>\n<li>Be sure to use <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener nofollow\">a reliable security solution<\/a> on all corporate devices, and also install <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/mail-server?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksms___\" target=\"_blank\" rel=\"noopener nofollow\">protection at the mail gateway level<\/a>.<\/li>\n<li>Raise employee awareness of cyberthreats, including new tactics, with specialized training. Organizing such training is easy \u2013 just use our automated educational <a href=\"https:\/\/k-asap.com\/en\/?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">Kaspersky Automated Security Awareness Platform<\/a>.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kasap\">\n","protected":false},"excerpt":{"rendered":"<p>An infection tactic called ClickFix is becoming increasingly popular among cybercriminals. 
We explain how such attacks work and how to protect your company against them.<\/p>\n","protected":false},"author":2484,"featured_media":53353,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051,3052,2683],"tags":[513],"class_list":{"0":"post-53348","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"category-threats","11":"tag-social-engineering"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/what-is-clickfix\/53348\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/what-is-clickfix\/28798\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/what-is-clickfix\/24030\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/what-is-clickfix\/28910\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/what-is-clickfix\/39442\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/what-is-clickfix\/29073\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/what-is-clickfix\/34852\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/what-is-clickfix\/34485\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/social-engineering\/","name":"social 
engineering"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53348","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2484"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=53348"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53348\/revisions"}],"predecessor-version":[{"id":53352,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53348\/revisions\/53352"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/53353"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=53348"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=53348"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=53348"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}