Cybersecurity research has revealed that ClickFix campaigns have evolved into a more sophisticated malware delivery operation that relies on backend application programming interfaces to generate customized payloads for victims in real time. Security researcher Bert Jan Pals analyzed approximately 3,000 payloads collected from active ClickFix campaigns and found that attackers are now using automated infrastructure capable of producing unique malicious commands for each visitor while introducing new techniques designed to evade Windows security protections. The findings were presented during OrangeCon in early June and later published on June 30. Researchers believe these developments demonstrate how ClickFix continues to evolve from a simple social engineering technique into a scalable malware delivery platform that can adapt its payloads and infection methods based on the targeted system.
ClickFix relies on deceptive web pages that display fake CAPTCHA prompts or error messages instructing users to verify themselves by copying and running commands on their own systems. Hidden JavaScript automatically places a malicious command into the user’s clipboard, while the webpage instructs the victim to paste the command into Windows Terminal or another system utility and execute it. Since the victim voluntarily launches the command, there is typically no software vulnerability involved during the initial compromise and often no malicious file immediately written to disk for conventional antivirus products to detect. According to previous industry research, the effectiveness of this technique has grown significantly. ESET reported a 517 percent increase in ClickFix activity from late 2024 into the first half of 2025, while Microsoft’s 2025 Digital Defense Report stated that ClickFix accounted for 47 percent of initial access incidents investigated by its Defender Experts team. The technique has also been formally recognized within the MITRE ATT&CK framework under technique T1204.004.

During his analysis, Pals discovered that modern ClickFix infrastructure now relies on backend servers that validate access tokens, record visitor activity, and generate newly obfuscated payloads for every request. When the researcher requested one hundred payloads from a single server, each response contained a different encrypted or encoded wrapper using combinations of Base64, AES, TripleDES, Rijndael, and Deflate. Despite the changing wrappers, the underlying script remained the same and ultimately executed within memory through a PowerShell runspace. Researchers cautioned that future versions may also begin generating unique malware for each victim instead of only changing the surrounding obfuscation.
The research also uncovered a new delivery technique intended to reduce detection by the Windows Antimalware Scan Interface (AMSI). Instead of placing the full malicious script onto the clipboard, newer ClickFix campaigns silently download an archive into the Downloads folder while copying only a short PowerShell orchestrator command. After the user pastes and executes this command, it moves the downloaded archive to a temporary directory, extracts its contents, and launches the embedded PowerShell script. Because the malicious payload remains inside the downloaded archive instead of appearing directly within the clipboard command, researchers believe this method is designed to reduce the likelihood of script inspection before execution. Pals also observed a change in how attackers instruct victims to execute the commands. Earlier ClickFix campaigns typically directed users to open the Windows Run dialog through the Windows key + R shortcut. More recent campaigns increasingly instruct victims to use Windows Terminal through the Windows key + X shortcut, which leaves fewer forensic traces because it does not generate entries within the RunMRU registry key that investigators commonly review during incident response.
Researchers also noted that ClickFix has expanded beyond financially motivated cybercriminal operations and has been incorporated into campaigns associated with state-backed threat groups. Previous investigations by Proofpoint linked ClickFix techniques to activity involving APT28, MuddyWater, and Kimsuky, while North Korean operators also adapted the approach into fake employment campaigns targeting cryptocurrency professionals through a tactic known as ClickFake Interview. Related variants, including FileFix and DownloadFix, have also emerged by abusing other trusted Windows utilities. Security company Expel previously estimated that one ClearFake campaign using similar techniques may have affected as many as 147,521 systems since late August 2025.

According to Pals, defenders should prioritize monitoring suspicious process chains rather than relying solely on clipboard analysis. Common execution patterns observed during the research included explorer.exe or WindowsTerminal.exe launching PowerShell, cmd.exe, or msiexec.exe, followed by outbound network communication. Researchers also recommend strengthening behavioral endpoint detection, limiting which applications can invoke scripting engines through application control policies, and educating users never to paste commands into Windows Terminal or other system utilities simply because a website instructs them to do so. During the investigation, researchers identified three payload servers used in active campaigns: comicstar.lat, babybon.cfd, and merkantalolol.asia. While communication with these servers does not by itself confirm malware execution, it strongly indicates that a malicious command was likely delivered to a user’s clipboard during a ClickFix interaction.
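As an added example (not from the article or from Pals's research), the following Python sketch applies the process-chain heuristic recommended above to constructed process-creation and network telemetry. The parent and child image names come from the article; the event record shape, the five-minute correlation window, the `image_name` helper and the sample paths and addresses are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Parents a victim pastes into, and the script hosts the article reports them
# spawning; image names are compared case-insensitively by file name only.
PASTE_PARENTS = {"explorer.exe", "windowsterminal.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "msiexec.exe"}
NET_WINDOW = timedelta(minutes=5)  # assumed: how soon a callback must follow spawn

def image_name(path):
    """Lower-case file name of a Windows image path (constructed helper)."""
    return path.rsplit("\\", 1)[-1].lower()

def find_clickfix_chains(events):
    """Flag script hosts launched from a paste-capable parent that then open an
    outbound connection within NET_WINDOW. Events use a constructed shape:
    process events carry ts/pid/image/parent_image, network events ts/pid/dest."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        if e["type"] != "network" or e["pid"] not in procs:
            continue
        p = procs[e["pid"]]
        child, parent = image_name(p["image"]), image_name(p["parent_image"])
        if child not in SCRIPT_HOSTS or parent not in PASTE_PARENTS:
            continue  # e.g. msiexec.exe under svchost.exe is routine, not ClickFix
        gap = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(p["ts"])
        if timedelta(0) <= gap <= NET_WINDOW:
            alerts.append({"pid": e["pid"], "chain": f"{parent} -> {child}",
                           "dest": e["dest"], "seconds_after_spawn": int(gap.total_seconds())})
    return alerts

# Constructed sample telemetry (not real EDR output): two ClickFix-style chains,
# one interactive PowerShell with no network, one msiexec.exe spawned by a service.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ts": "2025-06-30T10:00:00", "type": "process", "pid": 4120, "image": PS,
     "parent_image": r"C:\Windows\explorer.exe"},
    {"ts": "2025-06-30T10:00:03", "type": "network", "pid": 4120, "dest": "203.0.113.10:443"},
    {"ts": "2025-06-30T10:01:00", "type": "process", "pid": 5200, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\WindowsApps\Terminal\WindowsTerminal.exe"},
    {"ts": "2025-06-30T10:01:02", "type": "network", "pid": 5200, "dest": "198.51.100.7:80"},
    {"ts": "2025-06-30T10:02:00", "type": "process", "pid": 6000, "image": PS,
     "parent_image": r"C:\Windows\explorer.exe"},
    {"ts": "2025-06-30T10:03:00", "type": "process", "pid": 7000, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"ts": "2025-06-30T10:03:01", "type": "network", "pid": 7000, "dest": "192.0.2.5:443"},
]

if __name__ == "__main__": print(find_clickfix_chains(SAMPLE_EVENTS))
```

Only the two chains rooted in explorer.exe and WindowsTerminal.exe with a following connection are flagged; the service-spawned msiexec.exe and the idle PowerShell session are not.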