
ClickFix Campaign: Evolution of Social Engineering and Infostealer Distribution

Threat actors are increasingly pivoting toward social engineering strategies, specifically towards the "ClickFix" tactic that tricks users into manually running malicious scripts. This technique effectively circumvents standard perimeter defences, such as "Mark-of-the-Web" (MOTW) controls and browser sandboxes.

Threat alert
December 3, 2025

Analysis identifies ClickFix as the dominant delivery vector for sophisticated infostealers (e.g., LummaC2, RedLine) and Remote Access Trojans (e.g., NetSupport, DarkGate).

Key Report Findings:

  • Evolution: New, stealthy variants are exploiting the Windows Explorer address bar ("FileFix") and Admin PowerShell ("TerminalFix").
  • Sophistication: Payloads are being hidden via steganography and blockchain-based "EtherHiding."
  • The Gap: Significant visibility blind spots regarding clipboard activity and trusted parent processes like explorer.exe.

Delivery & Social Engineering Mechanism

The success of the "ClickFix" tactic relies entirely on high-fidelity social engineering. Threat actors design deceptive webpages that perfectly mimic legitimate service errors or browser verification prompts. These lures are distributed through three primary channels: compromised legitimate infrastructure, SEO poisoning (malvertising), and targeted phishing campaigns.

Technical Core: Weaponising the Clipboard

At its core, ClickFix weaponises the system clipboard using JavaScript. By abusing the modern browser "navigator.clipboard.writeText" API, attackers bind a payload to a deceptive UI element. When the user interacts with the page, the malicious script is surreptitiously copied to their clipboard, ready for manual execution.

Execution Vectors and Evasion:

Adversaries have diversified their execution methods to bypass specific security controls:

  • The Classic Run Dialog (ClickFix): Users are instructed to open the Windows Run dialog (Win+R) and paste the clipboard content. This causes explorer.exe to spawn the malicious process (PowerShell, mshta, or cmd), effectively severing the "web-to-process" chain and bypassing browser-based monitoring.
  • The File Explorer Variant (FileFix): This variant targets the Windows Explorer address bar by tricking users into pasting a PowerShell command disguised as a file path. Because the command is launched from the address bar rather than the Run dialog, it leaves TypedPaths registry artefacts instead of RunMRU entries, bypassing Attack Surface Reduction (ASR) rules designed for the Run dialog.
  • Administrative Context (TerminalFix): This vector engineers immediate privilege escalation: users are guided to open an Admin Terminal (Win+X, then A), which triggers a UAC prompt they are coached to accept.
  • macOS Variant: Targeting Unix shells, this vector instructs users to paste commands into the Terminal. The payload typically involves a base64-encoded blob or a curl request piped directly to python3, delivering threats like the Atomic macOS Stealer (AMOS) to harvest Keychain data and crypto wallets.
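The ClickFix and FileFix variants above leave host-side traces in the RunMRU and TypedPaths registry keys. The following PowerShell triage script is an added example written for this alert, not code from the original report or from any vendor: it reads both keys for the current user, strips the formatting Windows adds, and flags entries that look like a pasted interpreter launch or download cradle. The regular expression is the author's assumption about what a pasted ClickFix command tends to contain, not a published signature, and should be tuned to the environment.

```powershell
# Added example (not from the original alert): triage the per-user artefacts left by the
# Run dialog (RunMRU) and the Explorer address bar (TypedPaths). Run in the context of the
# user profile being examined, since both keys live under HKCU.
# Pattern is an assumption: interpreter names, encoded payloads and download cradles that a
# legitimate Run/address-bar entry (a path, an app name, a UNC share) normally would not carry.
# PowerShell's -match operator is case-insensitive by default.
$SuspiciousPattern = '\b(powershell|pwsh|mshta|cmd|wscript|cscript|curl|bitsadmin|certutil|rundll32)\b|' +
                     '-enc|frombase64string|\biex\b|invoke-expression|downloadstring|' +
                     'invoke-webrequest|https?://|\.hta\b'

function Get-RunMruEntries {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return @() }
    $props = Get-ItemProperty -Path $key
    # Entries are stored under single-letter value names; MRUList orders them most recent
    # first, and Windows appends a trailing "\1" to each stored command.
    $order = if ($props.MRUList) { $props.MRUList.ToCharArray() } else { @() }
    foreach ($c in $order) {
        $name = [string]$c
        $prop = $props.PSObject.Properties[$name]
        if ($null -ne $prop) {
            [pscustomobject]@{
                Source  = 'RunMRU'
                Name    = $name
                Command = ([string]$prop.Value -replace '\\1$', '')
            }
        }
    }
}

function Get-TypedPathsEntries {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths'
    if (-not (Test-Path $key)) { return @() }
    $props = Get-ItemProperty -Path $key
    # Values are named url1, url2, ...; url1 is the most recent address-bar entry.
    $props.PSObject.Properties |
        Where-Object { $_.Name -match '^url\d+$' } |
        Sort-Object { [int]($_.Name -replace '^url', '') } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'TypedPaths'; Name = $_.Name; Command = [string]$_.Value }
        }
}

function Test-ClickFixArtefact {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Command)
    # True when the stored entry carries an interpreter, encoded blob or download cradle.
    return [bool]($Command -match $SuspiciousPattern)
}

$findings = @(Get-RunMruEntries) + @(Get-TypedPathsEntries) | ForEach-Object {
    $_ | Add-Member -NotePropertyName Suspicious `
                    -NotePropertyValue (Test-ClickFixArtefact -Command $_.Command) -PassThru
}

$findings | Sort-Object Suspicious -Descending |
    Format-Table Source, Name, Suspicious, Command -AutoSize

if ($findings | Where-Object Suspicious) {
    Write-Warning 'Suspicious Run dialog / Explorer address-bar history found. Correlate with process creation events where explorer.exe is the parent of PowerShell, mshta or cmd.'
}
```

Because the Run dialog and the address bar are both hosted by explorer.exe, a hit here is best confirmed against process-creation telemetry (Sysmon Event ID 1 or Security 4688 with command-line auditing) showing explorer.exe as the parent of the interpreter, which is exactly the parent-process blind spot the alert calls out.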

The Payload Ecosystem

While the delivery mechanism is payload-agnostic, it is predominantly used to deploy information stealers and RATs that have evolved to exploit this technique.

  • Lumma Stealer (LummaC2): The most prevalent payload, operating as a Malware-as-a-Service (MaaS). Its low barrier to entry allows unskilled affiliates to generate automated "ClickFix" kits with fake CAPTCHA pages linked directly to their malware builds.
  • Rhadamanthys (Steganography): Representing the sophisticated end of the market, Rhadamanthys uses steganography. The initial script downloads a high-resolution image rather than an executable. The malware code is encrypted within specific pixel colour channels (such as the Alpha channel), extracted, and executed in memory to evade file-based antivirus scanning.
  • Remote Access Trojans (RATs): Beyond simple theft, this tactic deploys persistent threats like NetSupport RAT (a signed, legitimate tool abused for control) and DarkGate (a sophisticated loader often used as a precursor to ransomware operations).

Recommendations

  • Deploy ASR Rules: Leverage Microsoft Defender to block obfuscated scripts and prevent scripts from launching downloaded executables.
  • Enforce Executable Trust: Configure rules to block binaries that do not meet age or prevalence standards.
  • Restrict Scripting Tools: Use AppLocker to disable PowerShell for standard users and block mshta.exe entirely.
  • Harden Browser Settings: Implement policies that prevent websites from writing to the clipboard without user consent.
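The first two recommendations map onto three Microsoft Defender Attack Surface Reduction rules. The script below is an added example for this alert, not code from the original report: it enables those rules through the Defender PowerShell module, rolling them out in Audit mode first so that the resulting events can be reviewed for false positives before switching to Block, and reads the configuration back to verify it. It assumes an elevated session on a host where Defender Antivirus is the active engine; the rule GUIDs are Microsoft's published identifiers for the rules named in the descriptions. The AppLocker and browser clipboard recommendations are not covered here.

```powershell
# Added example (not from the original alert): stage the ASR rules behind the first two
# recommendations. Requires an elevated PowerShell session with the Defender module
# (Add-MpPreference / Get-MpPreference) available.
$AsrRules = @{
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion'
}

function Set-ClickFixAsrRules {
    param(
        # AuditMode logs what would have been blocked; Enabled enforces the block.
        [Parameter(Mandatory)][ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Action
    )
    foreach ($id in $AsrRules.Keys) {
        # Add-MpPreference updates one rule at a time without disturbing rules already set.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
        Write-Host ('{0,-10} {1}  {2}' -f $Action, $id, $AsrRules[$id])
    }
}

function Get-ClickFixAsrState {
    # Read back what Defender actually holds. Ids and Actions are parallel arrays; the
    # action codes are 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
    $pref  = Get-MpPreference
    $ids   = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
    $acts  = @($pref.AttackSurfaceReductionRules_Actions)
    $names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    foreach ($id in $AsrRules.Keys) {
        $i = [array]::IndexOf($ids, $id.ToLower())
        $state = 'NotConfigured'
        if ($i -ge 0) {
            $code  = [int]$acts[$i]
            $state = if ($names.ContainsKey($code)) { $names[$code] } else { "Unknown($code)" }
        }
        [pscustomobject]@{ RuleId = $id; State = $state; Description = $AsrRules[$id] }
    }
}

function Get-RecentAsrEvents {
    # 1121 = rule blocked an action, 1122 = rule audited an action. Review these during the
    # audit period before moving the rules to Enabled.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Phase 1: audit. After reviewing Get-RecentAsrEvents for a few days, rerun with -Action Enabled.
Set-ClickFixAsrRules -Action AuditMode
Get-ClickFixAsrState | Format-Table -AutoSize
Get-RecentAsrEvents | Format-Table -AutoSize
```

Staging through Audit mode matters for the prevalence/age rule in particular, since it can block legitimate in-house or newly released binaries; the 1122 audit events show which files would have been affected before enforcement is turned on.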