A
On the crime side we see a lot of traffic distribution systems, like our crime groups which were previously associated with drive-by malware delivery, now adapting this ClickFix technique. A good example would be UNC5142, which was, and still is, to be honest, a dominant player in the ecosystem.
B
Welcome to another episode of Mandiant Defenders Advantage podcast. I'm your host Luke McNamara. Today I am joined by Dima Lentz, a security engineer here at the Google Threat Intelligence Group. Dima, how are you doing today?
A
Look, I'm good, thank you. Thank you for having me on this podcast.
B
Well, I'm excited to delve into the topic for today, which is a bit of a belated one because the technique that we're talking about is something that's been going on at least since, I think, early 2024, probably even before that. You can correct me on that, but it's been something that we have talked about. I think we've probably put out some blogs around this in the past. It's certainly been in our reporting, and it's not one that we have delved into. And that is the topic around the technique of ClickFix. I think there's a few other names around this, but we'll use at least the term ClickFix to kick this off. So Dima, maybe just to kind of set the scene, what is this technique? What is ClickFix?
A
So ClickFix is a social engineering technique that tries to convince a user into copying and running a malicious command on their system, which in turn will lead to the infection chain and run certain malware or malicious software on the computer. You are right, this is definitely not new. However, we saw a huge uptick with this technique starting in mid-2024. There were definitely campaigns before that, but the prevalence increased significantly around August 2024, and the trend still continues right now. So this is a typical initial access vector, primarily used for delivering further stages. Yeah, those commands that threat actors would try to convince the user to execute are usually disguised as some kind of solution to common daily computer problems, like passing a captcha or fixing some issues. It could be something as technical as a DNS issue or an expired site certificate, or just a problem with the online office or PDF reader.
B
So this can take a number of different forms. As you note, the sort of pop-up, the problem that is presented to the user, can look like many different things. It's a social engineering technique, as you mentioned, used for kind of early initial access. What I find interesting about that is thinking back to the M-Trends report this year and some of the more common ways we're seeing threat actors break into organizations: you know, you have exploits still making up over a third of initial access vectors, initial access entry. And it's interesting there because that technique, if you're thinking about using an exploit on a router or some edge infrastructure, you don't need to have any interaction with the user, right? You're able to do that without any sort of social engineering. This technique, which, as you noted, we are seeing more usage of, is something that does require user interaction, and so there are trade-offs and there are benefits to that. What are some of the things you think about this technique as kind of writ large, why it is attractive to threat actors? And I think we'll talk a little bit later about some of the threat actors doing this, but just in general, why might a threat actor find this an attractive way to gain access to an organization?
A
Right. So the examples that you provided before are definitely interesting, but more sophisticated and more difficult to actually utilize. Finding a zero-day in a perimeter device is not a simple task in comparison to ClickFix or fake captcha, and the whole idea of ClickFix is lucrative to threat actors, I think, from two different angles. So first of all, there is this human element to it, and there is a technical aspect. So on the social engineering side, this is a relatively new or novel technique for many people, so the trust is higher compared to "please run this binary for me on your machine." There are no SmartScreen notifications, there is no warning which will alert the user about something going wrong. So the success chances are higher there. Captchas are also everywhere nowadays due to the constant abuse of major products; developers constantly introduce new captchas, experimenting with different types of captchas, making it harder for automatic solutions to bypass them. And people are used to it, to be honest, so when they see this new type of captcha they're not surprised, and they're willing to follow the instructions, and to be honest, it's actually relatively simple. Just three keystrokes and that's it. On the technical side, ClickFix is also in a good spot, so to say, because in comparison to other infection chains where the infection is more automated, here the user actually starts the infection chain, and many security solutions like antiviruses and web browser security features, which are designed to detect and block malicious downloads and self-executing malware, would not react to something like this. PowerShell and MSHTA, which are usually the two living-off-the-land binaries used by ClickFix, are widely used for administrative purposes, so they would not be blocked or restricted in many environments. And the disk footprint is also minimal with ClickFix. So on both sides, ClickFix looks like a great idea for threat actors to utilize.
B
And when you think about the sort of user interaction piece, I mean, I think that makes a lot of sense. It is interesting. You noted captchas now are a common thing, and "fake captcha" is another term this activity or this technique is referred to by, I should mention. But it is something that is sort of a constant thing that we encounter in our lives. And it almost makes me think of the technique that some threat actors employ around MFA bypass fatigue, or fatigue attacks, where there is a push notification that they keep sending, keep instituting, until the actual victim eventually just says okay, fine, and clicks accept, right? There seems to be a similar sort of thing going on with the human where they get presented with this pop-up and then just go about, you know, doing the thing, implementing the sort of steps that are required of them. So from that standpoint it certainly makes sense why that could be very useful for social engineering. So let's get into some examples of how we've seen threat actors employ this. You know, you mentioned this is something that not necessarily less sophisticated, not very sophisticated threat actors have to do; this is something that can be fairly easy for a less sophisticated threat actor to employ. What are the types of actors that we've seen do this? I think there's been some espionage actors, but a lot of cyber criminal, financially motivated threat actors. How do they employ it, and then sort of what are the follow-on techniques once they've done this and gotten the user to successfully click through and implement what they're doing?
A
Right. So I think initially that was more a cyber crime technique, like you use for distributing malware. But more and more state-sponsored APT groups have incorporated this technique into their operations as well. On the crime side we see a lot of traffic distribution systems, like our crime groups which were previously associated with drive-by malware delivery, now adapting this ClickFix technique. A good example would be UNC5142, which was, and still is, to be honest, a dominant player in the ecosystem. So they shifted from the fake browser update pop-ups like ClearFake to ClickFix, last year, also around August I believe. So now they're delivering this multi-stage JavaScript downloader, which we are tracking as ClearShot, which downloads further payloads and infects the machines. The main malware payload that we have observed would be different types of infostealers, but obviously depending on the environment, if it's a more corporate environment, there could be more. We have seen things like DarkGate and others. While for personal computers, infostealers are the dominant payload.
B
So this could be something that would be a precursor to potentially an infostealer being deployed, credentials being stolen and then subsequently used in, say, an extortion or ransomware-type event, or it could be used to gain initial access and sell that access directly to others in that ecosystem.
A
Right, right. So credential infostealers are a huge problem nowadays for all types of environments, be it corporate or personal. And access to the credentials of a user could also lead to the compromise of the whole corporation or the corporate environment. But we have also seen, for instance, UNC5692, which was also utilizing reCAPTCHA-themed lures, delivering loaders like PEAKLIGHT, Shadow Loader and others; once again, that was more back in 2024, and they switched meanwhile more to infostealers like Lumma, but those loaders were also delivering initial access broker tools.
B
And for these pop-ups or these fake captchas to appear on the user side, what typically does the threat actor need to do to kickstart that process?
A
Depends on the group. So the group UNC5142, the one that I mentioned already, they utilize compromised sites, which is an extremely successful technique. People, be it once again in a corporate environment or personally browsing the Internet, go to the websites that they trust and that they intentionally wanted to visit, and then this fake captcha thing pops up. There is already built-in trust in that website, therefore the user is just willing to follow and execute the instructions that are presented. I mentioned some espionage actors. So on the APT side it's more like spam delivery and targeted attacks against NGOs or government organizations. And in contrast to the fake captcha, which is the predominant, I would say, type of ClickFix for the crime actors, on the APT side it's more about getting access to certain documents by proving the user identity or proving the device is registered, or something like that. There was a campaign from APT33 which was utilizing ClickFix to deliver Panic Pulse, and they were faking PDF documents. And in order to see the PDF documents, a user was supposed to register their device, which, as you might expect, required some instruction to be executed. So depending on the type of the group and on the campaign, different approaches to the user would be applied.
B
You've mentioned a few already, but I'm curious: any particular campaigns or actors or particular sets of activity that have incorporated this technique that you found particularly interesting, as you've seen kind of threat actors employ this in different ways?
A
Once again, going back to UNC5142, they are pretty advanced and they experiment a lot. They incorporate new templates constantly. So those templates fake different types of platforms and products. One of the recent campaigns or templates that they had was faking a Defender alert, including the audio notification. So the user would be, once again, visiting the website as expected. So that's basically usually deployed on the compromised website. The website will be displayed as an empty page, and then on the right side a notification from Defender will pop up, including the sound, like this ping from Defender. So the user is actually used to it, at least the Windows user is; this would not be new for them. And this Defender notification would ask to run certain commands to fix a potential infection on the machine, which in fact will start the infection. So this experimenting with new avenues, how to infect, how to approach users, is particularly interesting, and I think the trend will continue. So more and more brandings and more and more tools will be faked in this regard.
B
Wow. So that's interesting. They're not just mimicking, you know, brands or pop-ups that an entity or individual in an organization would expect to see, but even mimicking the actual sounds that you might hear throughout your workday that, again, don't really raise your kind of attention or security awareness. Maybe more so, the threat actors that are employing this technique are really thinking about what are the ways that we can really successfully engineer the user to engage in this in a way that is pretty low signature. And I guess maybe that is something. On that point, you refer to the fact that there's a lot of constant iteration and they're trialing and experimenting with new ways to go about doing this. What are some of the ways for organizations that are thinking about this technique? One, I would imagine user awareness is key. As you said kind of earlier on, maybe the success of some of this, especially in early 2024, is that this wasn't something that a lot of users would be thinking, I need to be aware of this. Right. Phishing training, that's something a lot of organizations do, but this is a little bit different. But what are some of the things that you think organizations can do to help better secure themselves from this? Whether it's user training or more technical steps?
A
Yeah. Usually when it comes to PowerShell infections, many organizations will rely on script signatures, hoping that this will prevent infection from that side, which would not in this case because there is no script, so to say; the user will actually execute the command, and PowerShell, even with the restricted settings, will allow this. There is a more restrictive or more reliable method which involves limiting the PowerShell language mode itself, but that effectively blocks execution of many administrative utilities and administrative scripts which are used across a corporate environment, which might not work for many organizations. On the other hand, at least at the moment, all current kits that we have seen would copy-paste a command into the clipboard, and JavaScript offers only two methods at the moment for how to copy something into the clipboard; that's basically document.execCommand("copy") and navigator.clipboard.writeText. So tracking those two commands: they might have some legitimate use cases, but I don't expect that there are a lot, at least in the corporate settings. So trying to monitor for those commands in the JavaScript might be useful. But on the other hand, obviously, if this becomes a reliable detection mechanism, threat actors will just stop copying scripts into the clipboard, asking users to do one more step and select the commands themselves rather than putting it there. So, and yeah, I totally agree with you, the ongoing security awareness training is essential here because the novelty of this attack is something which I think makes it so successful.
B
So given that this is a, you know, low-signature type of technique, and we've already seen threat actors find great success in employing this, actors across a range of different motivations, it doesn't seem like it's going to end anytime soon from what you've seen so far in its evolution throughout 2024 and into 2025, and the fact that we're already continuing to see threat actors that are evolving this technique and changing some of the slight TTPs, as you note. What if you had to give some sort of thoughts or predictions around where you think this activity goes? You know, I think, should we expect to see more threat actors adopting this technique? Should we expect to see a sort of continued focus around iterating some of the specific TTPs within this technique? What are your thoughts around kind of where this goes throughout the rest of the year?
A
Right. So one thing that we haven't mentioned, but it's important to say, is that even though the technique was initially used against Windows users only, some kits now utilize bash commands, or provide bash commands to Mac users, which will lead usually to infostealers on the Mac side of the ecosystem, something like Atomic Stealer or things like that. And that actually started later, so this year, but later compared to the uptick of Windows development, or development of the Windows-focused kits. So I think that will be one avenue where threat actors will potentially experiment with more platforms. I think we haven't seen a single kit for Linux so far, but that might be the next one which will come. On the ones that exist already, we see already that kits become more dynamic and visually appealing, which also increases trust and contributes to their success. Simultaneously, some components or central parts of those kits become more convoluted to complicate the detection. So the COLDRIVER kit, for instance, in their campaign against Ukrainian organizations, what they did, they replaced those main commands or strings, which include a command like press Windows key + R, or press Control + C and so on. They replaced that text with images. Visually it looks the same for users, but from the detection perspective it was more difficult to identify it, and some signatures, I'm pretty sure, were bypassed in this way. So I think that would continue. So central components will become more and more difficult to spot because they would be more obfuscated and convoluted. On the other side, threat actors try to get more information about their victims or targets by collecting more telemetry from the browser and user data and improving the communication. So one of the kits that we looked at, the ones that utilize the Cloudflare branding, started utilizing the Telegram API to send information back about everything the kit experiences, for multi-stage kits.
Callbacks to monitoring domains were also observed at each stage now, not only at the beginning, which is also interesting. So I think that kind of serves as a feedback loop for threat actors to probably improve their attack chain in the future. So they will see, aha, it goes all the way up to this point, but for some reason stops; so how can we tweak it to make it better? And yeah, threat actors are definitely moving beyond reCAPTCHA and Cloudflare brandings and Microsoft PDF online platform brandings. So I expect more experimenting with new avenues, be it GitHub, maybe YouTube, or something else where people do not expect something malicious to be presented to them, will be abused to deliver those commands.
B
Clearly the success of this will likely drive or shape future actor investments and resources into continuing to experiment with what is the most successful way to socially engineer the end user. And I think the fact that this seems to be a very low-signature technique, and that the components of this can change very rapidly as the actors evolve, does make it a challenging threat to counter, but I think hopefully this podcast can be a good, useful primer for organizations thinking through this problem and trying to understand where it's going. So, Dima, thank you for your time today. And this was, I think, a great exploration into the world of ClickFix.
A
Thank you.
B
Take care.
A
Bye. Bye.
Host: Luke McNamara (Google Threat Intelligence Group)
Guest: Dima Lentz (Security Engineer, Google Threat Intelligence Group)
Date: July 15, 2025
This episode focuses on the emerging “ClickFix” technique in cyberattacks—a growing, human-centric social engineering approach that leverages fake problem prompts (like captchas, expired certificates, or security warnings) to trick users into running malicious commands on their systems. The discussion covers its evolution across cybercrime and nation-state actors, technical and human factors making ClickFix attractive, notable campaigns, defenses organizations might consider, and predictions about the technique’s future development.
Quote:
“ClickFix is a social engineering technique that tries to convince a user into copying and running a malicious command on their systems which in turn will lead to the infection chain and run a certain malware...”
— Dima Lentz (01:35)
Quote:
“The whole idea of ClickFix is lucrative to threat actors... on the social engineering side... the trust is higher... There are no SmartScreen notifications, there is no warning... On the technical side... antiviruses, web browser security features... would not react to something like this.”
— Dima Lentz (04:01)
Ecosystem Evolution Example:
Quote:
“One of the recent campaigns... was faking Defender Alert, including the audio notification... This Defender notification would ask to run certain commands... which in fact will start the infection.”
— Dima Lentz (13:13)
Technical Barriers:
Script-signing controls do not help, because the user pastes or types the command into PowerShell directly; restricting the PowerShell language mode is more reliable but breaks many legitimate administrative scripts. Since current kits place the command on the clipboard from JavaScript, monitoring the two browser clipboard-write APIs (document.execCommand("copy") or navigator.clipboard.writeText) can surface the lure, though adversaries may quickly adjust if this becomes widespread.
User Awareness is Critical:
Quote:
“Ongoing security awareness training is essential here because the novelty of this attack is something which I think makes it so successful.”
— Dima Lentz (17:56)
Quote:
“I think that will be one avenue where threat actors will potentially experiment with more platforms... We see already that kits become more dynamic and visually appealing which also increases trust and contributes to their success...”
— Dima Lentz (18:46)
On user conditioning:
“People are used to it, to be honest, so when they see this new type of captcha they’re not surprised... willing to follow the instructions.”
— Dima Lentz (04:01)
On campaign creativity:
“This experimenting with new avenues, how to infect, how to approach users is particularly interesting and I think the trend will continue. So more and more brandings... will be faked in this regard.”
— Dima Lentz (13:13)
Prediction:
“Clearly the success of this will likely drive or shape future actor investments and resources into continuing to experiment with what is the most successful way to socially engineer the end user.”
— Luke McNamara (22:29)
For organizations:
Prioritize user education around new lures, and consider supplementing technical monitoring to flag suspicious clipboard or command behaviors initiated through browsers.
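The monitoring idea from the episode, hooking the two JavaScript clipboard-write paths and flagging command-like payloads, as an added example that is not from the podcast, the guest, or Google Threat Intelligence Group. It assumes the hook is installed by a browser extension or enterprise script; the signal list and weights, the fake window object, the placeholder URL and the constructed sample payloads are all assumptions made for this example and should be tuned to your own environment.

```javascript
// Added example (not from the podcast or GTIG): a browser-side monitor for the two
// clipboard-write paths the episode names, document.execCommand("copy") and
// navigator.clipboard.writeText, plus a heuristic that flags clipboard payloads that
// look like ClickFix "run this to fix it" commands. In a real deployment the hook
// would be injected by a browser extension; here it is installed on any object that
// mimics the window API so the example also runs under Node.

// Assumed heuristics for this example. Each signal carries a weight; a score of 2 or
// more blocks the write, 1 logs it for review, 0 allows it.
const SIGNALS = [
  { name: 'powershell',    re: /\b(powershell|pwsh)(\.exe)?\b/i,                        weight: 1 },
  { name: 'mshta',         re: /\bmshta(\.exe)?\b/i,                                     weight: 2 },
  { name: 'cmd',           re: /\bcmd(\.exe)?\s+\/[ck]\b/i,                              weight: 1 },
  { name: 'hidden-window', re: /(^|\s)-(w|windowstyle)\s+hidden\b/i,                     weight: 1 },
  { name: 'encoded-cmd',   re: /(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+\/=]{8,}/i, weight: 2 },
  { name: 'pipe-to-shell', re: /\|\s*(ba|z)?sh\b/i,                                      weight: 2 },
  { name: 'remote-fetch',  re: /\b(curl|wget|iwr|invoke-webrequest|downloadstring)\b/i,   weight: 1 },
];

// Scores one clipboard payload and returns a verdict with the signals that fired.
function classifyClipboardWrite(text) {
  const matched = SIGNALS.filter((s) => s.re.test(text));
  const score = matched.reduce((sum, s) => sum + s.weight, 0);
  const verdict = score >= 2 ? 'block' : score === 1 ? 'review' : 'allow';
  return { verdict, score, signals: matched.map((s) => s.name), length: text.length };
}

// Wraps navigator.clipboard.writeText and document.execCommand on a window-like
// object. Every write is recorded; writes that score "block" are refused. Returns the
// event list so a caller (or a test) can inspect what was seen.
function installClipboardMonitor(win, report) {
  const events = [];
  const record = (api, text) => {
    const result = { api, page: win.location.href, ...classifyClipboardWrite(String(text)) };
    events.push(result);
    if (report) report(result);
    return result;
  };

  const origWriteText = win.navigator.clipboard.writeText.bind(win.navigator.clipboard);
  win.navigator.clipboard.writeText = async (text) => {
    const r = record('navigator.clipboard.writeText', text);
    if (r.verdict === 'block') throw new Error('clipboard write blocked by ClickFix monitor');
    return origWriteText(text);
  };

  const origExec = win.document.execCommand.bind(win.document);
  win.document.execCommand = (cmd, ...rest) => {
    if (String(cmd).toLowerCase() === 'copy') {
      // execCommand("copy") copies the current selection, so that is what we inspect.
      const selection = win.getSelection ? String(win.getSelection()) : '';
      const r = record('document.execCommand(copy)', selection);
      if (r.verdict === 'block') return false; // refuse the copy
    }
    return origExec(cmd, ...rest);
  };
  return events;
}

// Constructed stand-in for a browser window so the example runs outside a browser.
function makeFakeWindow(selectionText) {
  let clipboard = '';
  return {
    location: { href: 'https://example.invalid/compromised-page' }, // placeholder URL
    navigator: { clipboard: { writeText: async (t) => { clipboard = t; } } },
    document: { execCommand: (cmd) => { if (cmd === 'copy') clipboard = selectionText; return true; } },
    getSelection: () => selectionText,
    readClipboard: () => clipboard,
  };
}

// Demo with constructed payloads (placeholders, not real lure commands).
async function demo() {
  const lure = 'powershell -w hidden -c "<constructed placeholder command>"';
  const win = makeFakeWindow(lure);
  const seen = installClipboardMonitor(win, (e) => console.log(e.verdict, e.api, e.signals));
  await win.navigator.clipboard.writeText('Hello from a normal copy button'); // allow
  await win.navigator.clipboard.writeText(lure).catch((e) => console.log(e.message)); // block
  win.document.execCommand('copy'); // block: the selection is the lure text
  return seen;
}

demo();
```

The score threshold is deliberately conservative: a single interpreter name (say, a documentation snippet mentioning PowerShell) is only logged for review, while an interpreter name combined with a hidden-window switch, an encoded command, or a pipe into a shell is refused. As the episode notes, a kit can sidestep the hook by asking the user to select the text themselves, so the events this produces are a detection signal to feed into monitoring, not a complete control.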
For defenders:
Stay alert to evolving ClickFix techniques, as adversaries are quick to adapt visuals, delivery mechanisms, and social engineering tricks to stay ahead.