Since August 2024, both state-sponsored hackers and cybercriminals have been adopting a technique called ClickFix to deploy information stealer malware, cybersecurity firm Group-IB reports.
ClickFix is a social engineering technique in which malicious JavaScript code on web pages prompts the user to perform an action that results in the delivery of a malicious payload.
Typically, the user sees a prompt instructing them to perform an update, fix an error, or verify that they are human on a fake reCAPTCHA page containing malicious code.
The malicious JavaScript code copies a command to the clipboard, and the user is instructed to open the Windows Run dialogue by pressing Win+R, paste the clipboard content using the Ctrl+V key combination, and hit Enter.
This causes the malicious command to be executed on the victim’s machine, and a malware payload to be delivered, typically an information stealer such as Lumma, XWorm RAT, VenomRAT, AsyncRAT, and others. In one instance, the final payload was the DarkGate malware.
Group-IB observed threat actors relying on phishing emails, malvertising, and spam messages on forums, social media platforms, and comment sections to direct victims to malicious websites, phishing sites mimicking legitimate services, and compromised websites hosting malicious code associated with ClickFix.
An earlier iteration of the technique was observed in October 2023, disguised as a Cloudflare anti-bot protection prompt. The broad adoption of the more mature technique called ClickFix, however, started in August 2024, and appears to have accelerated since the beginning of 2025.
Hunting for both the fake reCAPTCHA element and for the copy-to-clipboard functionality observed in these attacks, Group-IB identified multiple variants of ClickFix pages that impersonate Google reCAPTCHA, social media sites, Cloudflare bot protection, or claim issues with the user’s browser.
All variations work in a similar manner: the user is prompted to click on the ‘I’m not a robot’, ‘Fix it’, or ‘Copy Fix’ prompt, which automatically copies the malicious code to the clipboard, and then to execute the code in the Run dialog.
“The possibilities are endless, and the technique continues to evolve, finding innovative ways to deceive users. As threat actors refine their methods, we can expect even more sophisticated variants to emerge,” Group-IB notes.
The cybersecurity firm observed ClickFix attacks targeting users of websites offering free movies, games, or cracked software, GitHub users, and enterprise users. It also notes that APT groups such as Iran-linked MuddyWater and Russia-linked APT28 have been employing the ClickFix technique in their attacks.
This week, Microsoft warned of attacks against the hospitality sector in North America, Europe, Oceania, and Asia leveraging the ClickFix technique, and Cofense detailed its use in the distribution of the XWorm RAT.
Related: Homebrew macOS Users Targeted With Information Stealer Malware
Related: ‘SteelFox’ Miner and Information Stealer Bundle Emerges
Related: Threat Actors Abuse GitHub to Distribute Multiple Information Stealers
Related: Information Stealer Exploits Windows SmartScreen Bypass
