ClickFix is a social engineering trick that hackers have been using more and more since early 2024 to spread malware.
It fools you into running malicious commands on your own computer, and the attack is now more common than ever. Hackers are getting people to install password-stealing malware by making them press a series of keyboard shortcuts, all under the pretense of proving they’re not bots.
Bots are automated computer programs that perform repetitive tasks online, often mimicking human behavior. By tricking you into proving they’re not bots, hackers exploit your lack of understanding about these automated systems to make you unwittingly install malware.
As reported by KrebsOnSecurity, the latest ClickFix campaign tricks you into installing password-stealing malware under the guise of a routine “Verify You Are a Human” test. Initially seen in targeted attacks, it has now gone mainstream, affecting industries like hospitality and healthcare.
The scam begins when you visit a hacked or malicious website and see a fake CAPTCHA-style prompt. Clicking the “I’m not a robot” button triggers a set of instructions asking you to press specific keyboard shortcuts. First, you are told to press Windows + R, which opens the Windows Run dialog. Then you are instructed to press CTRL + V, which pastes a malicious script copied from the website’s virtual clipboard. If you press enter, a script is executed that downloads and runs malware.
WHAT IS ARTIFICIAL INTELLIGENCE (AI)?
Cybercriminals are using phishing emails and malicious websites to spread ClickFix. The hospitality industry has been heavily targeted, with attackers impersonating Booking.com and sending fake emails referencing guest reviews or promotions. Clicking on links in these emails directs you to a ClickFix trap. Healthcare workers have also been targeted, with malicious code embedded into the widely used physical therapy site HEP2go.
Once ClickFix is on your PC, it installs various types of malware, including password stealers like XWorm, Lumma Stealer and DanaBot, which extract your login credentials and financial information. Some versions deliver remote access trojans like VenomRAT and AsyncRAT, giving attackers full control over your system. Others deploy NetSupport RAT, a remote access tool commonly misused for cyber espionage.
THE HIDDEN COSTS OF FREE APPS: YOUR PERSONAL INFORMATION
Security researchers believe ClickFix has been targeting people since March 2024. I reported on the malware back in June 2024 when it posed as fake Google Chrome, Word and OneDrive errors to trick users into downloading harmful code. Just like in the current campaign, attackers prompted victims to click a button that copied a PowerShell “fix” to the clipboard, then paste and run it in a Run dialog or PowerShell prompt.
By November 2024, attackers had expanded their targets to Google Meet users. The scam started with an email containing a link to a Google Meet session, often disguised to appear as if it were from the victim’s organization. This link leads to an invite for a meeting, webinar or online collaboration. Clicking the link directed the victim to a fake Google Meet page, which displayed a warning claiming there was an issue with their PC, such as problems with their microphone, camera or headset.
The attack was also seen in fake Chrome error pages and Facebook login prompts, further spreading the malware across different platforms and increasing its reach.
OUTSMART HACKERS WHO ARE OUT TO STEAL YOUR IDENTITY
To protect yourself from the evolving threat of ClickFix malware, which continues to target users through sophisticated social engineering tactics, consider implementing these six essential security measures.
1. Be skeptical of CAPTCHA prompts: Legitimate CAPTCHA tests never require you to press Windows + R, copy commands or paste anything into PowerShell. If a website instructs you to do this, it’s likely a scam. Close the page immediately and avoid interacting with it.
2. Don’t click links from unverified emails and use strong antivirus software: Many ClickFix attacks start with phishing emails that impersonate trusted services like Booking.com or Google Meet. Always verify the sender before clicking on links. If an email seems urgent or unexpected, go directly to the company’s official website instead of clicking any links inside the email.
GET FOX BUSINESS ON THE GO BY CLICKING HERE
The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices.
3. Enable two-factor authentication: Enable two-factor authentication whenever possible. This adds an extra layer of security by requiring a second form of verification, such as a code sent to your phone, in addition to your password.
4. Keep devices updated: Regularly updating your operating system, browser and security software ensures you have the latest patches against known vulnerabilities. Cybercriminals exploit outdated systems, so enabling automatic updates is a simple but effective way to stay protected.
5. Monitor your accounts for suspicious activity and change your passwords: If you’ve interacted with a suspicious website, phishing email or fake login page, check your online accounts for any unusual activity. Look for unexpected login attempts, unauthorized password resets or financial transactions that you don’t recognize. If anything seems off, change your passwords immediately and report the activity to the relevant service provider. Also, consider using a password manager to generate and store complex passwords. Get more details about my best expert-reviewed password managers of 2025 here.
6. Invest in personal data removal service: Consider using a service that monitors your personal information and alerts you to potential breaches or unauthorized use of your data. These services can provide early warning signs of identity theft or other malicious activities resulting from ClickFix or similar attacks. While no service promises to remove all your data from the internet, having a removal service is great if you want to constantly monitor and automate the process of removing your information from hundreds of sites continuously over a longer period of time. Check out my top picks for data removal services here.
MASSIVE SECURITY FLAW PUTS MOST POPULAR BROWSERS AT RISK ON MAC
ClickFix is a reminder that malware doesn’t always rely on complex exploits. It often just needs you to follow the wrong instructions. Attackers are refining their methods, making scams like fake CAPTCHAs, phishing emails and deceptive pop-ups more convincing than ever. The best way to stay ahead is to question anything that seems even slightly off. If a website asks you to run commands or paste something into PowerShell, it’s a red flag. If an email pressures you into clicking a link, verify it first.
Do you think tech companies are doing enough to stop malware like ClickFix? Let us know by writing us at Cyberguy.com/Contact.
For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter.
Ask Kurt a question or let us know what stories you’d like us to cover.
Follow Kurt on his social channels:
Answers to the most-asked CyberGuy questions:
New from Kurt:
Copyright 2025 CyberGuy.com. All rights reserved.