Amid the ever-evolving cybersecurity landscape, a surge in attacks leveraging the so-called “ClickFix” technique has been documented across multiple industries worldwide since March 2024.
The method, increasingly adopted by notorious Advanced Persistent Threat (APT) groups such as APT28 (Russia) and MuddyWater (Iran), centers on sophisticated social engineering tactics that exploit unsuspecting end users through the presentation of fake error messages, CAPTCHA prompts, or urgent problem-solving instructions.
Technical Overview
ClickFix attacks typically begin with a spear phishing email, drive-by compromise, or shared malicious link through a trusted platform like GitHub.
The user is redirected to a site displaying what appears to be a routine verification or device registration prompt.
In reality, they are being baited to perform actions that ultimately result in the execution of malicious PowerShell commands.
The process commonly unfolds in three steps: opening the Windows Run dialog (Windows Key + R), pasting a PowerShell script, and executing the script.
This relatively simple method allows attackers to bypass multiple layers of technical security by manipulating the human element.
Once the malicious PowerShell command is executed, it establishes communication with a command and control (C2) infrastructure, often via previously unobserved PowerShell user agents over HTTP.
This foothold enables lateral movement, credential harvesting, and data exfiltration. Frequently deployed malware families in these campaigns include XWorm, Lumma, and AsyncRAT.
Attack Lifecycle
According to the report, research conducted by Darktrace Threat Research in early 2025 illustrates the sophisticated lifecycle of ClickFix campaigns:
- Initial access via social engineering is quickly followed by execution of malicious code on the endpoint.
- Malicious files, often numerically named to evade detection, are downloaded and executed. Analysis of these files revealed techniques such as converting system timestamps to Unix epoch format and using them as filenames (e.g., `/1744205200`), further hindering identification.
- Real-time packet capture (PCAP) and HTTP stream analysis have confirmed exfiltration of system information to C2 endpoints such as `193.36.38[.]237`.
- Enhanced detection models, including the monitoring of anomalous PowerShell user agents and suspicious numeric file downloads, have proven vital for early detection.
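The two detection signals the report names, a PowerShell user agent not previously seen from a device and a download whose filename is a bare Unix epoch, as an added example of how a defender could check them against proxy logs. This is illustrative code written for this summary, not Darktrace's detection model; the log layout, the per-device user-agent baseline and the sample lines are constructed, and the epoch window is an assumed tuning value.

```python
import re
from datetime import datetime, timezone

# Constructed proxy-log layout (not a real product format):
# timestamp | src_ip | dst_host | method | path | user_agent
LOG_RE = re.compile(r"^(?P<ts>\S+) \| (?P<src>\S+) \| (?P<dst>\S+) \| "
                    r"(?P<method>\S+) \| (?P<path>\S+) \| (?P<ua>.+)$")

# Assumed window in which a bare 10-digit path counts as a timestamp-as-filename
# (the report's /1744205200 decodes to April 2025); tune for your environment.
EPOCH_LO = int(datetime(2024, 1, 1, tzinfo=timezone.utc).timestamp())
EPOCH_HI = int(datetime(2027, 1, 1, tzinfo=timezone.utc).timestamp())

def is_epoch_named_path(path: str) -> bool:
    """True for a request path whose only segment is a plausible Unix epoch."""
    m = re.fullmatch(r"/(\d{10})", path)
    return m is not None and EPOCH_LO <= int(m.group(1)) < EPOCH_HI

def is_powershell_ua(ua: str) -> bool:
    """Default Invoke-WebRequest/Invoke-RestMethod agents carry this token."""
    return "PowerShell" in ua

def detect(lines, ua_baseline):
    """Return (src_ip, dst, reasons) per flagged line. ua_baseline maps src_ip to
    the user agents seen from it before, so PowerShell is flagged only when new."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not fit the constructed layout
        reasons = []
        if is_powershell_ua(m["ua"]) and m["ua"] not in ua_baseline.get(m["src"], set()):
            reasons.append("new PowerShell user agent")
        if is_epoch_named_path(m["path"]):
            reasons.append("epoch-named file download")
        if reasons:
            findings.append((m["src"], m["dst"], reasons))
    return findings

PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
UA_BASELINE = {"10.1.2.5": {PS_UA}}  # constructed: admin host already known to use PowerShell
SAMPLE_LOG = [  # constructed lines; destinations reuse the IoCs listed in this article
    "2025-04-09T13:40:01Z | 10.1.2.30 | 193.36.38[.]237 | GET | /1744205200 | " + PS_UA,
    "2025-04-09T13:41:10Z | 10.1.2.31 | update.example.com | GET | /catalog/2025.json | " + CHROME_UA,
    "2025-04-09T13:42:15Z | 10.1.2.5 | psgallery.example.com | GET | /modules/Pester.nupkg | " + PS_UA,
    "2025-04-09T13:43:02Z | 10.1.2.30 | 188.34.195[.]44 | GET | /1.txt | " + PS_UA,
]
```

Running `detect(SAMPLE_LOG, UA_BASELINE)` flags only the two requests from 10.1.2.30; the admin host's PowerShell traffic is suppressed by its baseline, which is the part that keeps this usable on a network where PowerShell downloads are legitimate on some devices.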
In some cases, attacker objectives included scanning for additional internal machines to propagate the attack, followed by comprehensive data exfiltration to endpoints now flagged as malicious across open-source intelligence sources.
In one observed incident, the compromised device connected to a secondary C2 server (188.34.195[.]44) and executed additional file transfers indicative of the final attack stage. Timely response remains critical.
While some environments required manual intervention to sever C2 communications and quarantine affected devices, others benefitted from Darktrace’s Autonomous Response system, which automatically blocked malicious endpoints and isolated compromised devices seconds after detection.
This automation was essential in containing attacks before attackers could achieve their final objectives.
ClickFix represents a highly effective and scalable attack vector due to its reliance on user action rather than vulnerabilities in software.
Industries heavily targeted include healthcare, hospitality, automotive, and government, with campaigns continuing to evolve and evade traditional signature-based defenses.
The identification and correlation of indicators of compromise (IoCs) are now fundamental to proactive defense strategies, while anomaly-based detection remains crucial in uncovering the early stages of such attacks.
Indicators of Compromise (IoC)
| IoC | Type | Description |
|---|---|---|
| 141.193.213[.]11 | IP address | Possible C2 infrastructure |
| 138.199.156[.]22 | IP address | C2 server |
| 193.36.38[.]237 | IP address | C2 server |
| 188.34.195[.]44 | IP address | C2 server |
| 185.250.151[.]155 | IP address | C2 server |
| rkuagqnmnypetvf[.]top | Hostname | C2 server |
| /1744205200 | URI | Malicious file (numeric) |
| /1.txt | URI | Malicious file |
| shorturl[.]at/UB6E6 | Hostname | Possible C2 infrastructure |
| 34ff2f72c19143… (truncated) | SHA-256 hash | Malicious file |
| 10a5eab3eef36… (truncated) | SHA-1 hash | Malicious file |