ClickFix Attack.

A 2024-vintage social-engineering lure that displays a fake CAPTCHA, error dialog, or 'verify you're human' page instructing the victim to paste a pre-copied PowerShell command into Run, delivering info-stealers or loaders. Es gehört zur Kategorie Angriffe und Bedrohungen der Cybersicherheit.

A 2024-vintage social-engineering lure that displays a fake CAPTCHA, error dialog, or 'verify you're human' page instructing the victim to paste a pre-copied PowerShell command into Run, delivering info-stealers or loaders.

ClickFix is a social-engineering pattern that exploded in 2024 and remained one of the most common initial-access vectors in 2025–2026 stealer campaigns. The victim lands on a compromised or attacker-controlled page that mimics a CAPTCHA challenge, a Microsoft/Cloudflare verification prompt, or a 'fix the document loading error' dialog. The page silently writes a long, obfuscated PowerShell or `mshta` command to the clipboard and asks the victim to press Win+R, paste, and press Enter to 'complete verification' or 'apply the fix'. Because the user types the command themselves, no exploit, macro, or signed payload is required — endpoint controls relying on browser exploitation or office-macro telemetry miss it entirely. Documented payloads include Lumma Stealer, DarkGate, Vidar, Atomic Stealer (macOS variants), AsyncRAT, and SocGholish loaders. Defenses combine user training on never pasting commands into Run, attack-surface reduction rules blocking PowerShell/mshta launched from Explorer, and EDR telemetry on suspicious clipboard-sourced PowerShell.

Schutzmaßnahmen gegen ClickFix Attack kombinieren typischerweise technische Kontrollen und operative Praktiken, wie in der Definition oben beschrieben.

Übliche alternative Bezeichnungen: Paste-and-run lure, Fake CAPTCHA attack.