ClickFix Attack.

A 2024-vintage social-engineering lure that displays a fake CAPTCHA, error dialog, or 'verify you're human' page instructing the victim to paste a pre-copied PowerShell command into Run, delivering info-stealers or loaders. It belongs to the Attacks & Threats category of cybersecurity.

A 2024-vintage social-engineering lure that displays a fake CAPTCHA, error dialog, or 'verify you're human' page instructing the victim to paste a pre-copied PowerShell command into Run, delivering info-stealers or loaders.

ClickFix is a social-engineering pattern that exploded in 2024 and remained one of the most common initial-access vectors in 2025–2026 stealer campaigns. The victim lands on a compromised or attacker-controlled page that mimics a CAPTCHA challenge, a Microsoft/Cloudflare verification prompt, or a 'fix the document loading error' dialog. The page silently writes a long, obfuscated PowerShell or `mshta` command to the clipboard and asks the victim to press Win+R, paste, and press Enter to 'complete verification' or 'apply the fix'. Because the user types the command themselves, no exploit, macro, or signed payload is required — endpoint controls relying on browser exploitation or office-macro telemetry miss it entirely. Documented payloads include Lumma Stealer, DarkGate, Vidar, Atomic Stealer (macOS variants), AsyncRAT, and SocGholish loaders. Defenses combine user training on never pasting commands into Run, attack-surface reduction rules blocking PowerShell/mshta launched from Explorer, and EDR telemetry on suspicious clipboard-sourced PowerShell.

Defences for ClickFix Attack typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: Paste-and-run lure, Fake CAPTCHA attack.