ClickFix Attack.

A 2024-vintage social-engineering lure that displays a fake CAPTCHA, error dialog, or 'verify you're human' page instructing the victim to paste a pre-copied PowerShell command into Run, delivering info-stealers or loaders. 它属于网络安全的 攻击与威胁 分类。

A 2024-vintage social-engineering lure that displays a fake CAPTCHA, error dialog, or 'verify you're human' page instructing the victim to paste a pre-copied PowerShell command into Run, delivering info-stealers or loaders.

ClickFix is a social-engineering pattern that exploded in 2024 and remained one of the most common initial-access vectors in 2025–2026 stealer campaigns. The victim lands on a compromised or attacker-controlled page that mimics a CAPTCHA challenge, a Microsoft/Cloudflare verification prompt, or a 'fix the document loading error' dialog. The page silently writes a long, obfuscated PowerShell or `mshta` command to the clipboard and asks the victim to press Win+R, paste, and press Enter to 'complete verification' or 'apply the fix'. Because the user types the command themselves, no exploit, macro, or signed payload is required — endpoint controls relying on browser exploitation or office-macro telemetry miss it entirely. Documented payloads include Lumma Stealer, DarkGate, Vidar, Atomic Stealer (macOS variants), AsyncRAT, and SocGholish loaders. Defenses combine user training on never pasting commands into Run, attack-surface reduction rules blocking PowerShell/mshta launched from Explorer, and EDR telemetry on suspicious clipboard-sourced PowerShell.

针对 ClickFix Attack 的防御通常结合技术控制与运营实践,详见上方完整定义。

常见的别称包括: Paste-and-run lure, Fake CAPTCHA attack。