"Rather than relying on automated exploits or malicious attachments, ClickFix attacks exploit human fallibility by convincing their targets to manually execute attacks using tools like PowerShell, Windows Run box, or other shell utilities after luring them to compromised websites promising fake prompts that instruct them to copy a command into their Run dialogue or PowerShell window. NCC said such attacks represent a marked shift in social engineering because the victims are acting entirely voluntarily -"
"'This shift challenges traditional detection models as the command originates from a trusted user process, rather than an untrusted download or exploit chain,' wrote the NCC team. 'Understanding and mitigating ClickFix attacks is crucial because it can bypass conventional defences,' they said. 'Email filters, sandboxing and automated URL analysers cannot always flag a malicious action that is conducted manually by an end user. Once the payload is executed, attackers can deploy RATs, enabling persistence, credential harvesting and eventual ransomware deployment.'"
NCC Group observed ClickFix attacks surge over 500% in the first half of 2025 and outpace phishing and clickjacking by late 2025. ClickFix lures victims to compromised websites that show fake prompts instructing them to copy commands into PowerShell, the Windows Run box, or other shells, causing users to execute payloads manually. The technique shifts social engineering because the malicious command originates from trusted user processes, evading conventional controls like email filters, sandboxing and URL analysers. Once executed, attackers can install RATs for persistence, harvest credentials and stage ransomware; access brokers sell compromised endpoints to ransomware gangs.
Read at ComputerWeekly.com
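One way to triage for the pattern summarised above, as an added example that is not code from NCC Group or ComputerWeekly: it scores process-creation events in which explorer.exe (the parent of anything started from the Run box) launches a shell. The field names, signal patterns, threshold and sample events are assumptions constructed for this illustration.

```python
import re

# Shells a user can start from the Run box or Start menu (illustrative list).
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Command-line traits scored here. The patterns are assumptions made for this
# example, not a vetted rule set.
SIGNALS = {
    "hidden_window": re.compile(r"-w\w*\s+h(idden)?\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "verification_lure_text": re.compile(r"captcha|not a robot|verif", re.I),
}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(event):
    """Return matched signal names for a shell started by explorer.exe, else []."""
    if basename(event["parent_image"]) != "explorer.exe":
        return []  # services, agents and scheduled tasks belong to other rules
    if basename(event["image"]) not in SHELLS:
        return []
    return sorted(n for n, rx in SIGNALS.items() if rx.search(event["command_line"]))

def flag(events, threshold=2):
    """Hosts whose event matches at least `threshold` signals."""
    hits = ((e["host"], triage(e)) for e in events)
    return [(host, sigs) for host, sigs in hits if len(sigs) >= threshold]

# Constructed process-creation events (fields as in Sysmon Event ID 1 or
# Security 4688 with command-line auditing); hosts, URLs and commands are made up.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"host": "WS-01", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": 'powershell -w hidden -c "<placeholder> https://example.invalid/a" # I am not a robot'},
    {"host": "WS-02", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell.exe -NoExit -Command Get-ChildItem"},
    {"host": "WS-03", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell Start-Process https://intranet.example.invalid/wiki"},
    {"host": "SRV-04", "parent_image": r"C:\Windows\System32\services.exe", "image": PS,
     "command_line": r"powershell -w hidden -File C:\jobs\sync.ps1 -Uri https://example.invalid/api"},
]

if __name__ == "__main__":
    for host, sigs in flag(EVENTS):
        print(host, sigs)
```

A command pasted into an already-open PowerShell window creates no new process, so this view misses it; PowerShell script block logging (event 4104) covers that path.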