
You visit a website, or open an email link that looks legitimate. A window appears asking you to prove you are human. It looks like the “I’m not a robot” box you have clicked hundreds of times. This one has a small twist. Instead of ticking a box, it asks you to open the Windows Run dialog, paste a line of text it has helpfully copied to your clipboard, and press enter. To confirm you are human, you are told.

You are not confirming you are human. You are running a command that installs malware on your machine, sends your saved passwords to a criminal server, and hands someone else the keys to your accounts.

This is ClickFix. Microsoft’s threat intelligence team published a detailed analysis of it in August 2025, and it is now one of the most active social engineering techniques in the wild. This piece explains what it is, how it works, and how to avoid becoming a data point in it.

Key takeaways

  • ClickFix tricks you into running commands on your own machine that install malware, by disguising the command as a routine verification step.
  • The fake “I’m not a robot” CAPTCHA is the most common lure, but there are others: fake Word crash messages, fake Chrome errors, spoofed Discord verification, fake bank login prompts.
  • Attackers rely on the fact that most people trust anything that looks like a standard security prompt.
  • If a website ever asks you to paste something into Windows Run, PowerShell, or Terminal, stop. That is the attack.
  • User training helps. The strongest single defence is technical: disable the Windows Run dialog for staff who do not need it, and block the commands attackers rely on.

What does it look like?

The scam starts on a page you did not expect to be on. It might be:

  • A search result that looked genuine but was actually a malicious advert
  • A link in a phishing email
  • A hijacked page on a website that used to be legitimate
  • A pop-up on a streaming or news site

Once you are on the page, the trick begins. The most common version is a fake CAPTCHA, styled to look identical to the Cloudflare or Google boxes we all click through daily. The wording varies but the instructions go something like this:

To verify you are human, please complete the following steps:

  1. Press Windows key + R
  2. Press Ctrl + V to paste
  3. Press Enter

Between the moment you loaded the page and the moment you press Ctrl+V, a hidden piece of code has quietly copied a command into your clipboard. When you paste and press enter, Windows dutifully runs it. The command downloads a small script from somewhere on the internet. That script downloads the actual malware. Within seconds, your machine is compromised.

Other variants use the same trick with different stories. A fake Microsoft Word error might tell you to run a “repair command.” A fake Chrome update page might ask you to paste something into Terminal to “fix the browser.” A spoofed Discord server might insist on a “verification step” before you can join. The technique is the same. Only the story around it changes.

Why does it work?

Three quiet reasons this works better than it should.

The pages look right. Microsoft’s analysis notes that many fake CAPTCHAs use real design assets, including CSS libraries from Font Awesome, to make the impersonation convincing. You cannot easily spot the fake by eye.

The instructions look reasonable. Normal computer use asks you to press key combinations all the time. The Windows Run dialog is not obscure. Copying and pasting is a routine action. Nothing individually alarms the trained instinct that scans for red flags in a phishing email.

The user does the malicious work themselves. Traditional email attachments and drive-by downloads set off warnings from antivirus, browsers, and operating systems. When the user manually pastes and executes a command, the operating system has no reason to intervene. You told it to run this. It ran it.

Microsoft’s own detection tools flagged thousands of devices per month executing ClickFix commands, even inside organisations that had modern endpoint protection deployed. That should tell you something about how well the technique bypasses standard defences.

What does it install?

Once the initial command runs, the attacker’s payload lands on the machine. The most common one Microsoft observes is Lumma Stealer, which quietly harvests saved passwords, session cookies, cryptocurrency wallets, and browser autofill data, and sends the lot to a server the criminal controls. Other campaigns install remote access tools such as Xworm, AsyncRAT, or NetSupport, which let the attacker log in to your machine as if they were you.

For businesses, this typically means:

  • Stolen employee credentials being sold on to other criminal groups
  • Access to your Microsoft 365, Google Workspace, or banking sessions before the browser session times out
  • Follow-on attacks such as business email compromise or ransomware, where the stolen access is the foothold for something worse

The technique also targets macOS. The Atomic macOS Stealer works the same way, dropped by a similar trick that asks the user for their system password to “authorise” the fake fix.

Who is doing this?

Microsoft tracks multiple threat groups running ClickFix campaigns, including ones it labels Storm-1607, Storm-0426, and Storm-0249. Some target specific countries: a May 2025 Lampion campaign hit the Portuguese government, finance, and transportation sectors. A March 2025 campaign targeted Germany.

The technique is not exclusive to sophisticated groups. Ready-made ClickFix kits are sold on criminal marketplaces for between $200 and $1,500 a month. They come with configurable templates, multiple language versions, and evasion features. A moderately skilled criminal can rent the infrastructure, point it at a target, and run a campaign without writing any of the code themselves.

This is the same pattern we described in our earlier piece on AI lowering the barrier to entry for cybercrime. Different technique, same trend: attack quality that used to require an experienced operator is now packaged and rented by the month.

How to protect yourself

For individual users, the guidance is short and worth taking seriously.

If a website ever asks you to paste something into Windows Run, PowerShell, Terminal, or a command prompt, stop. No legitimate CAPTCHA or verification step ever requires that. No legitimate error message ever asks it. No genuine “fix” tells you to run a command from a webpage. If you see this instruction anywhere, it is the attack.

Close the tab. Do not paste. Do not press enter. If you already have, treat your machine as compromised: disconnect from the network, change your passwords from a different device, and get IT involved.

For organisations, the technical controls Microsoft recommends are the ones with the largest impact:

  • Disable the Windows Run dialog for staff who do not need it. Most office roles do not use Win+R day to day. Removing it removes the primary vector.
  • Block PowerShell and Terminal execution from the Run dialog using App Control for Business or attack surface reduction rules.
  • Turn on PowerShell script block logging so security teams can hunt for suspicious command lines after the fact.
  • Turn on the built-in Windows Terminal setting that warns users before a multi-line command is pasted.
  • Enable web protection and SmartScreen in browsers so malicious landing pages are blocked earlier.
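As an added illustration (not from the original post or Microsoft's guidance), the following PowerShell applies two of the registry-backed controls above and runs a simple hunt over script block logs. It assumes an elevated session on Windows 10/11; the `NoRun` and `EnableScriptBlockLogging` values are the documented Group Policy backing keys, and the hunt patterns are an assumption for illustration rather than a complete detection rule.

```powershell
# Added example, not the page's own code. Run elevated on Windows 10/11.

# 1. Remove the Run dialog (Win+R) for the current user.
#    Policy: User Configuration > Administrative Templates > Start Menu and
#    Taskbar > "Remove Run menu from Start Menu", backed by NoRun = 1.
#    Takes effect at next logon; deploy via GPO to cover every user.
$runPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $runPolicy -Force | Out-Null
Set-ItemProperty -Path $runPolicy -Name 'NoRun' -Value 1 -Type DWord

# 2. Turn on PowerShell script block logging so every executed script block
#    is recorded as Event ID 4104 in Microsoft-Windows-PowerShell/Operational.
$sblPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sblPolicy -Force | Out-Null
Set-ItemProperty -Path $sblPolicy -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 3. Hunt: list script blocks from the last 7 days that fetch and execute
#    remote content, the general shape of a ClickFix first stage.
#    The pattern list is an assumption for illustration only.
$suspicious = 'DownloadString|Invoke-WebRequest|Invoke-RestMethod|Invoke-Expression|\biex\b|FromBase64String|-EncodedCommand'
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $suspicious } |
    # Properties[2] of a 4104 event is the ScriptBlockText field.
    Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } } |
    Format-Table -Wrap
```

Treat any hit as a lead for triage rather than a verdict: legitimate admin scripts also download and evaluate content, so correlate with the launching process and the user's role.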

None of that is exotic or expensive. Most of it is already available in the Microsoft 365 licences your organisation is already paying for.

What awareness training should now say

Traditional phishing training focuses on spotting bad emails: check the sender, hover over links, look for typos, do not open attachments from strangers. That advice is still correct. It is also incomplete.

Updated training should include:

  • Do not paste commands you did not write into Windows Run, PowerShell, or Terminal, regardless of what the webpage claims.
  • No verification step needs your Windows Run dialog. Ever.
  • If a “fix” or “update” appears out of nowhere and asks you to do something on your keyboard, treat it as a scam by default.

The reframing worth adopting is the same one we made in our article on AI-augmented cybercrime: expect the perfect phishing page. Expect the fake CAPTCHA to look identical to the real one. Train for verification behaviour, not for spotting typos.

Where this sits in the compliance picture

For ISO 27001 programmes, ClickFix touches Annex A.6.3 (security awareness training) and A.8.8 (management of technical vulnerabilities). Awareness training content should be reviewed against current techniques. Endpoint hardening and Group Policy configurations should reflect the current threat picture, not the 2020 one.

For NIS2, Article 21’s minimum measures include “basic cyber hygiene practices and cybersecurity training.” That obligation is not satisfied by a training course that still teaches staff to look for typos in phishing emails.

Closing

ClickFix is not clever technology. It is a good story wrapped around a bad instruction. That is why it works, and why the defences that matter most are half-technical (block the specific vectors) and half-behavioural (train the specific instinct).

If a webpage ever asks you to paste something into Windows Run, close the tab. That is the whole rule.

If you want to review your organisation’s exposure to techniques like this, or update your awareness programme against current threats, get in touch.

Common questions

What is ClickFix in one sentence?

ClickFix is a scam that shows a fake verification prompt (usually disguised as a CAPTCHA, a browser error, or an app crash message) and tricks you into pasting a command into Windows Run, PowerShell, or Terminal that installs malware on your own machine.

How do I know if I’ve been affected?

If you pasted anything into Windows Run, PowerShell, or Terminal from a webpage, assume you have been. Signs include unexpected browser behaviour, unfamiliar sign-in alerts on your accounts, or antivirus warnings. Disconnect the device from the network, change your passwords from a separate device, and get IT involved. Do not just run an antivirus scan and assume it caught everything.

Does antivirus protect against this?

Partially. Modern endpoint protection catches many ClickFix payloads but not all. Microsoft’s own analysis reports that thousands of devices per month execute ClickFix commands even where endpoint detection is deployed. The most reliable protection is preventing the paste step in the first place, either through user behaviour or by disabling the Run dialog for accounts that do not need it.

Is this only a Windows problem?

No. The same technique is used against macOS users, dropping payloads such as Atomic macOS Stealer. The macOS variant typically asks the user to run a command in Terminal and enter their system password.

Are we too small to be a target?

No. ClickFix campaigns are largely untargeted at the individual level. Attackers rent the infrastructure and cast a wide net through malicious adverts, phishing emails, and compromised websites. Small and medium organisations are affected as often as large ones, and the follow-on damage (business email compromise, ransomware, fraudulent payments) hits smaller organisations harder because they have less resilience to absorb it.
