ClickFix Attacks: The Fake CAPTCHA That Installs Malware

"Verify you are human." "Your browser needs an update to view this content." "An error occurred — follow these steps to fix it." We have trained employees to be suspicious of attachments and links. We did not train them to be suspicious of a CAPTCHA. That blind spot is exactly what makes ClickFix one of the most effective social-engineering techniques of 2026.
ClickFix flips the script on traditional malware delivery. Instead of tricking the victim into opening a malicious file, it convinces them to run the malicious command themselves — copying it from a webpage and pasting it straight into their own operating system. The result is an infection chain that leaves almost nothing for conventional security tools to catch.
How a ClickFix Attack Actually Works
The lure is a fake verification or error screen that looks completely routine. The instructions are presented as a harmless "human verification" step:
- The page tells the user to press
Win + R— which quietly opens the Windows Run dialog. - Then press
Ctrl + Vto paste. The page has already copied a hidden command to the clipboard. - Then press
Enterto "complete the check."
In those three keystrokes, the victim has executed a PowerShell or terminal command that downloads and runs the payload. Campaigns dress this up as fake CAPTCHAs, browser errors, VPN prompts, document-viewer warnings, and corporate login pages. The most common payloads are infostealers like Lumma Stealer and remote access trojans that harvest credentials, session cookies, and crypto wallets.
Why It Slips Past Your Security Stack
ClickFix is dangerous precisely because it exploits human behavior rather than a software vulnerability. In its initial stage, the attack produces no malicious file on disk and runs through legitimate, signed Windows utilities (often called LOLBins). That means static antivirus, email attachment scanners, and many EDR rules simply have nothing obvious to flag.
Attackers keep raising the bar. In a February 2026 disclosure, Microsoft documented a DNS-based variant in which the pasted command runs a DNS lookup against an attacker-controlled server, reads the response, and executes that as the second-stage payload — sidestepping URL-based blocking entirely. And the delivery surface keeps growing: in a May 2026 campaign, more than 700 legitimate websites, including universities and tech companies, were hijacked through a single SQL injection flaw (CVE-2026-26980) and turned into ClickFix delivery pages.
When the malicious page is hosted on a university or vendor domain your employees already trust, "check the URL" stops being useful advice.
The One Rule That Stops ClickFix
The good news: ClickFix has a single, teachable choke point. The attack cannot succeed unless the user manually opens a system dialog and runs a command. No legitimate website will ever ask you to do that.
Burn this rule into your team's muscle memory:
- No real website asks you to press Win+R, open PowerShell, or paste anything into a terminal or Run box. Ever. A CAPTCHA is a checkbox or an image puzzle — never a set of keyboard instructions.
- If a page gives you copy-and-paste "fix" steps, close the tab and report it.
- Be especially wary of "update your browser to continue" or "verify you are human" prompts that appear on otherwise normal sites.
How to Defend Your Organization
Pair that awareness message with layered technical and process controls:
- Restrict or monitor the Run dialog and PowerShell for standard users via group policy or application control, and alert on clipboard-to-shell execution patterns.
- Give employees a one-click way to report suspicious pages and prompts. empowsec's report-phishing add-ons for Gmail/Workspace and Outlook make reporting frictionless, so your team becomes an active sensor network.
- Run ClickFix-style simulations. Most security awareness programs still only test email links. empowsec lets you simulate the modern techniques — fake CAPTCHAs and "fix this error" lures included — and deliver an immediate teachable-moment debrief to anyone who follows the steps.
- Reinforce credential hygiene. Because the typical payload steals session tokens, phishing-resistant MFA and prompt session revocation limit the blast radius of a successful infection.
Key Takeaways
- ClickFix turns the user into the malware installer by disguising a malicious command as a CAPTCHA, browser update, or error fix.
- It evades detection because the first stage leaves no file on disk and abuses trusted Windows tools — and newer DNS variants dodge URL blocking.
- The defining defensive rule is simple: no legitimate site ever asks you to run a command. Train it, repeat it, simulate it.
- Combine awareness with PowerShell/Run restrictions, easy reporting, and phishing-resistant authentication to shrink the impact of any infection.
For a technical breakdown of the technique, Microsoft's analysis is a useful primer: Think before you ClickFix.


