Decoding ‘ClickFix’: Lessons from the Latest Browser-Based Phish

ClickFix is a social engineering attack that tricks users into running malicious commands on their own devices – all under the guise of a routine security check. Disguised as something familiar, like a Cloudflare CAPTCHA, it convinces users to copy and paste dangerous code without realizing the risk. We’ll break down how ClickFix works, examine a real-world example, and explore why this surprisingly simple tactic remains effective.

How ClickFix Works

ClickFix is a phishing technique that poses as a bogus verification step (often a fake CAPTCHA or “I am not a robot” page) and instructs users to paste and run code as part of the process. Instead of prompting a file download like traditional phishing, ClickFix pages present what looks like a legitimate security check. 

For example, attackers have cloned the Cloudflare Turnstile interface. Turnstile is Cloudflare’s CAPTCHA alternative that checks if a user is human; it often appears when accessing a protected website. When a victim visits a malicious or compromised site, they see a message “Checking if the site connection is secure – Verify you are human” just as they would on a real Cloudflare page. 

The page includes official Cloudflare branding, wording, and even a dynamically generated “Ray ID” (a unique identifier Cloudflare assigns to each visitor request) to appear authentic.

Figure 1: The fake Cloudflare page shown at the start of the attack

 

When the user checks the “Verify you are human” box on this deceptive page, the attack moves to its next phase. Instead of simply unlocking the site, the page presents additional instructions (often labeled as “Verification steps”). A pop-up or on-page message will direct the user through a sequence of key presses. Typically, it says something like:

  1. Press ⊞ Win+R – This opens the Windows “Run” dialog box. (At this point, the page has already used a script to copy a hidden command to your clipboard.)
  2. Press Ctrl+V – This pastes whatever text is in your clipboard into the Run box.
  3. Press Enter – This executes the pasted command.

Unbeknownst to the user, the page has already placed a malicious command into their clipboard behind the scenes. So when they follow these steps, they end up executing malware on their own machine. 

In an example we found, after the user clicked the fake Turnstile checkbox, a prompt guided them to press Windows+R and then Ctrl+V – which pasted a hidden PowerShell command – and finally, hitting Enter launched that command. The user believes they are simply proving their humanity to access the site, but in reality, they have just kicked off a malware installation.

Figure 2: The step-by-step instructions that trick users into executing malware

Behind the scenes, the ClickFix page is orchestrating the attack via the clipboard. The malicious webpage’s script, triggered by the user’s click on the checkbox or button, creates a hidden text element containing an obfuscated PowerShell command and automatically copies it to the user’s clipboard. This is done with web APIs and leaves no visible trace on the page. 

By the time the user sees the “verification steps” instructions, the dangerous payload is already sitting in their clipboard, waiting to be pasted. The moment the user hits Ctrl+V in the Run dialog, that embedded PowerShell code appears – often a one-liner that pulls down and executes a second-stage malware. In effect, the victim themselves executes the initial dropper, enabling the attacker to bypass normal download prompts or antivirus scanning of an EXE file.

Now that we’ve seen how the attack manipulates the user, let’s take a closer look at how the malicious webpage is built and functions under the hood.

Inside a ClickFix Attack Page

The version of ClickFix we observed was delivered as a single, self-contained HTML file that replicates the Cloudflare Turnstile page. All the necessary images, styles, and scripts are embedded locally (with no third-party resources loaded), making the fake page load easily on the attacker’s chosen domain. 

The HTML is often heavily obfuscated to hide its malicious content. This obfuscation conceals the malicious script logic that handles the clipboard injection (silently overwrites any copied text with attacker-chosen code in your clipboard) and any payload code. The phishing page automatically inserts the target domain name and a fake Ray ID number into the content so that each visit appears unique and legitimate – for example, showing the user’s actual domain (or a convincing clone domain) and a random-looking Cloudflare Ray ID string. These details reinforce the illusion that the page is a genuine Cloudflare checkpoint rather than an attacker’s trap.

The payload itself is typically a PowerShell command or similar script code, chosen because it can fetch and run malware with a single line. The ClickFix page stores this command (often Base64-encoded or otherwise obfuscated) and uses scripting to copy it to the clipboard without user consent. Notably, because the user is ultimately executing a legitimate Windows system utility (like powershell.exe or mshta.exe) with a snippet of code, traditional web security filters are bypassed.

Figure 3: A hidden PowerShell command copied to the clipboard

An immediate technical advantage for the attacker is that the end-user is running a command rather than a binary. This means antivirus products and endpoint protections that scrutinize new executable files might not catch the attack at the point of delivery. The malicious PowerShell command can be structured to retrieve the actual malware (for instance, a DLL, EXE, or script) from a remote server and execute it in memory. Campaigns using ClickFix have delivered a variety of payloads in this manner – from info-stealing malware like Lumma and Stealc to full remote access trojans (RATs), which let attackers take control of a victim’s system like NetSupport Manager.

Even though ClickFix doesn’t rely on sophisticated exploits, it’s still remarkably successful. Here’s why this low-tech deception works, and keeps working.

Why This Simple Trick Remains Effective

It may seem surprising that such a low-tech trick – essentially telling users to run a command – is successfully compromising systems, but several factors explain its efficacy. Human nature and habitual behavior are key. 

Modern internet users are inundated with spam checks, CAPTCHAs, and security prompts on websites, and they’ve been conditioned to click through these as quickly as possible. Attackers exploit this “verification fatigue”, knowing that many users will comply with whatever steps are presented if it looks routine. 

In the context of a familiar-looking Cloudflare page, a user often assumes these extra steps are normal, especially if they’re in a hurry to reach some content. The instructions to press Win+R and Ctrl+V may raise an eyebrow for tech-savvy people, but an average user – seeing official logos and not understanding the implications – can be socially engineered into treating it as an advanced CAPTCHA. 

Deceptive design and trust in visual cues also play a major role. The fake Turnstile pages are crafted to be pixel-perfect copies of legitimate Cloudflare pages, down to the domain being checked and the unique Ray ID footer. Users generally trust these intermediary pages since Cloudflare is a known security provider. 

Often, the phishing page is served from a URL that isn’t obviously malicious at first glance – it could be a close typo of a real domain (e.g. notionbox.org instead of notion.com), or an otherwise legitimate but compromised site. In some cases, real websites have been hacked to inject ClickFix scripts, meaning the user might see a URL they recognize and still be faced with this “Cloudflare verification”. This undermines the usual advice of checking the address bar for legitimacy. 

The absence of immediate red flags (no downloads, the padlock icon present, a familiar CAPTCHA interface) lulls users into a false sense of security. The attack leverages user trust in browser security measures – people assume that if something were wrong, the browser or security tools would alert them, not ask them to do something. But here, the very action that normally might seem odd (pasting a command) is framed as a security requirement, turning the user’s caution against them.

Considering how persuasive ClickFix attacks can be and how effortlessly they can be initiated, taking proactive measures is important. Here’s how SlashNext helps protect against these threats.

Stop ClickFix Before It Tricks Your Users

Attacks like ClickFix are evolving fast – too fast for traditional filters to keep up. SlashNext’s AI-powered defenses can spot these tricks in real time, including the fake Cloudflare prompts and clipboard injections. SlashNext Browser and Messaging Security spots the fake Cloudflare screen, the hidden clipboard payload, everything, and blocks the attack before anyone can press Win + R. 

With SlashNext, you get:

  1. Zero-hour protection for email, browsers, mobile, and collaboration apps.
  2. AI that detects new social-engineering tactics like ClickFix without signatures.
  3. A cloud-native deployment in minutes, no changes to your current stack.

See it in action and request a live demo at SlashNext.com.

Blog Subscription

It’s Time to Get Started with SlashNext

Experience the difference with broad phishing threat coverage and automated delivery.