Think Before You Click(Fix)

A social engineering technique is spreading fast—and it works by turning you into the attack tool. This training covers exactly how ClickFix works, what to watch for, and how to protect yourself and your organization.

  • 517% surge in ClickFix attacks in 2025
  • #1 initial access method observed by Microsoft in 2025
  • 47% of observed attacks used ClickFix for initial access

Local government and small business are primary targets

In August 2025, an Interlock ransomware attack using ClickFix struck a U.S. state and local government victim. Government employees, municipal staff, and small business workers are actively targeted because attackers know these organizations often have smaller security teams.

Training time: Approximately 15–20 minutes
Includes: Interactive demonstration, real-world scenarios, and a scored knowledge assessment

What Is ClickFix?

ClickFix is a social engineering technique where attackers display a fake error message, CAPTCHA, or verification prompt on a webpage, then trick you into copying and running a malicious command on your own computer.

Why it differs from traditional attacks

Unlike malware that runs automatically, ClickFix makes you execute the attack yourself. Because you manually run the command, many security tools don't flag it—the system thinks it's a normal action by a trusted user.

The Disguise

Attackers create convincing fake prompts that look like Google reCAPTCHA, Windows error dialogs, browser update notices, or document verification screens.

The Clipboard Hijack

When you interact with the fake prompt, hidden JavaScript silently copies a malicious command to your clipboard without your knowledge.

The Trick

You're instructed to press specific keyboard shortcuts (Win+R, Ctrl+V, Enter) as "verification steps"—but this actually runs the malicious command.

What happens if you fall for it?

Once the command runs, attackers can:

  • Install info-stealing malware that harvests your passwords, banking credentials, and personal data
  • Deploy ransomware that encrypts all your files and demands payment
  • Install remote access trojans that give attackers full control of your computer
  • Use your computer as a launching point to attack the rest of your organization's network
  • Steal sensitive government records, financial data, or constituent information

The Attack Chain

Understanding exactly how this attack unfolds is your best defense.

1. The Bait

You arrive at a malicious webpage through a phishing email, a compromised legitimate website, a search engine result, or a malicious online ad. The page looks professional and familiar.

2. The Fake Prompt

A dialog box appears—a CAPTCHA, a "document verification," a browser error, or a security warning. It looks like something you've seen hundreds of times. You click the checkbox or button.

3. The Silent Clipboard Hijack

The moment you interact with the prompt, hidden code copies a malicious PowerShell or system command to your clipboard. You see nothing—this is completely invisible.

4. The Instructions

"To complete verification," the page tells you to press Win+R to open the Run dialog, then Ctrl+V to paste, then Enter. These are presented as "verification steps."

5. The Compromise

The malicious command executes, typically launching a hidden PowerShell window that downloads and installs malware. Because you ran it, it runs with your user permissions and often bypasses security tools.

Why security tools often miss it

When you press Win+R, the command runs under Explorer.exe—your normal Windows process. Security tools see this as a legitimate user action. The payload often runs entirely in memory, leaving no files on disk for antivirus to scan.

Interactive Demonstration

Below is a safe simulation of what a ClickFix attack looks like. Click the checkbox to see how the deception unfolds. No actual malicious code is involved.

https://verify-captcha-check.com/human-test
Verify you are human
[ ] I'm not a robot
reCAPTCHA • Privacy • Terms

Verification Steps:

1. Press Windows + R to open the Run dialog
2. Press Ctrl + V to paste the verification code
3. Press Enter to complete verification

Common Lure Types

Attackers use many different disguises. Here are the most common ones you may encounter:

Fake CAPTCHA / "Verify You Are Human"

Most common variant. A page displays what looks like a standard Google reCAPTCHA or Cloudflare verification. After clicking "I'm not a robot," you're shown "additional verification steps" that instruct you to run system commands.

How to spot it

Real CAPTCHAs ask you to identify objects in images, solve puzzles, or simply click a box. They never ask you to open the Run dialog, Terminal, or paste anything into your operating system.

Fake Error Messages / "Fix This Problem"

A page shows a convincing browser or system error—perhaps "Your browser encountered an error" or "This page cannot be displayed correctly." A "Fix" button copies a malicious command to your clipboard and tells you to run it.

How to spot it

Legitimate browser errors never ask you to run commands. If a webpage tells you to open the Run dialog or Terminal to fix a display issue, it is an attack. Close the tab immediately.

Fake Browser or Software Updates

A popup claims your browser or a plugin is out of date and needs updating to view content. The "update" process involves pasting a command rather than downloading an installer.

How to spot it

Browser updates happen through the browser's built-in settings, not through website popups. Never run commands provided by a website claiming to update your software.

Fake Document or File Access

You receive an email with a link to an "important document"—a shared report, invoice, or policy update. The page says you must complete a verification step before viewing the document.

How to spot it

Real document sharing services (Google Docs, SharePoint, etc.) may require you to log in, but never ask you to run commands on your computer. Verify the sender and URL before interacting.

Fake Meeting Invites and Collaboration

Used by nation-state actors (notably North Korean group Kimsuky): you receive a meeting invitation or collaboration request. The link leads to a page requiring "verification" before joining, which triggers the ClickFix attack.

How to spot it

Video conferencing tools like Zoom, Teams, and Google Meet never require you to run system commands to join a call. Be especially suspicious of unexpected invitations from unknown senders.

macOS-Targeted Attacks

Since June 2025, ClickFix has expanded to target Mac users. Instead of the Windows Run dialog, victims are instructed to open Terminal and paste a command. These campaigns deliver macOS-specific malware like Atomic Stealer (AMOS).

How to spot it

The same rule applies: no legitimate website will ever ask you to open Terminal and paste a command. Mac users are not immune to this attack.

Who Is Behind These Attacks?

ClickFix is not limited to common cybercriminals. Nation-state intelligence agencies from multiple countries have adopted this technique for espionage operations.

Russia: APT28 (Fancy Bear)
Also known as: TA422 • Forest Blizzard

Russian military intelligence (GRU). Targets government and defense organizations. Previously responsible for the 2016 DNC breach.

North Korea: Kimsuky (TA427)
Also known as: Velvet Chollima • Emerald Sleet

North Korean intelligence. Uses fake meeting invitations and think-tank impersonation. Targets policy analysts and government officials.

Iran: MuddyWater (TA450)
Also known as: Mercury • Mango Sandstorm

Iranian state-sponsored group. Targets Middle Eastern government and defense. Incorporates ClickFix into phishing campaigns.

Financially motivated: Cybercriminal Groups
Multiple independent actors

The majority of ClickFix attacks are financially motivated, delivering ransomware, info-stealers (Lumma, StealC), and banking trojans.

Timeline: The Rise of ClickFix

March 2024 (Q1)

ClickFix first observed by Proofpoint researchers. Initial campaigns target Windows users with fake error messages.

Late 2024 (Q4)

Technique explodes in popularity. Nation-state groups from Russia, North Korea, and Iran begin adopting ClickFix for espionage.

Early 2025 (Q1)

Attacks surge 517%. ClickFix becomes the #1 initial access method. Targeted campaigns hit government, finance, education, healthcare, and transportation globally.

June 2025 (Q2)

ClickFix expands to macOS. "FileFix" variant emerges, shifting from the Run dialog to File Explorer. Attacks spread to Portugal, Switzerland, France, Hungary, Mexico.

August 2025 (Q3)

Interlock ransomware hits U.S. state/local government via ClickFix. Microsoft publishes major threat intelligence report. "CrashFix" variant uses malicious Chrome extensions.

February 2026 (Q1)

DNS-based ClickFix variant discovered, using nslookup commands to stage payloads. Attacks continue to evolve.

Real-World Scenarios

Review each scenario and decide: is this a ClickFix attack, or is it safe? Choose your answer to reveal the explanation.

Scenario 1: The Morning Email

You are a payroll clerk at City Hall. Monday morning, this email arrives in your inbox:

Inbox
From: Benefits Administration <noreply@beneflts-admin-portal.com>
To: You
Date: Mon, Mar 2, 2026 8:14 AM
Action Required: Updated W-2 Forms Available

Dear Employee,

Your updated W-2 tax forms for the 2025 tax year are now available. Due to a recent correction, please review your updated documents as soon as possible.

View Your Updated W-2 Forms

You may be asked to verify your identity before accessing your documents. This is a standard security measure.

Benefits Administration | Do not reply to this email

You click the link. The page that opens looks like this:

https://beneflts-admin-portal.com/verify-identity
Verify you are human
I'm not a robot
Verification Steps:
1. Press Windows + R
2. Press Ctrl + V
3. Press Enter
reCAPTCHA • Privacy • Terms

This is a ClickFix attack.

The sender domain is beneflts-admin-portal.com (note the letter "l" replacing "i" in "benefits"). The link leads to a fake site where the "CAPTCHA" placed a malicious command on your clipboard. Following those steps would execute malware that could steal payroll data, employee SSNs, and banking information. Close the tab, do not follow the steps, and report it to IT immediately.

Scenario 2: The Broken PDF

You manage permits for a small county office. A contractor emails a link to their updated insurance certificate. When you click it, this page appears:

https://docs-viewer-secure.net/certificate_2026.pdf
Your browser cannot display this PDF.
A required plugin is missing or out of date.
Fix Display Issue
Clicking "Fix" will copy the repair command to your clipboard.

After clicking "Fix Display Issue," a popup instructs you to open the Run dialog and paste a "browser repair command."

This is a ClickFix attack.

The URL docs-viewer-secure.net is not a real document hosting service. Browser display issues are never fixed by pasting commands into the Run dialog. The contractor's email was likely spoofed or their account was compromised. Contact the contractor through a known phone number to verify, and report the email to IT.

Scenario 3: The Search Result

You are an office manager at a small accounting firm. You search Google for a free PDF converter and see these results:

https://www.google.com/search?q=free+pdf+converter+download

You click the first (sponsored) result, which takes you to free-pdf-tools-download.com. The page asks you to verify you are human with a CAPTCHA. After clicking the checkbox, "verification steps" appear asking you to press keyboard shortcuts.

This is a ClickFix attack.

Attackers purchase sponsored search ads to get malicious sites to appear above legitimate results. The domain free-pdf-tools-download.com is not a known software vendor. The CAPTCHA with keyboard shortcut instructions is a ClickFix lure. Close the tab. Only download software from official vendor websites or through IT-approved channels. Be especially cautious with sponsored search results.

Scenario 4: The Legitimate CAPTCHA

You are logging into your organization's webmail system. This CAPTCHA screen appears:

https://mail.yourcounty.gov/login
County Web Portal — Sign In
Select all images with traffic lights
[3×3 image grid: houses, traffic lights, a car, a tree, a bus, a pedestrian]
[Verify]

You click on the correct images and press "Verify." The page proceeds to your inbox normally. No keyboard shortcuts or pasting were required.

This is a legitimate CAPTCHA.

The URL is on your organization's official domain (mail.yourcounty.gov). The CAPTCHA asks you to identify objects in images—a standard verification method. It did not ask you to open the Run dialog, Terminal, or paste any commands. This is safe to complete.

Your Defense Playbook

The Golden Rule

No legitimate website will ever ask you to open the Run dialog, Terminal, or Command Prompt and paste something.

If any webpage instructs you to press Win+R, open Terminal, or paste commands into your operating system—it is an attack. No exceptions.

Red flags to watch for

  • Any "CAPTCHA" or "verification" that asks you to use keyboard shortcuts or system commands
  • Webpages that instruct you to press Win+R, open PowerShell, Terminal, or Command Prompt
  • Pages asking you to paste content from your clipboard into system dialogs
  • "Fix" or "Update" buttons that require running commands rather than downloading an installer
  • Unfamiliar or suspicious URLs that don't match the brand being displayed
  • Urgent language designed to make you act quickly without thinking
  • Error messages on websites that offer "quick fixes" involving system commands

If you encounter a suspected ClickFix attack

  • STOP—Do not follow the instructions. Do not press any keyboard shortcuts.
  • CLOSE—Close the browser tab or window immediately.
  • CLEAR—Clear your clipboard (copy a harmless word like "safe" to overwrite whatever was placed there).
  • REPORT—Contact your IT department or help desk immediately. Include the URL if possible.
  • DOCUMENT—Take a screenshot if you can do so safely before closing.

If you already followed the steps

Act immediately—time matters

  1. Disconnect your computer from the network (unplug Ethernet or disable Wi-Fi)
  2. Do not shut down the computer—this may destroy forensic evidence
  3. Call your IT department or security team immediately—do not email, as your email may be compromised
  4. Change your passwords from a different, clean device (phone or another computer)
  5. Note the time when you executed the command, so the security team can review logs

For IT administrators and managers

Restrict PowerShell

Set the execution policy to "AllSigned" or "Restricted," and consider blocking PowerShell for users who don't need it. Keep in mind that Microsoft documents execution policy as a safety feature, not a security boundary, and it does not stop a command pasted into the Run dialog; AppLocker or WDAC provides the actual control over script execution.

Enforce Least Privilege

Ensure employees operate with standard user accounts, not admin. This limits the damage if a ClickFix payload executes.

Monitor for Indicators

Watch for PowerShell launched from Explorer.exe, mshta.exe execution, and suspicious DNS lookups (nslookup to unknown domains).
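The three indicators above (a script host whose parent is Explorer.exe, which is what the Run dialog produces, as described under "Why security tools often miss it"; any mshta.exe execution; and nslookup of domains the organization does not use) can be turned into a simple triage rule over process-creation telemetry. The Python script below is an added example written for this page, not tooling from Microsoft, Proofpoint, or Circle 6 Systems. The events, the DNS allowlist, the severity scheme, and the paths are constructed assumptions; field names follow the Sysmon Event ID 1 layout (Image, ParentImage, CommandLine).

```python
"""Triage process-creation events for the ClickFix indicators named on this
page: a script host started from explorer.exe (what pressing Win+R produces),
any mshta.exe execution, and nslookup.exe resolving domains the organisation
does not use.  Field names follow Sysmon Event ID 1 (Image, ParentImage,
CommandLine); the events, allowlist and severities are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Interpreters a pasted ClickFix command is typically handed to.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
# PowerShell options that hide the console window; the page notes payloads run hidden.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
# Domains nslookup is legitimately used against here (assumed allowlist).
DNS_ALLOWLIST = {"yourcounty.gov", "corp.example"}


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    reason: str
    event: dict


def basename(path: str) -> str:
    """Last path component, lower-cased, so a full path becomes e.g. explorer.exe."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def queried_name(cmdline: str) -> Optional[str]:
    """First non-option argument of an nslookup command line is the name queried."""
    for token in cmdline.split()[1:]:
        if not token.startswith("-"):
            return token.strip("'\"").lower()
    return None


def in_allowlist(domain: str) -> bool:
    return any(domain == a or domain.endswith("." + a) for a in DNS_ALLOWLIST)


def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding when the event matches an indicator, else None."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmdline = event.get("CommandLine", "")

    if image == "mshta.exe":
        return Finding("high", "mshta.exe execution", event)

    if image in SCRIPT_HOSTS and parent == "explorer.exe":
        # Explorer is the parent when a command is typed into the Run dialog.
        severity = "high" if HIDDEN_WINDOW.search(cmdline) else "medium"
        return Finding(severity, f"{image} launched from explorer.exe (Run dialog)", event)

    if image == "nslookup.exe":
        domain = queried_name(cmdline)
        if domain and not in_allowlist(domain):
            # A script host driving nslookup matches the DNS-staging variant.
            severity = "high" if parent in SCRIPT_HOSTS else "medium"
            return Finding(severity, f"nslookup of unknown domain {domain} from {parent}", event)

    return None


def triage(events) -> list:
    return [f for f in map(evaluate, events) if f is not None]


# Constructed sample events; payload command lines are deliberately omitted.
SAMPLE_EVENTS = [
    {"UtcTime": "2026-03-02 08:21:07",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -w hidden -c "<payload omitted>"'},
    {"UtcTime": "2026-03-02 08:21:09", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "mshta.exe <payload omitted>"},
    {"UtcTime": "2026-03-02 08:21:12", "Image": r"C:\Windows\System32\nslookup.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "nslookup -type=TXT stage01.invalid"},
    {"UtcTime": "2026-03-02 09:02:44", "Image": r"C:\Windows\System32\nslookup.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "nslookup mail.yourcounty.gov"},
    {"UtcTime": "2026-03-02 09:10:00",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Apps\WindowsTerminal.exe",  # constructed path
     "CommandLine": "powershell.exe -NoProfile"},
    {"UtcTime": "2026-03-02 09:15:30", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c ipconfig /all"},
    {"UtcTime": "2026-03-02 09:16:01", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.event['UtcTime']}  {f.reason}")
```

Feed it process-creation events exported from Sysmon or your EDR. A script host started from Explorer is only "medium" on its own because administrators do use Win+R legitimately; the hidden-window switch and a script host driving nslookup are what raise it. When reconstructing the time a user ran a pasted command (step 5 under "If you already followed the steps"), the Run dialog's own history in the RunMRU key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU is also worth collecting.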

Email and Web Filtering

Deploy email security that analyzes links in messages. Use web filtering to block known malicious domains. Enable fake CAPTCHA detection signatures.
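Link analysis of the kind described here can catch the cue from Scenario 1 (beneflts-admin-portal.com, an "l" in place of an "i") and the "suspicious URLs that don't match the brand" red flag before a user ever sees the page. The following Python script is an added example for this page, not a product feature or code from any vendor named above. The trusted-domain list, the brand words, the verification-wording pattern, and the sample message are constructed assumptions; the hypothetical domain yourcounty-gov.com is used only to show a brand name on an untrusted domain.

```python
"""Score the links in a message against an organisation's trusted domains and
flag look-alike spellings such as beneflts-admin-portal.com ("l" in place of
"i").  The trusted domains, brand words and sample message are constructed."""
import re
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"yourcounty.gov", "google.com", "microsoft.com", "sharepoint.com"}
BRAND_WORDS = {"benefits", "yourcounty", "google", "microsoft", "sharepoint"}
# Wording typical of ClickFix lure pages when it appears in an untrusted URL.
VERIFY_WORDS = re.compile(r"verif|captcha|human", re.IGNORECASE)
URL_PATTERN = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one substitution separates beneflts from benefits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def brand_imitation(host: str):
    """Return (word, brand) when a label of the host is a brand word or one edit away."""
    for word in re.split(r"[.-]", host):
        if len(word) < 5:          # short labels like "gov" or "com" produce false matches
            continue
        for brand in BRAND_WORDS:
            if levenshtein(word, brand) <= 1:
                return word, brand
    return None


def assess_link(url: str) -> tuple:
    """(severity, host, reason) for a single URL; trusted domains are checked first."""
    host = (urlparse(url).hostname or "").lower()
    if is_trusted(host):
        return ("ok", host, "trusted domain")
    hit = brand_imitation(host)
    if hit:
        word, brand = hit
        kind = "exact brand name" if word == brand else f"look-alike '{word}'"
        return ("high", host, f"{kind} of '{brand}' on an untrusted domain")
    if VERIFY_WORDS.search(url):
        return ("medium", host, "untrusted domain with verification wording")
    return ("low", host, "untrusted domain")


def scan_message(text: str) -> list:
    """Assess every URL found in the message body, in order of appearance."""
    return [assess_link(u) for u in URL_PATTERN.findall(text)]


# Constructed message modelled on Scenario 1; the link target is written out.
SAMPLE_MESSAGE = """From: Benefits Administration <noreply@beneflts-admin-portal.com>
Subject: Action Required: Updated W-2 Forms Available

Your updated W-2 tax forms are now available.
View Your Updated W-2 Forms: https://beneflts-admin-portal.com/verify-identity
Questions? See https://mail.yourcounty.gov/login
"""

if __name__ == "__main__":
    for severity, host, reason in scan_message(SAMPLE_MESSAGE):
        print(f"[{severity.upper()}] {host}: {reason}")
```

The check deliberately reports "low" rather than "ok" for a domain it has never seen, because an unknown host such as docs-viewer-secure.net (Scenario 2) is not proven bad by its name alone; the page content, not the URL, carries the ClickFix instructions there. Pair a verdict like this with URL detonation or a web filter, and tune the brand list to the names your own organization is most likely to see imitated.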

Test Your Knowledge

Answer all 8 questions to complete your training. You need at least 6 correct answers (75%) to pass.

1. What is the primary trick behind a ClickFix attack?

A. It exploits a software vulnerability in your browser to install malware automatically
B. It tricks you into manually copying and running a malicious command on your own computer
C. It sends you a malicious email attachment that infects your computer when opened
D. It guesses your password through brute force

2. A website shows a CAPTCHA, and after clicking "I'm not a robot," it tells you to press Win+R, then Ctrl+V, then Enter. What should you do?

A. Follow the instructions—CAPTCHAs sometimes require extra verification steps
B. Try a different browser and come back to the same page
C. Close the tab immediately, clear your clipboard, and report it to IT
D. Restart your computer and try again

3. Why do many security tools fail to detect ClickFix attacks?

A. The malware uses advanced encryption that no tool can break
B. Because the user runs the command themselves, the system sees it as a normal, legitimate action
C. ClickFix only targets computers that don't have antivirus installed
D. Security tools can always detect ClickFix—they just don't block it

4. Which of these is a real CAPTCHA that is safe to interact with?

A. A checkbox that, after clicking, asks you to open Terminal and paste a command
B. A challenge asking you to select all images that contain crosswalks
C. A verification that copies a "security code" to your clipboard for you to paste into the Run dialog
D. A prompt asking you to run PowerShell as administrator to verify your identity

5. You accidentally followed the ClickFix instructions and ran the command. What is the first thing you should do?

A. Shut down your computer immediately to stop the malware
B. Run a virus scan and continue working normally
C. Disconnect from the network immediately and call your IT department
D. Change your password on the same computer and keep working

6. Which types of organizations are being targeted by ClickFix attacks?

A. Only large Fortune 500 companies with valuable trade secrets
B. Only banks and financial institutions
C. Only federal government agencies
D. All organizations including local government, small businesses, healthcare, education, and more

7. Are Mac users safe from ClickFix attacks?

A. Yes—ClickFix only works on Windows computers
B. No—ClickFix has been adapted to target macOS users through Terminal commands
C. Yes—macOS has built-in protection against all social engineering attacks
D. It depends on which version of macOS you are running

8. What is the single most important rule to remember about ClickFix?

A. Always keep your antivirus updated and it will protect you
B. Only visit HTTPS websites to stay safe
C. No legitimate website will ever ask you to open the Run dialog, Terminal, or paste commands into your operating system
D. Avoid clicking any CAPTCHAs on any website

Certificate of Completion

[Interactive certificate issued by Circle 6 Systems for the ClickFix Security Awareness training. It reads: "This certifies that [Your Name] has successfully completed the ClickFix Social Engineering Awareness Training with a score of [score]."]

Quick Reference Card

Save or print this as a desk reference.

THE RULE: No legitimate website will ever ask you to open the Run dialog, Terminal, or Command Prompt and paste something. If one does, it is always an attack.
SPOT IT: Fake CAPTCHAs with "verification steps" involving keyboard shortcuts • Error messages offering "quick fixes" via commands • Software updates requiring pasting into Run/Terminal • Suspicious URLs that don't match the brand shown
DO THIS: STOP → CLOSE the tab → CLEAR your clipboard → REPORT to IT → DOCUMENT with a screenshot if safe to do so
IF COMPROMISED: Disconnect from network immediately → Do NOT shut down → Call IT (don't email) → Change passwords from a different device → Note the exact time
REPORT TO: Your IT department or help desk • Your organization's security team • CISA: report@cisa.gov • FBI IC3: ic3.gov

Developed using threat intelligence from Microsoft, Proofpoint, CIS, Unit 42, and other leading cybersecurity organizations.

Sources: Microsoft Security Blog, Proofpoint, CIS, Unit 42, HHS

© 2026 Circle 6 Systems. All rights reserved.  |  contact@circle6systems.com