Cyber Attacks Evade Security Measures at Alarming Rate


Key Takeaways:

  • ClickFix attacks, which exploit human fallibility to execute cyber attacks, are surging and outpacing phishing and clickjacking attacks.
  • These attacks represent a shift in social engineering, as victims act voluntarily, making them challenging to detect.
  • Financially motivated cyber criminals are using ClickFix attacks to sell compromised endpoints to ransomware gangs.
  • Defending against ClickFix attacks requires a multi-faceted approach, including URL filtering, domain reputation controls, and user awareness.
  • Ransomware attacks are plateauing, but new gangs and collaborations are emerging, making it essential for organizations to stay vigilant.

Introduction to ClickFix Attacks
ClickFix attacks, also known as ClearFake attacks, are a type of cyber attack that bypasses security controls by exploiting human fallibility. These attacks convince victims to manually execute malicious commands using tools like PowerShell or the Windows Run box, often by luring them to compromised websites with fake prompts. This type of attack has been surging in recent months, with a 500% increase in the first six months of 2025, according to NCC Group’s latest monthly threat report. ClickFix attacks are particularly challenging to detect because they do not rely on automated exploits or malicious attachments, but rather on the victim’s voluntary actions.

The Rise of ClickFix Attacks
The rise of ClickFix attacks represents a marked shift in social engineering tactics. Unlike phishing attacks, which deceive victims into submitting credentials, or clickjacking attacks, which trick victims into unknowingly engaging in malicious activity, ClickFix attacks rely on the victim’s voluntary actions. This makes it difficult for traditional detection models to flag these attacks, as the command originates from a trusted user process rather than an untrusted download or exploit chain. As a result, understanding and mitigating ClickFix attacks is crucial to prevent them from bypassing conventional defenses. Financially motivated cyber criminals have been quick to adopt ClickFix attacks, often operating in larger access broker ecosystems to sell compromised endpoints to ransomware gangs.

Targeted ClickFix Operations
The NCC Group’s report details several targeted ClickFix operations, including a campaign that targeted the hospitality sector and duped employees into spreading infostealer malware across multiple hotel chains. This campaign used the PureRAT remote access trojan (RAT) to steal the hotels’ Booking.com credentials and conduct downstream email and WhatsApp phishing attacks against guests. Another campaign, run by the North Korean state threat actor Kimsuky, prompted victims to copy and paste bogus authentication codes into PowerShell after posing as a US national security aide trying to set up meetings on South Korean issues. These examples illustrate the sophistication and diversity of ClickFix attacks, which can be used to achieve a range of malicious goals.

Defending Against ClickFix Attacks
Defending against ClickFix attacks requires a multi-faceted approach. Organizations can reduce their exposure to malicious lures and deceptive landing sites by incorporating tools such as URL filtering, domain reputation controls, web filtering, and sandboxing. Tightening endpoint execution environments is also essential, as is strengthening user awareness and instructing employees to treat any unsolicited copy-paste instruction as an attempted cyber attack. By taking these steps, organizations can reduce their exposure to the growing threat of ClickFix attacks.
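
Because the command comes from a trusted user process, one endpoint-side check is to look at what the user's desktop shell launches. The following is an added example, not taken from the NCC Group report: it triages process-creation events for script interpreters started directly by explorer.exe with command lines a person is unlikely to type by hand. The event field names, the trait list and the sample events are assumptions constructed for illustration.

```python
import re

# Assumption: process-creation events already parsed into dicts; the field
# names (user, parent_image, image, command_line) are hypothetical.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# explorer.exe is the parent of programs a user starts from the Run box.
USER_SHELL_PARENTS = {"explorer.exe"}

# Command-line traits that are unusual for something typed by hand.
TRAITS = {
    "encoded_command": re.compile(r"(?i)\s-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"),
    "hidden_window": re.compile(r"(?i)\s-w(indowstyle)?\s+h(idden)?\b"),
    "network_fetch": re.compile(r"(?i)\b(invoke-webrequest|iwr|invoke-restmethod|irm|curl)\b"),
    "url": re.compile(r"(?i)https?://"),
}

def basename(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def pasted_command_traits(event):
    """Traits seen on an interpreter launched by the user's shell, else []."""
    if basename(event["parent_image"]) not in USER_SHELL_PARENTS:
        return []
    if basename(event["image"]) not in INTERPRETERS:
        return []
    return sorted(n for n, rx in TRAITS.items() if rx.search(event["command_line"]))

def triage(events, min_traits=2):
    """Return (user, traits) for events carrying at least min_traits traits."""
    hits = []
    for event in events:
        traits = pasted_command_traits(event)
        if len(traits) >= min_traits:
            hits.append((event["user"], traits))
    return hits

# Constructed sample events (not real telemetry); the base64 run is filler.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"user": "alice", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"},
    {"user": "bob", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell.exe"},
    {"user": "SYSTEM", "parent_image": r"C:\Windows\System32\services.exe", "image": PS,
     "command_line": "powershell.exe -WindowStyle Hidden -EncodedCommand QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"},
    {"user": "dave", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": 'powershell.exe -Command "Invoke-WebRequest https://intranet.example.invalid/status"'},
]
```

Hits are leads for an analyst rather than verdicts: the last sample event could be a legitimate admin action, which is why the threshold is a parameter.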

Ransomware Trends
The growth in ClickFix attacks has occurred amid a plateauing of general cyber attack volumes, with tracked ransomware hits falling 2% in November, according to NCC Group. The Qilin operation remains the most active gang observed in NCC’s telemetry, accounting for 101 attacks, followed by Cl0p with 98, Akira with 81, and INC Ransom with 49. The DragonForce gang has also emerged as a prominent player, with 19 attacks attributed to it in November. This gang’s reliance on collaboration with highly skilled affiliates, such as Scattered Spider, has enabled it to strengthen its capabilities and become a major player in the cyber criminal ecosystem.

The Evolving Cyber Threat Landscape
The cyber threat landscape is constantly evolving, with new gangs and collaborations emerging all the time. The DragonForce gang’s activity has shown how gangs can maximize their strategies to strengthen their capabilities, but it has also highlighted the competitiveness and ruthlessness of the cyber criminal ecosystem. As the festive period approaches, organizations must remain vigilant and strengthen their security posture to protect themselves against the growing threat of cyber attacks. As Matt Hull, NCC’s global head of threat intel, noted, "Business leaders cannot afford to become complacent. Threat groups are rapidly evolving, sharing tools and techniques, and already exploiting the festive period, when vigilance often drops."
