“carried out through only one PowerShell process. This is because the user is manually opening PowerShell to paste in the attacker-supplied command. Interactive PowerShell produces very little telemetry since this payload is not leveraging other applications to carry out executi…”
T1204.004 Malicious Copy and Paste (96%)
“and IT teams. ClickFix initial compromise Threat actors who utilize ClickFix will stage a malicious website with clipboard functionality to hijack the clipboard of the victim user. Threat actors have also adopted the use of fake Cloudflare interstitials. Over the years, phishkits…”
T1059.001 PowerShell (94%)
“cmd.exe execution. This is followed by a curl.exe process executing to retrieve and execute a secondary payload. Figure 18: ClickFix process chain Additionally, explorer.exe also generates some registry artifacts. Within the RunMRU key, we can see the whole conhost.exe comma…”
T1204.004 Malicious Copy and Paste (93%)
“ClickFix attack: variants, detection & how it works | Huntress Executive summary Since the inception of ClickFix last year, this malicious copy-and-paste technique has become an initial access vector of choice for threat actors looking to exploit the human psyche, evade defe…”
T1204.002 Malicious File (92%)
“crdownload to mimic a failed download in Google Chrome. Next, an iframe is used to trigger a download on the same page, and after a small two-second delay, the “Download interrupted” page is presented. Figure 15: code snippet of DownloadFix simulating a fake download The lur…”
T1204.004 Malicious Copy and Paste (90%)
“variants over time? It’s impossible to detect each new technique, but we can start to think about chokepoints when devising a detection strategy. Chokepoints are derived from military strategy, where you would force an enemy into a narrow passage, where they must travel through…”
T1204.004 Malicious Copy and Paste (88%)
“…x is another iteration of the ClickFix technique. This version also employs the same prompts as both ClickFix and FileFix. The differentiating factor here is that the end user is instructed to open PowerShell, paste their clipboard content, and press Enter. Figure 10: terminal…”
T1204.004 Malicious Copy and Paste (85%)
“browser will then open the operating system's native file navigation application like File Explorer on Windows or Finder on macOS. Figure 6: code snippet: sample in the wild FileFix HTML element to upload a file The HTML code to copy a command to the affected user’s clipboa…”
T1204.004 Malicious Copy and Paste (84%)
“…ppet of in the wild ClickFix JavaScript clipboard manipulation Follow-on execution The initial command is Base64 encoded. Once decoded, the following headless conhost.exe command is executed. Figure 4: code snippet of deobfuscated ClickFix JavaScript clipboard command to pu…”
T1204.004 Malicious Copy and Paste (71%)
“the malicious commands from the previous examples we’ve already discussed. ClickFix attack variants: prerequisites and host artifacts Now that we know how each variation works, we can start to identify what is needed in order for each to be successful. Looking over each techni…”
T1566.002 Spearphishing Link (66%)
“. As we move right across the table, we can start to get more specific and start to apply a few chokepoints to alert on several iterations of the same technique over time. This enables defenders to create several types of rules that can be suited for researchers, threat hunters, …”
T1204.004 Malicious Copy and Paste (61%)
“cmd.exe execution. This is followed by a curl.exe process executing to retrieve and execute a secondary payload. Figure 18: ClickFix process chain Additionally, explorer.exe also generates some registry artifacts. Within the RunMRU key, we can see the whole conhost.exe comma…”
T1204.002 Malicious File (55%)
“be given a different command to execute. The following function tries to detect what OS the user visiting the webpage is using with the navigator interface via the platform and user agent properties. Figure 12: code snippet: in the wild TerminalFix OS detection Figure 13: code…”
T1204 User Execution (54%)
“the malicious commands from the previous examples we’ve already discussed. ClickFix attack variants: prerequisites and host artifacts Now that we know how each variation works, we can start to identify what is needed in order for each to be successful. Looking over each techni…”
T1204.001 Malicious Link (49%)
“ClickFix attack: variants, detection & how it works | Huntress Executive summary Since the inception of ClickFix last year, this malicious copy-and-paste technique has become an initial access vector of choice for threat actors looking to exploit the human psyche, evade defe…”
T1566.001 Spearphishing Attachment (47%)
“to figure out a starting point to detect new TTPs when they’re reported. This technical analysis reveals that effective detection requires monitoring legitimate system tools being weaponized through user interaction, making behavioral analytics and process relationship monitori…”
T1204.002 Malicious File (38%)
“stream data, we can see this file came from zone 3, which indicates this file is from the internet (127.0.0.1 address is shown since the testing was done locally). In addition to the ReferrerUrl, we are also provided the contents of the file. Figure 24: DownloadFix file eve…”
Summary
Learn how ClickFix techniques like FileFix, TerminalFix, and DownloadFix trick users into compromising. Then, learn proven detection methods using chokepoint strategies and behavioral analytics.