Preventing the ClickFix Attack Vector

In this article, we share hunting tips and mitigation strategies for ClickFix campaigns and provide an inside view of some of the most prominent ClickFix campaigns we have seen so far in 2025:

• Attackers distributing NetSupport remote access Trojan (RAT) are ramping up activities with a new loader
• Attackers distributing Latrodectus malware are luring victims with a new ClickFix campaign
• Prolific Lumma Stealer campaign targeting multiple industries with new techniques

ClickFix is an increasingly popular technique that threat actors use in social engineering lures. This technique tricks potential victims into executing malicious commands, under the pretense of conducting “quick fixes” for common computer issues.

These campaigns use the reputations of legitimate products and services to hide their activities in a way that makes them more difficult to spot. This does not imply that the author of the executable file is at fault or liable for the outcome caused by the malware.

ClickFix campaigns have impacted organizations in a wide variety of industries, including:

• High technology
• Financial services
• Manufacturing
• Wholesale and retail
• State and local government
• Professional and legal services
• Utilities and energy

Unit 42 has recently assisted in almost a dozen incident response cases in which a ClickFix lure was the initial access vector.

An effective ClickFix lure could enable threat actors to perform a complete takeover of the targeted organization. These lures can be fairly simple for threat actors to prepare, leaving organizations susceptible to credential gathering, mail theft and even ransomware incidents.

We identified two variations of this technique:

• Instructing a target to run malicious commands in the Run window by pressing Windows Key + R (Win+R)
• Instructing a potential victim to run malicious commands in a terminal window by pressing Windows Key + X (Win+X)

Palo Alto Networks customers are better protected from the threats described here through the following products and services:

Before we examine the ClickFix technique, we must better understand what ClickFix is and how prevalent it has become in recent months.

ClickFix is a relatively new social engineering technique that threat actors increasingly use in attack campaigns. This technique misleads targeted users into applying “quick fixes” to common computer issues, such as performance issues, missing drivers or pop-up errors. In recent months, many of the lures using the ClickFix technique have been fake verification pages asking victims to complete an action before supposedly continuing to the viewer’s intended destination.

Threat actors often deliver these lures through:

• Legitimate but compromised websites
• Malvertising
• YouTube tutorials
• Fake tech support forums

We have been closely monitoring ClickFix lures in recent months and have found scores of variants that deliver multiple malware families. Figure 1 shows the distribution of cases per week.

Our researchers also noted the impact of ClickFix across a wide variety of business sectors, as shown in Figure 2.

Three of the most prominent campaigns we have observed so far in 2025 show how threat actors have integrated ClickFix into the attack flow of various malware families.

During ClickFix-related activity hunting, we identified one particularly prolific campaign that was active in May 2025. In this campaign, attackers using NetSupport RAT impacted various industries, including:

• Healthcare
• Legal services
• Telecommunications
• Retail
• Mining

This ClickFix campaign distributing NetSupport RATs leverages distribution domains that masquerade as legitimate and popular services:

• DocuSign: A digital platform for signing, sending and managing documents electronically.
• Okta: A platform that helps companies manage and secure user access to applications and systems. It provides single sign-on (SSO), multifactor authentication and identity management services.

Threat actors often abuse, take advantage of or subvert legitimate products for malicious purposes. This does not imply that the legitimate product is flawed or malicious.

Figures 3 and 4 show the fake DocuSign and Okta landing pages:

During March-April 2025, we noticed an increasing amount of traffic to Latrodectus-controlled domains. We also saw a shift in infection strategy, as attackers distributing Latrodectus started to use the ClickFix technique in their initial access vectors.

This Latrodectus attack chain begins when a person visits a legitimate, but compromised website. Then, ClearFake infrastructure redirects the site visitor to a fake verification page. This page presents a prompt instructing the viewer to run a command via the Run dialog, while the malicious JavaScript backend injects a PowerShell command into the endpoint’s clipboard.

Figure 8 below shows the lure and the subsequent redirection chain from the compromised site.

When victims paste and execute the injected command, they do not see the command itself. What they do see is the final comment at the end of the script (Cloud Identificator: 2031), which looks like part of a normal authentication process. However, upon execution, the script uses curl.exe to download a JavaScript file from a command-and-control (C2) server. It then executes the file via Cscript, as Figure 9 shows.

Since its emergence in mid-2024, attackers have frequently delivered Latrodectus through a chain that includes a malicious JavaScript file downloading a Microsoft Software Installer (MSI) file that drops Latrodectus. In this case, the executed JavaScript file (la.txt) retrieves an MSI file from a remote server and runs it using msiexec.exe.

Unlike earlier campaigns where the JavaScript downloader was typically bloated and obfuscated with nonsensical comments, this variant employs large junk JSON variables that have seemingly legitimate names, such as var_Apple_Palantir38 and func_Slack_encryption84. Figure 10 shows a comparison of the obfuscation techniques used in past and recent Latrodectus campaigns.

ClickFix attacks often leave easily detectable traces, especially when the people who view these lures are unfamiliar with opening administrative interfaces, making them more likely to paste a malicious command string into a Run window.

Windows maintains a registry key that stores the most recently executed commands from the Run window (Win + R), called RunMRU:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

This registry key saves any commands that are executed from the Run window, enabling analysts to parse these entries to look for signs of suspicious usage.

Some key indicators for suspicious RunMRU contents could be:

• Obfuscated content
• Keywords related to the download and execution of payloads from unknown or suspicious domains
• Keywords indicating calls to administrative interfaces

These entries indicate that someone might have manually triggered such commands, which is consistent with a ClickFix infection flow.

The ClickFix technique is a growing threat, with dynamically shifting approaches in its implementation. Threat actors leverage ClickFix in attacks against organizations, exploiting human error for propagation and persistence.

This article explored three prominent ClickFix campaigns — NetSupport RAT, Latrodectus and Lumma Stealer — all of which are constantly adapting and incorporating new techniques.

Practical methodologies for hunting and detecting ClickFix lures include investigating EDR telemetry or Windows Event Logs for suspicious events, activities and patterns.

Proactively addressing this evolving threat is vital to the ongoing security of organizations. To this end, efforts should be made to increase awareness by educating personnel to be wary of ClickFix lures. This should be done while also setting up defense and monitoring measures based on our hunting suggestions.

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

SHA256 Hashes From Lumma Stealer Example

• Filename PartyContinued.exe: 2bc23b53bb76e59d84b0175e8cba68695a21ed74be9327f0b6ba37edc2daaeef
• Filename Boat.pst (a CAB file): 06efe89da25a627493ef383f1be58c95c3c89a20ebb4af4696d82e729c75d1a7

Domains From Lumma Stealer Example

• iplogger[.]co
• stuffgull[.]top
• sumeriavgv[.]digital
• pub-164d8d82c41c4e1b871bc21802a18154.r2[.]dev
• pub-626890a630d8418ea6c2ef0fa17f02ef.r2[.]dev
• pub-164d8d82c41c4e1b871bc21802a18154.r2[.]dev
• pub-a5a2932dc7f143499b865f8580102688.r2[.]dev
• pub-7efc089d5da740a994d1472af48fc689.r2[.]dev
• agroeconb[.]live
• animatcxju[.]live

SHA256 Hashes From Latrodectus Example

• Filename libecf.dll: 5809c889e7507d357e64ea15c7d7b22005dbf246aefdd3329d4a5c58d482e7e1
• PowerShell Downloader: 52e6e819720fede0d12dcc5430ff15f70b5656cbd3d5d251abfc2dcd22783293
• JavaScript Downloader: 57e75c98b22d1453da5b2642c8daf6c363c60552e77a52ad154c200187d20b9a
• JavaScript Downloader: 33a0cf0a0105d8b65cf62f31ec0a6dcd48e781d1fece35b963c6267ab2875559

C2 URLs From Latrodectus Example

• hxxps[:]//webbs[.]live/on/
• hxxps[:]//diab[.]live/up/
• hxxps[:]//mhbr[.]live/do/
• hxxps[:]//decr[.]live/j/
• hxxps[:]//lexip[.]live/n/
• hxxps[:]//rimz[.]live/u/
• hxxps[:]//byjs[.]live/v/
• hxxps[:]//btco[.]live/r/
• hxxps[:]//izan[.]live/r/
• hxxps[:]//k.veuwb[.]live/234
• hxxps[:]//r.netluc[.]live
• heyues[.]live
• hxxps[:]//k.mailam[.]live/234234

SHA256 Hashes From NetSupport RAT Example

• Filename data_3.bin (XOR encrypted stager): 5C762FF1F604E92ECD9FD1DC5D1CB24B3AF4B4E0D25DE462C78F7AC0F897FC2D
• Filename data_4.bin (XOR encrypted shellcode): 9DCA5241822A0E954484D6C303475F94978B6EF0A016CBAE1FBA29D0AED86288
• Filename msvcp140.dll (loader): CBAF513E7FD4322B14ADCC34B34D793D79076AD310925981548E8D3CFF886527
• NetSupport Loader Mutex:
  nx0kFgSPY8SDVhOMjmNgW
• libsqlite3-0.dll: 506ab08d0a71610793ae2a5c4c26b1eb35fd9e3c8749cd63877b03c205feb48a
• File location C:\ProgramData\SecurityCheck_v1\client32.exe: 3ACC40334EF86FD0422FB386CA4FB8836C4FA0E722A5FCFA0086B9182127C1D7

Domains for the Loader From the NetSupport RAT Example

• oktacheck.it[.]com
• doccsign.it[.]com
• docusign.sa[.]com
• dosign.it[.]com
• loyalcompany[.]net
• leocompany[.]org
• 80.77.23[.]48
• mhousecreative[.]com

C2 Domains From the NetSupport RAT Example

• mh-sns[.]com
• lasix20[.]com