Skip to main content

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
  1. Home
  2. Alerts & Advisories
  3. Alerts
  4. Ongoing ClickFix Campaign
Alerts

Ongoing ClickFix Campaign

10 July 2025

There have been reports of threat actors using a social engineering technique known as ClickFix to trick potential victims into executing malicious commands.

Background

There have been reports of threat actors using a social engineering technique known as ClickFix to trick potential victims into executing malicious commands under the pretense of providing “quick fixes” for common computer issues. ClickFix has reportedly targeted organisations across a broad range of sectors, including the technology, financial services, manufacturing, wholesale and retail, government, professional and legal services, utilities and energy.

What is ClickFix?

ClickFix is a relatively new social engineering technique increasingly used by threat actors in their campaign. This technique misleads targeted users into applying supposed “quick fixes” for common computer issues, such as performance issues, missing drivers or pop-up errors. Since it's initial reports in 2024, ClickFix has resulted in multiple malware distribution campaigns involving compromised websites, malicious distribution infrastructure and e-mail phishing.

Tactics, Techniques and Procedures (TTPs)

The ClickFix technique relies on clipboard hijacking, where malicious software secretly intercepts and modifies information that victims copy and paste on their devices. It typically uses dialogue boxes containing fake error messages to trick victims into copying malicious script or commands on their own clipboards using ClickFix inject before providing instructions to paste and run the malicious content. In recent months, threat actors have also been observed to use fake verification pages requesting victims to complete an action before redirecting them to their intended webpage. An example of a ClickFix campaign pop-up message is shown in Annex A.

The victims typically follow a three-step process that enables the execution of malicious PowerShell commands:

  1. Open a Windows Run dialog box

  1. Automatically or manually copy and paste a malicious PowerShell command into the terminal [press 'CTRL+V'] 

  1. And run the prompt [press ‘Enter’] 

Because the ClickFix technique relies on users pasting the content, this is sometimes referred to as “pastejacking.” Threat actors often use the ClickFix technique as an initial infection vector to deploy malicious payloads such as infostealers, remote access trojans (RATs) or disable existing security tools. 

This delivery method bypasses many standard detection and prevention controls, as the attack does not depend on any exploit, attachment or malicious link. Instead, potential victims unknowingly run the malicious command themselves, through a trusted system shell. This method makes infections from ClickFix more difficult to detect than drive-by downloads or traditional malware droppers.

Impact

Successful execution of the ClickFix technique can lead to the deployment of various malware families, including the NetSupport RAT, Latrodectus, and Lumma Stealer, resulting in credential theft, data exfiltration, email account compromise, and potential ransomware incidents. Threat actors can utilise their access to compromised systems to perform privilege escalation and move laterally across other systems within the network.

How to Protect Your Organisations

Organisations are advised to adopt the following mitigation measures to safeguard against the ClickFix Campaign:

  • Remain vigilant against fake “CAPTCHA” or “Fix It” prompts and recognise the tell-tale signs (e.g. unexpected run-dialog instructions) of the ClickFix campaign.

  • Update your systems, applications and software to the latest versions and use an up-to-date anti-virus software to detect malware and malicious phishing links. 

  • Implement Security Information and Event Management (SIEM) solutions to perform logging, asset visibility, and continuous system monitoring to detect anomalous network connections and malicious PowerShell commands.

  • Enforce strict access control policies, ensuring users and systems only have the minimum permissions necessary. This limits the impact of a successful compromise by preventing privilege escalation and lateral movement.

  • Implement application whitelisting to allow only approved software and scripts to execute, effectively blocking unknown executables and malicious PowerShell scripts typically used in ClickFix campaigns.

Administrators may wish to consider tracking and blocking the Indicators of Compromise (IOCs) associated with the ClickFix campaign. Possible IOCs associated with the ClickFix campaign are shown in the table below:

Indicators of Compromise (SHA256)

Malware Variant

SHA256

File Name

Lumma Stealer

2bc23b53bb76e59d84b0175e8cba68695a21ed74be9327f0b6ba37edc2daaeef

PartyContinued.exe

Lumma Stealer

06efe89da25a627493ef383f1be58c95c3c89a20ebb4af4696d82e729c75d1a7

Boat.pst

Latrodectus

5809c889e7507d357e64ea15c7d7b22005dbf246aefdd3329d4a5c58d482e7e1

libecf.dll


Latrodectus

52e6e819720fede0d12dcc5430ff15f70b5656cbd3d5d251abfc2dcd22783293

PowerShell Downloader

Latrodectus

57e75c98b22d1453da5b2642c8daf6c363c60552e77a52ad154c200187d20b9a

JavaScript Downloader

Latrodectus

33a0cf0a0105d8b65cf62f31ec0a6dcd48e781d1fece35b963c6267ab2875559

JavaScript Downloader

NetSupport RAT

5C762FF1F604E92ECD9FD1DC5D1CB24B3AF4B4E0D25DE462C78F7AC0F897FC2D

data_3.bin

NetSupport RAT

9DCA5241822A0E954484D6C303475F94978B6EF0A016CBAE1FBA29D0AED86288

data_4.bin

NetSupport RAT

CBAF513E7FD4322B14ADCC34B34D793D79076AD310925981548E8D3CFF886527

msvcp140.dll

NetSupport RAT

506ab08d0a71610793ae2a5c4c26b1eb35fd9e3c8749cd63877b03c205feb48a

libsqlite3-0.dll

Indicators of Compromise (C2)

Malware Variant

C2 Domains

Lumma Stealer

iplogger[.]co

Lumma Stealer

stuffgull[.]top

Lumma Stealer

sumeriavgv[.]digital

Lumma Stealer

pub-164d8d82c41c4e1b871bc21802a18154.r2[.]dev

Lumma Stealer

pub-626890a630d8418ea6c2ef0fa17f02ef.r2[.]dev

Lumma Stealer

pub-164d8d82c41c4e1b871bc21802a18154.r2[.]dev

Lumma Stealer

pub-a5a2932dc7f143499b865f8580102688.r2[.]dev

Lumma Stealer

pub-7efc089d5da740a994d1472af48fc689.r2[.]dev

Lumma Stealer

agroeconb[.]live

Lumma Stealer

animatcxju[.]live

Latrodectus

hxxps[:]//webbs[.]live/on/

Latrodectus

hxxps[:]//diab[.]live/up/

Latrodectus

hxxps[:]//mhbr[.]live/do/

Latrodectus

hxxps[:]//decr[.]live/j/

Latrodectus

hxxps[:]//lexip[.]live/n/

Latrodectus

hxxps[:]//rimz[.]live/u/

Latrodectus

hxxps[:]//byjs[.]live/v/

Latrodectus

hxxps[:]//btco[.]live/r/

Latrodectus

hxxps[:]//izan[.]live/r/

Latrodectus

hxxps[:]//k.veuwb[.]live/234

Latrodectus

hxxps[:]//r.netluc[.]live

Latrodectus

heyues[.]live

Latrodectus

hxxps[:]//k.mailam[.]live/234234

NetSupport RAT (Loader)

oktacheck[.]it[.]com

NetSupport RAT (Loader)

doccsign[.]it[.]com

NetSupport RAT (Loader)

docusign[.]sa[.]com

NetSupport RAT (Loader)

dosign[.]it[.]com

NetSupport RAT (Loader)

loyalcompany[.]net

NetSupport RAT (Loader)

leocompany[.]org

NetSupport RAT (Loader)

80.77.23[.]48

NetSupport RAT (Loader)

mhousecreative[.]com

NetSupport RAT

mh-sns[.]com

NetSupport RAT

lasix20[.]com

Annex A: Example of a ClickFix Campaign Pop-up Message

Annex A: Example of a ClickFix Campaign Pop-up Message

More information is available here:

https://www.proofpoint.com/uk/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape

https://www.logpoint.com/en/blog/emerging-threats/clickfix-another-deceptive-social-engineering-technique/

https://www.kaspersky.com/blog/what-is-clickfix/53348/

Back to top