RL Blog

Topics

All Blog PostsAppSec & Supply Chain SecurityDev & DevSecOpsProducts & TechnologySecurity OperationsThreat Research
Why RL Built Spectra Assure Community

Why RL Built Spectra Assure Community

We set out to help dev and AppSec teams secure the village: OSS dependencies, malware, more. Learn how.

Read More about Why RL Built Spectra Assure Community
Why RL Built Spectra Assure Community

Follow us

XX / TwitterLinkedInLinkedInFacebookFacebookInstagramInstagramYouTubeYouTubeblueskyBluesky

Subscribe

Get the best of RL Blog delivered to your in-box weekly. Stay up to date on key trends, analysis and best practices across threat intelligence and software supply chain security.

The inaugural Gartner® Magic Quadrant™ for Software Supply Chain Security is outGET THE REPORT
Skip to main content
Contact UsSupportBlogCommunity
reversinglabsReversingLabs: Home
Solutions
Secure Software OnboardingSecure Build & ReleaseProtect Virtual MachinesIntegrate Safe Open SourceGo Beyond the SBOM
Increase Email Threat ResilienceDetect Malware in File Shares & StorageAdvanced Malware Analysis SuiteICAP Enabled Solutions
Scalable File AnalysisHigh-Fidelity Threat IntelligenceCurated Ransomware FeedAutomate Malware Analysis Workflows
Products & Technology
Spectra Assure®Software Supply Chain SecuritySpectra DetectHigh-Speed, High-Volume, Large File AnalysisSpectra AnalyzeIn-Depth Malware Analysis & Hunting for the SOCSpectra IntelligenceAuthoritative Reputation Data & Intelligence
Spectra CoreIntegrations
Industry
Energy & UtilitiesFinanceHealthcareHigh TechPublic Sector
Partners
Become a PartnerValue-Added PartnersTechnology PartnersMarketplacesOEM Partners
Alliances
Resources
BlogContent LibraryCybersecurity GlossaryConversingLabs PodcastEvents & WebinarsLearning with ReversingLabsWeekly Insights Newsletter
Customer StoriesDemo VideosDocumentationOpenSource YARA Rules
Company
About UsLeadershipCareersSeries B Investment
EventsBlack Hat 2026
Press ReleasesIn the News
Pricing
Software Supply Chain SecurityMalware Analysis and Threat Hunting
Request a demo
Menu
Security OperationsJuly 14, 2026

The tale of ClickFix: 5 takeaways from RL’s new threat report

New RL research explains why ClickFix attacks are multiplying — and why reliable detection requires going beyond AV and EDR.

paul roberts headshot black and white
Paul Roberts, Director of Content and Editorial at RLPaul Roberts
FacebookFacebookXX / TwitterLinkedInLinkedInblueskyBlueskyEmail Us
The tale of ClickFix: 5 takeaways from RL’s new threat report

Somewhere between a fake CAPTCHA page and an open Run dialog, the security model at most organizations breaks down. That is the uncomfortable conclusion of ReversingLabs' new threat research report, "Copy, Paste, Compromise: The Tale of ClickFix," by RL researcher Toni Dujmović and the RL Threat Intelligence Research team.

ClickFix, a social engineering technique first identified in 2023, is one of the most widely deployed attack methodologies in the current threat landscape — precisely because to most threat detection tools, it does not look like an attack. That’s because ClickFix campaigns get the victim — trusted employees — to do the dirty work: pasting a command already loaded to their clipboard into Run dialogues and terminals, and then pressing Enter allowing a payload to run  in memory. No exploit. No zero day. No files written to disk in a form that triggers signatures. Just a confused and trusting user trying to stay productive.

RL’s report unpacks the ClickFix attack chain, explores its reliance on Malware-as-a-Service (MaaS) infrastructure; and examines a live watering-hole campaign - and the open-source YARA rule RL built to detect it.

What is the message for IT and security teams? Here are the five findings that matter most.

[ Download the report: Copy, Paste, Compromise: The Tale of ClickFix ]

1. Traditional defenses are blind to ClickFix — by design

ClickFix is engineered to bypass both antivirus and EDR protections. Execution runs through legitimate user actions and trusted system utilities — PowerShell, mshta.exe, curl, wscript.exe — the "living off the land" binaries (LOLBins) that endpoint tools are programmed to trust. From the standpoint of an endpoint detection and response (EDR) client, a user launching PowerShell is legitimate - no matter whether they are running an IT maintenance script or a Lumma Stealer dropper.

ClickFix campaigns compound the problem by rotating infrastructure aggressively. By the time hash- or domain-based detections are deployed, the campaign has moved on: utilizing new and previously unknown command and control (C2) infrastructure, malware and so on. Some campaigns go further, using Ethereum smart contracts as command-and-control infrastructure that is not detectable by AV and EDR solutions and  immune to domain takedowns. The result: few of the malware signals traditional defenses are calibrated to detect are associated with ClickFix campaigns, creating a structural gap that cannot be closed.

2. A thriving MaaS economy sells ClickFix by subscription

Another factor driving the spread of ClickFix is the growing availability of malware-as-a-service (MaaS) platforms for managing malicious campaigns. According to the report, complete ClickFix attack kits are for sale on underground forums for $250 per month to $1,800 for a lifetime license — with software updates and a wide variety of lures included. AV-bypass capability is advertised as a feature, not a side effect, and an affiliate program widens distribution further.

The consequence is commoditization. Campaigns can now be launched -at scale -by threat actors with no meaningful malware development capability, and campaign volume is accelerating with no corresponding increase in attacker skill. The barrier to participation is a credit card or crypto wallet.

3. The payload catalog is expanding beyond infostealers

A key conclusion of the report is that the list of malicious applications linked to ClickFix campaigns is growing rapidly. Lumma Stealer remains the most prolific ClickFix payload, but the threat is diversifying fast. Remote access Trojans — DarkGate, XWorm, AsyncRAT, NetSupport, and SectopRAT — are now regularly delivered via ClickFix, enabling hands-on-keyboard post-exploitation: lateral movement, persistence, and data exfiltration. Multi-stage loaders such as GHOSTPULSE and rootkits including a modified r77 add further severity.

That shift matters for triage. A ClickFix detection is no longer just a credential-theft event; it is potentially the first stage of a full network compromise.

4. The technique is evolving

The RL report makes clear that ClickFix is not a static threat for organizations. Instead, it is rapidly evolving amidst an active development cycle. In January 2026, for example, a ClickFix variant dubbed “CrashFix” emerged. It deliberately crashes the victim's browser before presenting a social engineering lure to "restore" it. Researchers have documented a growing family of Fix-type tradecraft: FileFix (abusing Windows File Explorer), PromptFix (targeting AI tooling), and ConsentFix (abusing OAuth authentication flows).

Any detection strategy pinned to today's lure text or infrastructure will age out quickly and become irrelevant. Defenses need to target what stays stable across variants.

5. Attackers profile victims before they ever see a lure

ClickFix campaigns run reconnaissance at scale. Operators profile potential victims using real-time dashboards powered by free web analytics tools such as Yandex Metrica, assign unique UUIDs on first site visit, and query blockchain smart contracts to identify already compromised visitors and avoid re-attacking them. The profiling keeps campaign visibility low while maximizing return per target. It also means the lure an analyst fetches for inspection may not be the lure the victim saw.

RL's report deconstructs one such campaign: a compromised university website used as a watering hole to target students. That analysis uncovered multiple threats including the convincing lure used to draw in students (a fake CAPTCHA page); an anti-analysis gate; and the zuhe.dll RAT used to check for 14 known sandbox environments before executing.

What caught ClickFix when signatures couldn't

Signature-based detection failed here for a structural reason: every ClickFix component classifies as normal on its own. A CAPTCHA page, a clipboard-writing JavaScript function, a PowerShell invocation — each is unremarkable when looked at in isolation. What caught the lures was conducting a structural analysis of the lure page itself — the HTML and JavaScript scaffolding — before any payload ran. 

RL's multi-condition YARA rule triggers only when fake verification characteristics, PowerShell payload indicators, and active clipboard manipulation appear together. No single string fires it. That approach is only possible when you can validate a rule against goodware at scale. That’s why RL's curated, non-crowdsourced repository of more than 422 billion samples is critical. It enabled our researchers to separate 123 confirmed lures — every one of which evaded every AV engine — from millions of legitimate pages, without drowning analysts in false positives. Of 4,062 total rule matches, those 123 confirmed lures included samples first observed within 48 hours of analysis: active-campaign coverage, not historical artifact detection.

The YARA rule in this report is open source. Spectra Analyze is where it goes to work. Deploy it against your existing file collections to retro-hunt lures already present, validate custom variants as the Fix-family evolves, and pivot from a match to full deconstruction in the same workbench.

Keep learning

  • Learn how Gartner® named RL a supply chain security 'visionary.' Download: Gartner® Magic Quadrant™ for Software Supply Chain Security.
  • Get key insights into why Gartner® identified binary analysis as a must-have control in its recent CISO Playbook for Commercial Software Supply Chain Security.
  • Get up to speed on the Agentic Development Security tools landscape in this webinar with Forrester Sr. Analyst Janet Worthington.
  • Take a deep dive on the state of software security with RL's Software Supply Chain Security Report 2026. Plus: See the the webinar discussing the findings.

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

Plus: Join the free Spectra Assure Community today to get hands-on with RL's binary analysis-based software supply chain security platform.

Tags:Security Operations

More Blog Posts

AI secops burnout

AI use in cybersecurity is on the rise — and so is burnout

The Life and Times of Cybersecurity Professionals study highlights a trend that has accelerated as cyber has become more complex.

Learn More about AI use in cybersecurity is on the rise — and so is burnout
AI use in cybersecurity is on the rise — and so is burnout
AI vs AI robots

Can AI beat AI? 3 challenges with VulnOps adoption

SecOps leaders must tackle cost and risk to deliver autonomous vulnerability operations. But with frontier AI, it's critical.

Learn More about Can AI beat AI? 3 challenges with VulnOps adoption
Can AI beat AI? 3 challenges with VulnOps adoption
SecOps and AI

Working with agentic AI: A SecOps survival guide

Agentic AI will disrupt how SOC teams are built — and the way CISOs hire. Here’s how to embrace AI.

Learn More about Working with agentic AI: A SecOps survival guide
Working with agentic AI: A SecOps survival guide
Post-quantum security

Crypto group ushers in post-quantum security

Here’s a look at the Ethereum Foundation’s new PQC security effort — and why you need to modernize your SecOps.

Learn More about Crypto group ushers in post-quantum security
Crypto group ushers in post-quantum security

Spectra Assure Free Trial

Get your 14-day free trial of Spectra Assure for Software Supply Chain Security

Get Free TrialMore about Spectra Assure Free Trial
Blog
Events
About Us
Webinars
In the News
Careers
Demo Videos
Cybersecurity Glossary
Contact Us
reversinglabsReversingLabs: Home
Privacy PolicyCookiesImpressum
All rights reserved ReversingLabs © 2026
XX / TwitterLinkedInLinkedInFacebookFacebookInstagramInstagramYouTubeYouTubeblueskyBlueskyRSSRSS
Back to Top