Spectra Assure Free Trial
Get your 14-day free trial of Spectra Assure for Software Supply Chain Security
Get Free TrialMore about Spectra Assure Free TrialReversingLabs' new threat intelligence report details the Malware-as-a-Service economy fueling ClickFix Campaigns and Introduces a YARA Rule to detect threats
Cambridge, MA—July 14, 2026—ReversingLabs (RL), the trusted name in file and software security, today published new threat intelligence research on ClickFix, a fast-growing social engineering technique that tricks users into infecting their own computers.
The research is detailed in a new report, “Copy, Paste, Compromise: The Tale of ClickFix” by RL researcher Toni Dujmović and the RL threat intelligence team.
ClickFix succeeds by convincing victims to copy a malicious command and paste it into the Windows Run dialog or macOS Terminal. That triggers a malware payload that doesn't require a file download or a software vulnerability to execute. Victims are lured by pages that mimic familiar prompts like CAPTCHA checks and browser update notices. Because the resulting commands run through legitimate tools like PowerShell, the activity looks identical to normal computer use. This is precisely why ClickFix evades traditional antivirus and EDR tools, and different detection approaches are needed.
Based on an analysis of more than 4,000 ClickFix samples identified from RL’s industry-leading repository of more than 422 billion samples, RL researcher Toni Dujmović found that the thriving Malware-as-a-Service economy is fueling ClickFix's success, with complete attack kits now being sold on underground forums, ranging from $250 per month options to $1,800 lifetime licenses.
Lumma Stealer remains the most common payload delivered through ClickFix. However, RL researchers observed remote access Trojans including DarkGate, XWorm and SectopRAT that are increasingly used to gain hands-on-keyboard access to compromised systems. The report also tracks the emergence of new ClickFix variants, including CrashFix and ConsentFix, each targeting a different part of the user's workflow.
“ClickFix works because rather than attacking a piece of software, it attacks the user’s trust in what looks like a normal security check,” said Mario Vuksan, CEO and founder of ReversingLabs. “That's exactly why traditional antivirus and EDR tools struggle with it. Our research shows that structural detection, not signature matching, holds the key to detecting this threat, and we're releasing that capability as an open-source YARA rule so security teams can put it to use immediately.”
To empower organizations to reliably detect ClickFix campaigns,, RL built a YARA rule that identifies structural characteristics shared by ClickFix lure pages. These include fake verification prompts, PowerShell payload indicators, and clipboard-manipulation code, regardless of which payload or infrastructure a given campaign uses.
After running the rule against its collection of 4,000 ClickFix samples, RL flagged 123 confirmed ClickFix lures that had evaded every antivirus engine checking them, including samples first seen within 48 hours of analysis.
What caught the threat was a YARA rule designed to perform a structural analysis of the lure page itself, including the HTML and JavaScript scaffolding, before any payload ever runs, since each component of a ClickFix attack looks normal on its own.
That kind of detection is only possible when a rule can be validated against goodware at scale. RL built and validated the rule in Spectra Analyze against its curated, non-crowdsourced repository of more than 422 billion samples, allowing it to separate those lures from millions of legitimate pages without drowning analysts in false positives. The rule ships open source, and security teams can deploy it in Spectra Analyze today to retro-hunt for ClickFix lures already sitting in their environment, validate new variants as the Fix-family evolves, and pivot from a match to full deconstruction in the same workbench. The open-source YARA rule is available at https://github.com/reversinglabs/reversinglabs-yara-hunting-rules
The report also walks through a real-world ClickFix case, where RL researchers were alerted to a fake CAPTCHA page appearing on a university’s student association website. Investigation of the compromised site revealed a multi-stage attack that used Ethereum smart contracts to host and distribute malware, tracked victims through a real-time analytics dashboard, and ultimately delivered a fully custom remote access Trojan built with three separate layers of obfuscation.
In addition, the report includes hardening guidance for security teams, including PowerShell Constrained Language Mode, script block logging, application control policies, and clipboard monitoring, along with detection and monitoring recommendations for identifying ClickFix activity that hardening alone does not stop.
The full report, “Copy, Paste, Compromise: The Tale of ClickFix,” is available now at www.reversinglabs.com/clickfix.
ReversingLabs is the trusted name in file and software security. We provide a modern cybersecurity platform to verify and deliver safe binaries. Trusted by the Fortune 500 and leading cybersecurity vendors, RL Spectra Core powers the software supply chain and file security insights, tracking over 422 billion searchable files with the ability to deconstruct full software binaries in seconds to minutes. Only ReversingLabs provides that final exam to determine whether a single file or full software binary presents a risk to your organization and your customers.