Report: Accelerating ClickFix Attacks Evade Antivirus and EDR Defenses

ReversingLabs' new threat intelligence report details the Malware-as-a-Service economy fueling ClickFix Campaigns and Introduces a YARA Rule to detect threats

Cambridge, MA—July 14, 2026—ReversingLabs (RL), the trusted name in file and software security, today published new threat intelligence research on ClickFix, a fast-growing social engineering technique that tricks users into infecting their own computers. 

The research is detailed in a new report, “Copy, Paste, Compromise: The Tale of ClickFix” by RL researcher Toni Dujmović and the RL threat intelligence team.

Key Highlights:

  • ClickFix exploits a blind spot in AV and EDR by running through legitimate tools like PowerShell, making it look like normal computer use.
  • Signature-based detection fails because each piece of a ClickFix attack looks normal alone.
  • RL validated its open-source YARA rule against a 422-billion-sample repository in Spectra Analyze, flagging 123 confirmed ClickFix lures that evaded every antivirus engine.  The open-source YARA rule is available now.

ClickFix succeeds by convincing victims to copy a malicious command and paste it into the Windows Run dialog or macOS Terminal. That triggers a malware payload that doesn't require a file download or a software vulnerability to execute. Victims are lured by pages that mimic familiar prompts like CAPTCHA checks and browser update notices. Because the resulting commands run through legitimate tools like PowerShell, the activity looks identical to normal computer use. This is precisely why ClickFix evades traditional antivirus and EDR tools, and different detection approaches are needed.

Malware-as-a-Service (MaaS) driving ClickFix campaigns 

Based on an analysis of more than 4,000 ClickFix samples identified from RL’s industry-leading repository of more than 422 billion samples, RL researcher Toni Dujmović found that the thriving Malware-as-a-Service economy is fueling ClickFix's success, with complete attack kits now being sold on underground forums, ranging from $250 per month options to $1,800 lifetime licenses. 

New ClickFix payloads identified

Lumma Stealer remains the most common payload delivered through ClickFix. However, RL researchers observed remote access Trojans including DarkGate, XWorm and SectopRAT that are increasingly used to gain hands-on-keyboard access to compromised systems. The report also tracks the emergence of new ClickFix variants, including CrashFix and ConsentFix, each targeting a different part of the user's workflow.

“ClickFix works because rather than attacking a piece of software, it attacks the user’s trust in what looks like a normal security check,” said Mario Vuksan, CEO and founder of ReversingLabs. “That's exactly why traditional antivirus and EDR tools struggle with it. Our research shows that structural detection, not signature matching, holds the key to detecting this threat, and we're releasing that capability as an open-source YARA rule so security teams can put it to use immediately.”

ReversingLabs YARA Rule Surfaces Lures That Evaded Every Antivirus Engine

To empower organizations to reliably detect ClickFix campaigns,, RL built a YARA rule that identifies structural characteristics shared by ClickFix lure pages. These include fake verification prompts, PowerShell payload indicators, and clipboard-manipulation code, regardless of which payload or infrastructure a given campaign uses. 

After running the rule against its collection of 4,000 ClickFix samples, RL flagged 123 confirmed ClickFix lures that had evaded every antivirus engine checking them, including samples first seen within 48 hours of analysis.

What caught the threat was a YARA rule designed to perform a structural analysis of the lure page itself, including the HTML and JavaScript scaffolding, before any payload ever runs, since each component of a ClickFix attack looks normal on its own. 

That kind of detection is only possible when a rule can be validated against goodware at scale. RL built and validated the rule in Spectra Analyze against its curated, non-crowdsourced repository of more than 422 billion samples, allowing it to separate those lures from millions of legitimate pages without drowning analysts in false positives. The rule ships open source, and security teams can deploy it in Spectra Analyze today to retro-hunt for ClickFix lures already sitting in their environment, validate new variants as the Fix-family evolves, and pivot from a match to full deconstruction in the same workbench. The open-source YARA rule is available at https://github.com/reversinglabs/reversinglabs-yara-hunting-rules

New Attack on University Campus

The report also walks through a real-world ClickFix case, where RL researchers were alerted to a fake CAPTCHA page appearing on a university’s student association website. Investigation of the compromised site revealed a multi-stage attack that used Ethereum smart contracts to host and distribute malware, tracked victims through a real-time analytics dashboard, and ultimately delivered a fully custom remote access Trojan built with three separate layers of obfuscation. 

In addition, the report includes hardening guidance for security teams, including PowerShell Constrained Language Mode, script block logging, application control policies, and clipboard monitoring, along with detection and monitoring recommendations for identifying ClickFix activity that hardening alone does not stop.

The full report, “Copy, Paste, Compromise: The Tale of ClickFix,” is available now at www.reversinglabs.com/clickfix.

About ReversingLabs

ReversingLabs is the trusted name in file and software security. We provide a modern cybersecurity platform to verify and deliver safe binaries. Trusted by the Fortune 500 and leading cybersecurity vendors, RL Spectra Core powers the software supply chain and file security insights, tracking over 422 billion searchable files with the ability to deconstruct full software binaries in seconds to minutes. Only ReversingLabs provides that final exam to determine whether a single file or full software binary presents a risk to your organization and your customers.

Spectra Assure Free Trial

Get your 14-day free trial of Spectra Assure for Software Supply Chain Security

Get Free TrialMore about Spectra Assure Free Trial
Blog
Events
About Us
Webinars
In the News
Careers
Demo Videos
Cybersecurity Glossary
Contact Us
reversinglabsReversingLabs: Home
Privacy PolicyCookiesImpressum
All rights reserved ReversingLabs © 2026
XX / TwitterLinkedInLinkedInFacebookFacebookInstagramInstagramYouTubeYouTubeblueskyBlueskyRSSRSS
Back to Top
The inaugural Gartner® Magic Quadrant™ for Software Supply Chain Security is outGET THE REPORT
Skip to main content
Contact UsSupportBlogCommunity
reversinglabs
ReversingLabs: Home
Solutions
Secure Software OnboardingSecure Build & ReleaseProtect Virtual MachinesIntegrate Safe Open SourceGo Beyond the SBOM
Increase Email Threat ResilienceDetect Malware in File Shares & StorageAdvanced Malware Analysis SuiteICAP Enabled Solutions
Scalable File AnalysisHigh-Fidelity Threat IntelligenceCurated Ransomware FeedAutomate Malware Analysis Workflows
Products & Technology
Spectra Assure®Software Supply Chain SecuritySpectra DetectHigh-Speed, High-Volume, Large File AnalysisSpectra AnalyzeIn-Depth Malware Analysis & Hunting for the SOCSpectra IntelligenceAuthoritative Reputation Data & Intelligence
Spectra CoreIntegrations
Industry
Energy & UtilitiesFinanceHealthcareHigh TechPublic Sector
Partners
Become a PartnerValue-Added PartnersTechnology PartnersMarketplacesOEM Partners
Alliances
Resources
BlogContent LibraryCybersecurity GlossaryConversingLabs PodcastEvents & WebinarsLearning with ReversingLabsWeekly Insights Newsletter
Customer StoriesDemo VideosDocumentationOpenSource YARA Rules
Company
About UsLeadershipCareersSeries B Investment
EventsBlack Hat 2026
Press ReleasesIn the News
Pricing
Software Supply Chain SecurityMalware Analysis and Threat Hunting
Request a demo
Menu