Hackers Leverage New ClickFix Tactic to Exploit Human Error with Deceptive Prompts

A sophisticated social engineering technique known as ClickFix baiting has gained traction among cybercriminals, ranging from individual hackers to state-sponsored Advanced Persistent Threat (APT) groups like Russia-linked APT28 and Iran-affiliated MuddyWater.

This method targets human end users as the weakest link in cybersecurity defenses, tricking them into executing malicious commands through seemingly benign prompts.

A Stealthy Social Engineering Threat Emerges

ClickFix campaigns have impacted diverse industries, including healthcare, hospitality, automotive, and government sectors, posing a significant threat to organizational security worldwide.

By leveraging familiar platforms like GitHub or deceptive phishing emails, attackers deliver payloads that initiate a chain of malicious activities, often bypassing traditional security measures with alarming ease.

Investigations by Darktrace’s Threat Research team, conducted in early 2025, have shed light on the intricate attack chain of ClickFix campaigns.

[Figure: ClickFix technique, HTTP GET request]

Attackers typically gain initial access through spear phishing links, drive-by compromises, or fake CAPTCHA prompts that redirect users to malicious URLs disguised as routine verification steps or error fixes.

Once misled, victims are guided through a deceptive three-step process: opening a Windows Run dialog box, pasting a malicious PowerShell command, and executing it. The result is the installation of malware families such as XWorm, Lumma, and AsyncRAT.

Darktrace’s anomaly-based detection identified these threats across customer environments in Europe, the Middle East, Africa, and the United States.

[Figure: ClickFix attack lifecycle]

In a specific incident on April 9, 2025, Darktrace / NETWORK flagged a new PowerShell user agent on a compromised device, indicating remote code execution and subsequent command-and-control (C2) communication with suspicious endpoints.

[Figure: ClickFix technique, PowerShell user agent]

This was followed by the download of numerically named files, often a hallmark of malware used for lateral movement and data exfiltration, alongside connections to IPs such as 193.36.38[.]237, confirmed as malicious by multiple OSINT sources.

According to the report, the attack culminated in automated data egress to a secondary C2 server, 188.34.195[.]44, highlighting the speed and stealth of ClickFix operations.

When configured in Autonomous Response mode, Darktrace successfully blocked connections to malicious endpoints within seconds, demonstrating the power of real-time threat containment.

Without such automation, manual intervention often fails to keep pace with the rapid progression of these attacks, allowing sensitive data to be stolen or further network compromise to occur.

Darktrace’s ability to correlate indicators of compromise (IoCs) and trigger high-priority alerts through its Enhanced Monitoring model underscores the need for adaptive, anomaly-driven cybersecurity solutions in combating evolving tactics like ClickFix that exploit human error with precision.

Indicators of Compromise (IoCs)

| Type | IoC Value | Description + Confidence |
| --- | --- | --- |
| IP Address | 193.36.38[.]237 | C2 Server – Confirmed Malicious |
| IP Address | 188.34.195[.]44 | C2 Server – Confirmed Malicious |
| IP Address | 138.199.156[.]22 | C2 Server – Confirmed Malicious |
| Hostname | rkuagqnmnypetvf[.]top | C2 Server – Confirmed Malicious |
| URI | /1744205184 | Possible Malicious File |
| SHA-256 Hash | 34ff2f72c191434ce5f20ebc1a7e823794ac69bba9df70721829d66e7196b044 | Possible Malicious File |
