NEWS Thought CAPTCHA Protected You from Bots? Now It Turns People Into Bots – And They Launch the Viruses Themselves

ExcalibuR


Now even Windows Explorer is working against you.


A social engineering technique called ClickFix, based on deceptive CAPTCHA prompts, has seen a massive surge in popularity among cybercriminals over the past year. According to ESET, from July 2024 to June 2025, the number of attacks using ClickFix as the initial infection vector increased by an astonishing 517%.


ClickFix is a relatively simple yet highly effective method for tricking users into executing malicious code themselves. Victims are shown a fake error message or a CAPTCHA form that supposedly needs confirmation. They are then instructed to copy the provided text and paste it into either the Windows Run dialog or the macOS Terminal, which results in the execution of a dangerous script.


Experts note that the list of threats distributed via ClickFix continues to grow. These include spyware, ransomware, remote access trojans (RATs), cryptocurrency miners, post-exploitation tools, and even advanced malware developed by state-sponsored actors.


The highest ClickFix activity has been recorded in Japan, Peru, Poland, Spain, and Slovakia. The effectiveness of the technique has led to the emergence of specialized toolkits offering ready-made pages with integrated ClickFix scripts to cybercriminals.


In parallel, another dangerous scheme has appeared, known as FileFix, demonstrated by a researcher under the alias mrd0x. Unlike ClickFix, FileFix doesn’t exploit the command line, but instead leverages a lesser-known Windows Explorer feature that allows system commands to be executed via the address bar.


The FileFix attack scenario works as follows: the victim is shown a fake page displaying a message about a supposedly received document. The user is instructed to open Windows Explorer and paste a path copied from the clipboard. Instead of a real path, the clipboard contains a hidden PowerShell command, prefixed with a fake comment and spaces to visually disguise the malicious payload. When executed, the user's computer becomes compromised.


The rise of ClickFix and related schemes clearly demonstrates how even basic social engineering tricks can remain highly effective when combined with technical loopholes and psychological manipulation.
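
For defenders, the lure shape described above (an interpreter command, padding spaces and a comment that looks like a file path) can be checked before pasted text is acted on, for example in a clipboard-monitoring or command-line logging pipeline. The following is an added example, not part of the original post; the function name, the interpreter list, the 10-space threshold and the sample strings are assumptions constructed for illustration.

```python
import re

# Script hosts and interpreters that have no business appearing in text a web
# page asks a user to paste into Run, a terminal or the Explorer address bar.
# (Assumed list; tune it for your environment.)
INTERPRETERS = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|curl|bash|osascript)"
    r"(\.exe)?\b",
    re.IGNORECASE,
)
# A long whitespace run, used to push the real command out of the visible field.
PADDING = re.compile(r"[ \t\u00a0]{10,}")
# A trailing '#' comment that looks like a local, UNC or POSIX path (the decoy).
DECOY = re.compile(r"#\s*(?:[A-Za-z]:\\|\\\\|/)[^\r\n]*$")


def assess_pasted_text(text: str) -> dict:
    """Classify a pasted string against the ClickFix/FileFix lure shape."""
    reasons = []
    match = INTERPRETERS.search(text)
    if match:
        reasons.append(f"interpreter:{match.group(1).lower()}")
    if PADDING.search(text):
        reasons.append("padding")
    if DECOY.search(text):
        reasons.append("decoy-path-comment")

    if match and len(reasons) > 1:
        verdict = "block"    # interpreter plus visual disguise
    elif match:
        verdict = "review"   # interpreter alone: suspicious, not conclusive
    else:
        verdict = "allow"
    return {"verdict": verdict, "reasons": reasons}


# Constructed samples; the commands are harmless placeholders.
SAMPLES = [
    r"C:\Users\alice\Documents\report.docx",
    'powershell.exe -c "Write-Output constructed-sample"' + " " * 60
    + r"# C:\Shared\HR\policy.docx",
    "cmd /c echo hello",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(assess_pasted_text(sample), "<-", repr(sample[:40]))
```

The check is a heuristic: a genuine path pasted into Explorer never needs an interpreter name, so the `review` verdict is already worth an alert in most environments.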