ClickFix is not a vulnerability. It is a social engineering technique that convinces a user to open a command prompt and paste a PowerShell or mshta command themselves – bypassing every application control, email gateway, and script-block policy that would have stopped the payload if it had arrived as an attachment. This page collects every ClickFix campaign I have analyzed, with the lure variants, the delivery chain, and the detection angles.

What is ClickFix?

ClickFix is a lure pattern where the attacker presents a fake error, verification step, or compatibility fix that requires the user to complete a manual step. The “fix” is a clipboard payload – a PowerShell command, a mshta URL, or an encoded batch script – that the page quietly injects into the user’s clipboard. The user opens a command prompt, pastes, and hits Enter.

The key insight is that the user is executing the payload. There is no exploit, no attachment, no suspicious email attachment to block. The process parent is either cmd.exe, powershell.exe, or WindowsTerminal.exe – all trusted system binaries. The process creation event looks exactly like a user running a command manually.

Why it works

• No file on disk until stage 2 or later. The initial command is pasted and run entirely in memory. Content filtering and attachment scanning see nothing.
• Bypasses execution policy without needing to change it. PowerShell commands typed at a prompt run regardless of execution policy. The -EncodedCommand flag and -ExecutionPolicy Bypass flags are common but not required.
• User is the trust anchor. Application control that blocks unsigned scripts or untrusted sources does not fire when the user is the one opening the terminal and pasting the command.
• Process tree looks benign. explorer.exe -> cmd.exe -> powershell.exe or WindowsTerminal.exe -> powershell.exe are common enough process chains that many environments do not alert on them.
• Low attribution surface. Lure pages are hosted on compromised or newly-registered domains, rotated frequently, and served only to IP ranges or user agents matching the target profile.

Lure variants

Three delivery variants have appeared in campaigns I have analyzed:

Fake CAPTCHA (browser-based) The page presents a CAPTCHA-style overlay with an “I am not a robot” verification. Clicking the verification silently writes a PowerShell command to the clipboard. The page then instructs the user to press Win+R, paste the command, and hit Enter. Some variants request the user open a PowerShell window directly.

Win+X / Windows Terminal (elevated prompt) The page instructs the user to press Win+X and select “Windows PowerShell” or “Terminal”. In newer Windows builds, Windows Terminal becomes the grandparent process, bypassing detections keyed specifically on explorer.exe -> cmd.exe.

Run dialog (Win+R) The simplest variant. The page tells the user to press Win+R, paste the command, and run. The parent becomes explorer.exe via the shell, and the command executes without a visible terminal window if powershell.exe -WindowStyle Hidden is included.

ClickFix campaigns analyzed on this site

Campaign	Lure variant	Stage 1 payload	Final payload	Post
prism-vertex	Fake CAPTCHA	mshta.exe + HTTPS URL (ZIP/MSIX polyglot)	12-layer obfuscated PowerShell beacon	Full write-up
finger-lolbin	Fake CAPTCHA (Win+R)	finger.exe TCP/79 batch downloader	IronPython + Mythic C2 framework	Full write-up
flomo-onedrive-sideload	Win+X / Windows Terminal	PowerShell ZIP downloader (devltd[.]top)	OneDrive DLL sideload -> Electron RAT	Full write-up

Detection strategy

ClickFix is hard to block at the perimeter because the lure is a webpage and the execution is user-initiated. Detection needs to focus on the unusual process chains and command-line patterns that result, not the delivery mechanism.

The Win+R parent chain (EID 4688 / Sysmon 1):

• explorer.exe -> powershell.exe or explorer.exe -> cmd.exe -> powershell.exe with download-indicative arguments (Invoke-WebRequest, iwr, DownloadFile, WebClient, mshta, encoded commands)
• Any mshta.exe child of explorer.exe with an HTTPS URL argument

The Win+X / Windows Terminal parent chain:

• WindowsTerminal.exe -> powershell.exe with download arguments – this bypasses detections keyed on explorer.exe
• wt.exe as grandparent process

Command-line red flags:

• -EncodedCommand with a long base64 string
• -ExecutionPolicy Bypass or -ep bypass
• Invoke-Expression or IEX as the first visible command
• finger.exe in the command line – near-zero legitimate use in any modern enterprise
• mshta.exe executing a remote URL

Script Block Logging (EID 4104):

• Decode-and-execute patterns: FromBase64String + Invoke-Expression or ScriptBlock::Create
• AMSI bypass patterns in the same event
• Download strings pointing to newly-registered or single-use domains

Network:

• mshta.exe, powershell.exe, or finger.exe making outbound HTTP/HTTPS connections immediately after process creation
• TCP/79 outbound from any workstation (finger protocol – essentially never legitimate)
• Domain patterns matching campaign C2 infrastructure: short-lived, unusual TLDs (.beer, .top, .info), newly-registered

Defensive controls

ClickFix is a social-engineering technique – technical controls reduce the blast radius but cannot eliminate the risk while users can open a terminal.

• Block or monitor mshta.exe. Most enterprises have no legitimate use for mshta executing remote URLs. An AppLocker or WDAC rule that prevents mshta.exe from making outbound network connections eliminates the prism-vertex delivery chain entirely at stage 1.
• Block finger.exe. No enterprise use. Block execution via AppLocker, WDAC, or Defender ASR. If a user pastes a ClickFix lure that uses finger as the downloader, the chain dies at stage 1 with no payload.
• Monitor WindowsTerminal.exe -> powershell.exe with download arguments. The Win+X variant bypasses rules keyed on explorer.exe as the parent. Alert on Windows Terminal or wt.exe as the initiating process for PowerShell with network-download command-line arguments.
• Enable Script Block Logging (EID 4104) and forward logs off-host. ClickFix payloads typically decode themselves in a 4104 event before executing. If the log is captured before the payload can clear it, the decoded command is available for analysis.
• User awareness. No technical control catches 100% of ClickFix variants. Users should be trained to recognise the “paste this in your terminal” instruction pattern as a social engineering lure, regardless of whether it is framed as a CAPTCHA, an update, or a compatibility fix.

Detection repo

YARA rules, Sigma detections, KQL queries, and IOC lists for ClickFix campaigns on this site are published at:

github.com/BlueTeamCoolTeam/detections

Campaign folders:

• campaigns/prism-vertex-clickfix/
• campaigns/finger-lolbin-ironpython/
• campaigns/flomo-onedrive-sideload/

Related write-ups

• ClickFix polyglot HTA/ZIP loader: mshta.exe + IE COM laundering + 12-layer obfuscation
• 7-stage ClickFix chain: finger.exe delivery + IronPython interpreter abuse
• ClickFix -> OneDrive DLL sideload -> Electron RAT hiding a payload in a PNG

Practical takeaway

ClickFix campaigns share one structural property: the user is the exploit. Every campaign here delivered its initial payload through a user action that looked like a routine terminal command. The controls that matter are the ones that either stop the specific binaries being abused (mshta.exe, finger.exe) or that catch the anomalous process tree and command-line patterns that follow. Script Block Logging is the best forensic tool after the fact – if logs are captured off-host before the payload runs, 4104 events typically contain the decoded command in full.