What? It Wasn’t a CAPTCHA. It Was Malware.
What Are *Fix-Family Attacks?
*Fix-family attacks, represented by ClickFix, FileFix, InstallFix, and similar techniques, are social engineering techniques that turn the moment when a user attempts to “fix a specific problem” into an attack surface. Attackers create contexts such as CAPTCHA verification failures, browser errors, file access issues, installation instructions, download failures, OAuth consent flows, or automated behavior by AI agents. They then induce the user to directly execute a command, copy and provide an authorization value, or cause an agent to perform an unintended action.
This is where Fix-family attacks differ from traditional web-based malware distribution methods. Traditional web-based malware distribution relied on browser vulnerabilities and similar weaknesses to deliver malware to the user’s environment. In contrast, Fix-family attacks distribute malware by inducing user behavior.
Types of Attacks
The *Fix family includes ClickFix, FileFix, TerminalFix, DownloadFix, ConsentFix, CrashFix, InstallFix, PromptFix, and others. These are not standardized terms defined by an official taxonomy such as MITRE ATT&CK. Instead, they are informally named with the “~Fix” suffix based on the characteristics of each attack.
*Fix-family attacks induce user behavior and then abuse Windows Run, PowerShell, Terminal, the File Explorer address bar, installation scripts, OAuth authorization codes, or the click and download behavior of AI browsers to distribute malware into the user’s environment.
Each *Fix attack has the following characteristics.
ClickFix
ClickFix is a social engineering technique that tricks users into copying malicious commands, pasting them into Windows Run, PowerShell, Terminal, or similar tools, and executing them.
Proofpoint stated that it first observed ClickFix in early March 2024 in campaigns related to TA571 and ClearFake. Microsoft also reported observing ClickFix techniques in Storm-1607 email campaigns between March and June 2024.
ClickFix appears in the form of fake CAPTCHA pages, Cloudflare verification pages, browser errors, document viewing issues, video conferencing device errors, and similar scenarios. Users believe they are performing a security verification or error recovery procedure, but in reality the action leads to remote script invocation, PowerShell execution, malware download, and the installation of stealers or RATs.
Through ClickFix, various stealers and RAT malware families have been distributed, including Lumma Stealer, Xworm, AsyncRAT, NetSupport, SectopRAT, Latrodectus, MintsLoader, Vidar Stealer, and DarkGate.

FileFix
FileFix is an attack technique created and disclosed by mr.d0x on June 23, 2025, as an adaptation of ClickFix. While traditional ClickFix uses the Windows Run dialog box or a terminal, FileFix abuses the Windows File Explorer address bar by making users believe they are uploading a file or entering a specific file path.
When the user pastes clipboard content into the address bar and presses Enter, the string that the user believes to be a file path is converted into command execution.
If FileFix is used to deliver a malicious payload, the resulting damage can be similar to ClickFix. Check Point explained that the threat actor it observed was linked to past ClickFix-based phishing campaigns targeting cryptocurrency platform users and was also associated with cases involving the installation of the NetSupport Manager remote access tool.

InstallFix
InstallFix is a ClickFix variant disclosed by Push Security in March 2026. It abuses the habit of users copying commands from a webpage that appears to be an official installation guide and pasting them into a terminal. Push Security explained that a fake Claude Code installation page exposed through Google Ads was designed to look like a legitimate installation guide, and that the command copied by the victim could lead to Amatera Stealer infection.
Developers, especially those using macOS environments, often install software by copying and pasting one-line commands such as brew commands into a terminal. InstallFix abuses this behavior by placing malicious commands inside a phishing site and inducing the user to execute those commands in the terminal.
The commands usually download and execute additional malware, resulting in damage similar to ClickFix.

TerminalFix
TerminalFix is a term covered by Huntress in a September 2025 comparison of ClickFix variants. This variant induces users to directly open PowerShell or a terminal, paste a command copied to the clipboard, and execute it. It is similar to InstallFix and applies to both Windows and macOS.
The difference from InstallFix is whether “software installation” is used as the attack medium. TerminalFix is characterized by inducing users to directly execute commands rather than using software installation as the main pretext.
DownloadFix
DownloadFix is a ClickFix variant that pretends a download has failed or been interrupted and causes the user to run a recovery tool. On June 23, 2025, Jean-Francois Maes disclosed a “bring your own Fix” variant inspired by mr.d0x’s ClickFix-family ideas, and Huntress classified it as DownloadFix.
However, DownloadFix currently has a strong proof-of-concept nature and has not been observed in the wild. Therefore, although it exists as a ClickFix variant, there have been no confirmed cases of real-world damage.
CrashFix
CrashFix is a ClickFix variant observed by Microsoft in January 2026 and disclosed on February 5, 2026. According to Microsoft, this attack occurred when victims searched for an ad blocker and were redirected through a malicious advertisement to the Chrome Web Store, where they installed a malicious extension impersonating uBlock Origin Lite.
After installation, the malicious extension caused the user’s browser to malfunction through denial-of-service behavior and then displayed a fake CrashFix security warning. The attacker induced the victim to execute a command in a Windows dialog box and used living-off-the-land techniques to abuse finger.exe, a legitimate Windows utility, to download and execute additional malware from the attacker’s C2 server.
In other words, CrashFix uses a browser extension or browser failure scenario to induce the user to execute attacker-controlled commands.

ConsentFix
ConsentFix is a browser-native ClickFix-style attack disclosed by Push Security in December 2025. Rather than causing the user to execute a local command, this attack induces the user to paste a localhost URL or authorization code generated through a legitimate Microsoft OAuth flow into an attacker-controlled page.
The purpose of ConsentFix is closer to account access and SaaS compromise than malware infection. Push Security explained that the attacker attempted to abuse the OAuth flow of the Azure CLI app to obtain access to the victim’s Microsoft account.
In other words, ConsentFix aims to hijack authentication and authorization protocol flows rather than execute malware inside the victim’s environment. Its purpose is to steal the victim’s authentication or authorization information and use it in subsequent attacks. This distinguishes it from ClickFix and other ClickFix variants.

PromptFix
PromptFix is a technique reported by The Hacker News in August 2025, citing research from Guardio Labs. According to The Hacker News, PromptFix is described as an AI-era ClickFix technique that uses fake CAPTCHAs or hidden prompts to induce agentic AI browsers or AI agents to perform unintended actions, such as clicking buttons, downloading files, or interacting with phishing pages.
PromptFix has a different threat model from traditional ClickFix, where a human user directly executes a command. In this case, the deceived entity is not the user, but the AI agent or AI browser that browses and acts on the web on the user’s behalf.
In other words, PromptFix can be viewed as a form of ClickFix attack in which the target shifts from a “human” to an “AI agent.” It induces the AI agent to download and execute malware, and the user may become infected without realizing it.

Evolution Timeline and Characteristics of Each Attack
The figure below shows the timeline of when each *Fix attack appeared.
The overall characteristics and flow of *Fix-family attacks are shown in the figure below.

Areas Exploited by Attackers
In *Fix-family attacks, attackers present victims with a problem that they feel they must solve. For example, the attacker may tell the victim that “CAPTCHA must be completed,” “the browser has crashed and needs to be restored,” “a path must be pasted to open a file,” “a command must be copied to install a CLI tool,” or “a localhost URL must be pasted to complete the OAuth flow.”
In the next stage, attackers use mediums such as clipboard manipulation, copy buttons, file upload windows, installation guides, browser extensions, OAuth redirection, or hidden prompts to make the user directly execute or transfer something.
Because these attacks are characterized by induced user behavior, they are difficult for defenders to block using only a single file hash, URL block, or network behavior detection. Ultimately, defenders must analyze the full behavior chain: browser entry point → user instruction → clipboard or copy action → execution of legitimate OS tools → network activity, persistence, or account access.
The table below summarizes the currently known damage cases associated with each *Fix attack.
Conclusion
Traditional malware distribution methods relied on web vulnerabilities and similar weaknesses to infiltrate user environments. Techniques such as drive-by download and malvertising were commonly used, and users became infected when visiting websites controlled by attackers. As companies and organizations improved their defenses against infection techniques such as drive-by download and malvertising, traditional malware distribution methods gradually disappeared from the landscape and are now rarely observed.
However, attackers have found another way to distribute malware. Social engineering techniques that began with spear-phishing emails are now evolving into Fix-family attacks such as ClickFix. All of the Fix-family attacks examined in this article are social engineering techniques that exploit user trust. From the defender’s perspective, this means that defending against every *Fix-family attack is not easy.
As attackers conduct more refined operations than before, defenders must also build more refined defense systems. In addition to defensive systems against standardized attack techniques, proactive defense systems capable of staying ahead of attackers will be needed.
References
[1] Proofpoint — Around the World in 90 Days: State-Sponsored Actors Try ClickFix
[2] mr.d0x — FileFix - A ClickFix Alternative
[3] Microsoft Security Blog — New Clickfix variant ‘CrashFix’ deploying Python Remote Access Trojan
[4] Push Security — ConsentFix: Analyzing a browser-native ClickFix-style attack that hijacks OAuth consent grants
[5] Acronis TRU — FileFix in the wild! New FileFix campaign goes beyond POC and leverages steganography
[6] Huntress — ClickFix Attack: Variants, Detection & How It Works
[7] U.S. Department of Health and Human Services HC3 — ClickFix Attacks: Sector Alert
[8] Jean-Francois Maes — Bring your own Fix - Mr.D0x inspired variation of yet another fix attack
[9] Check Point Research — FileFix: The New Social Engineering Attack Building on ClickFix Tested in the Wild
[10] The Hacker News — Experts Find AI Browsers Can Be Tricked by PromptFix Exploit to Run Malicious Hidden Prompts
[11] Push Security — InstallFix: Weaponizing malvertised install guides
[12] Trend Micro — InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise
[13] Microsoft Security Blog — Think before you ClickFix: Analyzing the ClickFix social engineering technique
[14] CSO Online — Meet ConsentFix, a new twist on the ClickFix phishing attack
[15] HHS. (2024, October 29). ClickFix Attacks Sector Alert. U.S. Department of Health and Human Services.
[16] Microsoft Security Blog. (2026, February 5). New Clickfix variant ‘CrashFix’ deploying Python Remote Access Trojan.
[17] Picus Security. (2025, May 8). Interlock's ClickFix Trick: One Click, Total Data Compromise.
[18] The Hacker News. (2025, August 20). Experts Find AI Browsers Can Be Tricked to Execute Malicious Code.