threat level: human

~ / episodes / ep01

Click, Paste, Compromised: How ClickFix Turns Victims Into Their Own Attackers

EP01| 2026-05-27| cybersecurity briefing

// TL;DR

  • ClickFix shows a fake 'fix this error' prompt that asks the user to paste a command.
  • The pasted command is malware; the user runs it with their own permissions.
  • No exploit is needed because the human does the install.
  • Defense: never run a command a web page hands you, and lock down clipboard-to-shell habits.

What happened

ClickFix is one of the cleanest examples of why people are the unpatchable attack surface. There is no software vulnerability to exploit. Instead the attacker presents a convincing error message, often styled to look like a browser, a CAPTCHA, or a document viewer, and tells the visitor that they can resolve it by running a quick command.

The page helpfully copies that command to the clipboard for you. The instructions then walk the user through opening a terminal or the Windows Run dialog and pasting it in. The command pulls down and executes a payload, and the machine is compromised. The user did the install themselves, which is why endpoint defenses that watch for unusual downloads often miss it.

What makes ClickFix effective is the framing. People are conditioned to follow fix-it steps, and the instruction to copy and paste feels procedural rather than dangerous. The attacker borrows the authority of a real-looking interface and lets the victim's own habits do the rest.

The fix is a single durable rule: a web page should never need you to run a command to view a page or prove you are human. If you are ever asked to paste something into a terminal, a Run box, or PowerShell, treat the page as hostile and close it. For teams, that rule belongs in onboarding, and clipboard-to-shell monitoring belongs on the endpoint.

If a web page ever asks you to copy a command and run it to 'fix' something, stop. That is the entire attack.

How to defend against it

The through-line of every threat level: human briefing is the same: the exploited control is human, so the durable defense is a habit, not just a product. Watch the full breakdown above, and subscribe on YouTube for the weekly decode.

<- back to all episodes