ClickFix: The Fake Error Pop-Up That Tricks You Into Hacking Yourself
A scam that launched in 2024 has grown into a thriving criminal marketplace. Researchers say standard antivirus tools are missing it almost entirely, and they have built a new detection method to fill the gap.

Key points
- ClickFix, a social-engineering attack that first appeared in 2024, now has full attack kits selling on criminal forums for $250 a month or $1,800 for a lifetime licence.
- Researchers at Reversing Labs tested a new detection rule against a 422-billion-sample library and found it caught at least 123 confirmed ClickFix attacks that every mainstream antivirus engine had missed.
- A January 2026 variant called "CrashFix", identified by Microsoft, deliberately crashes the victim's browser before showing a fake fix prompt.
- Reversing Labs is releasing their detection rule as free, open-source software that any security team can use.
- Beyond the tool-level fix, researchers say training staff to recognise fake browser updates and fake CAPTCHA checks is a meaningful layer of defence.
Imagine a pop-up appears on your screen. It looks exactly like a Windows error message. It tells you something has gone wrong and gives you step-by-step instructions to fix it: copy this command, open your terminal (the text-based control panel built into every computer), paste it in, press Enter. You do so. You have just handed control of your machine to a criminal.
That is ClickFix. Simple, effective, and spreading fast.
The attack works because it skips the part where a virus sneaks onto your computer. Instead, it tricks you into running the harmful code yourself. Because a real person pressed the keys, normal antivirus software, which looks for suspicious programs arriving uninvited, sees nothing alarming. From the computer's point of view, you ran a script. People run scripts all the time.
How did this become such a big problem so quickly?
ClickFix grew a business model around it. Complete attack kits, including regular software updates and features designed to slip past antivirus tools, now sell openly on criminal forums. Reversing Labs, the security firm behind the new research, found kits priced at $250 a month or $1,800 for a permanent licence. That pricing structure means a would-be criminal needs almost no technical skill. Pay the subscription, follow the instructions, launch the campaign.
The most common payload, meaning the harmful software that ultimately lands on a victim's machine, is Lumma Stealer, a program that quietly copies passwords, banking credentials, and browser cookies. But the Reversing Labs report documents a shift. Criminals are increasingly delivering RATs (remote-access trojans, software that lets an attacker control a computer as though they were sitting in front of it) rather than simple password-stealers. That is a significant escalation: it means attackers are moving from a quick smash-and-grab to long, quiet occupation of a victim's machine.
The attack keeps evolving, too. Microsoft spotted a variant called CrashFix in January 2026 that crashes your browser on purpose, then offers a fake repair prompt, making the victim more likely to follow instructions without thinking twice.
The detection fix Reversing Labs proposes is called YARA, a pattern-matching framework (think of it as a very precise search engine for malware characteristics) that examines the structure of the fake lure page itself, before any harmful command is ever run. Standard antivirus tools wait for a bad file to arrive. YARA, used this way, spots the trap before the victim steps into it. In testing against that 422-billion-sample library, the new rule flagged 123 real ClickFix lures that had slipped past every other scanner.
For ordinary employees, the practical warning is short: if any webpage or pop-up ever asks you to copy a command and paste it into your computer, stop. That request is the attack. No legitimate software update or browser fix works that way.
Security teams can also restrict PowerShell (a powerful command tool built into Windows that ClickFix relies on) from running freely, and monitor for unusual sequences of activity that suggest a command was copy-pasted rather than typed by an IT professional.
Train2Secure's awareness programmes cover exactly this kind of social-engineering trick, and running a simulated ClickFix drill before a real one lands is far cheaper than cleaning up after one.



