ClickFix social engineering attacks have surged by 517% in the past six months, becoming the second most common vector behind only phishing, according to new ESET data. The report, published on June 26, found that this technique accounted for nearly 8% of all blocked attacks in H1 2025.
ClickFix is a social engineering that uses a fake error or verification message to manipulate victims into copying and pasting a malicious script and then running it. The tactic preys on users’ desire to fix problems themselves rather than alerting their IT team or anyone else. Therefore, it is effective at bypassing security protections as the victim infects themselves.
The technique was first observed by Proofpoint in March 2024, before exploding in popularity by the end of the year. The attack vector affects all major operating systems, including Windows, Linux and macOS.
The report noted that the effectiveness of the ClickFix approach has resulted in threat actors selling builders that provide other attackers with ClickFix weaponized landing pages. As the number of ClickFix variants has grown, so to have a variety of threats being delivered using this technique.
Jiří Kropáč, Director of Threat Prevention Labs at ESET, commented: “The list of threats that ClickFix attacks lead to is growing by the day, including infostealers, ransomware, remote access trojans, cryptominers, post-exploitation tools, and even custom malware from nation-state-aligned threat actors.”
A separate report published in June by ReliaQuest found that ClickFix was key in increasing detected drive-by-comprises by 10% during the period from March-May 2025.
For more information on solutions for running your businesses’ technology more efficiently, visit our website or contact Megan Meisner at mmeisner@launchpadonline.com or 813 448-7100 x210.
This was originally posted by InfoSecurity Magazine.