Cloud Security, Malware, Phishing

New ClickFix attacks feature ‘self-infection’ videos

Header graphic features a laptop with a red warning triangle and alert icons, dark background with streaming green code. It suggests concepts of cybersecurity threats, hacking, and system errors.

(Adobe Stock)

A new ClickFix attack looks like a legit bot check service that came from Cloudflare, but it’s a fraud that features an embedded instruction video and time counter to verify users in the last 30 minutes — all which serve to increase the sense of authenticity.

In a Nov. 6 blog post, Push Security researchers said the lure adapts to the victim’s device, serving up instructions specific to a user’s Mac, an attack that’s become increasingly common as ClickFix now supports different operating systems.

The researchers said that in 90% of the cases, the fraudulent pages also copy the malicious code to the user’s clipboard via JavaScript, setting the stage for infostealers and other malicious payloads to launch attacks.

"ClickFix isn't a prototype of what modern deception and social engineering attacks can blend into phishing: it’s now the gold standard,” said Mark St. John, co-founder and COO at Neon Cyber. “This is going to evolve more rapidly than we want to, or even be prepared for, into attackers leveraging more AI-generated video and voice with corporate-branded personas to add to the trust factor.”

St. John said he's see all kinds of variations: like an email followed by a phone call from the "IT Guy" hijacked personas in the corporate Slack channel, asking for a teammate's review of a document ASAP, or an invoice the CEO needs signed ASAP to meet a critical deadline.

Aaron Beardslee, manager of threat research at Securonix, added these video-based attacks are symptomatic of the major trends in social engineering.

Beardslee pointed out that ClickFix attacks surged 517% in the first half of 2025, accounting for nearly 8% of all blocked attacks, with threat actors now selling builders that provide weaponized landing pages to other attackers. Today, we're seeing the commoditization of sophisticated social engineering tactics, lowering the barrier to entry for less technical adversaries.

“This is huge for up-and-coming criminals who are looking for their first score, but don't know how to get the job done,” said Beardslee. “It's now commonplace with a lot of the more advanced techniques that were once only within the reach of the very best cyber criminals. Now, we have these techniques becoming more and more available — they are now a commodity. The ClickFix technique preys on users' desire to fix problems themselves rather than alerting IT teams, effectively bypassing security protections as victims infect themselves.”

An In-Depth Guide to Cloud Security

Get essential knowledge and practical strategies to fortify your cloud security.

Related

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

AdwareCloud ComputingGreynet

You can skip this ad in 5 seconds