ClickFix malware tricks you into infecting your own Windows PC

It fools you into running malicious commands on your own computer, and the attack is now more common than ever. Hackers are getting people to install password-stealing malware by making them press a series of keyboard shortcuts, all under the pretense of proving they're not bots. 

Bots are automated computer programs that perform repetitive tasks online, often mimicking human behavior. By tricking you into proving they're not bots, hackers exploit your lack of understanding about these automated systems to make you unwittingly install malware.

The scam begins when you visit a hacked or malicious website and see a fake CAPTCHA-style prompt. Clicking the "I'm not a robot" button triggers a set of instructions asking you to press specific keyboard shortcuts. First, you are told to press Windows + R, which opens the Windows Run dialog. Then you are instructed to press CTRL + V, which pastes a malicious script copied from the website's virtual clipboard. If you press enter, a script is executed that downloads and runs malware. 

Cybercriminals are using phishing emails and malicious websites to spread ClickFix. The hospitality industry has been heavily targeted, with attackers impersonating Booking.com and sending fake emails referencing guest reviews or promotions. Clicking on links in these emails directs you to a ClickFix trap. Healthcare workers have also been targeted, with malicious code embedded into the widely used physical therapy site HEP2go. 

To protect yourself from the evolving threat of ClickFix malware, which continues to target users through sophisticated social engineering tactics, consider implementing these six essential security measures.

1. Be skeptical of CAPTCHA prompts: Legitimate CAPTCHA tests never require you to press Windows + R, copy commands or paste anything into PowerShell. If a website instructs you to do this, it's likely a scam. Close the page immediately and avoid interacting with it.

2. Don't click links from unverified emails and use strong antivirus software: Many ClickFix attacks start with phishing emails that impersonate trusted services like Booking.com or Google Meet. Always verify the sender before clicking on links. If an email seems urgent or unexpected, go directly to the company's official website instead of clicking any links inside the email.

ClickFix is a reminder that malware doesn't always rely on complex exploits. It often just needs you to follow the wrong instructions. Attackers are refining their methods, making scams like fake CAPTCHAs, phishing emails and deceptive pop-ups more convincing than ever. The best way to stay ahead is to question anything that seems even slightly off. If a website asks you to run commands or paste something into PowerShell, it's a red flag. If an email pressures you into clicking a link, verify it first.

Follow Kurt on his social channels:

Answers to the most-asked CyberGuy questions:

New from Kurt:

Copyright 2025 CyberGuy.com. All rights reserved.