ClickFix attacks that bypass cyber controls on the rise
NCC’s monthly threat report details the growing prevalence of ClickFix attacks in the wild
So-called ClickFix or ClearFake attacks that bypass security controls and use unwitting victims to execute a cyber attack of their own accord are surging at the end of 2025, even outpacing phishing or clickjacking attacks, according to NCC Group’s latest monthly threat report.
First identified a couple of years ago, ClickFix attacks flooded the threat landscape during 2024, and their volume surged by over 500% in the first six months of 2025, said NCC.
Rather than relying on automated exploits or malicious attachments, ClickFix attacks exploit human fallibility by convincing their targets to manually execute attacks using tools like PowerShell, Windows Run box, or other shell utilities after luring them to compromised websites promising fake prompts that instruct them to copy a command into their Run dialogue or PowerShell window.
NCC said such attacks represent a marked shift in social engineering because the victims are acting entirely voluntarily – this is in contrast to phishing attacks in which the deception ends once credentials have been submitted, or clickjacking, where victims unknowingly engage.
“This shift challenges traditional detection models as the command originates from a trusted user process, rather than an untrusted download or exploit chain,” wrote the NCC team.
“Understanding and mitigating ClickFix attacks is crucial because it can bypass conventional defences,” they said. “Email filters, sandboxing and automated URL analysers cannot always flag a malicious action that is conducted manually by an end user. Once the payload is executed, attackers can deploy RATs, enabling persistence, credential harvesting and eventual ransomware deployment.”
Financially motivated cyber criminals have been quick to climb on board the ClickFix wagon, many of them operating in larger access broker ecosystems to sell on compromised endpoints to ransomware gangs.
The report details a number of such targeted ClickFix operations. One campaign, active from April 2025 until just a couple of months ago, targeted the hospitality sector and duped employees into spreading infostealer malware across multiple hotel chains. This campaign used the PureRAT remote access trojan (RAT) to steal the hotels’ Booking.com credentials and conduct downstream email and WhatsApp phishing attacks against guests.
Another campaign, run by Kimsuky, a North Korean state threat actor, prompted its victims to copy and paste bogus authentication codes into PowerShell after posing as a US national security aide trying to set up meetings on South Korean issues.
Defending against ClickFix attacks is largely a matter of attempting to cut down on an organisation’s exposure to malicious lures and deceptive landing sites by incorporating tools such as URL filtering, domain reputation controls, web-filtering and sandboxing. Tightening endpoint execution environments is also a must, as is strengthening user awareness and instructing all employees to treat any unsolicited copy-paste instruction as an attempted cyber attack.
Ransomware stats
The growth in ClickFix attacks came amid a plateauing of general cyber attack volumes during the past few weeks, with tracked ransomware hits falling 2% in November, NCC found.
The Qilin operation held firm as the most active gang observed in NCC’s telemetry, accounting for 101 attacks, followed by Cl0p with 98, Akira with 81, and INC Ransom with 49.
Additionally notable in November was the DragonForce gang – NCC attributed 19 attacks to it during the period, although it has claimed many more itself – which became one of the more prominent active cyber gangs this year thanks to its reliance on collaboration with highly skilled affiliates, among them Scattered Spider, the hacking collective that hit Marks & Spencer, among many others.
Although collaboration between threat actors is nothing new, NCC said that DragonForce’s activity showed how gangs can maximise such strategies to strengthen their capabilities.
This said, at the same time, DragonForce has also taken something of a sledgehammer to the concept of honour among thieves. In May, it was observed hacking and defacing the data leak sites of rival gangs, and at one point initiated a hostile takeover bid of the RansomHub crew.
NCC said this competitiveness may reflect the lowering of technical barriers to participation in the cyber criminal ecosystem. Attacking competitors, it suggested, may form part of a deterrence strategy to keep newcomers from establishing themselves.
Don’t be complacent
“Business leaders cannot afford to become complacent,” said Matt Hull, NCC global head of threat intel. “Threat groups are rapidly evolving, sharing tools and techniques, and already exploiting the festive period, when vigilance often drops.
“With the new Cyber Security and Resilience Bill and high-profile breaches at M&S, Co-op and JLR [Jaguar Land Rover] this year, organisations are under growing scrutiny to prove they have robust defences and incident response plans in place,” he added.
“As the holidays approach, staying alert to suspicious activity and strengthening security posture is as important as ever.”
Read more on Data breach incident management and recovery
NCC: How RaaS team-ups help Scattered Spider enhance its attacks
By: Alex Scroxton
Ransomware activity levelled off in July, says NCC
By: Alex Scroxton
Ransomware attack volumes up nearly three times on 2024
By: Alex Scroxton
Scattered Spider tactics continue to evolve, warn cyber cops
By: Alex Scroxton
