Fake CAPTCHA ClickFix Attacks: How Hackers Trick You Into Running PowerShell Malware (2026 Defense Guide)

Fake CAPTCHA ClickFix Attacks: How Hackers Trick You Into Running PowerShell Malware (2026 Defense Guide)

By Fanny Engriana · · 10 min read · 16 views

Educational disclaimer: This article describes a real-world attack pattern so you can recognize and avoid it. It is for defensive awareness only. Do not test these techniques on devices you do not own. If you suspect an active compromise, prioritize the recovery steps in the final section and consult a qualified incident response professional. This article does not constitute legal or financial advice.

The Fake CAPTCHA That Was Not a CAPTCHA

The page looked completely ordinary. A white Cloudflare-style box, a blue checkmark, a single line: "Verify you are human." But instead of a tickbox, it asked the visitor to press Windows + R, then Ctrl + V, then Enter — "to complete the verification." A junior dev on a partner team did exactly that on a Monday morning in March 2026. Within ninety seconds, his cookies, saved passwords, and active session tokens for three SaaS dashboards were on a server somewhere in Eastern Europe.

This is ClickFix. It is currently the fastest-growing initial-access technique against Windows home users and small-business endpoints, and it almost completely sidesteps antivirus. Microsoft's threat intel team published a dedicated analysis of the technique in August 2025. The U.S. Department of Health and Human Services issued a sector alert in early 2026. Trend Micro, SentinelOne, and Splunk all have active research on KongTuke and Amatera variants this year.

I have spent the past eleven years setting up and maintaining production access for client systems — ERP, hotel management, POS, AI-powered apps — and across our 7-site aggregator portfolio at Warung Digital Teknologi, browser hygiene is the single highest-leverage thing a non-technical user controls. ClickFix is so effective because it weaponizes the exact muscle memory people learn from legitimate CAPTCHAs. This guide is what I now walk every team member and family member through.

What ClickFix Actually Is — The Attack Chain in Plain English

ClickFix is a social engineering technique, not a single piece of malware. The malicious page convinces you to paste a command from your own clipboard into the Windows Run dialog, PowerShell, or Terminal. Because you press Enter, no browser download warning fires, no SmartScreen prompt appears, and the command runs with your full user privileges.

The chain on a typical 2026 campaign looks like this:

  1. Lure. A compromised WordPress site, a malvertising banner, or a fake "your software needs updating" pop-up redirects you to a fake verification page. KongTuke (tracked by Trend Micro) hijacks legitimate WordPress sites to host these lures, which is why the URL bar may show a domain you recognize.
  2. Clipboard injection. The page silently writes a long PowerShell or mshta command to your clipboard via JavaScript. You never see this.
  3. Instructions. The page tells you to press Win+R, then Ctrl+V, then Enter. Sometimes it shows a fake step counter ("Step 1 of 3 complete") to feel familiar.
  4. Execution. Your Run dialog executes a command that pulls a payload from a remote server. Recent variants in 2026 use the Donut framework to generate position-independent shellcode, signed Microsoft App-V scripts to evade some EDR rules, and deliver infostealers like StealC, Lumma, or Amatera, or remote access trojans like modeloRAT.
  5. Exfiltration. Within seconds, the stealer harvests browser cookies, saved logins, crypto wallet files, FTP/SSH keys from common locations, and Discord tokens. By the time you suspect anything, the data is already gone.

One detail that surprised me when I first read the Microsoft writeup: many ClickFix prompts include a long string of leading whitespace before the actual command. So when the victim glances at the Run dialog, all they see is something innocuous like verification-id-9F2A.... The real command is scrolled off-screen to the right.

Hands typing on a laptop in a dimly lit room representing a ClickFix paste attack in progress
The dangerous moment: a user pastes a command from a poisoned clipboard. No browser warning fires because the action is user-initiated. (Photo: Sora Shimazaki / Pexels)

Why Your Antivirus Probably Will Not Save You

Three reasons traditional AV struggles with this technique:

1. The execution is user-initiated. Defender, Bitdefender, and most consumer endpoint products treat commands typed (or pasted) into Run/PowerShell with much lower suspicion than commands spawned by a browser process. The decision to execute came from a human keystroke.

2. The payload is fileless or signed. Donut-generated shellcode runs in memory. The App-V variant uses a Microsoft-signed binary as the launcher, so allow-listing rules trust it. There is often no executable on disk to scan.

3. Living-off-the-land. The first-stage commands use powershell.exe, mshta.exe, curl.exe, or conhost.exe — all native Windows binaries. Behavioral rules tuned to flag every PowerShell launch produce too many false positives, so most consumer AV settings are tuned to be permissive here.

This is why ClickFix has spread so quickly. It is not a vulnerability in your software. It is a vulnerability in the verification habit your browser has trained into you.

Five Red Flags I Look For Now (After Auditing Our Team)

After the March incident on the partner team, I went through the browser histories of five team members across our infra. I found three near-misses that nobody had reported. Here are the patterns that consistently flagged the malicious pages, in order of how reliably they appeared:

  1. Any "CAPTCHA" that asks you to press keys outside the browser. Real CAPTCHAs from Google, Cloudflare, and hCaptcha never ask you to use the Windows Run dialog, paste into Terminal, or open PowerShell. If a verification step requires you to leave the browser, it is not a CAPTCHA. Period. This rule alone catches 100% of ClickFix attempts I have seen.
  2. "Press Win+R" or "Open Terminal" instructions on a webpage. No legitimate site needs you to do this. Not Adobe. Not Microsoft. Not your bank. Not an "updated codec" page.
  3. A "verification ID" that is suspiciously long. If the page shows a verification string that is hundreds of characters long, that is the obfuscated payload. Real verification tokens are short.
  4. WordPress sites with a fresh full-page overlay. KongTuke specifically hijacks WordPress sites you might visit for recipes, news, or how-tos. If a site you have visited before suddenly shows a full-page "security check" that you do not remember, close the tab immediately.
  5. Browser address bar pointing somewhere unexpected mid-CAPTCHA. Some campaigns redirect through 2–3 domains. If the URL changes during a "verification," that is not normal verification flow.

The single rule that protects 99% of users: verification happens inside the browser tab. If a page asks you to use Run, Terminal, or any keyboard shortcut that is not Tab/Enter, close the tab.

Defense Steps for Home Users (The Practical Checklist)

You do not need expensive software to block ClickFix. Most of the protection is configuration you can apply in under 30 minutes.

1. Disable the Windows Run dialog for non-admin users (where appropriate)

For family members, especially older relatives, this is the single highest-impact change. On Windows 11 Pro, open gpedit.msc → User Configuration → Administrative Templates → Start Menu and Taskbar → Remove Run menu from Start Menu. This does not disable PowerShell entirely; it removes the most common ClickFix landing point. On Home edition, you can use Microsoft App Control for Business to restrict script hosts.

2. Turn on PowerShell Constrained Language Mode for standard accounts

Constrained Language Mode prevents arbitrary .NET method calls, which kills the Donut shellcode trick. Microsoft documents this under about_Language_Modes. For day-to-day home use, this rarely breaks anything, because legitimate PowerShell scripts almost always run under an admin account.

3. Run a non-admin daily-use account

I have made this the default across our internal devices since 2023. Even if a ClickFix command does execute, it cannot install services, persist via scheduled tasks at the system level, or escalate without a UAC prompt that interrupts the chain. Setting up a separate admin account takes 10 minutes and pays for itself the first time anyone in the household clicks a sketchy link.

4. Use a browser with strong scripted-clipboard protection

Both Firefox and Brave require an explicit user permission before a webpage can write to your clipboard, and both surface a notification. Chromium-based browsers historically allowed silent clipboard writes from active tabs; check the Site settings → Clipboard permission in Chrome and Edge and set the default to "Don''t allow sites to see and change clipboard."

5. Enable Defender Attack Surface Reduction rules

The two ASR rules that meaningfully impact ClickFix are Block process creations originating from PSExec and WMI commands and Block execution of potentially obfuscated scripts. These are off by default on home installs. Microsoft documents the PowerShell command to enable them. They are conservative and rarely cause issues for normal users.

6. Install one of the major password managers, and use its autofill exclusively

1Password, Bitwarden, and Proton Pass autofill only on the exact origin where credentials were saved. If you land on a phishing clone, autofill silently fails. That mismatch is itself a warning signal — if your manager refuses to fill, the page is wrong.

7. Tell your family the rule out loud

I cannot overstate this. Every parent, partner, and grandparent in your household needs to hear, in plain language: "If a website ever asks you to press Windows+R, paste something, or open the Terminal, close the tab and call me." Print it. Tape it to the laptop lid if you have to. The technical controls fail eventually; the verbal rule does not.

What To Do If You Already Ran the Command

If you, or someone in your house, has already pressed Win+R, Ctrl+V, Enter on a suspicious page, assume browser data is gone. Time matters — the stealer typically completes its work in under two minutes.

First 15 minutes:

  • Disconnect the device from the network. Pull the Wi-Fi or unplug the cable.
  • From a different, trusted device, change the passwords for: your primary email, your password manager master password, online banking, and any work SaaS dashboards. Revoke all active sessions.
  • Rotate any cryptocurrency wallet seed phrases stored in browser extensions. Move funds to a fresh wallet.

First 24 hours:

  • Reset every password autofilled in your browser. The stealer dumps the entire Login Data SQLite file.
  • Re-enroll multi-factor authentication on critical accounts. Old TOTP seeds saved in browser extensions should be considered compromised.
  • Pull the Defender scan history (Settings → Privacy & security → Windows Security → Protection history) and look for blocked items.
  • Run a full offline scan with Defender (Microsoft Defender Offline scan) and a second-opinion scan with Malwarebytes free.

If the device handles work data, banking, or anything tied to your livelihood: reinstall Windows. I know this sounds extreme. Modern infostealers and RATs have persistence mechanisms that survive most cleanup tools. Backup your documents, reformat, reinstall from official media. CISA has a recovery checklist worth reading.

Why This Matters More for Small Business Owners

Across the 30-plus client engagements I have shipped through Warung Digital Teknologi, the pattern is consistent: the owner is also the IT admin, the bookkeeper, and the one person with access to every SaaS subscription the business uses. A single successful ClickFix on the owner''s laptop compromises the company''s email, hosting control panel, accounting software, payment processor, and customer database simultaneously.

The defense for a one-person business is not enterprise-grade EDR. It is the same checklist above, applied without exceptions, plus two business-specific items:

  • Separate the admin laptop from the daily-use laptop. If you have one machine for everything, the cost of one bad click is your entire business. A second cheap laptop dedicated to billing, hosting, and email administration is the most cost-effective security control most small business owners ignore.
  • Lock down hosting control panels with hardware MFA. Cookies for cPanel, hPanel, AWS console, and similar can be replayed. A YubiKey or Titan key on those accounts means a stolen cookie is useless without the physical token.

Authoritative Sources for Further Reading

  • Microsoft Security Blog — Think before you Click(Fix): Analyzing the ClickFix social engineering technique (August 2025): the original technical breakdown that named the technique.
  • U.S. HHS Sector Alert on ClickFix Attacks (TLP:CLEAR PDF): defensive guidance for the healthcare sector that applies almost identically to home users.
  • CISA — Stop Ransomware resources at cisa.gov/stopransomware: incident response and recovery checklists.
  • NIST SP 800-83 — Guide to Malware Incident Prevention and Handling: foundational guidance on contain/eradicate/recover steps.
  • Trend Micro Research — KongTuke ClickFix WordPress abuse analysis (March 2026).

Frequently Asked Questions

Will Microsoft Defender block ClickFix on a default Windows 11 install? Sometimes — particularly when the second-stage payload is a known stealer signature. But the technique is designed to bypass first-stage detection, and signed App-V variants reported in 2026 evade default rules. Defender alone is not sufficient; the user-behavior rule (close any tab that asks you to leave the browser) is the real defense.

Can ClickFix happen on macOS? Yes — the Mac variant uses Terminal instead of Run, and lures users into pasting a curl-pipe-bash command. CyberShieldTips has a separate guide on the macOS Mac Sync ClickFix variant; the recognition rule is identical: no legitimate site asks you to open Terminal.

Is ClickFix the same as a fake virus alert pop-up? Related but distinct. Fake virus alerts try to get you to call a phone number or install a fake antivirus. ClickFix is more sophisticated and runs an actual malicious command rather than relying on tech-support-scam follow-up.

Does using a Mac, Linux, or Chromebook protect me? Chromebook is the safest of the three for non-technical users because it cannot run arbitrary PowerShell or shell commands from a web prompt. Linux and macOS users are still targeted by the Terminal variant.

How do I know if I have already been compromised? Sudden logouts from accounts on other devices, unfamiliar password reset emails, or new OAuth grants on your Google/Microsoft accounts are the strongest early signals. Check Account security → Recent activity on every major account at least monthly.

The Single Rule Worth Memorizing

ClickFix works because verification habits make us press keys without reading them. Every defense in this guide is downstream of one rule: verification happens inside the browser tab. If a page asks you to use Windows+R, Terminal, PowerShell, or any system-level shortcut, close the tab. Tell your family. Tell your team. Print it on a sticky note. The technique will keep evolving — the rule will not.

Stay safe out there.

Found this helpful?

Subscribe to our newsletter for more in-depth reviews and comparisons delivered to your inbox.

Related Articles