ClickFix: An Adaptive Social Engineering Technique
ID: 49653ca0-33f6-5b9f-b9d6-1a7791a9ec31
STIX ID: report--49653ca0-33f6-5b9f-b9d6-1a7791a9ec31
Feed Name: CISecurity.org Insights Blog
This report from CIS CTI analyzes the 2025 rise of the ClickFix technique, where attackers hijack legitimate sites to display CAPTCHA/Turnstile gates and fake error messages that trick users into copying and executing obfuscated PowerShell or shell commands, resulting in malware delivery. Observed campaigns led to ransomware (including an Interlock incident against a U.S. SLTT), info-stealers like Lumma, NetSupport RAT abuse, and fake browser updates delivering SocGholish, with related DPRK “ClickFake Interview” activity noted. The report provides detailed defensive recommendations including restricting and auditing PowerShell, WDAC policies, allowlisting, DNS/domain blocking (MDBR), IDS (Albert), MDR, antivirus, and security awareness training.
