// ACTIVE THREAT · 2026

The fake CAPTCHA that runs malware on your PC

ClickFix is the #1 browser attack chain of 2026. You land on a page, see a familiar "Verify you're human" box, click it, and the page asks you to press Win+R and paste a line of text. That line is PowerShell malware. You end up infecting your own machine. SafeBrowz blocks the delivery sites before the click, flags the instruction text on pages we have never seen before, and (on Premium) catches the silent clipboard swap that makes the trick work.


Works on Chrome, Firefox and Edge. 420+ brands protected. AI content analysis in 100+ languages.

What ClickFix actually is

ClickFix is a social engineering attack disguised as a CAPTCHA. You open a page (often a cracked software site, a fake Cloudflare check, a YouTube video description link, or a search result for a common error message). The page shows a CAPTCHA box that looks like the real thing. You click "Verify you are human." Instead of a checkmark, you get instructions:

  1. Press Windows + R on your keyboard.
  2. Press Ctrl + V to paste the verification code.
  3. Press Enter to complete the check.

The page silently wrote a command to your clipboard the moment you clicked. When you paste into the Run dialog, you are running a PowerShell or mshta command that downloads a second-stage payload: infostealers like Lumma, RedLine, or StealC, crypto wallet drainers, or remote access trojans. It is called ClickFix because the attacker frames the malware as a "fix" for a broken CAPTCHA, and you run it yourself.

Why it works on smart people

  • CAPTCHAs are background noise. You solve them ten times a day. Your brain no longer reads them; it just clicks.
  • The instructions look like troubleshooting. Press Win+R, paste, Enter. That is a normal IT support pattern. Nothing in it screams "malware."
  • Windows Defender does not block it. You are the one running the command. From the OS point of view, a human opened Run and typed something. That is not an exploit, that is normal usage.
  • Patches do not help. ClickFix is 100% social engineering. A fully updated Windows 11 machine with every security patch installed is just as vulnerable as a Windows 7 box, because there is no bug being exploited.

What SafeBrowz does about it

Three layers. The first two are free forever. The third is Premium.

1. Domain blocklist

Every ClickFix delivery domain we or our threat feeds have seen is on a blocklist that refreshes every 6 hours. If you click a link to a known ClickFix page, SafeBrowz blocks the load before the CAPTCHA ever renders. No click, no clipboard poison, no paste.

2. Content pattern detection

New ClickFix domains pop up every day. For pages we have never seen, SafeBrowz scans the rendered content and flags the tell: a CAPTCHA box combined with instructions to press Win+R, open Run, open Terminal, or paste into PowerShell. AI content analysis reads the page in 100+ languages and warns before you interact.
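A text heuristic in the spirit of this layer, as an added example (not SafeBrowz's code): it flags a page only when a human-verification lure and an instruction to open a shell appear together. The pattern lists, names and sample texts are assumptions constructed for illustration.

```javascript
// Added example: a text heuristic in the spirit of the layer described above.
// Not SafeBrowz's code; pattern lists and names are assumptions.
const LURES = [
  ["verify-human", /verify\s+(?:that\s+)?you(?:'re|\s+are)\s+(?:a\s+)?human/i],
  ["not-a-robot", /\bnot\s+a\s+robot\b/i],
  ["captcha", /\bcaptcha\b/i],
];
// Instructions that move the user out of the browser and into a shell.
const SHELL_STEPS = [
  ["win+r", /\bwin(?:dows)?(?:\s+key)?\s*\+\s*r\b/i],
  ["open-shell", /\bopen\s+(?:the\s+)?(?:run\b|terminal|powershell)/i],
  ["paste-into-shell", /\bpaste\b[^.]{0,40}\b(?:powershell|terminal|run\s+dialog)/i],
];

// Names of the patterns in `table` that occur in `text`.
function matches(table, text) {
  return table.filter(([, re]) => re.test(text)).map(([name]) => name);
}

// Flag only when BOTH signals are present: a CAPTCHA alone is normal, and
// Win+R alone is ordinary IT documentation.
function detectClickFix(pageText) {
  // Normalise curly apostrophes and whitespace before matching.
  const text = pageText.replace(/[\u2018\u2019]/g, "'").replace(/\s+/g, " ");
  const lures = matches(LURES, text);
  const steps = matches(SHELL_STEPS, text);
  return { flagged: lures.length > 0 && steps.length > 0, lures, steps };
}

// Constructed sample page texts (not taken from real sites).
const SAMPLES = {
  clickfix: "Verify you are human. 1. Press Windows + R on your keyboard. " +
    "2. Press Ctrl + V to paste the verification code. 3. Press Enter.",
  plainCaptcha: "Please complete the CAPTCHA: select all images with traffic lights.",
  itDocs: "To restart the spooler, press Win+R, type services.msc and press Enter.",
};

for (const [name, text] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(detectClickFix(text)));
}
```
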

3. Clipboard hijack guard (Premium)

ClickFix works because the page writes to your clipboard without you hitting Ctrl+C. Premium users get a guard that detects unprompted clipboard writes and blocks the paste until you confirm. If you did not copy anything, nothing goes into Run.

4 signs you are looking at a ClickFix page

  1. The CAPTCHA tells you to press Win+R, open Terminal, or run a PowerShell command. Real CAPTCHAs never do this.
  2. The page says the CAPTCHA "failed" and you need to run a "verification script," "human check script," or "browser update."
  3. The URL looks close to a real brand but you did not sign up there, did not search for it, and arrived from a random link, ad, or video description.
  4. You check your clipboard and it contains something starting with powershell.exe, mshta.exe, cmd.exe /c, curl, or certutil. That is malware, not a CAPTCHA token.
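The clipboard guard from layer 3 and the clipboard check in sign 4, modelled together as an added example (not SafeBrowz's code). The class name, the one-second window and the event wiring described in the comments are assumptions, and the sample clipboard strings are constructed placeholders.

```javascript
// Added example: the decision logic of a clipboard guard, as a pure model.
// Not SafeBrowz's code. In an extension the inputs would come from a "copy"
// event listener and a wrapper around clipboard writes (assumption).

// Sign 4 from the list above; also accepting the names without ".exe" is an
// assumption that goes slightly beyond the page.
const COMMAND_START =
  /^(?:powershell|mshta|curl|certutil)(?:\.exe)?(?=\s|$)|^cmd(?:\.exe)?\s+\/c(?=\s|$)/i;

function looksLikeCommand(clipText) {
  return COMMAND_START.test(clipText.trim().replace(/^["']/, ""));
}

class ClipboardGuard {
  constructor(windowMs = 1000) {
    this.windowMs = windowMs; // how long a user copy "covers" a write
    this.lastCopy = null;
  }
  // Call when the user copies a selection (Ctrl+C or the context menu).
  noteUserCopy(selectedText, nowMs) {
    this.lastCopy = { text: selectedText.trim(), at: nowMs };
  }
  // Call for every clipboard write the page performs.
  check(writtenText, nowMs) {
    const c = this.lastCopy;
    const prompted = c !== null && c.text !== "" &&
      nowMs - c.at <= this.windowMs &&
      c.text === writtenText.trim(); // page must not swap the content
    return {
      prompted,
      commandLike: looksLikeCommand(writtenText),
      action: prompted ? "allow" : "hold-until-confirmed",
    };
  }
}

// Constructed timeline; payload arguments are placeholders.
const guard = new ClipboardGuard();
const silent = guard.check("powershell.exe <placeholder-args>", 1000);
guard.noteUserCopy("meeting notes", 2000);
const honest = guard.check("meeting notes", 2050);
guard.noteUserCopy("meeting notes", 3000);
const swapped = guard.check("mshta.exe <placeholder-url>", 3050);
console.log({ silent, honest, swapped });
```

The third case covers a page that lets you copy ordinary text and then replaces it: the written text no longer matches the selection, so the write is treated as unprompted.
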

What to do if you already ran the command

Assume infection. Move fast.

  1. Disconnect from the internet. Unplug ethernet, turn off Wi-Fi. This stops data exfiltration in progress and cuts the remote access channel.
  2. Full antivirus scan. Run Microsoft Defender Offline scan plus Malwarebytes. Do it from Safe Mode if you can.
  3. Change every password you used in the last 24 hours. Do it from a clean device, not the infected one. Start with email, then banking, then crypto exchanges, then everything else.
  4. Revoke active sessions and move crypto. Log out of every active session on Google, Microsoft, GitHub, exchanges. If you held crypto in a hot wallet on that machine, move the funds to a new wallet from a clean device. See our wallet guard guide for drainer recovery steps.
  5. Watch bank and crypto accounts for 48 hours. Infostealers sell credentials within hours. Watch for unknown logins, outgoing transfers, new API keys, or 2FA reset emails.

Frequently asked questions

Does SafeBrowz work on Mac?

Yes. ClickFix is Windows-focused because it abuses the Run dialog, but the delivery site is a web page, and that is what SafeBrowz blocks. Chrome, Firefox and Edge on macOS get the same domain blocklist and pattern detection. A Mac user who lands on a ClickFix page sees the block screen just like a Windows user.

Does the free tier protect against ClickFix?

Yes. Domain blocklisting and on-page pattern detection are free forever. That catches the overwhelming majority of ClickFix attempts, because the trick only works if the page loads and you read the instructions. The Premium clipboard hijack guard is the extra safety net for new delivery domains we have not yet seen.

I visited a ClickFix site but did not press Win+R. Am I safe?

Yes. ClickFix cannot execute code just because you viewed the page. It needs you to open the Run dialog (or Terminal) and paste the clipboard contents. If you closed the tab before doing that, nothing ran. Clear your clipboard to be safe (copy any innocuous text), and you are done.

More writeups on ClickFix tactics and indicators are on the SafeBrowz blog, including the deep-dive Fake CAPTCHA ClickFix post.

Block ClickFix before the click

Free forever on Chrome, Firefox and Edge. 420+ brands protected, AI content analysis in 100+ languages, clipboard hijack guard on Premium.
