ClickFix attacks are social engineering attacks in which attackers build fake CAPTCHA pages that silently copy a malicious PowerShell command to the user's clipboard when they click "I'm not a robot," then trick the user into pasting it into the Windows Run dialog (Windows+R). The command runs directly in memory without saving anything to disk, thereby bypassing antivirus detection and potentially stealing credentials or installing malware.
Deep Dive
ClickFix Explained: How the Fake CAPTCHA Actually Works
Last week, I walked through someone falling for ClickFix from the user perspective.
It starts with something like a search for a free PDF editor, then you get presented with a fake CAPTCHA. When it can't confirm you're human, it prompts you to perform three simple keystrokes, and then the attack is complete. But here's what's actually happening at each step.
The top search result is either a paid search ad by the attacker, a look-alike domain the attacker registered, or the real site that's been hacked and is injecting a fake CAPTCHA.
Unfortunately, search engines miss a lot of these.
Once on the site, the CAPTCHA is just the setup, and it's designed to look familiar and build trust. The Cloudflare branding, the "I'm not a robot" checkbox, the whole layout looks legit, but it's not a real CAPTCHA.
The purpose of the "I'm not a robot" checkbox is to get you to execute JavaScript that silently copies a long line of text into your clipboard when you click it.
You never see it happening.
The "verification incomplete" message gets you to perform the next step.
The whole point is to get you to paste that hidden text somewhere it would run.
So pressing Windows+R opens a small dialog box called Run on Windows.
Pressing Ctrl+V pastes that text into the Run box, and when you hit Enter, it executes it. So the gibberish in the Run box is a command for PowerShell, a tool built into every Windows machine. It can run code, download files, and connect to remote servers. Your command fetches malware from the attacker server and runs it directly in memory. Nothing's even saved to your hard drive.
When the page says "verified" and shows you the PDF editor download, that's to make you think everything's fine, even if you were suspicious.
Sometimes the PDF editor is real, the page actually gives you what you came for, so you don't notice anything's off.
By the time you double-click the installer, the malware is already running on your computer.
Maybe it's an infostealer, a remote access tool, whatever the attacker decided to load that day.
ClickFix attacks jumped over 500% in the first half of 2025.
And the trick fools technical people, too. Earlier this year, fake install pages for Claude Code and other AI developer tools got developers to paste commands that handed over their GitHub tokens, SSH keys, and cloud credentials.
Rule of thumb: never paste a command from a webpage.
Not for a CAPTCHA, not to fix a browser, not to install free software. If a site tells you to hit Command+R or Control+R, and then paste something in, it's definitely a scam.
And ultimately, you might not fall for this, but I think we all know someone who might.
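
For responders checking whether someone actually pasted a ClickFix command: Windows records what is typed into the Run dialog per user under the `RunMRU` registry key, so that history can be triaged after the fact. The script below is an added example, not from the video; the sample `reg query` output, the rule names and the two-rule threshold are constructed assumptions.

```python
import re

# Constructed sample in the layout printed by:
#   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
# The payload is elided on purpose; example.invalid is a placeholder host.
SAMPLE = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    a    REG_SZ    notepad\1
    MRUList    REG_SZ    bca
    b    REG_SZ    powershell -w hidden -c "<payload elided> https://example.invalid/v" # I am not a robot\1
    c    REG_SZ    \\fileserver\share\reports\1
'''

# Heuristics chosen for this example (assumptions, not a vendor rule set).
RULES = {
    "script_host": re.compile(
        r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|curl|msiexec)(\.exe)?\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "hidden_or_encoded": re.compile(
        r"(?<!\w)-(w(indowstyle)?\s+h|e(nc(odedcommand)?)?\s)", re.I),
    "captcha_lure": re.compile(r"not a robot|captcha|verif", re.I),
}

def parse_runmru(text):
    """Return [(value_name, command)] from reg query output, most recent first."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_SZ\s+(.*)$", line)
        if m:
            values[m.group(1)] = m.group(2)
    # MRUList holds the value names ordered from newest to oldest.
    order = values.pop("MRUList", "") or sorted(values)
    # Explorer stores each command with a trailing "\1" marker; drop it.
    return [(n, re.sub(r"\\1$", "", values[n])) for n in order if n in values]

def triage(text, threshold=2):
    """Return (name, matched_rules, command) for entries hitting >= threshold rules."""
    hits = []
    for name, cmd in parse_runmru(text):
        matched = [rule for rule, rx in RULES.items() if rx.search(cmd)]
        if len(matched) >= threshold:
            hits.append((name, matched, cmd))
    return hits

if __name__ == "__main__":
    for name, matched, cmd in triage(SAMPLE):
        print(f"[{name}] {', '.join(matched)}: {cmd[:70]}")
```

A hit here is a lead for investigation, not proof of compromise, and an empty history does not clear the machine.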