惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Securelist
C
Cybersecurity and Infrastructure Security Agency CISA
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
S
Security Affairs
Hacker News: Ask HN
Hacker News: Ask HN
L
Lohrmann on Cybersecurity
PCI Perspectives
PCI Perspectives
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
C
Cyber Attacks, Cyber Crime and Cyber Security
Recent Commits to openclaw:main
Recent Commits to openclaw:main
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
MyScale Blog
MyScale Blog
月光博客
月光博客
W
WeLiveSecurity
T
Threat Research - Cisco Blogs
Martin Fowler
Martin Fowler
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Recorded Future
Recorded Future
The GitHub Blog
The GitHub Blog
Webroot Blog
Webroot Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
TaoSecurity Blog
TaoSecurity Blog
P
Proofpoint News Feed
Google DeepMind News
Google DeepMind News
F
Full Disclosure
U
Unit 42
Jina AI
Jina AI
博客园 - 司徒正美
阮一峰的网络日志
阮一峰的网络日志
L
LINUX DO - 最新话题
宝玉的分享
宝玉的分享
大猫的无限游戏
大猫的无限游戏
The Hacker News
The Hacker News
The Last Watchdog
The Last Watchdog
T
Troy Hunt's Blog
腾讯CDC
T
Threatpost
H
Hacker News: Front Page
P
Palo Alto Networks Blog
博客园 - 聂微东
Last Week in AI
Last Week in AI
有赞技术团队
有赞技术团队
Help Net Security
Help Net Security
L
LINUX DO - 热门话题
N
News and Events Feed by Topic
人人都是产品经理
人人都是产品经理
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Spread Privacy
Spread Privacy

Check Point Blog

AI Appreciation Day: Let's Be Honest About What We're Appreciating - Check Point Blog AI Security Is Never Finished: Building the Continuous Red Teaming Loop  - Check Point Blog AI Security Threats in 2026: Annual Insights from Check Point Research - Check Point Blog AI Agents are Only As Effective as Their Harness - Check Point Blog Email Agent Hijacking: The Hidden Threat That Breaks Post-Delivery Security - Check Point Blog How Check Point Email Security Stopped a Student Job Scam Before It Reached the Inbox - Check Point Blog Redefining the CISO Contract: From Securing the Business to Securely Doing Business - Check Point Blog A New Ransomware Leader Emerges as June 2026 Attack Volumes Climb Worldwide How Unified Policies Close Security Gaps - Check Point Blog Under Pressure: Insights from the 2026 Exposure Gap Report - Check Point Blog When AI Invents the Attack: Browser-Native Ransomware - Check Point Blog Check Point and the AWS European Sovereign Cloud: Securing Europe’s Digital Future - Check Point Blog Shadow AI Is Not a Tool Problem. It's a Timing Problem. - Check Point Blog AI Is Changing Cyber Careers. NICE 2026 Showed What Students Need Next - Check Point Blog 90% of the World's Businesses are SMEs and MSMEs and AI Is Reshaping Both Their Future and Their Risk - Check Point Blog Prevention Before the Inbox: Reading the Microsoft Defender Benchmark Report in Context - Check Point Blog From Prompt Testing to AI Red Teaming at Enterprise Scale - Check Point Blog AI Has Moved From Assistance to Action. Is Your Security Model Ready? AI Security Governance: How to Secure AI Agents, Copilots, and Autonomous AI in 2026 - Check Point Blog OpenAI Frontier AI Models Powering Check Point's Leading Cyber Security Solutions The Operational Reality of Zero Trust- And How You Can Change It - Check Point Blog Amazon Prime Day 2026: Bargains Begin June 23 — and So Do the Scams - Check Point Blog Securing AI Agent Behavior with Amazon Bedrock AgentCore and CheckPoint AI Security - Check Point Blog What Successful Exposure Management Deployments Had in Common in 2026 - Check Point Blog From Stars to Upvotes: The Fake Reputation Economy Behind a Crypto Clipboard Hijackers - Check Point Blog AI Red Teaming Makes the Unknowns Known - Check Point Blog Check Point and Illumio Expand Partnership to Secure Hybrid Environments - Check Point Blog The NCSC Patch Wave Is Coming. Do You Know Where Your Risk Lives? - Check Point Blog NCSC Warns of AI-Driven Patch Wave: Is Your Attack Surface Ready? Energy, Healthcare, and Finance: Why Midwest Industries Are Facing Surging Cyber Attacks - Check Point Blog Midwest Cyber Attacks Surge in 2026: Energy, Healthcare, and Finance Under Growing Threat Travel Phishing and Cyber Attacks are Surging in 2026, Growing 122% over the last 3 years. Here's What Cyber Criminals Are Actually Doing - Check Point Blog Travel Phishing Scams Surge 122%: How Cybercriminals Are Targeting Travelers in 2026 The AI Your Security Team Can’t See Is the One You Should Worry About Check Point Engage Public Sector 2026: AI Is the New Battlefield Check Point Joins OpenAI’s Trusted Access for Cyber Program and Daybreak Initiative When Your AI Agent’s Memory Becomes a Security Liability AI Agents Are Becoming Enterprise Workers. Who Secures Them? Global Cyber Attacks Ease in May 2026, But Ransomware Surges 48% As Threats Reorganize Security Advisory – Action Required – Active Exploitation of Check Point VPN Authentication Bypass (CVE-2026-50751) Fraud, Ransomware, and Fake Apps Are Already Targeting FIFA 2026 The AI Defense Plane: Securing the New Enterprise Execution Layer The Meta AI Account Recovery Incident Wasn’t Just a Chatbot Problem Check Point Lays the Groundwork for the Future of AI Factory Security with NVIDIA - Check Point Blog Check ... The 2026 U.S. Midterms Have a Cyber Problem, But it’s Not at the Ballot Box The Server Seizure That Affects Also Iran’s Cyber Operations The Autonomous Security Platform Built for Attacker Speed Check Point Frontier AI Models Readiness Program – Security Update 2026 Cloud Security Report: Why Traditional Network, Cloud, and Security Architecture Are Lagging Behind t ... AI Attacks Are No Longer Experimental: Key Findings from the March-April 2026 AI Threat Landscape - Check ... Protect GenAI Chatbots with Check Point WAF The Network Security Problem No One Could Solve – Until Now. Hacktivists, Ransomware, and a 124% Surge Across DACH The Case for a Vulnerability Operations Center Before the First Whistle: How Cyber Criminals Are Targeting World Cup 2026 - Check Point Blog World Cup 20 ... When the Ransomware Gang Gets Hacked: What the Gentlemen Leak Reveals About Modern Ransomware Risk - Check ... Cyber Threats Spike in April 2026 as Ransomware Expands and Attack Volumes Climb After Short-Lived Moderation Q1 2026 Ransomware Report: Fewer Groups, Higher Impact - Check Point Blog World Password Day 2026: Why "Strong Passwords" Can’t Save You from AI, Infostealers, and the Telegram Underground - Check Point Blog Resilient by Design: When the Network Itself Becomes the Target AI Threat Readiness: Defending Against Attacks Powered by Frontier AI Models Check Point Cyber Security Now Available Across All Levels of U.S. Government - Check Point Blog Check Poi ... VECT Ransomware: Why Paying Won’t Get Your Files Back Check Point WAF Leads Application Security-Validated by Frost & Sullivan Check Point WAF Leads Application ... From Access Control to Outcome Control: Securing AI Agents with Check Point and Google Cloud Experience AI-Powered Check Point Firewall at Google Cloud Next AI Finds Every Gap: How Many Can Your Network Survive? The Gentlemen RaaS Is Surging in 2026 The Phishing Paradox: The World’s Most Trusted Brands Are Cyber Criminals’ Entry Point of Choice World Quantum Day 2026: The Harvest Has Already Begun, Are You Prepared? Why Manufacturing Cyber Security is Becoming More Complex as Cyber Attacks Accelerate March 2026 Cyber Threat Report: Ransomware & GenAI Risk PS Private Training: Turning Cyber Complexity into Operational Control Tax Season 2026: How Cyber Criminals Are Preparing Their Attacks Months in Advance Claude Mythos Wake-Up Call: What AI Vulnerability Discovery Means for Cyber Defense Iran-nexus Password Spray Campaign Targeting Cloud Environments, with a Focus on the Middle East ROI of Hybrid Mesh Network Security (IDC Study 2026) Operation TrueChaos: TrueConf Zero‑Day Supply‑Chain Attack ChatGPT Data Leak (Fixed Feb 2026): Key Takeaways Spring Cleaning Has Arrived: Meet the New Check Point Portal Experience North America’s Cyber Security Threat Reality in 2026
ClickFix: The Attack That Turns Users Into Their Own Attackers - Check Point Blog
lizwu@checkpoint.com · 2026-06-25 · via Check Point Blog

ClickFix has quickly become one of the most prevalent social engineering techniques on the web. The attack flips a familiar security assumption on its head: instead of slipping a malicious file past endpoint defenses, the attacker convinces the victim to run the payload themselves. No exploit. No malicious attachment. Just a user, a clipboard, and a convincing prompt.

To address this growing threat, the ThreatCloud AI team built a new detection engine, now integrated into Check Point’s Gateways (Zero-Phishing Blade), Email Security and Browse Security.

The ClickFix Threat

ClickFix attacks open with a familiar-looking prompt, a fake CAPTCHA, a Cloudflare verification screen, or a “browser update required” notice. The lure is convincing because it borrows the visual language of real security checks. The pattern is always the same: the victim is presented with a convincing prompt that requires them to take a few steps on their computer to “fix” something. Those steps end with the victim opening the Windows Run dialog, pasting a command from their clipboard, and hitting Enter.

What makes this so effective is that no exploit is involved, the user runs the payload themselves. Endpoint protection tools see a command launched by explorer.exe after a manual paste, a pattern that looks indistinguishable from legitimate user activity. 

Attackers deliver ClickFix through two main methods. Some create dedicated sites impersonating known brands or generic verification pages. Because the domain has no history, traditional reputation systems sometimes catch it, but only after the campaign has run for a while and signals accumulate.
Others compromise legitimate, trusted websites and inject a ClickFix overlay. In those cases, the domain is years old, has a clean reputation, and serves real content alongside the attack. Reputation-based defenses see nothing wrong, and most traditional defenses miss it. 

In both cases, catching ClickFix requires looking at the page itself, at the behavioral indicators of the attack, independently of where it is hosted. 

Introducing the ClickFix Engine 

The ClickFix Engine is a multi-layered AI detection system that analyzes web pages for the behavioral fingerprint of a ClickFix attack. It analyzes the page’s HTML for behavioral signals: fake verification prompts, “open terminal” instructions, clipboard copy APIs, and more. 

The engine operates in multiple stages. After analyzing the behavioral patterns, a deeper AI inspection layer analyzes the full-page content and identifies social engineering tactics. The result is consistent detection regardless of the host domain reputation or use of evasion techniques. Here’s what that looks like in practice. 

Case Study 1 – Tax-Season Impersonation Campaign 

In April 2026, the engine detected a coordinated campaign of five newly registered domains, all registered within the same week, all branded as “Pacific Crest Tax Advisors”. The timing was deliberate, the campaign launched in the U.S. tax filing period, exploiting a time when IRS impersonation scams are at their peak. 

The ClickFix page prompted victims to complete a “verification step”, which silently copied a multi-stage PowerShell payload to their clipboard. Pasting and running it, as the page instructed, would trigger a chain of actions: first downloading a malicious file from a trusted content delivery service, then installing it silently on the machine. The command was deliberately disguised to bypass security scanners, both using a well-known URL to download the malicious file, and the command was splitting its instructions across multiple variables to evade signature-based detection.  

The ClickFix Engine caught all five domains on day zero, before any reputation signals had accumulated!  

Case Study 2 – Catching ClickFix on a Trusted Website 

The second case tells a different story. Same attack, very different infrastructure. In April 2026, the engine flagged two unrelated French websites: vertsport.com, a sportswear retailer active since 2007, and materlo.com, a PrestaShop shop selling automotive tools. Both had clean reputations, valid SSL certificates, and years of legitimate activity. Nothing about either site would raise a flag. 

Both had been quietly hijacked. Hidden inside their product and blog pages was a fake Cloudflare verification prompt, identical on both sites, pointing to the same attacker-controlled server. Visitors who followed the “verification” steps would unknowingly run a payload that disabled Windows Defender and installed malware disguised as WebRTC driver, all while browsing what looked like a perfectly normal website. 

Because the engine inspects the behavior of the page rather than the reputation of the domain, it flagged both sites. The engine analyzed the page’s HTML and detected multiple behavioral signals characteristic of a ClickFix attack: a fake verification prompt, clipboard copy instructions, and system command execution patterns. With enough signals matching simultaneously, it returned a high-confidence malicious verdict, regardless of how trusted the hosting domain was. 

Preventing ClickFix Going Forward 

ClickFix is evolving fast. We have already detected coordinated campaigns impersonating trusted brands, compromised well-known legitimate websites, and new lure variants designed specifically to bypass traditional defenses. Attackers are investing heavily in making these pages look more convincing and harder to detect. 

The ClickFix Engine evolves with the attack. Because it inspects the behavioral fingerprint of the page rather than any single static feature, new lures and obfuscation techniques get caught regardless of how the attack is dressed up.