Unmasking the New Click-Fix Variant: Tactics, Techniques, and Defense

Social engineering remains the most reliable weapon in a threat actor's arsenal. While sophisticated vulnerabilities grab the headlines, it is often the simple manipulation of human psychology that breaches the perimeter. The Threat Research Center has recently highlighted a resurgence and evolution of the "Click-Fix" scam, a variant that has grown significantly more deceptive and dangerous.

The Evolution of Deception

At its core, the Click-Fix attack is a form of technical support scam. Users are presented with a fabricated crisis—usually a browser error message, a fake "Blue Screen of Death," or a flashing virus alert—urging them to call a toll-free number or click a "Fix" button immediately.

Historically, these scams were riddled with poor grammar and obvious pixelation. The new variant, however, leverages advanced HTML injection and legitimate-looking infrastructure to mimic genuine system notifications. This isn't just a pop-up; it is a carefully crafted UI overlay designed to bypass ad-blockers and trick even security-conscious users.

Deep-Dive Analysis: The Attack Chain

Understanding the mechanics of this new variant is crucial for defense. The attack typically follows a multi-stage chain:

1. Initial Access via SEO Poisoning

Threat actors compromise legitimate websites or utilize malicious SEO campaigns to drive traffic to landing pages hosting the malicious script. Unlike traditional malvertising, these pages often host generic content, making static analysis difficult.

2. The Malicious Script

Once the user lands on the page, a JavaScript payload executes. Instead of a standard alert, this variant uses a full-screen overlay that mimics the specific browser UI (Chrome, Edge, or Firefox) being used. It locks the browser viewport, preventing the user from closing the tab easily.

3. The Payload Delivery

The "Fix" button typically triggers a background download. In recent observations, this button initiates a PowerShell command or downloads a signed (but stolen) binary to bypass application allow-listing. The ultimate goal varies from info-stealing (redline, vidar) to deploying remote access trojans (RATs) for persistence.

Technical TTPs

• Living off the Land (LotL): The abuse of PowerShell and legitimate system utilities (like mshta.exe) to blend in with normal traffic.
• Obfuscation: Heavy use of Base64 encoding and string concatenation within command line arguments to evade signature-based detection.
• Browser Fingerprinting: The script checks the user-agent string to serve the specific fake UI relevant to the victim's browser, increasing the illusion of legitimacy.

Detection and Threat Hunting

Defending against Click-Fix requires a combination of user vigilance and robust telemetry. Security Operations Centers (SOCs) should hunt for the specific behaviors associated with the payload execution phase.

KQL Queries for Microsoft Sentinel/Defender

The following query helps identify PowerShell processes spawned by a browser—a highly suspicious behavior indicative of this attack vector.

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe")
| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe")
| where ProcessCommandLine has_any ("DownloadString", "IEX", "Invoke-Expression", "FromBase64String")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| sort by Timestamp desc

PowerShell Hunting Script

Use this script on suspected endpoints to check for persistence mechanisms often left behind by Click-Fix payloads, such as suspicious Scheduled Tasks.

# Check for Scheduled Tasks running PowerShell with encoded commands
Get-ScheduledTask | Where-Object { 
    $_.Actions.Execute -like '*powershell*' -or 
    $_.Actions.Execute -like '*pwsh*'
} | Select-Object TaskName, @{N='Command';E={$_.Actions.Arguments}}, State | 
Where-Object { $_.Command -match 'EncodedCommand' -or $_.Command -match 'DownloadString' }

Mitigation Strategies

To protect your organization from this evolving threat, implement the following layered defenses:

1. Attack Surface Reduction (ASR) Rules: Enable the ASR rule "Block all Office applications from creating child processes" and "Block JavaScript or VBScript from launching downloaded executable content." While Click-Fix is browser-based, many variants cross-pollinate with Office macros.
2. Browser Configuration: Enforce strict browser policies via Group Policy. Disable the ability for users to download and install arbitrary extensions, and force Safe Browsing features to the maximum security setting.
3. URL Filtering: Implement advanced DNS or web proxy filtering to block known malicious domains associated with these campaigns. Maintain a blocklist of keywords often found in the fake support URLs (e.g., "tech-support", "fix-pc-now").
4. User Awareness: Train employees to recognize the "Lock"—if a browser tab refuses to close, do not interact with the on-screen buttons. Instruct them to use Task Manager (Alt+Ctrl+Delete) to terminate the browser process immediately.

Conclusion

The new Click-Fix variant demonstrates that attackers are investing heavily in the user experience of their deceptions. It is no longer enough to rely on spotting obvious scams. By combining technical detection—hunting for browser-spawned PowerShell—with strategic policy enforcement, organizations can effectively neutralize this threat.

Stay vigilant.

Related Resources

Security Arsenal Alert Triage Automation AlertMonitor Platform Book a SOC Assessment platform Intel Hub