You guys seriously need to read this because ClickFix isn't just one malware strainβ€”it's a whole ecosystem of attacks that evades almost every standard defense we use! Here is how it works: malicious ads on legitimate websites inject JavaScript into your browser session via stolen ad tech credentials, and Cliksense alone has been compromised in multiple campaigns. The attacker then redirects you to a fake error page where Chrome claims your system is infected and prompts you to download a "fix." That fix is the real payloadβ€”a remote access trojan that only drops after you run it. You can't blacklist the attacking domains because they are legitimate sites with compromised ad units, which means blocking at the firewall or DNS level breaks real websites while letting the attack through.

This is why AV and EDR scans return nothing: there is no file on disk to scan before infection occurs, and after execution the only artifacts are a browser process spawning an additional browser instance under a fake error page name β€” totally normal behavior for many legitimate apps! This is exactly how it evades signature-based detection. The user interacts with what looks like a real Chrome update dialog from a genuine Google domain, which builds trust before they run the installer that gives the attacker full system access and data exfiltration capabilities. It also steals cookies, autofill info, saved passwords β€” everything your browser holds. Every one of these details matters because it's not just malware; it's an abuse of trust at scale by renting infrastructure for as little as $40 to deliver trojans.

So what do we actually do about it when traditional detection fails? You can't block all redirects without breaking the internet, so focus defense on detecting anomalous browser process trees and network connections to known bad destinations rather than hunting for a specific hash. Monitor for a web browser spawning another one with an unusual name in the process list β€” that is almost certainly malicious. Microsoft and Google have issued official warnings about ClickFix recently, which shows how widely this has spread. There are also more recent reports on this: https://www.virustotal.com/gui/home, https://news.microsoft.com/en-us/security/, https://www.themiraigroup.com/blog/how-to-detect-and-prevent-clickfix.

Source: https://www.darkreading.com/cyberattacks-data-breaches/clickfixs-ecosystem-demands-new-defense