ClickFix Malware Delivery Service Gains Popularity with Advanced AMSI Bypass and Evasion Techniques

ClickFix Evolves into Sophisticated API-Driven Malware Delivery Ecosystem

MEDIUM
July 7, 2026
5m read
MalwareThreat Intelligence

Related Entities

Organizations

Products & Tech

Antimalware Scan Interface (AMSI)

Other

ClickFix

Full Report

Executive Summary

The ClickFix malware delivery service, also known as a 'loader' or 'dropper', has undergone a significant evolution, transforming into a sophisticated, API-driven platform for distributing malicious payloads. Security researchers report that it has become a preferred tool for cybercriminals due to its advanced evasion capabilities and reliability. Analysis of thousands of ClickFix payloads shows the service uses techniques like rotating wrappers and custom command generation to bypass signature-based detection. A particularly noteworthy technique involves abusing the Windows Downloads folder to neutralize Microsoft's Antimalware Scan Interface (AMSI), a key protection against script-based attacks. This constant innovation highlights the industrialization of the cybercrime economy, where specialized services like ClickFix provide a critical 'initial access' component for other threat actors, including ransomware gangs.


Threat Overview

ClickFix operates as a Malware-as-a-Service (MaaS) platform, where the service's operators provide the infrastructure and tools to deliver a customer's payload (e.g., ransomware, info-stealer, RAT) to a victim's machine. Its recent surge in popularity is attributed to its focus on evasion and resilience.

Key features of the evolved ClickFix service include:

  • API-Driven Architecture: Allows for programmatic and scalable deployment of malware, making it easy for other criminal services to integrate with.
  • Rotating Wrappers: The service constantly changes the 'wrapper' or 'loader' code that contains the final payload. This polymorphism helps defeat static, signature-based antivirus detection.
  • Custom Command Generation: The commands used to launch the malware are dynamically generated, further complicating pattern-based detection.
  • Advanced Evasion Techniques: The service actively incorporates new methods to bypass modern security controls.

Technical Analysis

The most prominent technique highlighted in recent reports is the abuse of the Downloads folder to bypass AMSI.

AMSI Bypass via Downloads Folder:

  • T1562.001 - Disable or Modify Tools: AMSI is a critical Windows security feature that allows applications and services to integrate with antivirus products, enabling the scanning of scripts and other content before execution. Bypassing it is a high-priority goal for attackers.
  • The ClickFix method involves leveraging how files in the user's Downloads folder are handled. By manipulating the context or source of a script executed from this location, the attackers can prevent the AMSI provider from being properly invoked, effectively blinding it to the malicious script's content.
  • This technique is a form of defense evasion that specifically targets a modern, in-memory security control, demonstrating the sophistication of the ClickFix developers.

Other relevant TTPs include:


Impact Assessment

The rise of sophisticated delivery services like ClickFix has a broad impact on the threat landscape:

  • Lowers the Bar for Attackers: Less skilled threat actors can rent the services of ClickFix to deliver their malware, without needing to develop their own evasion techniques.
  • Increases Ransomware Threat: ClickFix provides a reliable and scalable initial access vector for ransomware groups, fueling the ransomware economy.
  • Pressures Defenders: The use of advanced, rapidly changing evasion techniques puts constant pressure on security vendors and blue teams to update their detection capabilities.
  • Commoditization of Initial Access: ClickFix is a prime example of the 'Initial Access Broker' (IAB) model, where access to compromised machines is a traded commodity.

IOCs — Directly from Articles

No specific file hashes, IP addresses, or domains were provided in the source articles.


Cyber Observables — Hunting Hints

Detecting loaders like ClickFix requires focusing on the execution chain and script behaviors.

Type
command_line_pattern
Value
powershell.exe -enc <base64_string>
Description
Look for PowerShell being launched with long, encoded commands, a common technique for loaders.
Type
log_source
Value
AMSI Event Logs (Event ID 1116, 1117)
Description
A lack of AMSI events for a script executed from the Downloads folder, where you would expect them, could be an indicator of a bypass.
Type
process_name
Value
mshta.exe, wscript.exe
Description
Monitor for the execution of legacy scripting hosts, which are often used to launch initial loaders.
Type
network_traffic_pattern
Value
A process like wscript.exe making a network connection to download a second-stage payload.
Description
Loaders often have multiple stages. The initial script downloads the next part of the attack.

Detection & Response

  • Script Block Logging: Enable enhanced PowerShell logging, including Script Block Logging and Module Logging, to capture the de-obfuscated content of malicious scripts, even if AMSI is bypassed.
  • Attack Surface Reduction (ASR): Implement Microsoft Defender ASR rules, particularly rules that block script-based attacks, obfuscated scripts, and execution from certain locations.
  • Behavioral-Based EDR: Use an EDR solution that focuses on the behavior of a script rather than its signature. Detecting a script that allocates executable memory and then writes to it is a strong heuristic for a loader.
  • D3FEND Techniques: Utilize Dynamic Analysis (D3-DA) in a sandbox environment to observe the full behavior of a suspected loader. On the endpoint, Process Analysis (D3-PA) can help trace the execution from the initial script to the final payload.

Mitigation

  • Email and Web Filtering: The initial entry point for ClickFix is often a malicious email attachment or a link to a malicious file. Strong filtering is the first line of defense.
  • User Training: Train users to be suspicious of unsolicited attachments and links, especially those that ask them to enable macros or run scripts.
  • Application Control: Use application control solutions like AppLocker or Windows Defender Application Control to restrict the execution of unauthorized scripts and applications. -- Disable Legacy Scripting Hosts: Where possible, disable or restrict legacy scripting hosts like wscript.exe if they are not needed for business operations.
  • D3FEND Countermeasures: Implement Executable Denylisting (D3-EDL) to block known malicious loaders and script interpreters that are not required in the environment.

Timeline of Events

1
July 7, 2026
This article was published

MITRE ATT&CK Mitigations

Use application control and Attack Surface Reduction rules to block the execution of untrusted and obfuscated scripts.

Keep AV/EDR solutions up to date with the latest signatures and behavioral detection engines.

Use web filtering to block access to known malicious domains that host loaders and payloads.

Sources & References

6th July – Threat Intelligence Report
Check Point Research (research.checkpoint.com)
Researchers Claim First Fully Agentic Ransomware: JadePuffer
Infosecurity Magazine (infosecurity-magazine.com)

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Tags

ClickFixMalware-as-a-ServiceLoaderDropperAMSI BypassInitial Access

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.