The ClickFix malware delivery service, also known as a 'loader' or 'dropper', has undergone a significant evolution, transforming into a sophisticated, API-driven platform for distributing malicious payloads. Security researchers report that it has become a preferred tool for cybercriminals due to its advanced evasion capabilities and reliability. Analysis of thousands of ClickFix payloads shows the service uses techniques like rotating wrappers and custom command generation to bypass signature-based detection. A particularly noteworthy technique involves abusing the Windows Downloads folder to neutralize Microsoft's Antimalware Scan Interface (AMSI), a key protection against script-based attacks. This constant innovation highlights the industrialization of the cybercrime economy, where specialized services like ClickFix provide a critical 'initial access' component for other threat actors, including ransomware gangs.
ClickFix operates as a Malware-as-a-Service (MaaS) platform, where the service's operators provide the infrastructure and tools to deliver a customer's payload (e.g., ransomware, info-stealer, RAT) to a victim's machine. Its recent surge in popularity is attributed to its focus on evasion and resilience.
Key features of the evolved ClickFix service include:
The most prominent technique highlighted in recent reports is the abuse of the Downloads folder to bypass AMSI.
AMSI Bypass via Downloads Folder:
T1562.001 - Disable or Modify Tools: AMSI is a critical Windows security feature that allows applications and services to integrate with antivirus products, enabling the scanning of scripts and other content before execution. Bypassing it is a high-priority goal for attackers.Downloads folder are handled. By manipulating the context or source of a script executed from this location, the attackers can prevent the AMSI provider from being properly invoked, effectively blinding it to the malicious script's content.Other relevant TTPs include:
T1027 - Obfuscated Files or Information: The use of rotating wrappers is a form of obfuscation.T1059 - Command and Scripting Interpreter: ClickFix is designed to execute payloads, which often involves using PowerShell, VBScript, or other interpreters.The rise of sophisticated delivery services like ClickFix has a broad impact on the threat landscape:
No specific file hashes, IP addresses, or domains were provided in the source articles.
Detecting loaders like ClickFix requires focusing on the execution chain and script behaviors.
command_line_patternpowershell.exe -enc <base64_string>log_sourceprocess_namemshta.exe, wscript.exenetwork_traffic_patternwscript.exe making a network connection to download a second-stage payload.wscript.exe if they are not needed for business operations.Use application control and Attack Surface Reduction rules to block the execution of untrusted and obfuscated scripts.
Keep AV/EDR solutions up to date with the latest signatures and behavioral detection engines.
Use web filtering to block access to known malicious domains that host loaders and payloads.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.