A member of staff visited what appeared to be a legitimate website. A message on the page told them their browser had a problem and gave them simple instructions to fix it: press two keys, paste a short piece of text, and hit Enter. They did. Within hours, criminals had access to eleven of the organisation’s computers, including the server that controls the entire network.
The attack, documented in new research from cybersecurity firm Huntress, is one of the starkest illustrations yet of a technique known as ClickFix and of what happens when it goes undetected.
The trick that started it all
ClickFix works by exploiting something very human: the instinct to follow clear instructions when something appears to have gone wrong. The fake error message on the website looked plausible. The fix it offered seemed routine. And the action it required, pressing the Windows key and R together, then pasting in a short command, is something IT departments sometimes ask staff to do legitimately.
That single action was enough. Running the command silently installed malicious software on the machine in the background, with no warning and no visible sign that anything had happened.
Crucially, the machine where this happened was not being monitored. There was no security software watching for suspicious activity. That absence gave the attackers something invaluable: time.
What the attackers did next
Once inside, the criminals moved methodically. The malicious software installed itself quietly and began receiving instructions from the attackers. It then downloaded a second, more powerful tool that gave them an extensive range of capabilities.
From that point, the attackers could:
- Steal saved passwords and login details from web browsers, including passwords protected by security measures Google only introduced last year.
- Take covert remote control of the victim’s browser, running it invisibly while the user saw nothing, a technique commonly used to commit banking fraud.
- Install additional tools and spread their access to other machines across the network.
Five hours after the initial infection, the attackers installed a second backdoor that used an unusual method to stay hidden. Rather than connecting to a server address that security teams could block, it retrieved its instructions from the Ethereum cryptocurrency network, a system designed to be extremely difficult to shut down or disrupt.
They also set up a concealed access route through a legitimate internet service, giving themselves a persistent way back into the network that bypassed the organisation’s firewall entirely.
A human takes the wheel
At a certain point, the attack shifted from automated software to a real person actively working at a keyboard. Using stolen administrator login credentials, the attacker began manually navigating the network, moving from machine to machine with the same level of access as an IT administrator.
Windows’ built-in security software repeatedly caught and blocked the tools they tried to deploy. Rather than giving up, the attacker fought back, trying multiple approaches in sequence to disable it, eventually succeeding in turning it off entirely. They even ran a check to confirm it was disabled before moving on. It is, Huntress notes, exactly the kind of careful, deliberate step that tells you a skilled human being is on the other end.
With security software out of the way, the attacker spread their tools across the network systematically, machine by machine, until they had a presence on more than eleven devices, including the server that manages all user accounts and access permissions for the organisation.
The cost of one unmonitored machine
By the time Huntress’s security team could begin remediation, the work was considerable. Cleaning up meant going through more than eleven machines individually, hunting for traces of the attackers’ presence. The attackers had gone to great lengths to blend in: tools were renamed to resemble standard Windows processes, and persistence mechanisms were given names that mimicked legitimate software. Each machine had to be examined on its own terms.
Huntress is direct about what made this possible. Had the original machine been monitored, the malicious software could have been caught the moment it ran. The clean-up would have been one machine, not eleven. “Coverage gaps are not theoretical risks,” the firm writes. “They are the room attackers need to turn a single moment of misdirection into a network-wide compromise.”
What organisations can do
Huntress makes several practical recommendations:
- Ensure every device on the network has security monitoring in place, including workstations that may appear low-risk. The machine where this attack started had none.
- Disable the Windows Run dialog through IT policy where possible. ClickFix attacks depend on it. If staff cannot open it, the attack fails at the first step.
- Set up alerts for any attempt to disable Windows security software or carve out exceptions to it. Both are strong indicators of an active intrusion.
- Train staff to be sceptical of any website that asks them to run commands on their computer, however plausible the reason given.
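The third recommendation, alerting on attempts to disable Windows security software or carve out exceptions to it, can be turned into simple detection logic. The Python below is an added example, not code from the article or from Huntress: it classifies simplified event records modelled on the Microsoft Defender operational log and PowerShell script-block logging (event 4104), and the sample events are constructed.

```python
import re
from typing import Optional

# Defender/Operational event IDs that mean protection was turned off, or that
# tamper protection blocked an attempt (IDs are Microsoft's; text paraphrased).
PROTECTION_DISABLED = {5001: "real-time protection disabled",
                       5010: "malware scanning disabled",
                       5012: "virus scanning disabled",
                       5013: "tamper protection blocked a configuration change"}
# Event 5007 is any configuration change; alert only when it adds an exclusion.
EXCLUSION_CHANGE = re.compile(r"\\Exclusions\\(Paths|Processes|Extensions)\\", re.I)
# Cmdlet usage in a PowerShell 4104 script-block record that disables a
# Defender feature or carves out an exception.
PS_TAMPER = re.compile(
    r"(Set|Add)-MpPreference\s+-(Disable\w+|Exclusion(Path|Process|Extension))", re.I)

def classify(event: dict) -> Optional[str]:
    # Return an alert reason for one event record, or None if it is benign.
    provider, event_id, msg = event["provider"], event["event_id"], event["message"]
    if provider == "Microsoft-Windows-Windows Defender":
        if event_id in PROTECTION_DISABLED:
            return PROTECTION_DISABLED[event_id]
        if event_id == 5007 and EXCLUSION_CHANGE.search(msg):
            return "exclusion added to Defender configuration"
    elif provider == "Microsoft-Windows-PowerShell" and event_id == 4104:
        m = PS_TAMPER.search(msg)
        if m:
            return "Defender tampering via PowerShell: " + m.group(0)
    return None

def find_tamper_alerts(events: list) -> list:
    # Run classify() over a log stream; one alert dict per suspicious event.
    return [{"host": e["host"], "time": e["time"], "reason": r}
            for e in events if (r := classify(e))]

# Constructed sample events modelled on the follow-on to a ClickFix infection:
# a PowerShell attempt to disable real-time protection, an exclusion for a
# staging folder, a routine signature update (benign), and the resulting 5001.
SAMPLE_EVENTS = [
    {"host": "WS-042", "time": "12:04:11", "provider": "Microsoft-Windows-PowerShell",
     "event_id": 4104, "message": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "WS-042", "time": "12:04:12", "provider": "Microsoft-Windows-Windows Defender",
     "event_id": 5007, "message": r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender"
                                  r"\Exclusions\Paths\C:\Users\Public\stage = 0x0"},
    {"host": "WS-042", "time": "12:05:00", "provider": "Microsoft-Windows-Windows Defender",
     "event_id": 2000, "message": "Security intelligence updated"},
    {"host": "WS-042", "time": "12:05:30", "provider": "Microsoft-Windows-Windows Defender",
     "event_id": 5001, "message": "Real-time protection is disabled"},
]
```

Running `find_tamper_alerts(SAMPLE_EVENTS)` flags the PowerShell attempt, the exclusion and the disabled-protection event while ignoring the signature update; in practice the records would come from a SIEM or `Get-WinEvent` export rather than an inline list.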
The full research, including technical indicators and detection guidance, is available here: https://www.huntress.com/blog/potemkin-loader-rmmproject-clickfix-attack