Saturday, January 17, 2026

500% Surge in ClickFix Attacks – Hackers Exploit New Trick to Deceive Users

In the first half of 2025, cybersecurity experts observed an unprecedented surge in innovative threats, increasing the risk to organizations and individuals.

Among the most alarming developments is the explosive rise of a new attack technique dubbed “ClickFix,” which has rocketed up the threat charts, now ranking just below phishing as the second most common attack vector in ESET’s telemetry.

ClickFix isn’t just another piece of malware; it’s an entire attack campaign that manipulates users into executing malicious commands under the false pretense of fixing a fake system error.

The method is simple yet devastating: cybercriminals deceive users into believing their device has a critical issue that requires immediate attention. When the victim clicks to resolve the error, malicious code executes, bypassing traditional defenses.

What sets ClickFix apart is its versatility and cross-platform reach. Attackers are leveraging this vector to deliver a wide array of payloads, from infostealers like SnakeStealer and Lumma Stealer to ransomware and even nation-state malware.

These attacks are not confined to Windows; researchers confirm their presence on Linux and macOS as well. The rise of ClickFix, up by over 500% compared to the second half of 2024, reflects the continued ingenuity of cybercriminals in exploiting human psychology.

Detection challenge:
ClickFix campaigns are notoriously difficult to catch with signature-based defenses, since the malicious activity begins only after user interaction. This underscores the importance of user education and multi-layered security approaches.

Infostealer Turmoil and Knockout Blows to MaaS (Malware-as-a-Service)

The infostealer landscape has also undergone seismic shifts. Agent Tesla, once a dominant player, has faded into obscurity, while SnakeStealer (Snake Keylogger) now leads the pack in ESET’s detection charts.

At the same time, Lumma Stealer and Danabot, two major malware-as-a-service (MaaS) threats, faced significant disruption thanks to collaborative takedown operations in which ESET played a key role.

Agent Tesla was especially notorious for stealing credentials and sensitive information from victims, but SnakeStealer’s modular approach and improved evasion techniques have made it the new favorite. 

The takedown of Lumma Stealer and Danabot, however, marks a significant victory for the cybersecurity community, as these services had been enabling less technically skilled criminals to launch sophisticated attacks at scale.

Android Adware and NFC Fraud: The Mobile Threat Evolution

On the Android front, adware detections increased by 160%, primarily due to a new malware family called Kaleidoscope. 

This threat uses an “evil twin” strategy, impersonating legitimate apps to infiltrate devices and bombard users with intrusive ads, grinding performance to a halt.

Meanwhile, near-field communication (NFC) fraud has increased by more than thirty-five times compared to previous periods. Although absolute numbers remain relatively low, the rapid growth is alarming.

Attackers are orchestrating sophisticated phishing campaigns and developing novel relay methods. New iterations such as NGate, GhostTap, and SuperCard demonstrate the criminals’ relentless adaptation to security advances.

The first half of 2025 has been marked by the meteoric rise of ClickFix attacks, the evolution of infostealers, and a dramatic increase in mobile threats. As always, staying informed and vigilant is the best defense against these rapidly evolving cyber dangers.
