The ACSC issued an advisory on ClickFix, a social-engineering technique spreading malware through compromised WordPress websites. The mechanics are clever and low-tech: a victim lands on a legitimate-looking page that throws a fake error or “verify you’re human” prompt, then instructs them to copy a snippet and run it — via the Run dialog or a terminal — to “fix” the problem. The user does the attacker’s work, and the command pulls down malware.

It’s effective because it routes around the controls everyone leans on. There’s no malicious attachment to scan and no obvious dodgy link to block — the dangerous action is the user pasting a command they were talked into running. The same approach is now showing up off the web, including in QR-code lures that move the victim onto an unmanaged phone.

The defences are layered: application control and endpoint protection that stop unauthorised scripts from executing, removing local admin rights so a pasted command can’t do much, and — genuinely useful here — telling staff plainly that no legitimate website will ever ask them to paste a command to prove they’re human.

What it means for your businessClickFix gets users to run the malware themselves, sidestepping link and attachment filters. Combine application control, least-privilege endpoints and a clear staff message: never paste a command a website tells you to.
Source & referenceACSC — Alerts and advisories ↑