⚠️ Security Warning

ClickFix lures can lead to malware and computer viruses. If you see text like this online, it's likely a scam.

Back to Techniques

ClickOnce launcher (dfshim)

ClickOnce (.application) links can launch the ClickOnce installer via the DFShim component, often brokered by rundll32/shell handlers. Still encountered in enterprise apps; has been abused in phishing.

windows gui GUI

Open ClickOnce app (safe demo)

Try Example
GUI

  1. In a browser, navigate to a benign .application link (lab only)

  2. Accept prompts to view how ClickOnce presents install UI

References:

Mitigations:

  • Restrict ClickOnce; require code signing; block untrusted sources

Contributor: ClickGrab (2025-09-16)