⚠️ Security Warning

ClickFix lures can lead to malware and computer viruses. If you see text like this online, it's likely a scam.

Back to Techniques

Fake Google Meet ClickFix

A sophisticated ClickFix variant that impersonates Google Meet video conferencing. The phishing page displays a fake "Can't join the meeting" error and instructs users to press Win+R, then Ctrl+V, then Enter to execute a malicious command that was silently copied to their clipboard. This technique was documented by Push Security as "the most advanced ClickFix yet" in November 2025. According to Microsoft's 2025 Digital Defense Report, ClickFix accounted for 47% of initial access methods in the past year.

windows browser Clipboard Hijack PowerShell Social Engineering Video Tutorial

Can't join the meeting

Try Example
Clipboard Hijack PowerShell Social Engineering

The fake Google Meet page shows a realistic video conferencing interface with a popup stating "Can't join the meeting" and instructions to execute a command via Win+R. The malicious command is automatically copied to the clipboard via JavaScript when the page loads.

  1. User receives link to fake Google Meet (e.g., gogl-meet.com, meet.conference-web.com)

  2. Page displays fake Google Meet interface with 'Can't join the meeting' error

  3. Instructions say: Press Win+R, then Ctrl+V, then Enter

  4. Malicious PowerShell command was silently copied to clipboard

  5. User unknowingly executes malware

References:

Mitigations:

  • User education: Never paste commands from websites into Run dialog

  • Detect clipboard.writeText calls followed by Win+R instructions

  • Block known fake video conferencing domains

  • Monitor for PowerShell spawned from explorer.exe after Win+R

Contributor: ClickGrab (2025-11-29)

Permission needed variant

Try Example
Clipboard Hijack PowerShell Social Engineering

A variant that shows "Permission needed" for camera/microphone access, then redirects to the ClickFix payload. The page may show a loading spinner or fake "Ready to join?" button.

  1. User visits fake meeting link

  2. Page shows 'Permission needed' prompts for camera/microphone

  3. After interaction, ClickFix popup appears

  4. Same Win+R, Ctrl+V, Enter instruction sequence

References:

Mitigations:

  • Verify meeting URLs match official domains (meet.google.com)

  • Be suspicious of permission prompts followed by command instructions

Contributor: ClickGrab (2025-11-29)

Embedded video tutorial

Try Example
Clipboard Hijack PowerShell Social Engineering Video Tutorial

The most advanced variant includes an embedded video showing users exactly how to complete the "verification" steps. This increases success rate by providing visual guidance for the attack.

  1. User visits fake meeting page

  2. Video demonstrates Win+R, Ctrl+V, Enter sequence

  3. Countdown timer and 'users verified' counter add urgency

  4. User follows video instructions, executing malware

References:

Mitigations:

  • Never follow video instructions to run commands

  • Legitimate services never ask users to run commands manually

Contributor: ClickGrab (2025-11-29)