Citadel / Controls / ClickFix Protection

ClickFix & Clipboard Command Scams

What is this?

ClickFix (and its variants FileFix and pastejacking) is a social-engineering attack. A web page convinces you to copy something to your clipboard and paste it somewhere that runs commands β€” most often PowerShell, the Windows Run dialog (Win + R), the File Explorer address bar, or a Terminal. What you paste is not what it appears to be: it is a command that downloads and runs malware on your computer.

The lure is usually a fake instruction: "Verify you are human β€” press Win+R, then Ctrl+V, then Enter", "To fix this error, paste the following into PowerShell", or a fake CAPTCHA / document-preview that tells you to follow a few "quick steps". Because you performed the paste, the attack sidesteps many browser and download protections.

Citadel watches the clipboard itself. Whenever a command-like payload lands on your clipboard β€” whether a script wrote it, swapped it during a copy, or you copied text the page was displaying β€” Citadel scores it and warns you before you paste it anywhere dangerous.

Why is this dangerous?

🎣

It turns you into the delivery mechanism

The page never runs the command β€” you do. A single paste into PowerShell or the Run box can install info-stealers, ransomware, or remote-access malware in seconds.

🎭

What you see isn't what you paste

The clipboard can be swapped at copy time, padded with spaces to hide the real command off-screen, or disguised as a harmless-looking file path (FileFix).

⏎

It often runs instantly

A hidden trailing newline means the command executes the moment it is pasted into the Run dialog or a terminal β€” you never get a chance to read it.

How to stay safe

  1. Never paste anything into PowerShell, Terminal, or the Run dialog (Win + R) because a web page told you to. Legitimate websites never ask you to do this.
  2. Be suspicious of any "verify you are human", "fix this error", or "complete these steps" message that involves keyboard shortcuts and pasting.
  3. If Citadel shows you a clipboard warning, stop. Do not paste. Clear your clipboard by copying some harmless text (or just copy this sentence).
  4. If you are unsure, contact your IT / security support before doing anything.
⚠️ Remember
  • Copying is harmless. Pasting into a command prompt is where the damage happens.
  • This protection is a safety net, not a guarantee β€” it judges clipboard content, not your intent.
  • It cannot see commands you type by hand, or copy from an e-mail, screenshot, or another application.

Try it yourself (safe demos)

Each button below puts a real but harmless command on your clipboard, exercising a different way an attacker delivers one. If the Citadel extension is active you should see a warning each time. Use the paste box at the bottom to inspect what actually landed on your clipboard β€” that is safe.

πŸ›‘ Do not paste these into PowerShell, a terminal, or the Run dialog. The demo commands are harmless (they only print a message), but the whole point of this page is to build the habit of not pasting clipboard commands into a shell. Paste only into the inspection box below.

1. A page script writes the command (clipboard.writeText)

Programmatic clipboard write

The classic ClickFix delivery: a script silently places a command on your clipboard, often ending in a newline so it auto-runs the instant it is pasted.

2. A page disguises a command as a file path (FileFix, execCommand)

Path-disguised command

FileFix tells you to paste a "file path" into the Explorer address bar β€” but the path is actually a command.

3. The clipboard is swapped during copy (pastejacking, setData)

What you see is not what you get

The text below looks like a harmless install command. Copy it with the button β€” a copy handler swaps in something else. Paste into the box at the bottom to see the difference.

npm install citadel-helper

4. You manually copy a command the page displays (read-side)

Select & copy by hand

No script needed. Select the command below and press Ctrl/Cmd + C β€” Citadel scores whatever you copy, regardless of how it got onto the clipboard.

powershell -NoProfile -Command "Write-Host 'Citadel ClickFix test β€” if this were real, malware would now be running'"

5. A normal copy that should not warn

Benign control

For comparison: copying an ordinary URL has no shell-command signals, so Citadel stays silent.

https://citadelagent.org/control/ClickFix

Inspect your clipboard (safe)

Click here and paste (Ctrl/Cmd + V) to see exactly what is on your clipboard. This is a plain text box β€” pasting here runs nothing.