A sophisticated social engineering technique, dubbed ClickFix, is gaining significant traction, enabling threat actors to trick both Windows and macOS users into manually executing malicious commands. These commands, upon execution, stealthily install malware onto victims’ devices. This method, first identified in late 2023, has rapidly evolved from a niche tactic to one of the most prevalent initial access strategies within the cybercriminal landscape.
The inherent danger of the ClickFix attack lies in its deceptive normalcy. Instead of exploiting direct software vulnerabilities, it presents users with convincing fake verification screens mimicking legitimate services like Cloudflare CAPTCHA or Google reCAPTCHA. Through background JavaScript, a malicious command is silently copied to the user’s clipboard. Victims are then prompted to paste this command into the Windows Run dialog box or the macOS Terminal, unknowingly granting attackers direct access to their systems.
The Evolving Threat of ClickFix Attacks
Researchers at Recorded Future’s Insikt Group have identified five distinct ClickFix clusters. While all employ the same underlying deception mechanism, they differ in their thematic lures, underlying infrastructure, and targeted industry sectors. The impersonated services include well-known platforms such as Intuit QuickBooks, Booking.com, and the AI marketing tool Birdeye. Consequently, the attacks have impacted sectors including accounting, travel, real estate, and legal services.
A report published on March 25, 2026, confirms the widespread adoption of this method, noting its use by both general cybercriminal groups and potentially state-sponsored actors, including APT28 and North Korea’s PurpleBravo. The common thread across all identified ClickFix clusters is their reliance on a “living-off-the-land” (LotL) approach. This strategy involves leveraging legitimate, built-in system tools already present on the operating system to execute malicious actions. By routing command execution through native utilities like PowerShell on Windows or the Terminal on macOS, attackers can effectively evade many standard browser-based security defenses.
The malware families deployed through these campaigns are diverse and potent, including NetSupport RAT, Odyssey Stealer, Lumma Stealer, and MacSync. These tools are designed for capabilities such as remote system control, credential harvesting, and the theft of cryptocurrency wallet data from compromised machines.
Understanding the Four-Stage Infection Chain
The ClickFix infection chain consistently follows a four-stage progression across both Windows and macOS environments. The process begins with an obfuscated user input, progresses through native system shell execution, facilitates the retrieval of payloads from remote infrastructure, and culminates in in-memory execution, leaving minimal traces on disk.
On Windows systems, users are typically directed to open the Run dialog box and paste a command that appears to be for verification purposes. Within the QuickBooks-themed cluster, for instance, the pasted command triggers a hidden PowerShell process. This process utilizes mixed-case obfuscation and shortened parameter aliases to bypass signature-based detection mechanisms. The initial stage then contacts attacker-controlled domains, such as nobovcs[.]com, to retrieve a secondary script. This script, often named bibi.php, is responsible for installing the NetSupport RAT. As a deceptive measure, the script generates a randomly named folder within the user’s local app data directory, often using romantic-themed words, to appear innocuous and avoid detection.
On macOS, the attack path mirrors this in its use of the Terminal. In one identified cluster, a landing page impersonating Apple’s support site instructed users to execute a command supposedly to free up storage space. This command, however, employed stacked encoding layers, first decoding hex to Base64, and then piping the result through the zsh shell. This multi-layered obfuscation allowed the silent download and execution of MacSync, an information-stealing malware. Further demonstrating the attackers’ refinement, another cluster was observed automatically detecting the victim’s operating system and serving a tailored command for each platform, highlighting the careful customization of these attacks.
Following successful execution, the final malware payload operates entirely in memory, significantly reducing the forensic evidence left on the device. On Windows, persistence is often achieved by placing a shortcut within the Startup folder, ensuring the malware can reactivate automatically upon each system reboot.
To mitigate the risks associated with ClickFix attacks, security teams should consider disabling the Windows Run dialog box through Group Policy Objects, thereby removing a primary delivery vector. Implementing PowerShell Constrained Language Mode, in conjunction with AppLocker or Windows Defender Application Control policies, can help prevent unauthorized script execution. On macOS systems, restricting Terminal access through mobile device management and ensuring System Integrity Protection remains enabled are crucial steps. Across both platforms, targeted user awareness training focusing on recognizing and refusing manual verification prompt scams remains one of the most effective defenses against ClickFix attacks.