EXECUTIVE SUMMARY:
A set of social engineering campaigns leveraging the ClickFix methodology has been observed targeting both Windows and macOS environments. These campaigns rely on deceptive fix this issue prompts delivered via web pages that impersonate legitimate services and verification challenges to lure victims. They work by coaxing users into executing seemingly benign commands within native system interfaces such as the Windows Run dialog, PowerShell, or macOS Terminal, which then trigger malicious activity. This human-assisted execution model enables attackers to sidestep traditional browser security controls and automated detection mechanisms, making ClickFix a high-impact vector for initial access across a broad range of sectors.
At the core of these campaigns is a social engineering exploitation chain that transitions execution from traditional exploit-based delivery to user-mediated command execution. Victims are directed to crafted landing pages that imitate legitimate interfaces such as CAPTCHAs, human‑verification overlays, or branded login pages which then trigger clipboard manipulation or clear instructions to paste encoded commands into native system utilities like the Windows Run dialog, PowerShell, or macOS Terminal. Once executed, these commands invoke native system tools to retrieve and run obfuscated scripts, effectively bypassing browser security, and many endpoint defenses. Secondary payloads observed include credential‑stealing malware, remote access trojans (RATs), and other data exfiltration tools. The campaigns adapt lure themes and infrastructure fingerprints across clusters impersonating financial services, travel platforms, and system utilities to maximize reach and evade simple filtering or blocking.
The ClickFix technique’s reliance on human‑assisted command execution and native system tooling allows it to evade many conventional defenses, shifting the defensive focus toward behavioral hardening and user awareness. Because threat actors can rapidly build, modify, and retire lure infrastructure, relying solely on static indicators is insufficient. Effective mitigation strategies should include disabling unnecessary system components that facilitate command execution, implementing constrained language or execution environments for scripting interfaces, and enhancing detection of anomalous behavior stemming from user‑initiated executions. As adversaries continue to refine and proliferate ClickFix tactics, this methodology is likely to remain a prominent initial access vector targeting a wide swath of platforms and industries.
THREAT PROFILE:
| Tactic | Technique Id | Technique | Sub-technique |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| T1059.004 | Unix Shell | ||
| T1204.001 | User Execution | Malicious Link | |
| T1204.002 | Malicious File | ||
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Collection | T1560.001 | Archive Collected Data | Archive via Utility |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
REFERENCES:
The following reports contain further technical details:
https://www.recordedfuture.com/research/clickfix-campaigns-targeting-windows-and-macos