< ciso
brief />
Tag Banner

All news with #clickfix tag

79 articles · page 2 of 4

Atomic Stealer ClickFix Shift Targets macOS Script Editor

🛡️ Jamf Threat Labs has identified a macOS malware campaign delivering the Atomic Stealer (AMOS) infostealer/backdoor using a ClickFix social engineering technique that now leverages Script Editor instead of Terminal. Attackers display fake Apple guidance in a browser window to convince users to paste and run malicious commands, bypassing Terminal paste-scanning warnings added in the macOS 26.4 update. Network defenders are advised to restrict clipboard and run-dialog use, limit execution of untrusted binaries, and block suspicious adverts and sites.
read more →

macOS Atomic Stealer campaign leverages Script Editor

⚠️ Researchers at Jamf observed a ClickFix variation that uses the built-in Script Editor and the applescript:// URL scheme to deliver the Atomic Stealer (AMOS) to macOS users. Victims are lured to fake Apple-themed pages that launch Script Editor with prefilled AppleScript executing an obfuscated "curl | zsh" chain, avoiding the need to open Terminal. The delivered code decodes a base64+gzip payload, writes a Mach-O binary to /tmp/helper, strips extended attributes with "xattr -c", makes it executable, and runs it. Treat Script Editor prompts as high risk and follow official Apple troubleshooting guidance rather than third-party guides.
read more →

Casbaneiro Phishing Targets Latin America and Europe

🛡️ A coordinated phishing campaign attributed to Brazilian operators known as Augmented Marauder and Water Saci is targeting Spanish-speaking users across Latin America and Europe to deliver Windows banking trojans, notably Casbaneiro, using a secondary spreader named Horabot. The attack begins with court-summons-themed emails containing password‑protected PDFs that link to ZIP archives which deploy HTA, VBS, and AutoIt loaders to unpack encrypted payloads. Researchers at BlueVoyant say the threat actor combines WhatsApp automation, ClickFix social engineering, and an email‑hijacking engine that forges bespoke PDFs via a remote API and abuses compromised Outlook accounts to forward tailored phishing messages.
read more →

DeepLoad Loader Uses ClickFix Lure and WMI Persistence

🔒 ReliaQuest researchers detail a new malware loader, DeepLoad, distributed via an ClickFix social-engineering lure that tricks users into pasting PowerShell commands into the Windows Run dialog. The chain leverages mshta.exe to execute an obfuscated PowerShell loader that likely uses AI-assisted obfuscation and conceals its payload in a LockAppHost.exe process while disabling PowerShell history to reduce traces. DeepLoad compiles transient C# DLLs in Temp, uses APC injection to run shellcode in suspended trusted processes without writing decoded payloads to disk, steals browser credentials and sessions, drops a persistent malicious browser extension, copies itself to USB devices via deceptive shortcuts, and employs WMI event subscriptions to reinfect cleaned systems.
read more →

Apple adds macOS Terminal warning to block ClickFix

⚠️ Apple has introduced a new security measure in macOS Tahoe 26.4 that delays execution when users paste commands into Terminal and displays a warning highlighting potential risks. The mechanism appears aimed at mitigating ClickFix social‑engineering attacks that trick users into pasting malicious commands. Users may cancel the paste or choose to proceed if they understand the command, and Apple has not yet published official documentation for the behavior.
read more →

DeepLoad Malware Uses ClickFix and AI to Evade Detection

⚠️ DeepLoad is a newly detailed malware campaign combining the ClickFix social-engineering trick with AI-assisted code padding to hide credential-stealing payloads and evade file-based scanners. ReliaQuest, on March 30, warned the campaign targets enterprise accounts, hides inside the Windows lock screen process, and can persist via a WMI-based reactivation three days after removal. Researchers also observed USB propagation and recommend enabling PowerShell Script Block Logging, auditing WMI subscriptions, and changing affected user passwords.
read more →

Infinity Stealer targets macOS using ClickFix and Nuitka

⚠️Researchers at Malwarebytes detail a macOS info-stealing campaign that uses a Python payload compiled into a native binary with Nuitka, delivered via a ClickFix page impersonating Cloudflare. Victims are tricked into pasting a base64-obfuscated curl command into Terminal, which boots a staged installer that removes quarantine flags and launches a Nuitka loader. The loader contains a compressed payload and performs anti-analysis checks before harvesting browser credentials, Keychain entries, cryptocurrency wallets and developer secrets.
read more →

High-Tech Sector Becomes Top Cyberattack Target in 2025

🔍 Mandiant's M-Trends 2026 report finds the high-tech sector overtook finance as the most targeted industry in 2025, accounting for 17% of incident response investigations. The report also records a global median dwell time increase to 14 days and highlights widespread adoption of the ClickFix social-engineering technique. Analysts observed a surge in vishing and a strategic ransomware shift toward deliberate recovery denial, with attackers specifically targeting backups, identity services and virtualization management planes.
read more →

LeakNet Adopts ClickFix and Deno In-Memory Loader Technique

🔒 LeakNet has begun using ClickFix on compromised websites to trick users into running malicious msiexec commands, according to ReliaQuest. The group pairs this social-engineering tactic with a staged, Deno-based in-memory loader that executes Base64-encoded JavaScript and pulls additional stages directly into memory, minimizing on-disk evidence. Post-compromise behavior is consistent and repeatable, with DLL side-loading, lateral movement via PsExec, S3-backed exfiltration, system fingerprinting (including cmd.exe klist), and eventual ransomware deployment. ReliaQuest warns the approach reduces reliance on brokers, broadens access vectors, and is being seen across varied threat activity.
read more →

LeakNet Uses Deno Runtime and ClickFix for Stealthy Attacks

🔒LeakNet has adopted the social-engineering ClickFix lure to gain initial access and now deploys a loader that leverages the legitimate Deno runtime to decode and execute JavaScript in memory. By running signed Deno binaries, operators minimize disk artifacts and evade blocklists, often initiating activity via VBS and PowerShell scripts named like Romeo*.ps1 and Juliet*.vbs. Post-compromise actions include DLL sideloading, PsExec lateral movement, credential discovery, C2 beaconing, and data exfiltration to abused Amazon S3 buckets, offering clear detection opportunities for defenders.
read more →

ClickFix Campaigns Deliver MacSync macOS Infostealer

🛡️ Sophos researchers identified three ClickFix campaigns that used malicious search ads and trusted-host lures to coax macOS users into pasting and executing terminal commands, resulting in the deployment of the MacSync infostealer. The campaigns—first observed in November and December 2025 and refreshed in February 2026—leveraged fake Google Sites, ChatGPT conversation redirects, and GitHub-style pages. The February variant introduced dynamic AppleScript and in-memory execution to harvest credentials, keychain data, files, and crypto seed phrases while attempting to erase traces.
read more →

ClickFix Lures Evolve to Deploy New In‑Memory Infostealers

🔒 Researchers warn that criminals have scaled ClickFix social-engineering lures to deliver sophisticated, fileless infostealers via compromised WordPress sites. Rapid7 observed a campaign active since December 2025 that leveraged fake Cloudflare CAPTCHA prompts across more than 250 WordPress domains in 12 countries to trick victims into running obfuscated commands. The chain deploys an in-memory loader called DoubleDonut that injects payloads into legitimate Windows processes, and analysts also observed novel .NET and C++ stealers alongside a new Vidar variant. Microsoft noted a separate campaign that pivots from the Run dialog to Windows Terminal for execution.
read more →

New ClickFix Variant Uses WebDAV and Trojanized Electron App

🔎 Atos researchers disclosed a ClickFix variation that leverages the Run dialog to execute a 'net use' command, map a remote WebDAV share, and run a hosted batch file. The chain downloads a ZIP that unpacks a trojanized WorkFlowy Electron app whose app.asar contains an obfuscated main.js acting as a persistent C2 beacon and dropper. The campaign evaded Microsoft Defender for Endpoint and was detected through targeted hunting of RunMRU registry activity.
read more →

WordPress sites abused to deliver ClickFix infostealers

🔒 Rapid7 has identified a widespread campaign that compromises legitimate WordPress websites to infect visitors with infostealer malware. Attackers display a convincing fake Cloudflare CAPTCHA and use the ClickFix social‑engineering trick to prompt victims to paste commands into Windows Run, initiating staged downloads. Observed payloads include Vidar, Impure, Vodka and Double Donut. Site administrators are urged to update components, enable MFA, use strong passwords and avoid executing untrusted code on credential-bearing devices.
read more →

Termite Ransomware Breaches Tied to ClickFix, CastleRAT

🔒 Researchers at MalBeacon observed the threat actor Velvet Tempest using a ClickFix malvertising chain to trick victims into pasting obfuscated commands into the Windows Run dialog. Operators leveraged nested cmd.exe chains and legitimate utilities (including finger.exe and csc.exe) to stage loaders, compile .NET components, and deploy Python-based persistence under C:\ProgramData. The intrusion staged DonutLoader and retrieved the CastleRAT backdoor, though Termite ransomware was not deployed during the observed exercise.
read more →

ClickFix phishers use Win+X shortcut to evade defenses

⚠ Attackers have shifted ClickFix phishing to use the Windows + X → I shortcut to open Windows Terminal, prompting victims to paste malicious PowerShell via fake CAPTCHAs and verification prompts. This avoids detections focused on Run (Win+R) and undermines basic security training. Microsoft says the campaign launches layered, persistent chains that decode embedded hex, download a renamed 7-Zip binary to extract payloads, establish persistence, apply Defender exclusions, and exfiltrate data.
read more →

Microsoft: ClickFix Uses Windows Terminal to Deploy Malware

⚠️ Microsoft disclosed a ClickFix social engineering campaign observed in February 2026 that leverages the Windows Terminal app to execute malicious commands and deliver the Lumma Stealer. Attackers instruct targets to open Windows Terminal (wt.exe) via Windows+X → I and paste hex‑encoded, XOR‑compressed commands from fake CAPTCHA or troubleshooting pages, avoiding Run‑dialog detection. The decoded chain downloads a ZIP and a renamed 7‑Zip binary to extract payloads, sets persistence, configures Defender exclusions, and injects the stealer into browser processes to harvest stored credentials.
read more →

QuickLens Chrome Extension Compromised to Steal Crypto

⚠️The QuickLens Chrome extension was removed from the Chrome Web Store after a malicious update (v5.8) was pushed that added info‑stealing and ClickFix attack functionality. Security researchers found the extension stripped security headers, added powerful permissions, and contacted a command‑and‑control server to fetch and run payloads on every page. A fake Google Update prompt led to malware that targeted Windows and attempted to steal browser credentials and cryptocurrency seed phrases. Google has disabled the extension; affected users should remove it, scan devices, reset passwords, and move funds from compromised wallets.
read more →

Variations of ClickFix technique and evolving delivery

🔒 The Kaspersky Team outlines evolving variations of the ClickFix social‑engineering technique, where attackers trick users into executing malicious commands on their own machines. Recent campaigns abuse legitimate utilities such as mshta.exe, nslookup and the legacy Finger protocol, and have used platforms like TikTok, Pastebin and fake extension pages to prompt victims to run code. Observed payloads include infostealers and remote access trojans such as ModeloRAT. Organizations are advised to prioritize user awareness and robust endpoint and XDR controls to mitigate these risks.
read more →

ClickFix Attack Uses nslookup DNS to Deliver PowerShell

⚠️ Microsoft has identified a novel ClickFix social-engineering variant that instructs victims to run an nslookup against an attacker-controlled resolver to retrieve a malicious PowerShell script embedded in the DNS NAME field. The response is parsed and executed via cmd.exe, then pulls a second-stage ZIP containing a Python runtime and scripts that lead to the ModeloRAT remote-access trojan. Organizations should monitor unusual DNS queries to untrusted nameservers and apply endpoint controls to block unauthorized script execution and persistence.
read more →