ClickFix Evolution: Cross-Platform Social Engineering Targeting Enterprise Workflows

Executive Summary
The threat landscape is witnessing a sophisticated shift in initial access delivery through a social engineering technique known as "ClickFix." Recent investigations into campaign clusters active since May 2024 reveal a highly effective methodology designed to bypass traditional browser security controls and endpoint detection. By impersonating trusted platforms like Intuit QuickBooks and Booking.com, threat actors are tricking users into executing malicious, obfuscated commands directly within native system tools such as the Windows Run dialog box and the macOS Terminal. This "Living-off-the-Land" (LotL) approach represents a significant evolution in cross-platform targeting, moving beyond simple credential harvesting to direct system compromise. SecLookup has been actively monitoring these developments, and our threat intelligence platform has successfully identified and blocked the infrastructure associated with these multi-stage attacks.
Threat Analysis: The Mechanics of ClickFix
The ClickFix technique relies on a fundamental psychological exploit: the "fix-it" reflex. When a user encounters a purported technical error—such as a failed document load, a browser incompatibility, or a security certificate issue—they are primed to follow instructions to resolve the problem.
Technical Workflow and TTPs
The attack sequence typically begins with a compromised website or a dedicated malicious domain that serves a convincing lure. Insikt Group’s analysis highlights five distinct clusters of activity, showing that while the lures vary, the core mechanism remains consistent.
- Infrastructure and Lures: Attackers deploy domains that mimic support or help desks (e.g., account-help.info). These sites often use lures relevant to high-value targets in accounting, legal services, and real estate. Prominent examples include fake Intuit QuickBooks update pages and Booking.com notification errors.
- OS Detection and Delivery: The malicious landing pages fingerprint the visitor's operating system so that the campaign can serve a tailored execution chain. If a Windows user is detected, the site provides a "fix" involving the Windows Run dialog. If a macOS user is detected, the instructions pivot to the macOS Terminal.
- The "ClickFix" Interaction: Instead of a traditional file download (which might be flagged by the browser or EDR), the user is prompted to click a button to "copy the fix" to their clipboard. This "fix" is actually a heavily obfuscated PowerShell command (for Windows) or an AppleScript/Bash command (for macOS).
- User-Driven Execution: The site provides step-by-step visual instructions:
  - Windows: Press Win + R, paste the clipboard content (Ctrl + V), and hit Enter.
  - macOS: Open Terminal, paste the content (Cmd + V), and hit Enter.
- Bypassing Defense: Because the command is executed directly by the user through a native OS utility, it bypasses many browser-based security sandboxes. The execution occurs in-memory, minimizing the disk footprint and evading traditional signature-based antivirus solutions.
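The traits described above (OS fingerprinting, a clipboard-copy button, Run dialog or Terminal paste instructions, shell keywords around the copied string) can be scored by a simple page heuristic. The scanner below is an added example, not SecLookup's engine and not code from the campaigns; the indicator weights, the alert threshold and both sample pages are constructed for the illustration.

```python
"""Heuristic scanner for ClickFix-style lure pages.

Added example, not SecLookup's engine and not code from the campaigns. It
scores an HTML document on the traits described in the workflow: OS
fingerprinting in script, a clipboard-copy handler, Run-dialog or Terminal
paste instructions, and shell keywords near the copied string. Weights and
the threshold are assumptions chosen for this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# (indicator name, weight, pattern)
INDICATORS: List[Tuple[str, int, "re.Pattern"]] = [
    ("os_fingerprint", 2,
     re.compile(r"navigator\.(?:platform|userAgent|userAgentData)", re.I)),
    ("clipboard_write", 3,
     re.compile(r"clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)),
    ("run_dialog_steps", 3,
     re.compile(r"\b(?:win(?:dows)?\s*\+\s*r|run\s+dialog)\b", re.I)),
    ("terminal_steps", 2,
     re.compile(r"\bopen\s+terminal\b|\bcmd\s*\+\s*v\b", re.I)),
    ("paste_and_enter", 2,
     re.compile(r"\b(?:ctrl|cmd)\s*\+\s*v\b.{0,80}\benter\b", re.I | re.S)),
    ("shell_keywords", 3,
     re.compile(r"\b(?:powershell|mshta|osascript|bash|curl)\b", re.I)),
    ("error_lure_text", 1,
     re.compile(r"failed to load|not compatible|certificate (?:error|issue)|update required", re.I)),
]
ALERT_THRESHOLD = 8  # assumption: this many weighted traits sends the page for blocking/review


@dataclass
class ScanResult:
    score: int = 0
    matched: List[str] = field(default_factory=list)

    @property
    def is_suspicious(self) -> bool:
        return self.score >= ALERT_THRESHOLD


def scan_html(html: str) -> ScanResult:
    """Score one HTML document; every matching indicator adds its weight."""
    result = ScanResult()
    for name, weight, pattern in INDICATORS:
        if pattern.search(html):
            result.score += weight
            result.matched.append(name)
    return result


# Constructed lure skeleton: the copied string is only a placeholder label.
LURE_PAGE = """<html><body>
<h2>Document failed to load</h2>
<p>Your browser is not compatible with this document viewer. Click "Fix it",
then press Win + R, paste the clipboard content with Ctrl + V and hit Enter.</p>
<p>On a Mac: Open Terminal, paste with Cmd + V and hit Enter.</p>
<button onclick="navigator.clipboard.writeText(FIX)">Fix it</button>
<script>
  // constructed placeholder: real lures carry an obfuscated powershell or bash command here
  var FIX = navigator.platform.indexOf("Win") >= 0 ? "[windows placeholder]" : "[macos placeholder]";
</script>
</body></html>"""

# Constructed benign page: a legitimate "copy to clipboard" button should not alert.
BENIGN_PAGE = """<html><body>
<h2>Your support reference</h2>
<p>Quote reference <code id="ref">SR-20240517-001</code> when you contact us.
Click the button or press Ctrl + C to copy it.</p>
<button onclick="navigator.clipboard.writeText(document.getElementById('ref').textContent)">Copy</button>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("lure", LURE_PAGE), ("benign", BENIGN_PAGE)):
        r = scan_html(page)
        print(f"{label}: score={r.score} suspicious={r.is_suspicious} {r.matched}")
```

The clipboard-write indicator alone does not alert, because copy buttons are common on legitimate pages; it is the combination with OS branching and paste-into-shell instructions that is characteristic of ClickFix. Tune the weights against your own crawl data before using the threshold for blocking.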
MITRE ATT&CK Mapping
The ClickFix campaigns utilize several tactics and techniques within the MITRE ATT&CK framework:
- Initial Access: Phishing (T1566) and Drive-by Compromise (T1189).
- Execution: User Execution: Malicious Command (T1204.001), Command and Scripting Interpreter: PowerShell (T1059.001), and Command and Scripting Interpreter: AppleScript (T1059.002).
- Defense Evasion: Obfuscated Files or Information (T1027) and Living-off-the-Land (T1218).
SecLookup Detection and Global Intelligence
SecLookup’s threat intelligence engine has been tracking the infrastructure associated with ClickFix clusters since their emergence. Our platform utilizes advanced HTML content analysis and behavioral heuristic modeling to identify malicious web artifacts before they are widely reported.
During the lifecycle of these campaigns, SecLookup was actively detecting and blocking the malicious domains used in the redirection chains and payload hosting. By correlating IP addresses and domain registration patterns, SecLookup provided real-time protection to our users, neutralizing the social engineering lures before they could facilitate host-level compromise. Our telemetry consistently flagged the infrastructure used in the QuickBooks and Booking.com impersonation clusters as high-risk, enabling SOC teams to proactively harden their environments.
Indicators of Compromise (IOCs)
The following indicators have been identified across the various ClickFix clusters. We recommend that organizations ingest these into their SIEM and EDR platforms for immediate blocking and hunting.
Confirmed Malicious Domains
account-help.info
account-helpdesk.icu
account-helpdesk.top
macxapp.org
mrinmay.net
IP Addresses
62.164.177.230
94.156.112.115
193.222.99.212
45.144.233.192
77.91.65.31
193.58.122.97
45.93.20.141
77.91.65.144
152.89.244.70
193.35.17.12
45.93.20.50
91.202.233.206
87.236.16.20
File Hashes (SHA-256)
c0af6e9d848ada3839811bf33eeb982e6c207e4c40010418e0185283cd5cff50
43907e54cf3d1258f695d1112759b5457576481072cc76a679b8477cfeb3db87
397dcea810f733494dbe307c91286d08f87f64aebbee787706fe6561ed3e20f8
b17c3e4058aacdcc36b18858d128d6b3058e0ea607a4dc59eb95b18b7c6acc7c
5d821db386c7c879caeabf3e9f94c94a48eec6ec5a3a0efbae9d69da3f52c1db
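To operationalise the list above, the indicators need to be normalised and matched against telemetry rather than just pasted into a blocklist. The script below is an added example, not SecLookup tooling: the domain, IP and SHA-256 sets are the IOCs from this report, while the proxy log format, the log lines and the file inventory are constructed for the example (benign addresses use RFC 5737 documentation ranges).

```python
"""Hunt for the ClickFix IOCs above in proxy logs and a file inventory.

Added example, not SecLookup tooling. IOC sets come from this report; the
key=value log format, the log lines and the file records are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

IOC_DOMAINS = {
    "account-help.info", "account-helpdesk.icu", "account-helpdesk.top",
    "macxapp.org", "mrinmay.net",
}
IOC_IPS = {
    "62.164.177.230", "94.156.112.115", "193.222.99.212", "45.144.233.192",
    "77.91.65.31", "193.58.122.97", "45.93.20.141", "77.91.65.144",
    "152.89.244.70", "193.35.17.12", "45.93.20.50", "91.202.233.206",
    "87.236.16.20",
}
IOC_SHA256 = {
    "c0af6e9d848ada3839811bf33eeb982e6c207e4c40010418e0185283cd5cff50",
    "43907e54cf3d1258f695d1112759b5457576481072cc76a679b8477cfeb3db87",
    "397dcea810f733494dbe307c91286d08f87f64aebbee787706fe6561ed3e20f8",
    "b17c3e4058aacdcc36b18858d128d6b3058e0ea607a4dc59eb95b18b7c6acc7c",
    "5d821db386c7c879caeabf3e9f94c94a48eec6ec5a3a0efbae9d69da3f52c1db",
}


def domain_hit(host: str) -> Optional[str]:
    """Return the IOC domain on an exact or subdomain match (case/trailing-dot insensitive)."""
    host = host.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def ip_hit(addr: str) -> Optional[str]:
    """Return the address if it is an IOC IP; normalises through ipaddress first."""
    try:
        normalised = str(ipaddress.ip_address(addr.strip()))
    except ValueError:
        return None
    return normalised if normalised in IOC_IPS else None


def hash_hit(digest: str) -> bool:
    return digest.strip().lower() in IOC_SHA256


# Constructed proxy log lines in a simple key=value format.
PROXY_LOG = """\
2024-05-17T10:02:11Z src=10.0.0.23 dst=62.164.177.230 host=account-help.info path=/fix
2024-05-17T10:02:12Z src=10.0.0.23 dst=198.51.100.7 host=www.example.com path=/
2024-05-17T10:05:40Z src=10.0.0.41 dst=45.93.20.141 host=cdn.macxapp.org path=/update
2024-05-17T10:07:03Z src=10.0.0.52 dst=203.0.113.9 host=intranet.example.com path=/docs
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+)")


def hunt_proxy_log(text: str) -> List[Dict[str, object]]:
    """Return one hit per line whose destination host or IP is an IOC."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons = []
        d = domain_hit(m["host"])
        if d:
            reasons.append(f"domain:{d}")
        ip = ip_hit(m["dst"])
        if ip:
            reasons.append(f"ip:{ip}")
        if reasons:
            hits.append({"ts": m["ts"], "src": m["src"], "host": m["host"], "reasons": reasons})
    return hits


# Constructed file inventory (path, sha256); the first entry reuses an IOC hash,
# the second is the SHA-256 of an empty file as a benign placeholder.
FILE_INVENTORY: List[Tuple[str, str]] = [
    (r"C:\Users\alice\Downloads\update.exe",
     "c0af6e9d848ada3839811bf33eeb982e6c207e4c40010418e0185283cd5cff50"),
    (r"C:\Users\alice\Downloads\invoice.pdf",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
]


def hunt_file_inventory(records: List[Tuple[str, str]]) -> List[str]:
    return [path for path, digest in records if hash_hit(digest)]


if __name__ == "__main__":
    for hit in hunt_proxy_log(PROXY_LOG):
        print("proxy hit:", hit)
    print("file hits:", hunt_file_inventory(FILE_INVENTORY))
```

Matching on the registered domain plus any subdomain catches redirect hosts under the same IOC domain (the constructed cdn.macxapp.org line), and normalising addresses through ipaddress avoids misses on differently formatted IPv4 strings in the log. Each hit carries the internal source address, which is the host to triage.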
Recommendations for Defense
While indicator blocking is essential, the transition of ClickFix into a standardized template for both cybercriminals and APTs necessitates a strategy centered on behavioral hardening.
Technical Hardening
- Restrict System Utilities: For Windows environments, evaluate the necessity of the Run dialog box. If it is not required for daily business operations, it can be disabled via Group Policy Objects (GPO).
- PowerShell Security: Implement PowerShell Constrained Language Mode (CLM) to limit the capability of malicious scripts. Ensure that PowerShell logging (Script Block Logging and Transcription) is enabled and forwarded to a centralized SIEM for analysis.
- Terminal Restrictions: For macOS, utilize Mobile Device Management (MDM) solutions to restrict or monitor the execution of unsigned scripts within the Terminal.
- Clipboard Monitoring: While challenging to implement at scale, advanced EDR solutions can be configured to alert on unusual patterns of content being pasted into system shells, especially when originating from browser processes.
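The Run dialog launches its command with explorer.exe as the parent process, and Script Block Logging records the de-obfuscated script text as event 4104, so two of the hardening items above translate directly into detection logic once the telemetry reaches the SIEM. The rules below are an added example, not a vendor rule set: the obfuscation markers are an assumption to tune per environment, and every event, including the harmless Write-Host payload inside the encoded command, is constructed.

```python
"""Detect Run-dialog-launched, obfuscated shells in endpoint telemetry.

Added example, not a vendor rule set. Rule 1: a shell interpreter spawned by
explorer.exe (the parent of anything launched via Win + R) whose command
line, or decoded -EncodedCommand payload, carries obfuscation markers.
Rule 2: Script Block Logging (event 4104) text carrying the same markers.
All events are constructed; the encoded payload is a harmless Write-Host.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
RUN_DIALOG_PARENTS = {"explorer.exe"}

# Switches and cmdlets typical of obfuscated one-liners (assumption: tune per environment).
OBFUSCATION_MARKERS = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b"      # encoded command switch
    r"|-w(?:indowstyle)?\s+hidden"                  # hidden window
    r"|(?:^|\s)-nop\b"                              # no profile
    r"|\biex\b|invoke-expression"                   # evaluation of built strings
    r"|frombase64string|downloadstring|invoke-webrequest",
    re.I,
)
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


@dataclass
class Alert:
    event_id: int
    rule: str
    severity: str
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str) -> Optional[str]:
    """-EncodedCommand carries Base64 of UTF-16LE script text; return it decoded."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_process_event(ev: Dict) -> List[Alert]:
    parent, image = basename(ev["parent_image"]), basename(ev["image"])
    if parent not in RUN_DIALOG_PARENTS or image not in SHELLS:
        return []
    cmd = ev["command_line"]
    decoded = decode_encoded_command(cmd)
    inspected = cmd if decoded is None else f"{cmd}\n{decoded}"  # inspect decoded text too
    if OBFUSCATION_MARKERS.search(inspected):
        return [Alert(ev["id"], "run_dialog_shell_obfuscated", "high", f"{image} from {parent}: {cmd[:60]}")]
    return [Alert(ev["id"], "run_dialog_shell", "medium", f"{image} from {parent}")]


def check_script_block(ev: Dict) -> List[Alert]:
    text = ev["script_block_text"]
    if OBFUSCATION_MARKERS.search(text):
        return [Alert(ev["id"], "script_block_obfuscation", "high", text[:60])]
    return []


def run_detections(process_events: List[Dict], script_blocks: List[Dict]) -> List[Alert]:
    alerts: List[Alert] = []
    for ev in process_events:
        alerts.extend(check_process_event(ev))
    for ev in script_blocks:
        alerts.extend(check_script_block(ev))
    return alerts


# Constructed telemetry. ENCODED is a benign Write-Host, encoded the way PowerShell expects.
ENCODED = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PROCESS_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": f"powershell -w hidden -nop -enc {ENCODED}"},       # Run dialog, obfuscated
    {"id": 2, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
    {"id": 3, "parent_image": r"C:\Windows\System32\cmd.exe", "image": PS,
     "command_line": r"powershell -File C:\scripts\deploy.ps1"},         # admin console, ignored
    {"id": 4, "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell"},                                       # Run dialog, plain shell
]
SCRIPT_BLOCKS = [
    {"id": 5, "script_block_text": "$s = [Text.Encoding]::Unicode.GetString("
                                   "[Convert]::FromBase64String('QQ==')); Invoke-Expression $s"},
    {"id": 6, "script_block_text": "Get-Service | Where-Object Status -eq 'Running'"},
]

if __name__ == "__main__":
    for a in run_detections(PROCESS_EVENTS, SCRIPT_BLOCKS):
        print(f"event {a.event_id}: [{a.severity}] {a.rule} - {a.detail}")
```

A plain interactive shell opened from the Run dialog is only raised at medium severity, since administrators do that legitimately; the combination with an encoded command and a hidden window is what matches the ClickFix pattern. Decoding the -EncodedCommand argument before inspection matters because the switches alone say nothing about what the script does, and Script Block Logging is the fallback that still captures the de-obfuscated text when the command line itself has been disguised.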
User Awareness and Training
Standard phishing simulations often focus on malicious attachments or links. Organizations should update their training modules to include:
- Interaction-Based Social Engineering: Educate users that no legitimate software support (Microsoft, Intuit, Apple) will ever ask them to copy and paste code into a Command Prompt, PowerShell, or Terminal window to "fix" a browser error.
- Reporting Procedures: Streamline the process for users to report "weird" browser pop-ups, even if they didn't follow the instructions.
Proactive Intelligence
Operationalize Digital Risk Protection (DRP) tools to monitor for domain registrations that typo-squat your brand or third-party vendors your organization relies upon. Early detection of look-alike domains can allow for preemptive blocking before a campaign reaches your users.
References
- Recorded Future (Insikt Group), "ClickFix Campaigns Targeting Windows and macOS," March 25, 2026.