Malware Delivery Via Social Engineering Soars with ClickFix Technique
A new threat has emerged in the world of cybersecurity: the social engineering technique ClickFix has become the dominant method for malware delivery. In just two years, this tactic has gone from an emerging strategy to a widespread favorite among threat actors. According to research by ReliaQuest, which analyzed threat activity from March 1 to May 31, ClickFix outpaced all other methods in both the initial-access and defense-evasion categories.
ClickFix works by tricking targeted individuals into copying and pasting malicious commands into system dialogs like Windows Terminal. Attackers achieve this by presenting users with error messages or verification prompts that include text-based commands to “fix” whatever issue is presented. This approach bypasses traditional file scanning and email-based defenses, making it a highly effective method for malware delivery.
The technique has evolved over the past two years, with several variants emerging. One notable example is CrashFix, which continually crashes users’ browsers and presents malicious commands as a remedy. Another variant uses search engine optimization (SEO) poisoning to weaponize AI models. ReliaQuest also observed attacks using a combination of these tactics, making it increasingly difficult for security teams to detect and respond.
One significant finding from the research is that ClickFix activity has expanded to macOS systems. This means the technique can no longer be treated as a special case; instead, training, detection, and triage should run continuously on both Windows and macOS platforms.
ReliaQuest researchers also observed that threat actors have shifted their tactics in recent months. Instead of using fake versions of pirated or cracked software to lure victims into installing malware, attackers are now using applescript:// links that automatically open Script Editor, a scripting app built into macOS. This change was likely designed to bypass the warning Apple added in macOS 26.4, which alerts users when they paste commands into the Terminal command-line app.
The use of ClickFix has driven nearly 28% of defense-evasion activity through command and file obfuscation techniques. The cybersecurity vendor highlighted a specific ClickFix loader designed to deliver “Deepload” malware, which uses AI-generated obfuscation to hide the malware’s logic under thousands of variable assignments that look like routine scripting.
In addition, ReliaQuest observed that ClickFix attackers are targeting developers with a variety of effective vectors. For example, traditional fake CAPTCHA and verification prompts remain active on Windows, while researchers also observed phony software installation guides targeting macOS users.
To mitigate the risk of ClickFix attacks, security teams should be aware of the following:
* Continuous monitoring and response coverage is essential for both Windows and macOS systems.
* Threat actors are using a variety of effective vectors to gain initial access, including traditional fake CAPTCHA and verification prompts, as well as malvertising campaigns via Google Ads that masquerade as developer tools.
* Security teams should be prepared to adapt quickly to new variants of ClickFix attacks, which can emerge rapidly due to the use of AI-generated obfuscation.
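Two of the indicators described above (applescript:// links that launch Script Editor, and loaders that bury logic under thousands of variable assignments) can be triaged with simple heuristics. The following is an added example, not code from ReliaQuest or Dark Reading; the event fields, thresholds, and sample records are constructed assumptions, not a vendor's telemetry schema.

```python
import re

# Assumed generic telemetry record (not a specific vendor schema):
#   id, kind ("url" for a browser navigation, "script" for script text
#   handed to an interpreter), value (the URL or the script body).
# Matches a bare assignment line in common scripting syntaxes,
# e.g. "var v1 = 7;", "x = 1", "set x to 5" (but not "x == y").
ASSIGN_RE = re.compile(r"^\s*(var|let|const|set|\$)?\s*[A-Za-z_]\w*\s*(to|=)\s*[^=].*$")

def is_applescript_link(url: str) -> bool:
    """applescript:// links open Script Editor straight from a web page,
    sidestepping the paste warning macOS shows for Terminal."""
    return url.strip().lower().startswith("applescript://")

def assignment_density(script: str) -> float:
    """Fraction of non-blank lines that are bare variable assignments.
    Assignment-padded loaders drive this close to 1.0."""
    lines = [line for line in script.splitlines() if line.strip()]
    if not lines:
        return 0.0
    return sum(1 for line in lines if ASSIGN_RE.match(line)) / len(lines)

def triage(events, min_lines=200, density=0.9):
    """Return (id, reason) pairs for events worth an analyst's look.
    Thresholds are assumed starting points, not published values."""
    flagged = []
    for ev in events:
        if ev["kind"] == "url" and is_applescript_link(ev["value"]):
            flagged.append((ev["id"], "applescript:// link"))
        elif ev["kind"] == "script":
            body = ev["value"]
            count = len([line for line in body.splitlines() if line.strip()])
            if count >= min_lines and assignment_density(body) >= density:
                flagged.append((ev["id"], "assignment-padded script"))
    return flagged

# Constructed samples: a 1200-line padded script and one applescript:// URL.
PADDED = "\n".join(f"var v{i} = {i * 7 % 13};" for i in range(1200)) + "\nrun(v3);\n"
SAMPLE_EVENTS = [
    {"id": 1, "kind": "url", "value": "https://example.com/docs/install"},
    {"id": 2, "kind": "url", "value": "applescript://constructed-sample"},
    {"id": 3, "kind": "script", "value": "x = 1\nprint(x)\n"},
    {"id": 4, "kind": "script", "value": PADDED},
]

if __name__ == "__main__":
    for item in triage(SAMPLE_EVENTS):
        print(item)
```

Running it flags only events 2 and 4; real deployments would pair the script check with process-creation context (which interpreter ran it, and from where) to keep false positives from legitimate generated code low.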
By staying vigilant and proactive in their defense strategies, security teams can help prevent the spread of malware delivered through the ClickFix technique.
Source: Dark Reading — 2026-07-01