RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: clickfix (4 articles)Clear
threat
2026-04-28

North Korean hackers are recording fake Zoom meetings with real crypto executives, then using the footage and AI-generated lookalikes to scam the next target

North Korea's BlueNoroff group has built a self-reinforcing deepfake pipeline that turns each victim into the lure for the next attack. Arctic Wolf documented the pattern: attackers send a Calendly invite that looks like a normal business meeting, then quietly swap the Google Meet link for a typo-squatted Zoom URL. When the target joins, a fake Zoom interface secretly records their webcam feed while a clipboard-injection attack drops malware. The captured footage is mixed with AI-generated lookalikes (built using ChatGPT for synthetic portraits) and recycled into the next attack. Arctic Wolf found 950 files in BlueNoroff's media server. 80% of identified targets are crypto executives.

bluenorofflazarusapt38dprkdeepfakefake-zoomclickfixcryptocurrencyarctic-wolfcalendlysocial-engineering
Check
Brief every executive in your organization that any 'Zoom SDK update' prompt asking them to copy and paste commands into their terminal during a meeting is a North Korean malware drop.
Affected
Cryptocurrency executives, Web3 founders, and CEOs at fintech and blockchain companies - 45% of identified targets are CEOs and founders, 80% are in crypto or adjacent sectors. Anyone whose webcam footage was exfiltrated by BlueNoroff is now appearing as a fake meeting participant targeting their professional network.
Fix
Train executives that any 'SDK update' prompt during a meeting is hostile - real Zoom and Teams never ask users to paste commands into terminals. Verify out-of-band before joining any meeting from an unsolicited Calendly link. Block known BlueNoroff infrastructure (Petrosky Cloud LLC AS400897 and the 80 typosquat domains in Arctic Wolf's IoCs). Consider a dedicated meeting device for high-risk executives.
threat
2026-04-24

Lazarus 'Mach-O Man' macOS malware kit hitting fintech and crypto execs through fake Telegram meeting invites and ClickFix terminal commands

ANY.RUN and Dark Reading published research on Mach-O Man, a new macOS malware kit Lazarus is deploying against fintech and crypto executives. The chain begins on Telegram with what looks like a legitimate meeting invite from a known contact, leading to a fake Zoom/Teams/Meet page that displays a fake 'connection issue' and instructs the executive to copy-paste a command into Mac Terminal. That ClickFix command grabs credentials, browser sessions, and Keychain data and exfiltrates over Telegram bot APIs. Lazarus has used the same template across the Drift and KelpDAO compromises, totaling more than $500M stolen in two weeks.

lazarusdprkmach-o-manmacosclickfixtelegramfintechcryptoany-runsocial-engineering
Check
Brief executive, finance, and treasury staff who use Telegram for business communication this week. The lure is a meeting invite from someone they trust, not a cold approach.
Affected
macOS users in executive, finance, business development, and partner-relations roles - particularly those who use Telegram for business. The technique works because the user runs the command themselves, bypassing most preventive controls including macOS endpoint protection. Mach-O Man is not Lazarus-only; other criminal groups have already adopted the kit.
Fix
Train executives never to copy-paste a 'fix' command into Terminal at a meeting page's request, regardless of how legitimate the invite looks. Log and alert on Terminal launches that fetch and execute remote content via curl, wget, osascript, or bash. Hunt for processes in tight infinite loops with Keychain access. Consider Lockdown Mode for high-risk roles.
defense
2026-03-30

macOS Tahoe 26.4 blocks ClickFix paste attacks in Terminal - update your Mac fleet now

Apple shipped an undocumented security feature in macOS Tahoe 26.4 that directly targets ClickFix attacks - the social engineering technique behind the Infinity Stealer campaign we covered last week. When a user tries to paste a potentially harmful command into Terminal, macOS now intercepts it with a warning before anything executes. The feature only covers Apple's built-in Terminal app, not third-party alternatives like iTerm2. A 'Paste Anyway' option remains for power users.

applemacosclickfixterminalsocial-engineering
Check
Check if your Mac fleet is running macOS Tahoe 26.4 or later.
Affected
Any macOS user on versions prior to 26.4 who may encounter ClickFix social engineering attacks via fake CAPTCHA pages or tech support sites.
Fix
Update to macOS Tahoe 26.4. Push the update via MDM for managed fleets. Train staff to never paste commands from websites into Terminal regardless of the prompt - the protection only covers Terminal.app, not third-party terminals.
threat
2026-03-28

New Infinity Stealer malware targets macOS through fake Cloudflare CAPTCHA pages

A new macOS infostealer called Infinity Stealer tricks users through fake Cloudflare CAPTCHA pages - a technique called ClickFix. Victims paste a command into Terminal thinking they're verifying their identity, but it silently installs malware. The payload is compiled with Nuitka - turning Python into native macOS binaries that are much harder for security tools to detect. It steals browser credentials, Keychain data, and crypto wallets.

macosinfostealerclickfixsocial-engineering
Check
Alert your team - especially Mac users - to never paste unknown commands into Terminal from websites.
Affected
Any macOS user who encounters a Cloudflare-style CAPTCHA asking them to open Terminal.
Fix
Train staff to recognize fake CAPTCHA pages. Block the domain update-check[.]com. Run endpoint detection on macOS devices.