Latest news with #ClickFix
Fox News
5 days ago
- Fox News
Malware targets Mac users with fake CAPTCHA and AMOS Stealer
ClickFix, a social engineering tactic that has been targeting both Windows and Mac users since early 2024, continues to evolve. Just last month, I reported on how attackers were using fake CAPTCHA prompts to trick Windows users into installing malware themselves. Now, that same trick is being turned against macOS. Cybersecurity researchers have uncovered a new campaign using ClickFix to deliver Atomic macOS Stealer (AMOS), a powerful information-stealing malware targeting Apple systems. Security researchers at CloudSEK have identified a new threat targeting macOS users through imitation and deception. The campaign uses a technique known as ClickFix to lure victims through fake online verification prompts. This time, attackers are spoofing Spectrum, a major telecom provider in the United States. They use fraudulent domains that closely resemble Spectrum's real support portals. These include misleading addresses like panel spectrum net and spectrum ticket net. Visitors to these sites are shown a standard-looking CAPTCHA box, asking them to verify their identity. When they do, the site displays a fake error message that says the CAPTCHA failed. Users are encouraged to click a button labeled "Alternative Verification." This triggers a command to be copied silently to their clipboard. What happens next depends on the user's operating system. On macOS, instructions guide the user to paste and run the command in Terminal. That command is actually a shell script designed to steal information and download malware. The script is particularly dangerous because it uses legitimate macOS system commands. It asks for the system password, harvests credentials and disables security protections. It then downloads AMOS. This is a known information stealer with a history of targeting Apple devices. The malware collects sensitive data like passwords, cryptocurrency wallet keys, browser autofill data and saved cookies. Researchers believe the campaign was created by Russian-speaking attackers. Clues include comments written in Russian found within the malware's code. Analysts also noted that the delivery infrastructure was poorly assembled. Mismatched instructions appeared across devices. For example, Linux users were shown Windows commands. Mac users were told to press keys that only exist on Windows machines. Sign up for my FREE CyberGuy ReportGet my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you'll get instant access to my Ultimate Scam Survival Guide — free when you join. ClickFix is a social engineering method that has rapidly gained popularity among cybercriminals. It relies on users trusting what they see and blindly following simple instructions. In this campaign, the attacker's goal is to make the victim execute the infection process themselves. Once the user follows through, the system is compromised without needing a traditional exploit. Researchers believe ClickFix has been active since at least March 2024. I first reported on it in June 2024, when attackers used fake error messages from Google Chrome, Microsoft Word and OneDrive to push their payloads. Victims were shown prompts offering a "fix," which copied a malicious PowerShell command to their clipboard. They were then instructed to paste and run it in PowerShell or through the Run dialog. By November 2024, the method had evolved further. A new wave of attacks targeted Google Meet users, beginning with phishing emails that mimicked internal meeting invites. These emails contained links that redirected to fake Meet landing pages designed to look like they came from the victim's own organization. To protect yourself from the evolving threat of ClickFix malware, which continues to target users through sophisticated social engineering tactics, consider implementing these six essential security measures: 1. Be skeptical of CAPTCHA prompts: Legitimate CAPTCHA tests never require you to paste anything into Terminal. If a website instructs you to do this, it's likely a scam. Close the page immediately and avoid interacting with it. 2. Don't click links from unverified emails and use strong antivirus software: Many ClickFix attacks also start with phishing emails that impersonate trusted services like or Google Meet. Always verify the sender before clicking on links. If an email seems urgent or unexpected, go directly to the company's official website instead of clicking any links inside the email. The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices. 3. Enable two-factor authentication: Enable two-factor authentication whenever possible. This adds an extra layer of security by requiring a second form of verification, such as a code sent to your phone, in addition to your password. 4. Keep devices updated: Regularly updating your operating system, browser, and security software ensures you have the latest patches against known vulnerabilities. Cybercriminals exploit outdated systems, so enabling automatic updates is a simple but effective way to stay protected. 5. Monitor your accounts for suspicious activity and change your passwords: If you've interacted with a suspicious website, phishing email, or fake login page, check your online accounts for any unusual activity. Look for unexpected login attempts, unauthorized password resets, or financial transactions that you don't recognize. If anything seems off, change your passwords immediately and report the activity to the relevant service provider. Also, consider using a password manager to generate and store complex passwords. Get more details about my best expert-reviewed Password Managers of 2025 here. 6. Invest in personal data removal service: Consider using a service that monitors your personal information and alerts you to potential breaches or unauthorized use of your data. These services can provide early warning signs of identity theft or other malicious activities resulting from ClickFix or similar attacks. While no service promises to remove all your data from the internet, having a removal service is great if you want to constantly monitor and automate the process of removing your information from hundreds of sites continuously over a longer period of time. Check out my top picks for data removal services here. Get a free scan to find out if your personal information is already out on the web Even experienced users can be tricked when malicious behavior is disguised as routine. The attack didn't just exploit a vulnerability in macOS, but also your familiarity with verification flows. As long as security instructions look like part of the usual experience, people will continue to run malicious code themselves. Mac users, like everyone else, need to treat every familiar-looking interface with a little more skepticism. Especially when it asks for your password. Do you think tech companies are doing enough to stop malware like ClickFix? Let us know by writing to us at For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Follow Kurt on his social channels Answers to the most asked CyberGuy questions: New from Kurt: Copyright 2025 All rights reserved.
Tom's Guide
6 days ago
- Tom's Guide
New FileFix attack brings ClickFix social engineering to Windows File Explorer — how to stay safe
Developed by cybersecurity researcher, mr. d0x, a FileFix attack is a new version of the ever popular ClickFix social engineering tool. For those unfamiliar with ClickFix, it tricks users into executing malicious commands by convincing them that they need to 'fix' something in order to complete a task on their machines. As reported by BleepingComputer, this new FileFix method uses the Windows File Explorer address bar instead. Mr.d0x not only discovered the new method but has demonstrated that it can be used in attacks to target company employees via the same social engineering techniques that have proven highly successful with ClickFix. ClickFix attacks, which have surged in popularity recently, are browser-based and use a variety of tactics to get victims to click on a button in their browser that will copy a command to their Windows clipboard. The victim is then told to paste the command into PowerShell or prompted to perform an additional command in order to 'fix' the issue. This is frequently seen as a reCAPTCHA or an error that needs to be corrected via the Win+R Run Dialog. It has proven to be an extremely effective malware tool, used to spread dangerous infostealers and launch ransomware attacks. The FileFix update created by mr.d0x is similar to a typical ClickFix attack but pastes the command into Windows File Explorer, which many users are more comfortable using. File Explorer can also execute operating system commands which means it has a functional upload feature; the 'trick' portion of the attack is that it no longer requires an error or an issue as a lure and may simply appear as a notification for a shared file that the user needs to locate through File Explorer. FileFix is a phishing page that includes an 'Open Fixe Explorer' button that will launch File Explorer through the file upload functionality and copy the PowerShell command to the clipboard. The fake path is initially seen in the Fixe Explorer address bar, which hides the malicious command and then executes it. Get instant access to breaking news, the hottest reviews, great deals and helpful tips. The ClickFix tactic that's currently being used in more and more in attacks is working due to the fact that it's able to bypass the best antivirus software and many other security tools. The reason for this is that victims end up doing most of the heavy lifting themselves as the hackers behind this and similar campaigns use social engineering to coerce them into taking action. The hackers behind this and similar campaigns use your preexisting knowledge and online habits to get you to do something you otherwise normally wouldn't. They might also use a sense of urgency to get you to visit one of the malicious sites used in this campaign. If you do see a verification pop-up with instructions, close the website immediately and whatever you do, don't interact with it or follow its instructions. Being asked to open a Terminal or Command Prompt window on your computer is a major red flag. However, not everyone is as tech savvy which is why you should share what you've learned with both older and younger family members, friends and colleagues to help keep them safe, too.
Techday NZ
19-06-2025
- Techday NZ
ReliaQuest report exposes rise of social engineering cyber threats
ReliaQuest has released its latest quarterly report, outlining identified trends in cyber attacker techniques, malware use, and ransomware group activity observed between March and May 2025 across its customer base. ClickFix and social engineering tactics One of the most notable trends identified in the report is the widespread use of ClickFix, a social engineering method that misleads users into pasting malicious commands into tools such as PowerShell or the Windows Run prompt. Attackers disguise these actions as solutions to false issues, such as fake CAPTCHAs or Windows updates, enabling them to circumvent defences and introduce malware with comparative ease. This approach has facilitated the increased use of malware families such as Lumma and SectopRAT, both of which utilise trusted tools like MSHTA to deliver malicious payloads. The report notes that social engineering has significantly contributed to the rise of these attack vectors, stating, "Social engineering played a pivotal role in the success of these top tactics." Lateral movement and initial access trends Phishing-based techniques accounted for over half of observed initial access incidents among customers, while drive-by compromise incidents rose by 10% compared to the previous period. The report sees a shift, as attackers increasingly rely on user manipulation rather than exploiting technical vulnerabilities. ReliaQuest's analysis highlights the prominence of remote desktop protocol (RDP) over internal spear phishing as a method of lateral movement within networks. This shift is closely associated with attackers impersonating IT helpdesks to persuade users to install RDP tools. The report finds, "The shift away from tactics like internal spearphishing suggests attackers are favouring techniques that require less user interaction and offer more direct access to internal systems." Additionally, drive-by downloads powered by campaigns such as ClickFix and widely available phishing kits continue to lower the threshold for cybercriminal activity. External remote resources dropped from third to fourth place among initial access vectors, further illustrating the focus on exploiting human factors. MSHTA on the rise for defence evasion MSHTA (Microsoft HTML Application Host), a native Windows binary, was reported to be involved in 33% of defence evasion incidents during the period, up from just 3.1% the previous year. Attackers use this legitimate tool to bypass conventional security tools by convincing users to execute malicious commands themselves, often delivered through social engineering campaigns such as ClearFake. "ClearFake's early adoption of ClickFix techniques propelled MSHTA from 16th to second place among defence evasion tactics. Recently, other ClickFix adopters have fuelled MSHTA's current surge, leveraging broader social engineering tactics to bypass defences more effectively," the report details. Changes in ransomware operations The report notes significant changes among ransomware groups, with the closure of "RansomHub" leading many affiliates to migrate to other groups, notably Qilin, which saw a 148% increase in activity. Play and Safepay also reported increased activity of 116% and 266%, respectively. The number of active ransomware groups has dropped by nearly 30%, but newer or established ransomware-as-a-service (RaaS) platforms have absorbed most of these affiliates, raising concerns over increasingly professionalised threats. "With major ransomware groups like RansomHub gone, RaaS operators are vying to capitalise on the influx of affiliates searching for new platforms. To attract this talent, we'll likely see RaaS platforms introduce innovative capabilities or revise profit-sharing models. This competition is expected to create a more fragmented yet increasingly sophisticated ransomware ecosystem, posing even greater challenges for defenders." Impact on industry sectors The construction industry was the only sector to see an increase in ransomware attack victims, rising by 15%. ReliaQuest attributes this to opportunistic targeting as attackers seek out industries with perceived weaker defences. The report notes, "Construction organisations may feel compelled to pay ransoms quickly to avoid costly downtime and operational delays, making them attractive targets." By contrast, the retail sector saw a 62% decrease in victims, attributed to a drop in activity from the "CL0P" ransomware Cleo campaign. Malware trends and threat actor activity The period saw increased activity by the SectopRAT malware, delivered via ClickFix and malvertising campaigns. Despite infrastructure takedowns in May 2025, Lumma infostealer operations continue, with new logs advertised on cybercriminal forums and marketplaces. "Although Lumma's activity is likely to decline over the coming months as the impact of the takedown continues to unfold, it's likely the group could regain traction over time. As attention around the takedown diminishes, attackers may return to this familiar and well-established tool," the report comments. Emergence of Scattered Spider Scattered Spider, after a five-month hiatus, returned in April 2025 with attacks on UK retail organisations. The group is identified for using detailed social engineering against high-value individuals such as CFOs and utilising both on-premises methods and cloud techniques for stealth and control. "Scattered Spider's success lies in its ability to combine social engineering precision, persistence in cloud environments, and on-premises technical expertise. These TTPs allow the group to achieve initial access, maintain control, and operate stealthily, making it difficult for organizations to detect and remediate the group's activity in the early stages of an attack." Recommendations and defensive measures ReliaQuest's report makes several recommendations for organisations, including disabling Windows Run for non-administrative users, enforcing control over RDP tool installations, implementing web filtering, and prioritising user training against social engineering. Additional measures include strengthening identity verification, enabling advanced monitoring, and conducting regular risk assessments, particularly for privileged user accounts. Looking ahead, the report anticipates broader adoption of ClickFix among ransomware affiliates, increased sophistication by groups such as Scattered Spider, and the continued rise of infostealer malware like Acreed. The report concludes by emphasising the need for proactive investment in advanced detection, user education, and securing of both cloud and traditional infrastructure to counter an upward trend in attack complexity and evasion tactics.
Forbes
17-06-2025
- Forbes
Your Passwords Are At Risk — New Windows XFiles Attack Confirmed
Windows passwords come under attack from XFiles threat. Two things that are guaranteed to strike fear into the hearts of anyone concerned about cybersecurity attacks are Windows and passwords. Combine the two, and you have the basis of what can be something of a security nightmare. With Microsoft account password spraying attacks and warnings over opening specific Outlook files in the news as Windows email, passwords and 2FA codes come under attack, this is kind of understandable. Now, with confirmation of a password-stealing threat called XFiles, is there even more cause for concern? The truth, as they say, is out there. A group of self-proclaimed elite threat hunters and cyber analysts has issued a warning that attackers deploying a malware payload called Xfiles, also known as DeerStealer, are targeting Windows users in order to compromise passwords that can then be sold on dark web criminal marketplaces. A June 12 report published by the eSentire Threat Response Unit has revealed how, throughout May, threats actors have been using the XFiles payload in order to steal Windows passwords that can then be sold by a dark web user known only as LuciferXfiles. The methods employed are sadly all too familiar, involving ClickFix attacks during the initial access process. These tech support scams combine seemingly genuine offers of help regarding security issues surrounding account activity with fake ID Captcha prompts that involve executing malicious commands using the Windows Run prompt. Should the victim get to this stage, they will then download something called HijackLoader, often obfuscated using an encrypted PNG image, that downloads the real payload, the XFiles infostealer malware to compromise passwords, browser 2FA session cookies, instant messages and more. Read the full report for a detailed technical analysis of the entire attack chain. When it comes to mitigation, however, the eSentire TRU advice is clear: I would have to add to this that opening the Windows Run prompt and pasting the clipboard's content, which is how ClickFix attacks work, is hardly conducive to good security practice or, frankly, common sense. I mean, how many Captcha or I Am Not A Robot tests have ever asked you to do that? The answer is zero. Protect your passwords by not being tricked into doing something that is so obviously out of the ordinary.
Techday NZ
09-06-2025
- Business
- Techday NZ
ClickFix phishing surge spoofs Booking.com to target hotels
Research from Cofense Intelligence has identified a series of phishing campaigns targeting hotel chains in the accommodation and food services sector. These campaigns have been ongoing since November 2024, with a significant increase observed in March 2025, accounting for 47% of the total campaign volume. The phishing emails impersonate directing recipients to a fake CAPTCHA website that prompts them to run a malicious script. This method of malware delivery, known as a ClickFix attack, is designed to convince users to execute scripts which install remote access trojans (RATs) or information-stealing malware. ClickFix attacks are distinguished by their use of fake CAPTCHA screens that convincingly mimic brands such as and Cloudflare. When users interact with these fake verifications, they are instructed to carry out steps, such as using Windows keyboard shortcuts, to inadvertently run a malicious script. This script is commonly delivered through users' clipboards, typically triggered by a specific button on the fraudulent site. Analysis from Cofense Intelligence shows that 75% of campaigns using fake CAPTCHAs employed spoofing templates, while other less frequent variants mimic Cloudflare Turnstile CAPTCHAs and cookie consent banners. Among these, 64% delivered RATs, 47% information stealers, and 11% were observed distributing both types of malware. This campaign has been increasing in popularity since November 2024, with 47% of total campaign volume being from March 2025 alone. 75% of all active threat reports (ATRs) with fake CAPTCHAs used ClickFix templates. Other notable but rare ClickFix templates include Cloudflare Turnstile-spoofing and cookie consent banner-styled templates. 64% of campaign ATRs delivered RATs, 47% of campaign ATRs delivered information stealers, and 11% of campaign ATRs were seen delivering both RATs and information stealers. 53% of all campaign ATRs deliver XWorm RAT, making it the most popular RAT used in these campaigns. Pure Logs Stealer (19% of ATRs) and DanaBot (14% of ATRs) are the most popular information stealers for these campaigns. The most commonly observed malware is the XWorm RAT, present in 53% of the analysed campaigns. Other malware includes Pure Logs Stealer and DanaBot, making up 19% and 14% of cases, respectively. The content and tone of the phishing emails have evolved since the campaign's inception. Earlier messages featured generic or vague language, whereas more recent examples exploit concerns over guest satisfaction and incorporate references to specific guest reservations. These tactics are designed to elicit a response and drive the recipient to interact with malicious links. Some emails specify that the link will only function on Windows, and the recipients who access the site on other operating systems receive a message indicating this limitation. The malicious scripts are typically delivered as PowerShell commands or Microsoft HTML applications, which, once executed, can install RATs or steal data from victim devices. ClickFix is described as a technique for persuading victims to run malicious Windows scripts themselves, often by pasting code into the Windows Run command prompt. Sometimes, these scripts are obfuscated to appear as verification codes, increasing the likelihood that the user will not recognise them as harmful. In addition to fraudulent CAPTCHA screens, recent campaigns include cookie consent banners that prompt users to run malicious scripts under the pretext of accepting cookies.
