{"id":24136,"date":"2026-04-21T08:00:40","date_gmt":"2026-04-21T01:00:40","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&p=24136"},"modified":"2026-04-21T21:39:06","modified_gmt":"2026-04-21T14:39:06","slug":"you-are-the-security-vulnerability-clickfix-is-causing-users-to-install-malware-themselves","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/you-are-the-security-vulnerability-clickfix-is-causing-users-to-install-malware-themselves\/","title":{"rendered":"You are the “security vulnerability”: ClickFix is causing users to install malware themselves."},"content":{"rendered":"

Overview<\/span><\/h2>\n

Amid increasingly sophisticated cyberattacks, a worrying trend is emerging: attackers no longer need to exploit system vulnerabilities\u2014they exploit the users themselves. The ClickFix campaign clearly demonstrates this shift.<\/span><\/p>\n

Discovered by Recorded Future, ClickFix is a social engineering attack technique where victims are tricked into performing seemingly harmless actions\u2014like copying and running a script\u2014but actually end up inadvertently activating malware on their own devices. No exploit or complex malware is needed from the start; the entire attack chain begins with a simple user action.<\/span><\/p>\n

What makes ClickFix dangerous is its ability to bypass traditional defense mechanisms. When users themselves execute commands, security solutions like antivirus or EDR often struggle to detect this behavior as malicious. Furthermore, current ClickFix campaigns have expanded from Windows to macOS, clearly indicating a trend toward increasingly sophisticated cross-platform attacks.<\/span><\/p>\n

Execution flow<\/span><\/h2>\n

\"1<\/a><\/p>\n

ClickFix campaigns typically follow a clearly structured attack process consisting of four consecutive stages\u2014each step is optimized to exploit user behavior and evade traditional defense mechanisms.<\/span><\/p>\n

Lure \u2013 Entice with Fake Legitimate Interfaces<\/strong>\u00a0The attack chain begins by deceiving victims through familiar interfaces like fake CAPTCHAs or “human verification” systems. These pages are intricately designed to appear trustworthy and urgent, making users believe they need to perform a simple action to proceed.<\/span><\/p>\n

Execution \u2013 Activation through User Interaction (LotL)<\/strong>\u00a0After being convinced, victims are instructed to copy and execute an obfuscated script. These commands are typically run via: Run (Windows) or Terminal (Windows\/macOS).<\/span><\/p>\n

Remote Ingress \u2013 Download payload from control infrastructure<\/strong>\u00a0When the command is executed, the system establishes an external connection to download malicious components (payload staging). This process typically uses: Embedded shell, Remote download script.\u00a0In-Memory Execution \u2013 Execute without leaving traces<\/strong>\u00a0In the final stage, the malware runs directly in memory (in-memory execution) instead of being written to disk. This minimizes forensic traces and helps avoid detection by file-based security tools.<\/span><\/p>\n

Detailed technical analysis<\/span><\/h2>\n

The ClickFix campaign is divided into several clusters with different approaches and techniques, demonstrating a clear level of targeting and high sophistication in payload deployment.<\/span><\/p>\n

Cluster 1 \u2013 QuickBooks (Targeting accounting users)<\/span><\/h3>\n

This cluster focuses on QuickBooks users, primarily accounting or finance personnel. The attacker uses fake pages requesting “system error fixes” to trick users into executing commands.<\/span><\/p>\n

\"2<\/a><\/p>\n

Here, users manually launch PowerShell with Admin rights and run a script designed by the attackers.<\/span><\/p>\n

\"3<\/a><\/p>\n

Once the victim executes the command, the malicious payload\u00a0\"bibi.php\"<\/code>\u00a0is immediately saved in the\u00a0\"%TEMP%\"<\/code>\u00a0directory as script.ps1. This step initiates the installation process of NetSupport RAT.<\/span><\/p>\n

\"4<\/a><\/p>\n

This payload continuously connects to the C2 address: gologpoint[.]com – 62[.]164[.]177[.]230 to receive commands and download other malicious files. During the analysis, experts recorded four additional malicious files, including<\/span><\/p>\n\n\n\n\n\n\n\n\n
Filename<\/strong><\/span><\/th>\nSHA-256<\/strong><\/span><\/th>\n<\/tr>\n<\/thead>\n
at.7z<\/span><\/td>\nc0af6e9d848ada3839811bf33eeb982e6c207e4c40010418e0185283cd5cff50<\/span><\/td>\n<\/tr>\n
lnk.7z<\/span><\/td>\n5d821db386c7c879caeabf3e9f94c94a48eec6ec5a3a0efbae9d69da3f52c1db<\/span><\/td>\n<\/tr>\n
7z.exe<\/span><\/td>\n43907e54cf3d1258f695d1112759b5457576481072cc76a679b8477cfeb3db87<\/span><\/td>\n<\/tr>\n
7z.dll<\/span><\/td>\nb17c3e4058aacdcc36b18858d128d6b3058e0ea607a4dc59eb95b18b7c6acc7c<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

After NetSupport RAT is installed, the attacker can remotely control the computer, record the screen, manipulate the keyboard, and install additional malware. At this stage, the attacker also extracts all sensitive customer information, including customer details, transaction history, tax information, and financial data.<\/span><\/p>\n

\"5<\/a><\/p>\n

Cluster 2 \u2013 Booking.com (Fake CAPTCHA Trap)<\/span><\/h3>\n

This cluster targets users of booking services like Booking.com, using fake CAPTCHA techniques to increase credibility. Here, users are asked to verify “NOT A ROOT.”<\/span><\/p>\n

\"6<\/a><\/p>\n

Similar to Cluster 1, instead of a real CAPTCHA, the page designed by the attacker will instruct you to open PowerShell and run a command containing the parameter: “-ExecutionPolicy Bypass”.<\/span><\/p>\n

\"7<\/a><\/p>\n

With this malicious command, the attacker can disable PowerShell’s security policy, allowing them to download and execute malicious scripts remotely.<\/span><\/p>\n\n\n\n\n\n\n\n\n
Filename<\/strong><\/span><\/th>\nSHA-256<\/strong><\/span><\/th>\n<\/tr>\n<\/thead>\n
at.7z<\/span><\/td>\n397dcea810f733494dbe307c91286d08f87f64aebbee787706fe6561ed3e20f8<\/span><\/td>\n<\/tr>\n
lnk.7z<\/span><\/td>\n5d821db386c7c879caeabf3e9f94c94a48eec6ec5a3a0efbae9d69da3f52c1db<\/span><\/td>\n<\/tr>\n
7z.exe<\/span><\/td>\n43907e54cf3d1258f695d1112759b5457576481072cc76a679b8477cfeb3db87<\/span><\/td>\n<\/tr>\n
7z.dll<\/span><\/td>\nb17c3e4058aacdcc36b18858d128d6b3058e0ea607a4dc59eb95b18b7c6acc7c<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Throughout the execution process, the malware continuously communicates with the C2 to receive commands and store the stolen information.<\/span><\/p>\n

\"\"<\/span><\/p>\n

As mentioned, the danger here is that users believe they are performing a security step, but in reality, they are opening the door for malware to run.<\/span><\/p>\n

Cluster 3 \u2013 Birdeye (Targeting Small Businesses)<\/span><\/h3>\n

This cluster targets small businesses using review platforms like Birdeye. Here, the fake page contains JavaScript designed to evade automated scanning systems (sandbox, crawler).<\/span><\/p>\n

\"\"<\/span><\/p>\n

\"\"<\/span><\/p>\n

In this section, the attacker also runs a PowerShell command written in an “obfuscated” form to conceal the true behavior. This is a common technique in cyberattacks or malware to load and execute scripts remotely.<\/span><\/p>\n

\"\"<\/span><\/p>\n

Its main purpose is to download malware remotely from the address\u00a0https:\/\/alababababa.cloud\/cVGvQio6.txt<\/a>\u00a0and then directly execute the downloaded content on the victim’s computer.<\/span><\/p>\n

\"\"<\/span><\/p>\n

Cluster 4 & 5 \u2013 macOS (Exploiting Mac Users)<\/span><\/h3>\n

These clusters focus on macOS users\u2014who are typically less targeted and therefore more likely to let their guard down.<\/span><\/p>\n

\"\"<\/span><\/p>\n

Users are instructed to run the curl command in Terminal: “curl -kfsSL “. The -k parameter is used to bypass TLS certificate checks (potentially a fake server), while the -fsSL parameters download content “silently,” without displaying errors.<\/span><\/p>\n

\"\"<\/span><\/p>\n

The payload will be concealed using hex encoding and base64 encoding, then immediately decoded and executed directly on the machine. After running, the script will download and execute MacSync Stealer. This malware is tasked with stealing browser information, cookies, credentials, and crypto wallet data.<\/span><\/p>\n

A notable aspect of this infection chain is its ability to attack directly through the Terminal (a trusted interface), cleverly exploiting the perception that “Mac is safer than Windows.”<\/span><\/p>\n

Conclusion<\/span><\/h2>\n

The ClickFix campaign demonstrates an effective combination of social engineering and cross-platform malware distribution, targeting both Windows and macOS through fake brands like QuickBooks, Booking, or Apple. By tricking users into executing malicious commands themselves, attackers can bypass traditional security mechanisms, deploying malware such as NetSupport RAT and Odyssey Stealer to gain control and steal data.<\/span><\/p>\n

Recommendation<\/span><\/h2>\n

Recognize and Avoid ClickFix Scams<\/strong><\/span><\/p>\n