Threat Research

ClickFix Strategy: The Power of Detection

SekoiaIO

ClickFix is a social-engineering tactic that lures users with fake web pages (e.g., Google Meet or fake CAPTCHAs) to copy and execute PowerShell or mshta commands that download and run payloads like Amos Stealer on Windows and macOS. Observed since May 2024 and linked to actors such as TA571 and APT28, it abuses legitimate tools (mshta.exe, bitsadmin.exe, PowerShell) and multiple C2 domains, requiring endpoint and network correlation for reliable detection. #ClickFix #AmosStealer #TA571 #APT28

Keypoints

  • ClickFix tricks users into executing clipboard-injected commands via deceptive web pages (Google Meet, fake reCAPTCHA), leading to remote payload download and execution.
  • The tactic targets both Windows (mshta, PowerShell, bitsadmin chains) and macOS (direct .dmg downloads installing Amos Stealer).
  • Delivery vectors include compromised sites, redirection chains from illicit sites, and abuse of trusted platforms like GitHub issues to lure developers.
  • Detection opportunities focus on process-tree anomalies (mshta → bitsadmin/PowerShell), suspicious PowerShell network activity, and file operations in AppDataTemp.
  • Network-based detection can spot the ClickFix pattern by correlating small instruction fetches followed shortly by large binary downloads from the same host.
  • Several intrusion sets and brokers (TA571, APT28) have adopted ClickFix, making continuous tracking and multi-source detection essential.

MITRE Techniques

  • [T1203] Execution – Exploits user interaction with malicious web content to execute code. [‘Exploits user interaction with malicious web content to execute code.’]
  • [T1071] Command and Control – Uses multiple command-and-control domains to maintain communication with compromised systems. [‘Utilizes multiple command and control domains to maintain communication with compromised systems.’]
  • [T1003] Credential Dumping – Retrieves user credentials from compromised systems as part of follow-on activity. [‘Retrieves user credentials from compromised systems.’]
  • [T1041] Exfiltration Over C2 Channel – Transfers data from the victim’s system to an external location controlled by attackers. [‘Transfers data from the victim’s system to an external location.’]
  • [T1105] Remote File Copy – Downloads files from remote locations to the compromised host (bitsadmin, PowerShell). [‘Transfers files from a remote location to the compromised system.’]
  • [T1059] Command and Scripting Interpreter – Executes malicious scripts (PowerShell, VBScript via mshta) to perform the attack chain. [‘Executes scripts to perform malicious actions on the target system.’]

Indicators of Compromise

  • [Domain] public IP lookup / telemetry – api.ipify[.]org (used to retrieve victim public IP), and multiple unspecified C2 domains observed in the campaign.
  • [File extension / payload] delivery artifacts – .dmg (Amos Stealer on macOS), .zip archives used to deliver Windows payloads and resulting .exe / .dll files.
  • [Processes / binaries] abused legitimate tools – mshta.exe, bitsadmin.exe, powershell.exe (used as parent/child processes in infection chains).
  • [File path] persistence / staging location – files saved under AppDataLocalTemp (payloads and extracted binaries stored and executed there).
  • [Web pages / pages] lure pages and delivery vectors – fake Google Meet and fake reCAPTCHA pages, and exploitation of GitHub issues / redirection chains from cracked-software or streaming sites.

————
ClickFix deceives users with believable web UI elements (fake meeting or CAPTCHA pages) to guide them through keyboard shortcuts that paste and run a malicious command from the clipboard. That command typically invokes mshta or PowerShell to fetch a small instruction script and then a larger payload; on macOS the flow can download a .dmg (Amos Stealer), while on Windows it often uses mshta → VBScript → bitsadmin or PowerShell → download and execute from AppDataTemp.

Detection is most reliable when endpoint and network telemetry are correlated: look for mshta child processes launching bitsadmin or PowerShell with URLs on the command line, a PowerShell user-agent making a very small HTTP GET followed shortly by a large binary download, and file writes to AppDataTemp followed by execution. Because the commands are simple (IWR/IEX or encoded base64), rules that combine process-tree, file activity and temporal network patterns (e.g., instruction fetch then payload fetch within minutes) reduce false positives.

Defenders should monitor for the specific process-parent relationships (mshta → bitsadmin/wscript/powershell), unusual use of BITS to download executables, and low-volume instruction fetches from rarely seen domains or domains mimicking Google/Zoom. Maintain threat intelligence feeds for actor-linked indicators (TA571, APT28) and update detection rules as ClickFix delivery chains evolve to stay ahead of these social-engineering campaigns.
————

Read more: https://blog.sekoia.io/clickfix-tactic-revenge-of-detection/