ClickFix and Cache Smuggling Techniques Used for Malware Delivery
Attackers are leveraging ClickFix-style phishing pages to deliver malware by exploiting browser cache mechanisms and social engineering tactics. In these campaigns, malicious websites masquerade as Captcha tests and prompt users to execute clipboard-injected commands via the Windows Run dialog, enabling the execution of arbitrary code. A notable evolution of this technique involves using cache smuggling, where the initial loader extracts the second-stage payload directly from the browser's cache, bypassing the need for direct web requests and evading some detection mechanisms.
Recent campaigns have combined these methods with the deployment of remote access tools such as NetSupport RAT, using ClickFix lures to infect hosts and establish covert access. Multiple threat clusters have been observed utilizing remote monitoring and management (RMM) software for persistent, stealthy access to compromised systems. These developments highlight the increasing sophistication of social engineering and technical delivery mechanisms in modern malware campaigns, emphasizing the need for heightened user awareness and advanced detection strategies.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CIS publishes analysis of ClickFix as an adaptive social engineering technique
The Center for Internet Security published an analysis describing ClickFix as an adaptive social engineering technique, documenting the tactic for defenders and raising awareness of its use in intrusion activity. This marked an additional public technical characterization of the method.
Security researchers report NetSupport RAT campaign using ClickFix lures
Security Online reported a campaign in which threat clusters used ClickFix-style social engineering to infect victims with NetSupport RAT and abused remote management tools for covert access. The report publicly tied ClickFix lures to multiple clusters and a specific malware/access pattern.
Researchers document EXIF smuggling for passive malware delivery
A MalwareTech blog post described a technique dubbed 'EXIF smuggling,' in which malware payloads can be passively downloaded via image caching and later reconstructed from image metadata. The publication represents the public disclosure of the technique and its potential abuse for malware delivery.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
NetSupport RAT Campaign Abuses ClickFix to Infect Hosts; 3 Threat Clusters Use RMM for Covert Access
securityonline.info
Open sourceClickFix: An Adaptive Social Engineering Technique
cisecurity.org
Open sourceLook At This Photograph - Passively Downloading Malware Payloads Via Image Caching
malwaretech.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ClickFix and FileFix Social Engineering Techniques for Malware Delivery
Cybercriminals are leveraging social engineering techniques known as ClickFix and its new variant, FileFix, to trick users into executing malicious commands on their Windows systems. The ClickFix method involves compromised websites displaying fake CAPTCHA-style pages that prompt users to "verify you are human." When users interact with these pages, malicious content is injected into their clipboard, and they are instructed to paste and run this content via the Windows Run dialog, leading to the installation of remote access tools such as NetSupport RAT. The SmartApeSG campaign is one example actively using this approach, with infection chains triggered under specific conditions on compromised sites. The FileFix variation, recently observed in the wild, shifts the attack vector by instructing users to paste malicious commands into the Windows File Explorer address bar instead of the Run dialog. This subtle change exploits user familiarity with File Explorer, making the attack less suspicious and increasing the likelihood of success. Both techniques rely on phishing emails or fake service pages to lure victims, and the end goal is typically the deployment of remote access malware. Security teams should be aware of these evolving tactics and educate users about the risks of following unsolicited instructions involving system dialogs or file paths.
Apr 6, 2026
ClickFix Malware Attacks Employ Advanced Social Engineering and Multi-OS Support
Attackers have significantly upgraded the ClickFix malware delivery technique, incorporating sophisticated social engineering tactics inspired by online retail sites. Recent campaigns feature embedded tutorial videos, countdown timers, and dynamic counters such as "users verified in the last hour" to create a sense of urgency and legitimacy, closely mimicking trusted services like Cloudflare's bot checks. The malicious pages automatically detect the visitor's operating system and provide tailored instructions, even copying the necessary malicious code to the user's clipboard via JavaScript, making the infection process seamless and convincing for victims. ClickFix lures are distributed through multiple channels, including email, instant messaging, social networks, in-app phishing, and especially malvertising on platforms like Google Search, YouTube, and Steam. The primary objective is to trick users into pasting and executing malicious code, which typically results in the deployment of information-stealing malware. According to Push Security and the 2025 Microsoft Digital Defense report, ClickFix has become the most prevalent initial access method, accounting for nearly half of observed attacks in the past year. The evolution of these attacks, with multi-OS support and enhanced deception techniques, underscores the growing sophistication and reach of social engineering threats in the current threat landscape.
Mar 21, 2026
ClickFix Social Engineering Drives Multi-Platform Malware Delivery
Security researchers reported multiple active campaigns using **ClickFix** social engineering—fake error dialogs or verification prompts that trick users into manually running attacker-supplied commands—to bypass browser and download protections and establish an initial foothold. In one enterprise case investigated by **CERT Polska (cert.pl)**, victims were lured via compromised websites showing a fake CAPTCHA/“fix” prompt that instructed them to paste and run a **PowerShell** command via `Win+R`; the script then downloaded a dropper and enabled rapid follow-on activity that can scale to **enterprise-wide compromise**, including deployment of secondary malware such as **Latrodectus** and **Supper** for data theft, lateral movement, and potential ransomware staging. A separate ClickFix operation targeted **macOS developers** by cloning the *Homebrew* site on typosquatted infrastructure; the “install” command was subtly altered to fetch content from `raw.homabrews.org` instead of `raw.githubusercontent.com`, leading to **Cuckoo Stealer** deployment and credential harvesting via repeated password prompts using macOS Directory Services, with related domains tied to shared hosting at **`5.255.123.244`**. ClickFix was also observed as the initial execution mechanism for the resurfaced **Matanbuchus 3.0** MaaS loader, which uses deceptive copy/paste prompts and **silent MSI** execution (via `msiexec`) to deliver a new payload, **AstarionRAT**, enabling capabilities including credential theft and **SOCKS5** proxying; operators were reported to move laterally quickly (including toward domain controllers), consistent with ransomware or data-exfiltration objectives.
Mar 21, 2026