ClickFix Social Engineering Drives Multi-Platform Malware Delivery
Security researchers reported multiple active campaigns using ClickFix social engineering—fake error dialogs or verification prompts that trick users into manually running attacker-supplied commands—to bypass browser and download protections and establish an initial foothold. In one enterprise case investigated by CERT Polska (cert.pl), victims were lured via compromised websites showing a fake CAPTCHA/“fix” prompt that instructed them to paste and run a PowerShell command via Win+R; the script then downloaded a dropper and enabled rapid follow-on activity that can scale to enterprise-wide compromise, including deployment of secondary malware such as Latrodectus and Supper for data theft, lateral movement, and potential ransomware staging.
A separate ClickFix operation targeted macOS developers by cloning the Homebrew site on typosquatted infrastructure; the “install” command was subtly altered to fetch content from raw.homabrews.org instead of raw.githubusercontent.com, leading to Cuckoo Stealer deployment and credential harvesting via repeated password prompts using macOS Directory Services, with related domains tied to shared hosting at 5.255.123.244. ClickFix was also observed as the initial execution mechanism for the resurfaced Matanbuchus 3.0 MaaS loader, which uses deceptive copy/paste prompts and silent MSI execution (via msiexec) to deliver a new payload, AstarionRAT, enabling capabilities including credential theft and SOCKS5 proxying; operators were reported to move laterally quickly (including toward domain controllers), consistent with ransomware or data-exfiltration objectives.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Enterprise ClickFix attack escalates to Latrodectus and Supper payloads
Following initial access in the Polish organization case, attackers deployed secondary payloads including Latrodectus and Supper to support data exfiltration, lateral movement, and possible ransomware activity. The chain used DLL side-loading with igfxSDK.exe and a malicious wtsapi32.dll, along with anti-analysis techniques.
CERT Polska observes enterprise ClickFix intrusion in Polish organization
CERT Polska identified suspicious traffic from a compromised host at a large Polish organization and traced it to a ClickFix lure that caused a user to run malicious PowerShell from the Windows Run dialog. The resulting infection chain downloaded a dropper and rapidly established a foothold.
ClickFix campaign targets macOS developers with Cuckoo Stealer
Attackers used typosquatted Homebrew-themed sites to trick macOS developers into pasting a malicious Terminal command, leading to Cuckoo Stealer infection. The malware validated stolen passwords, established LaunchAgent persistence, and stole data from browsers, Keychain, wallets, and messaging apps.
ClickFix campaign deploys AstarionRAT via silent MSI chain
The revived Matanbuchus 3.0 campaign used ClickFix social engineering to trick users into running malicious commands, then leveraged msiexec, DLL side-loading, and in-memory execution to deliver AstarionRAT. Huntress reported operators could move laterally in about 40 minutes and target domain controllers.
Matanbuchus 3.0 resurfaces after nearly a year inactive
Matanbuchus, a malware-as-a-service loader, reappeared in February 2026 with a rewritten v3.0 release and subscription pricing reportedly reaching $15,000 per month. The new activity marked the loader's return after roughly a year of inactivity.
Attackers register homabrews.org for fake Homebrew campaign
A key typosquatted domain, homabrews.org, was registered and later used to mimic the official Homebrew workflow in a ClickFix campaign targeting macOS developers. The fake install flow swapped the expected download host to attacker-controlled infrastructure.
Certificates for ClickFix macOS typosquat infrastructure appear
Infrastructure later linked to the macOS ClickFix campaign used certificates dating back to July 2025, indicating attacker preparation and staging months before public reporting. Analysts tied multiple related typosquat domains to shared infrastructure at 5.255.123.244.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Fake CAPTCHA (ClickFix) Attack Chain Leads to Enterprise‑Wide Malware Infection in Organisations - Cyber Security News
cybersecuritynews.com
Open sourceClickFix Abuses Legitimate Homebrew Workflow to Deploy Cuckoo Stealer on macOS for Credential Harvesting
cybersecuritynews.com
Open sourceMatanbuchus 3.0 Returns with ClickFix Social Engineering and Silent MSI Installations to Deploy AstarionRAT
cybersecuritynews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ClickFix Social-Engineering Campaigns Using Fake CAPTCHA and Fake Installer Pages
Security researchers reported multiple **ClickFix** campaigns that compromise endpoints by tricking users into manually executing attacker-provided commands rather than exploiting a software vulnerability. CERT Polska documented an incident response at a large Polish organization where a **fake CAPTCHA** prompt led a user to run a malicious snippet via *Win+R*, resulting in malware execution and suspected **DLL side-loading** from `%APPDATA%\Intel` (legitimate `igfxSDK.exe`/`version.dll` alongside a suspicious `wtsapi32.dll`). Investigators also identified additional suspicious DLLs in the user’s local AppData and recovered an execution trail consistent with a one-liner that fetched remote content and piped it into PowerShell (e.g., `cmd /c curl ... | powershell`). Separately, threat hunting research described a macOS-focused ClickFix operation using **typosquatted Homebrew** lookalike sites to present a “copy/paste” install command that runs in Terminal. The first-stage script repeatedly prompted for a password and validated it using `dscl authonly` to harvest working credentials before deploying a second-stage infostealer dubbed **Cuckoo Stealer**, which was reported to establish **LaunchAgent** persistence, remove quarantine attributes, and communicate over encrypted HTTPS C2 while targeting browser credentials/session tokens, Keychain data, notes/messaging artifacts, VPN/FTP configs, and cryptocurrency wallets. Both reports highlight ClickFix as an increasingly common, opportunistic initial access technique that scales by abusing trusted user workflows on Windows and macOS.
Mar 21, 2026
ClickFix Social-Engineering Technique Using Fake CAPTCHA to Trigger Manual Command Execution
A **ClickFix**-style malware campaign has been observed using **fake CAPTCHA** pages on compromised websites to trick users into **manually executing** malicious commands, enabling initial access while evading controls that focus on downloaded files. In the reported activity, victims are prompted to copy a **PowerShell** command and run it themselves; the script then downloads additional stages from attacker infrastructure (including `91.92.240.219`), verifies user interaction by checking clipboard activity, and proceeds through a multi-stage infection chain. The payload is an **information stealer** targeting data from **25+ web browsers**, cryptocurrency wallets (e.g., *MetaMask*), and enterprise VPN configurations, with checks for virtualized environments and security tooling prior to exfiltration. Separately reported threat activity in the same time window includes **UnsolicitedBooker** targeting Central Asian telecoms with phishing-delivered backdoors (**LuciDoor** and **MarsSnake**) and **APT28** running *Operation MacroMaze*, which uses weaponized Office documents and `INCLUDEPICTURE` fields pointing to `webhook[.]site` URLs as a tracking mechanism and to support follow-on macro-based payload delivery. A video-style weekly briefing also mentions an evolution of ClickFix where an initial command uses `nslookup` and parses the response for execution, but it is a multi-topic roundup rather than a primary source on the fake-CAPTCHA infostealer campaign; a malware newsletter roundup is likewise a link collection and does not add specific, corroborating details about the ClickFix CAPTCHA infostealer operation.
May 26, 2026
ClickFix Social-Engineering Technique Used to Trick Users Into Running Malware
Multiple reports highlighted **ClickFix**, a social-engineering technique that uses fake verification or update prompts to coerce users into manually executing attacker-supplied commands, as a recurring initial access method in recent malware activity. In the **OCRFix** botnet campaign, victims were lured to a typosquatted site impersonating *Tesseract OCR* (`tesseract-ocr[.]com` lookalike) via SEO poisoning and reported **LLM poisoning** (chatbot recommendations pointing users to the malicious site). The site presented a fake CAPTCHA that copied an obfuscated PowerShell command to the clipboard and instructed the user to paste it into PowerShell; this led to retrieval of a malicious MSI (`98166e51.msi`) from `opsecdefcloud[.]com`, after which victims were redirected to the legitimate GitHub project to reduce suspicion. The loader then queried a **BNB TestNet** smart contract to obtain C2 details, using **EtherHiding** (blockchain-hosted instructions) to make takedown and disruption more difficult. A separate investigation described a **Chrome extension supply-chain compromise** of *QuickLens – Search Screen with Google Lens* (7,000+ users), where attackers acquired the extension and shipped an update embedding malicious scripts and elevated permissions to enable credential/crypto theft and staged payload delivery; the campaign also incorporated a **ClickFix** flow that masqueraded as a legitimate browser update to trick users into executing malicious code. Other items in the set covered different topics: an AiTM phishing-kit attribution case study (focused on reverse-proxy phishing infrastructure rather than ClickFix), research on **Funnull/Fangneng CDN** as cybercrime-enabling infrastructure and related supply-chain activity, and Zscaler reporting on **Dust Specter APT** targeting Iraqi government officials with password-protected RAR delivery and custom malware modules—none of which were primarily about ClickFix.
Mar 21, 2026