Security researchers reported that ClickFix has expanded into an industrialized malware-delivery ecosystem that relies on social engineering rather than software exploits. Attackers use fake CAPTCHA checks, browser updates, meeting errors, and verification prompts to trick users into manually running attacker-supplied commands through trusted tools such as PowerShell, mshta, curl, Windows Run, or macOS Terminal. ReversingLabs said the ecosystem now supports a wide range of payloads, including Lumma Stealer, DarkGate, XWorm, AsyncRAT, NetSupport, and SectopRAT, while related variants such as CrashFix, FileFix, PromptFix, and ConsentFix continue to emerge.
The activity is being amplified through large-scale web compromise campaigns. Reports linked the DriveSurge actor to active ClickFix and FakeUpdates operations abusing thousands of compromised websites to distribute malware, while a separate SlowMist investigation documented a Google Sites-hosted phishing campaign targeting Web3 users on macOS with a fake community application flow that pushed victims to download a .scpt file or run a Base64-encoded Terminal command. That infection chain delivered a Mach-O stealer resembling AMOS (Atomic macOS Stealer), which harvested browser credentials, cookies, Keychain data, Apple Notes, Telegram Desktop data, and cryptocurrency wallet files before archiving data to /tmp/lksopo.zip and exfiltrating it to 86.54.25.213. Researchers said structural YARA detection of lure pages is currently one of the most effective ways to identify these campaigns, which often evade traditional AV and EDR controls because they depend on legitimate tools and user-approved execution.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Reporting identified a threat actor tracked as DriveSurge as using ClickFix and FakeUpdates techniques to distribute malware via compromised websites. A related report said the operation abused thousands of compromised sites as malicious delivery infrastructure.
ReversingLabs reported that ClickFix has evolved into an industrialized malware-as-a-service ecosystem with rentable kits, rapid infrastructure changes, and payloads including Lumma Stealer and several RATs. The researchers also said their open-source structural YARA rule identified 123 confirmed ClickFix lure pages that had evaded tested antivirus engines.
SlowMist published an analysis of a phishing campaign hosted on Google Sites that impersonated a community application flow and redirected victims to a fake verification page. The campaign pushed macOS users to run a script or Terminal command that downloaded an AMOS-like stealer used to exfiltrate browser, Keychain, Telegram, Notes, and crypto-wallet data.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
malware.news
Open sourcemalware.news
Open sourcehelpnetsecurity.com
Open sourcedarkreading.com
Open sourceslowmist.medium.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.