ClickFix Becomes Leading Malware Delivery Method as Attackers Expand to macOS
What happened
ClickFix, a social engineering technique that first emerged in 2024, has rapidly become one of the most widely used methods for delivering malware. According to new research from ReliaQuest, the technique dominated both initial access and defense-evasion activity between March and May, highlighting how quickly attackers have adopted it.
ClickFix works by convincing users to copy and paste malicious commands into trusted system tools such as Windows Terminal, the Run dialog, or Script Editor on macOS. Rather than relying on malicious attachments or downloads, attackers present fake error messages, CAPTCHA prompts, or software installation instructions that encourage users to execute the commands themselves.
Raigridas Bartkus, cybersecurity specialist at ReliaQuest, said ClickFix should no longer be treated as an isolated threat. Instead, organizations should continuously train users and monitor for this attack technique across both Windows and macOS environments.
Researchers also identified new variants, including CrashFix, which repeatedly crashes a browser before offering a fake “fix,” and campaigns using AI-assisted obfuscation to make malicious scripts harder for security tools to detect.
Who is affected
The research indicates that organizations using both Windows and macOS are at risk, particularly those with software developers and technical staff.
ReliaQuest observed attackers increasingly targeting developers through malicious Google Ads impersonating popular developer tools such as “claude code install” and “homebrew install.” Victims are directed to fake installation pages where they are instructed to copy and paste malicious commands.
In several confirmed incidents, attackers obtained sensitive development credentials, including npm and Bitbucket tokens, after compromising developer systems. Researchers also found that some ClickFix campaigns no longer deploy traditional malware, instead using a single pasted command to perform network discovery and establish persistent access.
Why CISOs should care
ClickFix represents a shift away from conventional malware delivery methods that rely on email attachments or downloadable files. By persuading users to execute commands themselves, attackers can bypass many traditional security controls designed to detect malicious files.
The expansion of ClickFix to macOS also removes the assumption that the threat is primarily a Windows problem. Organizations with mixed operating system environments now need consistent monitoring, detection, and user awareness across all endpoints.
The growing use of AI-generated obfuscation further increases the challenge for defenders by allowing attackers to rapidly produce new script variants that evade signature-based detection.
3 practical actions
Train employees on both Windows and macOS to never copy and paste commands from websites, emails, CAPTCHA pages, or unexpected prompts.
Extend endpoint monitoring to detect suspicious command execution, scripting activity, and abnormal use of Terminal, PowerShell, or Script Editor.
Apply stricter controls for privileged users where possible, while using logging and behavioral alerts instead of outright blocking developer tools for technical teams.


