A rising social engineering method known as ClickFix has emerged as one of the vital profitable strategies for distributing malware in latest months.
This assault methods customers into copying and working instructions instantly into their working techniques command line interface, in the end putting in harmful information-stealing software program.
The method has confirmed remarkably efficient as a result of it bypasses conventional e-mail safety options and operates inside browser sandboxes the place most safety instruments can’t detect the malicious exercise.
The assault sometimes begins when customers seek for cracked software program via engines like google. Cybercriminals create pretend touchdown pages hosted on trusted platforms like Google Colab, Drive, Websites, and Teams to keep away from being blocked by safety techniques.
These pages act as preliminary contact factors that redirect victims primarily based on their working system. Home windows customers obtain the ACR stealer, whereas macOS customers are redirected to pages that deploy the Odyssey infostealer.
Intel471 safety researchers recognized this marketing campaign in June 2025 throughout proactive malware looking operations.
The investigation revealed that risk actors had been efficiently focusing on each main working techniques via a single infrastructure.
An infection chain (Supply – Intel471)
What makes this assault notably regarding is its fileless execution. When victims paste the instructions, malicious payloads are pulled instantly into reminiscence, making them invisible to conventional safety software program.
An infection Mechanism and Technical Execution
For Home windows customers, the assault chain guides victims via a number of redirection factors earlier than reaching a MEGA file internet hosting web page containing a password-protected ZIP archive.
Inside this archive sits the ACR stealer disguised as setup.exe. The malware not solely steals credentials and private information but additionally serves as a loader, putting in further threats akin to SharkClipper, a cryptocurrency clipboard hijacker.
Pretend Cloudflare safety test which prompts customers to run a ClickFix command (Supply – Intel471)
MacOS customers encounter a unique strategy that entails a pretend Cloudflare safety test web page. When customers try to repeat what seems to be a verification string, they really copy a Base64-encoded shell command.
As soon as decoded, this command executes:-
curl – s | nohup bash
This command silently downloads and runs the Odyssey stealer, which harvests passwords, cookies, cryptocurrency wallets, Apple Notes, Keychain entries, and system information, then compresses the whole lot into out.zip for exfiltration.
Comply with us on Google Information, LinkedIn, and X to Get Extra Instantaneous Updates, Set CSN as a Most popular Supply in Google.
