ClickFix
-
Ghost CMS flaw exploited in large-scale ClickFix campaign
A campaign is using a critical Ghost CMS SQL injection flaw to inject malicious JavaScript and drive ClickFix attacks, with researchers saying more than 700 domains were affected.
-
Australia warns of ClickFix attacks spreading Vidar Stealer malware
Australia’s cyber security agency warned of a ClickFix campaign using compromised WordPress sites to push Vidar Stealer. The advisory recommends restricting PowerShell, using allow-listing and updating WordPress plugins and themes.
-
Atomic Stealer campaign abuses macOS Script Editor in ClickFix variation
A new macOS malware campaign is using Script Editor in a ClickFix-style attack to deliver Atomic Stealer, avoiding Terminal prompts and relying on fake Apple-themed pages that push users to run malicious code.
-
DeepLoad malware uses ClickFix lure and WMI to spread and steal credentials
A new DeepLoad malware campaign is using ClickFix lures, Windows tools and WMI to steal credentials, hide activity and reinfect cleaned hosts, according to a technical analysis from ReliaQuest.
-
Apple adds macOS Terminal warning to block ClickFix attacks
Apple has added a macOS Tahoe 26.4 warning in Terminal that pauses risky pasted commands and alerts users to possible ClickFix attacks. The feature is aimed at stopping social engineering lures that trick people into running harmful instructions.
-
LeakNet adopts ClickFix via compromised websites and runs Deno in memory
ReliaQuest’s technical report says LeakNet now uses ClickFix fake CAPTCHA pages on compromised sites to trick users and a Deno-based in-memory loader. Post-compromise steps include DLL side-loading, PsExec lateral movement and S3 exfiltration.
-
ClickFix campaigns used search ads and ChatGPT lures to deliver MacSync macOS stealer
Sophos found three ClickFix campaigns that tricked users into pasting Terminal commands to install MacSync, a macOS infostealer that steals credentials, keychain data and wallet seed phrases. Campaigns ran from November 2025 to February 2026.
-
ClickFix campaign uses compromised sites to deliver new MIMICRAT remote access trojan
A ClickFix campaign abused compromised legitimate sites to install MIMICRAT, a previously undocumented C++ remote access trojan. The multi-stage PowerShell chain drops a Lua loader and the RAT supports 22 commands.
-
Fake NexShield extension crashes Chrome and Edge to push ModeloRAT
A Huntress technical analysis found that a fake ad blocker called NexShield crashed Chrome and Edge to push malicious commands and install ModeloRAT in corporate environments. Full system cleanup is advised for affected machines.
-
MacSync Stealer shifts to signed Swift dropper, removing need for terminal commands
MacSync Stealer operators now distribute a code-signed, notarized Swift dropper inside a disk image, removing the need for terminal interaction. The change has enabled rapid infections of macOS systems since mid-2025.
