ClickFix Campaigns Targeting Windows and macOS
Insikt Group identified five distinct clusters using the ClickFix social engineering technique for initial access. These clusters impersonate various services like Intuit QuickBooks and Booking.com, demonstrating operational variance but similar core techniques. ClickFix manipulates victims into executing malicious commands within native system tools, bypassing traditional security controls. The methodology has become a standardized template for cybercriminals and APT groups. Campaigns target diverse sectors and use sophisticated obfuscation and living-off-the-land tactics. Defenders are advised to implement aggressive behavioral hardening and user awareness training to mitigate these threats.
AI Analysis (machine-generated threat intelligence)
Technical Summary
The ClickFix campaigns represent a sophisticated social engineering threat targeting both Windows and macOS environments. Identified by Insikt Group and reported by AlienVault, these campaigns consist of five distinct clusters that impersonate trusted services such as Intuit QuickBooks and Booking.com to lure victims into executing malicious commands. The core technique involves manipulating users to run commands within native system tools (living-off-the-land tactics), which allows attackers to bypass traditional endpoint security solutions that rely on detecting malicious binaries or suspicious processes. The campaigns employ advanced obfuscation methods to evade detection and use a variety of malware families, including Vidar, Lumma Stealer, Odyssey Stealer, Redline Stealer, and NetSupport RAT, to establish persistence, steal credentials, and maintain remote access. The use of native tools and social engineering reduces the need for exploits or zero-days, relying instead on user interaction and deception. The campaigns have been observed across diverse sectors, indicating broad targeting and operational flexibility. The methodology has become a standardized template for both cybercriminals and advanced persistent threat (APT) groups, highlighting its effectiveness and adaptability. Defenders are advised to implement aggressive behavioral monitoring, restrict execution of potentially dangerous native tools where possible, and enhance user training to recognize and resist social engineering attempts. Although no known exploits in the wild have been reported, the threat remains significant due to its stealth and potential impact.
Potential Impact
The ClickFix campaigns pose a medium to high risk to organizations globally because they bypass traditional security controls by combining social engineering with native system tools. Successful attacks can lead to credential theft, unauthorized remote access, data exfiltration, and potential lateral movement within networks. The use of multiple stealer families and RATs increases the risk of persistent compromise and espionage. Organizations in sectors with high-value data or financial transactions are particularly at risk. Because the campaigns depend on user interaction, phishing-resistant environments and strong user awareness can reduce impact, but the sophisticated obfuscation and living-off-the-land tactics complicate detection and response. The threat affects both Windows and macOS platforms, broadening the attack surface. If left unmitigated, these campaigns can result in significant operational disruption, financial loss, and reputational damage.
Mitigation Recommendations
1. Implement strict application control policies to limit execution of native system tools (e.g., PowerShell, cmd, AppleScript) to only trusted administrators or processes.
2. Deploy behavioral analytics and endpoint detection and response (EDR) solutions capable of identifying anomalous command execution patterns indicative of living-off-the-land attacks.
3. Conduct targeted user awareness training focused on recognizing social engineering tactics, especially impersonation of trusted services like QuickBooks and Booking.com.
4. Enforce multi-factor authentication (MFA) across all critical systems to reduce the impact of credential theft.
5. Regularly audit and restrict permissions to minimize the ability of users to execute unauthorized commands.
6. Monitor network traffic for unusual outbound connections related to known malware families such as Vidar, Redline, and NetSupport RAT.
7. Maintain up-to-date threat intelligence feeds and integrate them into security operations to detect emerging indicators related to ClickFix campaigns.
8. Employ email filtering and anti-phishing technologies to reduce the likelihood of initial social engineering success.
9. Establish incident response playbooks specifically addressing living-off-the-land and social engineering attack scenarios.
10. For macOS environments, apply similar restrictions and monitoring on AppleScript and other native automation tools.
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, Netherlands, Japan, South Korea, Singapore
Indicators of Compromise
- ip: 94.156.112.115
- hash: 4b261a6adf6e0c952b5fb837091ff023
- hash: 58712aacf6b0f8149c066bda3a034fc3
- hash: 95c6515d88e9ea48a9b949a81c1dac4e
- hash: 29c46d28aeb174415c2957b5ba62a4512334f886
- hash: c93eeb4241f69fea44c4d8ccdde03f3b40a6be3f
- hash: cf2da87d52a6b08a3b9502b1f6082b8b76ba4d32
- hash: 397dcea810f733494dbe307c91286d08f87f64aebbee787706fe6561ed3e20f8
- hash: 43907e54cf3d1258f695d1112759b5457576481072cc76a679b8477cfeb3db87
- hash: 5d821db386c7c879caeabf3e9f94c94a48eec6ec5a3a0efbae9d69da3f52c1db
- hash: b17c3e4058aacdcc36b18858d128d6b3058e0ea607a4dc59eb95b18b7c6acc7c
- hash: c0af6e9d848ada3839811bf33eeb982e6c207e4c40010418e0185283cd5cff50
- ip: 152.89.244.70
- ip: 193.222.99.212
- ip: 193.35.17.12
- ip: 193.58.122.97
- ip: 45.144.233.192
- ip: 45.93.20.141
- ip: 45.93.20.50
- ip: 62.164.177.230
- ip: 77.91.65.144
- ip: 77.91.65.31
- ip: 91.202.233.206
- url: http://alababababa.cloud/cVGvQio6.txt.
- domain: 4freepics.com
- domain: acconthelpdesk.com
- domain: account-help.info
- domain: account-helpdesk.icu
- domain: account-helpdesk.info
- domain: account-helpdesk.top
- domain: accountmime.com
- domain: accountpulse.help
- domain: acebirdrep.com
- domain: admin-activitycheck.com
- domain: alababababa.cloud
- domain: anthonydee.com
- domain: appmacintosh.com
- domain: appmacosx.com
- domain: apposx.com
- domain: appsmacosx.com
- domain: appxmacos.com
- domain: ariciversontile.com
- domain: bancatangcode.com
- domain: bebirdrank.com
- domain: billiardinstitute.com
- domain: birdrankbox.com
- domain: birdrankfx.com
- domain: birdrankgo.com
- domain: birdrankinc.com
- domain: birdrankllc.com
- domain: birdrankmax.com
- domain: birdranktip.com
- domain: birdrankup.com
- domain: birdrankus.com
- domain: birdrankusa.com
- domain: birdrankvip.com
- domain: birdrankzen.com
- domain: birdrepbiz.com
- domain: birdrepgo.com
- domain: birdrephelp.com
- domain: birdreplab.com
- domain: birdrepsys.com
- domain: birdrepusa.com
- domain: birdrepuse.com
- domain: bitbirdrank.com
- domain: bitbirdrep.com
- domain: bkng-updt.com
- domain: checkaccountactivity.com
- domain: checkhelpdesk.com
- domain: checkpulse.com
- domain: checkpulses.com
- domain: chrm-srv.com
- domain: cryptoinfnews.com
- domain: cryptoinfo-allnews.com
- domain: cryptoinfo-news.com
- domain: cryptonews-info.com
- domain: customblindinstall.com
- domain: deinhealthcoach.com
- domain: elive123go.com
- domain: elive777a.com
- domain: extracareliving.com
- domain: financementure.com
- domain: fixbirdrank.com
- domain: fomomforhealth.com
- domain: getbirdrank.com
- domain: gobirdrank.com
- domain: gologpoint.com
- domain: guypinions.com
- domain: helpbirdrank.com
- domain: helpbirdrep.com
- domain: helpdeskpulse.com
- domain: hotelupdatesys.com
- domain: infobirdrep.com
- domain: joeyapple.com
- domain: justbirdrank.com
- domain: mac-os-helper.com
- domain: macapp-apple.com
- domain: macapps-apple.com
- domain: macintosh-hub.com
- domain: macos-storageperf.com
- domain: macosapp-apple.com
- domain: macosx-app.com
- domain: macosx-apps.com
- domain: macosxapp.com
- domain: macosxappstore.com
- domain: macxapp.com
- domain: macxapp.org
- domain: mrinmay.net
- domain: ms-scedg.com
- domain: mybirdrank.com
- domain: nhacaired88.com
- domain: nobovcs.com
- domain: nowbirdrank.com
- domain: octopox.com
- domain: optbirdrank.com
- domain: orkneygateway.com
- domain: probirdrep.com
- domain: pulse-help-desk.com
- domain: quiptly.com
- domain: shopifyservercloud.com
- domain: sign-in-op-token.com
- domain: subsgod.com
- domain: surecomforts.com
- domain: theinvestworthy.com
- domain: thepulseactivity.com
- domain: thestayreserve.com
- domain: topbirdrank.com
- domain: topbirdrep.com
- domain: traderslinkfx.com
- domain: usbirdrank.com
- domain: usebirdrep.com
- domain: ustazazharidrus.com
- domain: valetfortesla.com
- domain: vipbirdrank.com
- domain: visitbundala.com
- domain: yvngvualr.com
- domain: apple.assistance-tools.com
- domain: apple.diagnostic.wiki
- domain: grandmastertraders.traderslinkfx.com
- domain: hostmaster.extracareliving.com
- domain: ned.coveney-ltd.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.recordedfuture.com/research/clickfix-campaigns-targeting-windows-and-macos
- Adversary: null
- Pulse Id: 69c458219c8e6f0a874e9161
- Threat Score: null
Threat ID: 69c45b4af4197a8e3b8530f1
Added to database: 3/25/2026, 10:01:46 PM
Last enriched: 3/25/2026, 10:16:22 PM
Last updated: 3/26/2026, 6:43:44 AM