The ClickFix campaign represents a sophisticated use of social engineering to deploy malware across both Windows and macOS platforms. By leveraging fake Google Meet error messages, attackers entice users to download files or execute PowerShell commands under the guise of troubleshooting a “connection issue.”
This cross-platform malware campaign has become a significant threat, as it targets a wide range of systems and employs tactics that effectively bypass many traditional security measures.
ClickFix Campaign Overview and Tactics
The ClickFix campaign exploits users’ trust in Google Meet by presenting error messages that prompt them to take immediate action. Upon clicking, victims are directed to download files containing information-stealing malware, such as Lumma Stealer and DarkGate.
The attackers utilize PowerShell commands to evade detection, manipulating users into unknowingly installing malicious software that accesses sensitive information, including login credentials, browser data, and cryptocurrency wallets.
This campaign underscores the risks of browser-based attacks that prey on user trust and familiarity with legitimate platforms.
Visit the Campaigns section under SOCRadar LABS to explore insights into the ClickFix campaign and its associated threats, and learn how SOCRadar’s XTI platform can enhance your proactive security strategies.
Mitigation Measures
Combating campaigns such as ClickFix requires a layered security approach, focusing on restricting malicious scripts, monitoring endpoints, and ensuring user awareness. Below are the known techniques used in the campaign and recommended mitigation strategies:
| ID | Technique | Recommended Mitigation |
| --- | --- | --- |
| T1059.001 | Command and Scripting Interpreter: PowerShell | Enforce PowerShell execution policies to allow only signed scripts. Use antivirus solutions to quarantine suspicious files automatically. |
| T1036 | Masquerading | Require signed binaries and employ application controls to restrict program execution based on attributes beyond file names. |
| T1566.002 | Spear Phishing Link | Restrict access to web-based content and filter unknown websites that could serve as phishing entry points. |
| T1021 | Restrict Web-Based Content | Enable content filtering and browser extensions to prevent access to known malicious domains and reduce the risk of spear-phishing. |
| T1204 | User Execution | Train users to recognize and avoid phishing techniques. This includes awareness around unusual prompts and fake error messages. |
Remediation Steps
To mitigate the impact of ClickFix infections, organizations should monitor critical system components and apply security measures to block the spread of malware. Key remediation steps are outlined below.
| ID | Data Source | Data Component | Detection and Remediation Method |
| --- | --- | --- | --- |
| DS0017 | Command | Command Execution | Monitor command-line activity to detect unusual PowerShell scripts or unauthorized script executions. |
| DS0029 | Network Traffic | Network Connection Creation | Analyze network connections for links to suspicious domains, monitoring encrypted traffic and IPs linked to C2 communications. |
| DS0009 | Process | Process Creation | Watch for abnormal processes originating from browsers or productivity applications, indicating possible malware infections. |
| DS0022 | File | File Creation | Track suspicious file creations in temporary folders, which may contain files linked to ClickFix or other malware components. |
| DS0015 | Application Log | Application Log Content | Review logs for spear-phishing messages containing malicious links, monitoring browser behaviors for signs of phishing links. |
Indicators of Compromise (IoCs)
The following IoCs are associated with the ClickFix campaign. Adding these to threat intelligence systems will improve detection capabilities:
| Category | Indicator | Description |
| --- | --- | --- |
| Hashes | 2853a61188b4446be57543858adcc704e8534326d4d84ac44a60743b1a44cbfe | Known malicious payload hash linked to ClickFix. |
| | 92a8cc4e385f170db300de8d423686eeeec72a32475a9356d967bee9e3453138 | Malware payload hash used for Windows infections. |
| | 94379fa0a97cc2ecd8d5514d0b46c65b0d46ff9bb8d5a4a29cf55a473da550d5 | Associated with macOS variants in ClickFix attacks. |
| URLs | https://otx.alienvault.com/pulse/671198a25d86c13e87b56ad9 | Malicious URL distributing ClickFix malware payload. |
| IP Addresses | severdops.ddns.net:8120 | Command and control server used in the campaign. |
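The detection rows in the Remediation Steps table (DS0017 command execution, DS0029 network connections, DS0009 process creation, DS0022 file creation) and the IoC table above become concrete when run as a triage routine over endpoint telemetry. The Python below is an added example written for this page, not SOCRadar code or tooling. It assumes a simplified JSON-like event shape (`process_create`, `file_create`, `network_connect`) rather than any vendor's real schema, takes its hash and C2 values from the IoC table on this page, uses constructed sample telemetry in which the encoded PowerShell command is a harmless `Write-Host`, and treats the browser and script-host process names as assumptions to be tuned to the environment.

```python
"""Triage constructed endpoint telemetry against the ClickFix detection rows
(DS0017, DS0029, DS0009, DS0022) and the IoC table on this page.
Added illustration; the event dict shape is an assumed, simplified
Sysmon-like layout, not a real vendor schema."""
import base64
import re

# IoC values copied from the page's IoC table.
IOC_SHA256 = {
    "2853a61188b4446be57543858adcc704e8534326d4d84ac44a60743b1a44cbfe",
    "92a8cc4e385f170db300de8d423686eeeec72a32475a9356d967bee9e3453138",
    "94379fa0a97cc2ecd8d5514d0b46c65b0d46ff9bb8d5a4a29cf55a473da550d5",
}
IOC_C2 = {"severdops.ddns.net:8120"}

# Assumed process names; extend to match the fleet's browser and script-host inventory.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
EXEC_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".js", ".hta", ".msi")
TEMP_DIR = re.compile(r"[\\/](?:temp|tmp)[\\/]", re.IGNORECASE)
# Flags that ClickFix-style one-liners use to run quietly (hidden window, no profile, policy bypass).
SUSPICIOUS_FLAGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|noni(?:nteractive)?|ep\s+bypass|executionpolicy\s+bypass)",
    re.IGNORECASE,
)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; the argument is base64 of UTF-16LE.
ENCODED_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if there is none or it is malformed."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Apply the page's detection rows to a list of event dicts; return (severity, rule, detail) tuples."""
    alerts = []
    for ev in events:
        kind = ev.get("event")
        if kind == "process_create":
            image = ev.get("image", "").lower()
            parent = ev.get("parent", "").lower()
            cmd = ev.get("cmdline", "")
            # DS0009: a script host launched directly by a browser
            if parent in BROWSERS and image in SCRIPT_HOSTS:
                alerts.append(("high", "browser_spawned_script_host", f"{parent} -> {image}"))
            # DS0017: PowerShell with an encoded command, or started hidden / without profile / with policy bypass
            if image in {"powershell.exe", "pwsh.exe"}:
                decoded = decode_encoded_command(cmd)
                if decoded is not None:
                    alerts.append(("high", "encoded_powershell", decoded))
                elif SUSPICIOUS_FLAGS.search(cmd):
                    alerts.append(("medium", "suspicious_powershell_flags", cmd))
        elif kind == "file_create":
            path = ev.get("path", "")
            sha = ev.get("sha256", "").lower()
            # IoC table: a known payload hash takes precedence over the generic temp-folder rule
            if sha in IOC_SHA256:
                alerts.append(("critical", "ioc_hash_match", sha))
            # DS0022: an executable written into a temporary folder
            elif TEMP_DIR.search(path) and path.lower().endswith(EXEC_EXT):
                alerts.append(("medium", "exec_in_temp", path))
        elif kind == "network_connect":
            # DS0029: a connection to the listed command-and-control endpoint
            dest = ev.get("dest", "").lower()
            if dest in IOC_C2:
                alerts.append(("critical", "ioc_c2_match", dest))
    return alerts


# Constructed sample telemetry. The encoded payload is a harmless Write-Host,
# built here so the sample stays self-contained and obviously benign.
SAMPLE_ENCODED = base64.b64encode("Write-Host 'hello'".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"event": "process_create", "parent": "chrome.exe", "image": "powershell.exe",
     "cmdline": f"powershell.exe -w hidden -ep bypass -enc {SAMPLE_ENCODED}"},
    {"event": "process_create", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"event": "file_create", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "sha256": "2853a61188b4446be57543858adcc704e8534326d4d84ac44a60743b1a44cbfe"},
    {"event": "file_create", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage.dll",
     "sha256": "0" * 64},
    {"event": "network_connect", "image": "update.exe", "dest": "severdops.ddns.net:8120"},
    {"event": "network_connect", "image": "msedge.exe", "dest": "meet.google.com:443"},
]

if __name__ == "__main__":
    for severity, rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {detail}")
```

Run the file directly to see the five alerts the constructed sample produces; in practice the events come from Sysmon or the EDR export, and the IoC sets belong in a separately managed feed rather than in the script. The benign `explorer.exe -> powershell.exe -File` event and the `meet.google.com` connection produce nothing, which is the point of keying the process rule on the browser parent and the network rule on the listed endpoint rather than on PowerShell or DDNS use alone.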
Conclusion
The ClickFix campaign showcases the evolving tactics of cybercriminals in using trusted platforms to propagate malware. By exploiting fake error messages, ClickFix successfully compromises users on both Windows and macOS. Addressing these threats demands a combination of user awareness and robust endpoint protection.
To help organizations defend against such sophisticated attacks, SOCRadar’s Extended Threat Intelligence (XTI) platform offers real-time monitoring and actionable insights. For a complete view of similar campaigns, visit the Campaigns section under SOCRadar LABS and stay ahead of emerging threats with comprehensive threat intelligence.