ClickFix: Emerging Favorite for Cybercriminals in Malware Delivery

New research highlights how ClickFix, a social engineering tactic, is dominating the malware delivery landscape across various systems.

ThreatVectr Newsdesk· 2 min read
A computer screen displaying a fake error message with a prompt to paste a command, in an office environment
Share

Key points

  • ClickFix was involved in nearly 28% of defense-evasion activity from March to May 2026.
  • Researchers first observed ClickFix attacks on macOS systems during this period.
  • Attackers shifted from using compromised websites to emailed links for delivering ClickFix.

ClickFix, a social engineering tactic first observed in 2024, has become the preferred method for cybercriminals to deliver malware. This technique tricks individuals into copying and pasting harmful commands into system dialogs such as Windows Terminal, bypassing traditional security measures. Recent research by ReliaQuest, covering March 1 to May 31, 2026, shows that ClickFix dominated both initial access and defense-evasion strategies.

Cybercriminals use ClickFix by displaying fake error messages or verification prompts like CAPTCHA requests, which contain malicious commands. This method circumvents traditional file scanning and email security measures, making it a potent tool for attackers.

Over the past two years, various versions of ClickFix have emerged, including "CrashFix," which crashes browsers and offers fake fixes, and versions that use artificial intelligence to optimize search engine results for malicious links.

How did the hackers get in?

In a notable shift, criminals began using emailed links instead of compromised websites to deliver ClickFix. This change potentially benefits defenders because emails pass through security gateways that can intercept them. However, attackers are still finding success with traditional tactics like fake CAPTCHA prompts on Windows and bogus software installation guides targeting macOS users.

ReliaQuest's analysis also revealed a rise in ClickFix attacks on macOS, with hackers using the Atomic macOS Stealer (AMOS). Instead of baiting victims with fake pirated software, they used applescript:// links that open the macOS Script Editor, bypassing new security warnings in macOS 26.4.

ClickFix attackers have also targeted developers through malvertising, which involves malicious advertising. They used fake developer tool ads that trick users into pasting harmful commands by presenting them as error fixes. This tactic has exposed sensitive data like npm and Bitbucket tokens.

To counter these attacks, ReliaQuest recommends training users to avoid pasting commands into system dialogs and simulating ClickFix lures to make employees aware of the threat. While restricting access to tools like Terminal might reduce risk, it can hinder workflow for developers, so logging and alerting on unusual behavior is advised.

ReliaQuest observed that ClickFix is evolving from a one-time delivery method to a modular attack platform, capable of domain enumeration and maintaining access without deploying malware. Organizations need to bolster their defenses on both Windows and macOS to combat these evolving threats.

© 2026 Threat Vectr