{
  "name": "ClickFix Campaigns Targeting Windows and macOS",
  "slug": "clickfix-campaigns-targeting-windows-and-macos",
  "description": "Insikt Group identified five distinct clusters that use the ClickFix social engineering technique for initial access. The clusters impersonate services such as Intuit QuickBooks and Booking.com; they vary operationally but share similar core techniques. ClickFix manipulates victims into executing malicious commands themselves within native system tools, which bypasses traditional security controls. The methodology has become a standardized template for cybercriminals and APT groups. The campaigns target diverse sectors and use sophisticated obfuscation and living-off-the-land tactics. Defenders are advised to implement aggressive behavioral hardening and user awareness training to mitigate these threats.",
  "published": "2026-03-25T20:48:17+00:00",
  "created_at": "2026-03-25T20:48:17+00:00",
  "modified_at": "2026-03-26T23:09:30+00:00",
  "created_at_opencti": "2026-03-25T20:48:17+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-03-25",
    "clickfix",
    "initial access",
    "living-off-the-land",
    "lumma stealer",
    "lummastealer",
    "macos",
    "macsync",
    "netsupport rat",
    "obfuscation",
    "odyssey stealer",
    "redline stealer",
    "social engineering",
    "vidar",
    "windows"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "193.35.17.12"
      },
      {
        "id": "",
        "name": "91.202.233.206"
      },
      {
        "id": "",
        "name": "45.144.233.192"
      },
      {
        "id": "",
        "name": "62.164.177.230"
      },
      {
        "id": "",
        "name": "45.93.20.50"
      },
      {
        "id": "",
        "name": "193.58.122.97"
      },
      {
        "id": "",
        "name": "77.91.65.144"
      },
      {
        "id": "",
        "name": "152.89.244.70"
      },
      {
        "id": "",
        "name": "94.156.112.115"
      },
      {
        "id": "",
        "name": "77.91.65.31"
      },
      {
        "id": "",
        "name": "193.222.99.212"
      },
      {
        "id": "",
        "name": "45.93.20.141"
      },
      {
        "id": "",
        "name": "http://alababababa.cloud/cVGvQio6.txt."
      },
      {
        "id": "",
        "name": "c0af6e9d848ada3839811bf33eeb982e6c207e4c40010418e0185283cd5cff50"
      },
      {
        "id": "",
        "name": "43907e54cf3d1258f695d1112759b5457576481072cc76a679b8477cfeb3db87"
      },
      {
        "id": "",
        "name": "397dcea810f733494dbe307c91286d08f87f64aebbee787706fe6561ed3e20f8"
      },
      {
        "id": "",
        "name": "b17c3e4058aacdcc36b18858d128d6b3058e0ea607a4dc59eb95b18b7c6acc7c"
      },
      {
        "id": "",
        "name": "5d821db386c7c879caeabf3e9f94c94a48eec6ec5a3a0efbae9d69da3f52c1db"
      }
    ],
    "attack_patterns": [
      {
        "id": "16e4fc82-7c0b-4d1a-b784-b804b4df26dc",
        "name": "T1204.001"
      },
      {
        "id": "926a888c-190c-4efb-ab6b-f9d7e6a0fc54",
        "name": "T1547"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "5575e4ab-4900-402d-ae65-0469fc55a179",
        "name": "T1547.009"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "2e0c6db7-16a7-4bf6-992e-263474014fce",
        "name": "T1059.004"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "52b92395-d3d3-4e05-976a-0fccccfce8d2",
        "name": "T1566.002"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "a7262c61-4567-4a00-8cec-aae6264234a9",
        "name": "T1218"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Accounting"
      },
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Real Estate"
      },
      {
        "id": "",
        "name": "Travel"
      },
      {
        "id": "",
        "name": "Government"
      },
      {
        "id": "",
        "name": "anthonydee.com"
      },
      {
        "id": "",
        "name": "admin-activitycheck.com"
      },
      {
        "id": "",
        "name": "appsmacosx.com"
      },
      {
        "id": "",
        "name": "cryptoinfo-news.com"
      },
      {
        "id": "",
        "name": "checkhelpdesk.com"
      },
      {
        "id": "",
        "name": "fomomforhealth.com"
      },
      {
        "id": "",
        "name": "bancatangcode.com"
      },
      {
        "id": "",
        "name": "gobirdrank.com"
      },
      {
        "id": "",
        "name": "appxmacos.com"
      },
      {
        "id": "",
        "name": "billiardinstitute.com"
      },
      {
        "id": "",
        "name": "traderslinkfx.com"
      },
      {
        "id": "",
        "name": "guypinions.com"
      },
      {
        "id": "",
        "name": "birdrankusa.com"
      },
      {
        "id": "",
        "name": "checkaccountactivity.com"
      },
      {
        "id": "",
        "name": "helpbirdrep.com"
      },
      {
        "id": "",
        "name": "financementure.com"
      },
      {
        "id": "",
        "name": "getbirdrank.com"
      },
      {
        "id": "",
        "name": "bkng-updt.com"
      },
      {
        "id": "",
        "name": "account-help.info"
      },
      {
        "id": "",
        "name": "bitbirdrank.com"
      },
      {
        "id": "",
        "name": "birdrankus.com"
      },
      {
        "id": "",
        "name": "birdrankinc.com"
      },
      {
        "id": "",
        "name": "orkneygateway.com"
      },
      {
        "id": "",
        "name": "quiptly.com"
      },
      {
        "id": "",
        "name": "accountpulse.help"
      },
      {
        "id": "",
        "name": "birdrankfx.com"
      },
      {
        "id": "",
        "name": "elive123go.com"
      },
      {
        "id": "",
        "name": "birdrankvip.com"
      },
      {
        "id": "",
        "name": "account-helpdesk.icu"
      },
      {
        "id": "",
        "name": "acconthelpdesk.com"
      },
      {
        "id": "",
        "name": "account-helpdesk.info"
      },
      {
        "id": "",
        "name": "birdrepusa.com"
      },
      {
        "id": "",
        "name": "probirdrep.com"
      },
      {
        "id": "",
        "name": "ned.coveney-ltd.com"
      },
      {
        "id": "",
        "name": "joeyapple.com"
      },
      {
        "id": "",
        "name": "macosx-apps.com"
      },
      {
        "id": "",
        "name": "macosxapp.com"
      },
      {
        "id": "",
        "name": "justbirdrank.com"
      },
      {
        "id": "",
        "name": "macosxappstore.com"
      },
      {
        "id": "",
        "name": "nowbirdrank.com"
      },
      {
        "id": "",
        "name": "apple.assistance-tools.com"
      },
      {
        "id": "",
        "name": "birdrepuse.com"
      },
      {
        "id": "",
        "name": "birdrankbox.com"
      },
      {
        "id": "",
        "name": "mac-os-helper.com"
      },
      {
        "id": "",
        "name": "surecomforts.com"
      },
      {
        "id": "",
        "name": "macapps-apple.com"
      },
      {
        "id": "",
        "name": "macosx-app.com"
      },
      {
        "id": "",
        "name": "subsgod.com"
      },
      {
        "id": "",
        "name": "mybirdrank.com"
      },
      {
        "id": "",
        "name": "birdreplab.com"
      },
      {
        "id": "",
        "name": "elive777a.com"
      },
      {
        "id": "",
        "name": "birdrankup.com"
      },
      {
        "id": "",
        "name": "valetfortesla.com"
      },
      {
        "id": "",
        "name": "appmacosx.com"
      },
      {
        "id": "",
        "name": "vipbirdrank.com"
      },
      {
        "id": "",
        "name": "hostmaster.extracareliving.com"
      },
      {
        "id": "",
        "name": "sign-in-op-token.com"
      },
      {
        "id": "",
        "name": "fixbirdrank.com"
      },
      {
        "id": "",
        "name": "gologpoint.com"
      },
      {
        "id": "",
        "name": "helpbirdrank.com"
      },
      {
        "id": "",
        "name": "topbirdrank.com"
      },
      {
        "id": "",
        "name": "checkpulse.com"
      },
      {
        "id": "",
        "name": "apple.diagnostic.wiki"
      },
      {
        "id": "",
        "name": "nhacaired88.com"
      },
      {
        "id": "",
        "name": "thepulseactivity.com"
      },
      {
        "id": "",
        "name": "deinhealthcoach.com"
      },
      {
        "id": "",
        "name": "birdrankzen.com"
      },
      {
        "id": "",
        "name": "birdrepbiz.com"
      },
      {
        "id": "",
        "name": "bitbirdrep.com"
      },
      {
        "id": "",
        "name": "usbirdrank.com"
      },
      {
        "id": "",
        "name": "macxapp.com"
      },
      {
        "id": "",
        "name": "alababababa.cloud"
      },
      {
        "id": "",
        "name": "appmacintosh.com"
      },
      {
        "id": "",
        "name": "birdrepgo.com"
      },
      {
        "id": "",
        "name": "ustazazharidrus.com"
      },
      {
        "id": "",
        "name": "visitbundala.com"
      },
      {
        "id": "",
        "name": "checkpulses.com"
      },
      {
        "id": "",
        "name": "birdrepsys.com"
      },
      {
        "id": "",
        "name": "macintosh-hub.com"
      },
      {
        "id": "",
        "name": "macapp-apple.com"
      },
      {
        "id": "",
        "name": "birdrankllc.com"
      },
      {
        "id": "",
        "name": "bebirdrank.com"
      },
      {
        "id": "",
        "name": "macxapp.org"
      },
      {
        "id": "",
        "name": "octopox.com"
      },
      {
        "id": "",
        "name": "thestayreserve.com"
      },
      {
        "id": "",
        "name": "account-helpdesk.top"
      },
      {
        "id": "",
        "name": "pulse-help-desk.com"
      },
      {
        "id": "",
        "name": "nobovcs.com"
      },
      {
        "id": "",
        "name": "4freepics.com"
      },
      {
        "id": "",
        "name": "grandmastertraders.traderslinkfx.com"
      },
      {
        "id": "",
        "name": "helpdeskpulse.com"
      },
      {
        "id": "",
        "name": "topbirdrep.com"
      },
      {
        "id": "",
        "name": "accountmime.com"
      },
      {
        "id": "",
        "name": "acebirdrep.com"
      },
      {
        "id": "",
        "name": "yvngvualr.com"
      },
      {
        "id": "",
        "name": "optbirdrank.com"
      },
      {
        "id": "",
        "name": "macos-storageperf.com"
      },
      {
        "id": "",
        "name": "ms-scedg.com"
      },
      {
        "id": "",
        "name": "chrm-srv.com"
      },
      {
        "id": "",
        "name": "macosapp-apple.com"
      },
      {
        "id": "",
        "name": "infobirdrep.com"
      },
      {
        "id": "",
        "name": "theinvestworthy.com"
      },
      {
        "id": "",
        "name": "ariciversontile.com"
      },
      {
        "id": "",
        "name": "cryptonews-info.com"
      },
      {
        "id": "",
        "name": "usebirdrep.com"
      },
      {
        "id": "",
        "name": "shopifyservercloud.com"
      },
      {
        "id": "",
        "name": "birdranktip.com"
      },
      {
        "id": "",
        "name": "birdrankgo.com"
      },
      {
        "id": "",
        "name": "hotelupdatesys.com"
      },
      {
        "id": "",
        "name": "mrinmay.net"
      },
      {
        "id": "",
        "name": "extracareliving.com"
      },
      {
        "id": "",
        "name": "birdrephelp.com"
      },
      {
        "id": "",
        "name": "cryptoinfo-allnews.com"
      },
      {
        "id": "",
        "name": "apposx.com"
      },
      {
        "id": "",
        "name": "birdrankmax.com"
      },
      {
        "id": "",
        "name": "customblindinstall.com"
      },
      {
        "id": "",
        "name": "cryptoinfnews.com"
      }
    ]
  },
  "external_refs": [
    "https://www.recordedfuture.com/research/clickfix-campaigns-targeting-windows-and-macos",
    "https://otx.alienvault.com/pulse/69c458219c8e6f0a874e9161"
  ]
}