{ "name": "Think before you Click(Fix): Analyzing the ClickFix social engineering technique", "slug": "think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique", "description": "The ClickFix social engineering technique has gained popularity among threat actors, targeting thousands of devices globally. It tricks users into executing malicious commands on their devices by exploiting their tendency to solve minor technical issues. The technique often impersonates legitimate brands and combines with delivery vectors like phishing and malvertising. ClickFix campaigns typically lead users to a visual lure, such as a landing page, instructing them to run commands in the Windows Run dialog. This user interaction element helps bypass conventional security solutions. Various malware, including infostealers and remote access tools, are delivered through ClickFix attacks. The technique has evolved to target macOS users and is being sold as part of malware kits on hacker forums.", "published": "2025-08-21T19:03:25+00:00", "created_at": "2025-08-21T19:03:25+00:00", "modified_at": "2025-08-21T19:46:06+00:00", "created_at_opencti": "2025-08-21T19:03:25+00:00", "author": "", "confidence": null, "report_types": [], "labels": [], "tags": [ "2025-08-21", "atomic macos stealer (amos)", "darkgate", "infostealer", "lampion", "latrodectus", "lumma stealer", "macos", "malvertising", "mintsloader", "obfuscation", "phishing", "remote access tool", "screenconnect", "social engineering", "windows run dialog" ], "related_entities": { "observables": [ { "id": "", "name": "185.234.72.186" }, { "id": "", "name": "83.242.96.159" }, { "id": "", "name": "http://guildmerger.co/verify/eminem" }, { "id": "", "name": "http://applemacios.com/vv/update" }, { "id": "", "name": "http://applemacios.com/vv/install.sh" }, { "id": "", "name": "f77c924244765351609777434e0e51603e7b84c5a13eef7d5ec730823fc5ebab" }, { "id": "", "name": "d9ffe7d433d715a2bf9a31168656e965b893535ab2e2d9cab81d99f0ce0d10c9" }, { "id": "", "name": "8fb329ae6b590c545c242f0bef98191965f7afed42352a0c84ca3ccc63f68629" }, { "id": "", "name": "592ef7705b9b91e37653f9d376b5492b08b2e033888ed54a0fd08ab043114718" }, { "id": "", "name": "061d378ffed42913d537da177de5321c67178e27e26fca9337e472384d2798c8" } ], "malware": [ { "id": "legacy:malware:b2c2542f8227d1ee", "name": "Lampion", "slug": "lampion" }, { "id": "legacy:malware:ecba00e78c561b7f", "name": "Atomic macOS Stealer (AMOS)", "slug": "atomic-macos-stealer-amos" }, { "id": "038e063c-cead-4de8-902e-d6fabcd78a08", "name": "MintsLoader", "slug": "mintsloader" }, { "id": "d908f85b-23ab-437b-8806-bdda8a362b72", "name": "Latrodectus", "slug": "latrodectus" }, { "id": "legacy:malware:1e181522bb980dc7", "name": "ScreenConnect", "slug": "screenconnect" }, { "id": "0051da15-675b-4665-a6d1-872f64cf47ea", "name": "Lumma Stealer", "slug": "lumma-stealer" }, { "id": "legacy:malware:05cd583aadd9b90a", "name": "DarkGate", "slug": "darkgate" } ], "others": [ { "id": "", "name": "Luxembourg" }, { "id": "", "name": "Hungary" }, { "id": "", "name": "Portugal" }, { "id": "", "name": "Switzerland" }, { "id": "", "name": "Spain" }, { "id": "", "name": "Canada" }, { "id": "", "name": "France" }, { "id": "", "name": "Germany" }, { "id": "", "name": "Mexico" }, { "id": "", "name": "Brazil" }, { "id": "", "name": "United States of America" }, { "id": "", "name": "Transportation" }, { "id": "", "name": "Education" }, { "id": "", "name": "Finance" }, { "id": "", "name": "Government" } ] }, "external_refs": [] }