ClickFix Campaigns Targeting Windows and macOS: A Deep Technical Analysis

Technical Analysis

1. Root Cause & Threat Actor TTPs

ClickFix is not a traditional software vulnerability; it exploits the trust model of Windows’ command‑execution interfaces. The attackers rely on:

Human Trust – Users are presented with a fake security warning or CAPTCHA that appears legitimate.
Native Tool Abuse – The Run dialog (Win+R) or Windows Terminal (Win+X → I) are leveraged because they are built‑in, trusted, and often exempt from application control policies.
Obfuscated Commands – Hex‑encoded, XOR‑compressed scripts that evade static analysis and bypass simple string‑based detection.

The attack chain is a multi‑stage, file‑less process that uses legitimate binaries (PowerShell, cmd.exe, MSBuild.exe, 7‑Zip) as LOLBins to load and execute the payload in memory.

2. Step‑by‑Step Exploitation Chain

Stage	Action	Technical Detail	Tools Involved
1. Delivery	Victim receives phishing, malvertising, or drive‑by link.	Lure page displays a fake security warning or CAPTCHA.	Browser
2. User Interaction	Victim opens Run dialog (Win+R) or Windows Terminal (Win+X → I).	Prompt instructs user to copy a hex‑encoded command.	Win+R / wt.exe
3. Command Execution	User pastes command into Run/Terminal.	The command spawns additional Terminal/PowerShell instances.	PowerShell, cmd.exe
4. Decoding	PowerShell decodes XOR‑compressed script.	Script is executed in memory.	PowerShell
5. Payload Download	Decoded script downloads a ZIP payload and a renamed 7‑Zip binary.	Randomized filenames are written to disk.	7‑Zip (7z.exe)
6. Extraction	7‑Zip extracts ZIP contents, triggering a multi‑stage chain.	Extraction occurs in memory; no persistent files.	7‑Zip
7. Batch & VBS Deployment	Batch script written to `%AppData%\Local`, VBS to `%TEMP%`.	Batch executed with `/launched` argument.	cmd.exe
8. LOLBin Abuse	Batch is executed via MSBuild.exe, which runs arbitrary code.	MSBuild.exe is a legitimate build tool; its execution is rarely restricted.	MSBuild.exe
9. Credential Harvesting	Script connects to cryptocurrency RPC endpoints (etherhiding).	QueueUserAPC() injects code into `chrome.exe`/`msedge.exe`.	Win32 API
10. Exfiltration	Harvested credentials (Web Data, Login Data) are sent to attacker‑controlled infrastructure.	Data is encrypted and transmitted over HTTP/HTTPS to RPC endpoints.	Network

Example of a Hex‑Encoded, XOR‑Compressed Command (Illustrative)

# The real command is not disclosed in public sources.
# An illustrative placeholder demonstrates the structure.

$hex = "48656c6c6f2c20776f726c6421"   # "Hello, world!" in hex
$xorKey = 0xAA
$decoded = foreach ($b in ($hex -split ' '..'') { [char]($b -bxor $xorKey) }
$decoded

Note: The actual payload uses a longer, XOR‑compressed script that launches PowerShell, downloads the ZIP, and orchestrates the LOLBin chain.

3. Affected Versions & Configurations

Product	Affected Versions	Notes
Microsoft Windows	All supported versions (Windows 7 + Server 2008 + later)	No specific CVE; technique relies on built‑in tools.
Windows Terminal (wt.exe)	All released builds	Newest variants use this as the primary interaction vector.
7‑Zip (7z.exe)	All versions	Renamed binary is used to extract the ZIP payload.
Microsoft PowerShell	All versions	Decodes and executes the obfuscated script.
Windows Command Shell (cmd.exe)	All versions	Executes batch scripts with `/launched`.
MSBuild.exe	All versions	Used to run arbitrary code via LOLBin abuse.
macOS	Targeted in some campaigns	Similar social‑engineering lures, but execution chain differs.

No patch is required because the technique exploits legitimate binaries; mitigation relies on policy hardening and detection.

4. Attack Surface & Deployment Scenarios

Enterprise Environments: Users with administrative privileges or those who can run PowerShell/Terminal are prime targets.
Remote Desktop / RDP: Attackers can deliver lures via RDP session prompts.
Shared Workstations: Users may inadvertently execute the command if the Run dialog is enabled.
MacOS: While the primary chain uses Windows tools, macOS variants may use Terminal or AppleScript to achieve similar outcomes.

Impact Assessment

Scope & Scale

Global Reach: Campaigns observed in February and March 2026, targeting thousands of enterprise and end‑user devices daily.
High‑Value Targets: QuickBooks, Booking.com, Birdeye, and other brands were impersonated to lower user suspicion.
Credential Theft: The Lumma Stealer harvests browser artifacts (Web Data, Login Data), cryptocurrency wallet information, and session cookies.
Exfiltration: Data is sent to attacker‑controlled cryptocurrency RPC endpoints, obfuscating traffic.

Real‑World Consequences

Data Breaches: Compromise of login credentials can lead to lateral movement, ransomware deployment, or phishing amplification.
Reputational Damage: Brands impersonated in lures suffer trust erosion.
Financial Loss: Exfiltration of cryptocurrency wallets and credential theft can result in direct monetary theft.

Detection & Response

Log Signatures

Log Source	Indicator	Example
Windows Event Log – Process Creation	Creation of `wt.exe` with suspicious command line	`EventID=4688, NewProcessName=wt.exe, CommandLine="wt -d ..."`
PowerShell Module Logging	Decoding of XOR‑compressed script	`EventID=4104, ScriptBlockText=...`
MSBuild Execution	MSBuild.exe invoked with non‑standard arguments	`EventID=4688, NewProcessName=MSBuild.exe, CommandLine="/t:Build /p:Configuration=Release"`
Network	Outbound HTTPS to known cryptocurrency RPC endpoints	`DestinationIP=203.0.113.42, DestinationPort=443, URL=/api/submit`

YARA Rule Example

rule ClickFix_PowerShell_Decode
{
    meta:
        description = "Detects XOR‑compressed PowerShell decoding in ClickFix campaigns"
        author = "Karma‑X Threat Intelligence"
        reference = "https://www.recordedfuture.com/research/clickfix-campaigns-targeting-windows-and-macos"
    strings:
        $xorKey = { AA }
        $hexPattern = /[0-9a-fA-F]{4,}/
    condition:
        all of ($hexPattern) and $xorKey
}

Behavioral Detection

Unusual Terminal Usage: A non‑admin user launching wt.exe or cmd.exe.
In‑Memory Execution: Process creation without associated file on disk (e.g., PowerShell running a script block).
Cryptocurrency RPC Traffic: Encrypted HTTPS traffic to IPs/domains associated with known blockchain nodes.
MSBuild Abuse: Execution of MSBuild.exe outside of build environments.

Mitigation & Remediation

Priority	Action	Rationale
1	Disable Run dialog (Win+R) for non‑admin users via Group Policy (`User Configuration → Administrative Templates → System → Prevent access to the Run dialog`).	Removes primary vector.
2	Restrict Windows Terminal (`wt.exe`) via AppLocker or Software Restriction Policies.	Prevents execution of malicious commands.
3	Enforce Application Whitelisting for 7‑Zip, PowerShell, cmd.exe, MSBuild.exe.	Blocks renamed binaries and LOLBin abuse.
4	Deploy Microsoft Defender XDR with built‑in ClickFix signatures.	Detects multi‑stage chain.
5	Enable PowerShell Script Block Logging (`Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" -Name "EnableScriptBlockLogging" -Value 1`).	Captures decoded scripts.
6	Block outbound connections to known cryptocurrency RPC endpoints (e.g., via firewall or DNS filtering).	Stops exfiltration.
7	Conduct user education on fake security warnings, CAPTCHAs, and troubleshooting prompts.	Reduces social‑engineering success.
8	Monitor `%AppData%\Local` and `%TEMP%` for batch or VBS files with `/launched` flag.	Early detection of stage 7.

Timeline

2025‑08‑21 – Microsoft blog detailing ClickFix technique and evolution.
2026‑02 – Yahoo article reports attackers using Windows Terminal instead of Run dialog.
2026‑03 – HackerNews article discloses new widespread ClickFix campaign leveraging Windows Terminal.

Karma-X Blog