ClickFix Campaigns Targeting Windows and macOS
ID: 44f8d1dc-8d08-5444-b56e-ba500270c5d0
STIX ID: report--44f8d1dc-8d08-5444-b56e-ba500270c5d0
Feed Name: Recorded Future Blog
Insikt Group documents the ClickFix social-engineering technique across five distinct clusters (impersonating QuickBooks, Booking.com, Birdeye, dual-platform selection, and macOS storage cleaning). These clusters coerce victims into executing obfuscated commands in native shells to download and run payloads, notably NetSupport RAT and multiple information stealers. The report provides detailed TTP analysis, extensive IOCs (domains, IPs, SHA256 hashes), observed infrastructure patterns, and recommended mitigations such as disabling the Windows Run dialog, enforcing PowerShell Constrained Language Mode, and operationalizing HTML/content threat monitoring.
