ClickFix is a social engineering targeting macOS, first discovered in 2024. ClickFix is a social engineering technique where malicious websites display fake error messages — broken CAPTCHAs, browser errors, or system alerts — and instruct the user to 'fix' the problem by copying a command and pasting it into Terminal (macOS) or the Run dialog (Windows). The pasted command downloads and executes malware, typically an infostealer like Atomic Stealer or Lumma Stealer. Because the user initiates the execution, ClickFix bypasses Gatekeeper, XProtect, and other automated defenses. CoreLock detects this threat using CoreLock detects ClickFix attacks through behavioral analysis of newly spawned processes after Terminal execution, monitoring for rapid download-and-execute patterns, flagging suspicious outbound connections to unknown command-and-control servers, and detecting LaunchAgent persistence installation typical of ClickFix infostealer payloads.
Also known as: Click-Fix, FakeFix, ClearFake variant
ClickFix is a social engineering technique where malicious websites display fake error messages — broken CAPTCHAs, browser errors, or system alerts — and instruct the user to 'fix' the problem by copying a command and pasting it into Terminal (macOS) or the Run dialog (Windows). The pasted command downloads and executes malware, typically an infostealer like Atomic Stealer or Lumma Stealer. Because the user initiates the execution, ClickFix bypasses Gatekeeper, XProtect, and other automated defenses.
Malicious or compromised websites displaying fake error dialogs
Fake CAPTCHA verification pages that instruct users to run a 'verification' command
Phishing emails linking to pages with fake browser update prompts
Malvertising campaigns redirecting to ClickFix landing pages
Compromised legitimate sites injected with ClickFix overlay scripts
A website asking you to copy and paste a command into Terminal
A CAPTCHA or verification page that requires running a shell command
Clipboard contents changing after clicking a button on a webpage
Unexpected Terminal or command-line activity after visiting a website
New LaunchAgent plist files appearing after following website instructions
Disable Wi-Fi and disconnect Ethernet to prevent any downloaded malware from communicating with command-and-control servers or exfiltrating your data.
Open Activity Monitor and look for any processes you don't recognize, especially those using high CPU or network. Force quit anything suspicious. Also run 'ps aux' in Terminal to check for hidden processes.
Check ~/Library/LaunchAgents/ and /Library/LaunchAgents/ for any plist files created around the time you ran the command. Move them to the Desktop (not Trash) and restart your Mac.
The ClickFix page may have installed browser extensions. Check Safari Extensions, Chrome extensions (chrome://extensions), and Firefox Add-ons. Remove anything you don't recognize.
If you ran a ClickFix command, assume your Keychain and browser passwords have been compromised. Change passwords for email, banking, and critical accounts from a phone or separate computer immediately.
Run a full CoreLock scan to detect any residual malware, suspicious processes, unauthorized network connections, or persistence mechanisms installed by the ClickFix payload.
Never copy and paste commands from websites into Terminal — legitimate sites never ask for this
Any website claiming your browser needs a 'fix' via Terminal command is malicious
Use an ad blocker to prevent malvertising redirects to ClickFix pages
Keep macOS updated to ensure XProtect has the latest infostealer signatures
Use CoreLock to detect anomalous process and network behavior from ClickFix payloads
Real-time Detection
CoreLock detects ClickFix attacks through behavioral analysis of newly spawned processes after Terminal execution, monitoring for rapid download-and-execute patterns, flagging suspicious outbound connections to unknown command-and-control servers, and detecting LaunchAgent persistence installation typical of ClickFix infostealer payloads.
Stealer — Atomic Stealer (AMOS) is a sophisticated macOS information stealer sold as malwa...
Stealer — Banshee Stealer is a macOS information stealer that emerged in mid-2024, initial...
Stealer — Realst is a macOS information stealer written in Rust that targets cryptocurrenc...
ClickFix is a social engineering technique where a malicious website tricks you into running a Terminal command on your Mac. The site shows a fake error — a broken CAPTCHA, browser error, or system alert — and provides a 'fix' that involves pasting a command into Terminal. That command downloads and installs malware, usually an infostealer that harvests your passwords, cookies, and cryptocurrency wallets.
No. ClickFix bypasses Gatekeeper because the user manually executes the command in Terminal — there's no downloaded app for Gatekeeper to check. XProtect may catch known payloads, but new variants often evade signature detection. The attack works precisely because it turns the user into the execution mechanism, sidestepping macOS's automated protections.
If you recently pasted a command from a website into Terminal and saw unexpected output (downloading files, error messages, or no visible output at all), you may have been compromised. Check Activity Monitor for unknown processes, look in ~/Library/LaunchAgents/ for new plist files, and monitor for unusual network activity. Run a CoreLock scan for a comprehensive check.
ClickFix is effective because it turns the user into the attack vector, bypassing all automated security controls. It requires minimal infrastructure (just a webpage), works across macOS and Windows, and can deliver any payload. The social engineering is convincing because users are accustomed to following on-screen instructions to fix technical problems.
Download CoreLock to detect and remove ClickFix and other macOS threats. AI-powered analysis, real-time monitoring, and one-click remediation.
Download CoreLock FreeAvailable for macOS and Windows