ClickFix Now Cybercriminals' Favorite Malware Delivery Technique

The ClickFix social engineering technique has become the leading means by which cybercriminals deliver malware to victims.

According to analysis by researchers at ReliaQuest, which examined cyber-attacks taking place between March 1 and May 31, 2026, ClickFix dominated malware delivery.

ClickFix is a potent attack vector, because it socially engineers the victim into pasting attacker-supplied commands into trusted system dialogs.

In ClickFix-style attacks, the user enters the command themselves, which bypasses many anti-virus and cyber defense tools that categorize the action as legitimate.

One of the most common social engineering tricks deployed by ClickFix attacks is to use compromised websites to generate a fake CAPTCHA page which asks users to verify they are human by entering a command. This command is used to execute PowerShell code and retrieve infostealers or other malware payloads which then secretly compromise the victim.

During the reporting period, ClickFix was deployed to deliver many forms of malware, including Deepload malware, to Windows systems.

This method was also observed being deployed to deliver Atomic Stealer (AMOS) malware to macOS users for the first time. AMOS malware attacks are typically designed to steal browser credentials, session cookies, crypto wallets and keychain data.

This attack used a browser-triggered workflow to launch Script Editor, which is where the user is encouraged to enter commands. Attackers have chosen to target Script Editor following an Apple update which attempted to counter ClickFix attacks by introducing a security feature that scans commands pasted into Terminal before they're executed and warns the user that the command could be malicious.

“For enterprises, macOS must no longer be treated as lower risk and now needs the same monitoring and response coverage as Windows,” the ReliaQuest report warned.

To help counter the threat of ClickFix attacks, ReliaQuest recommended that organizations train users against ClickFix on Windows and macOS.

This training could involve teaching users not to paste commands into Run, Terminal, or Script Editor, as well as simulating ClickFix-style lures on both Windows and macOS during training exercises.

Meanwhile, network administrators can help prevent users from falling victim to ClickFix attacks by restricting use of the Run dialog and clipboard, restricting execution of potentially malicious executables and blocking access to potentially malicious adverts and websites.
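
For defenders covering the Windows side of this, the following added example (not from ReliaQuest or Infosecurity Magazine) triages a user's Run-dialog history for ClickFix-style entries. It relies on Windows recording Run-dialog input under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`; the scoring heuristics, the threshold and the sample values are constructed assumptions.

```python
import re

# Heuristics below are illustrative assumptions, not rules from the ReliaQuest report.
INTERPRETER = re.compile(r"\b(powershell|pwsh|mshta|cmd|wscript|cscript)(\.exe)?\b", re.I)
RETRIEVAL = re.compile(r"https?://|\b(iwr|irm|invoke-webrequest|invoke-restmethod|curl)\b", re.I)
CONCEAL = re.compile(r"(?<!\S)-((w|windowstyle)\s+hidden|enc|encodedcommand)\b", re.I)
LURE = re.compile(r"captcha|robot|human|verif", re.I)  # fake-CAPTCHA wording left in the command

# Constructed sample of RunMRU values as read from the registry (not real telemetry).
# MRUList gives the order, newest first; each stored command ends with a literal "\1".
SAMPLE = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "cmd /k ipconfig /all\\1",
    "c": 'powershell -w hidden -c "<redacted: fetch from https://example.invalid/>"'
         " # Verify you are human\\1",
}


def parse_runmru(values):
    """Return Run-dialog commands, newest first, with the trailing "\\1" removed."""
    commands = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is None:  # MRUList can reference an entry that was deleted
            continue
        commands.append(raw[:-2] if raw.endswith("\\1") else raw)
    return commands


def score(command):
    """List the ClickFix-style traits present in one Run-dialog command."""
    checks = [
        (INTERPRETER, "script interpreter"),
        (RETRIEVAL, "remote retrieval"),
        (CONCEAL, "hidden or encoded"),
        (LURE, "verification lure text"),
    ]
    return [label for pattern, label in checks if pattern.search(command)]


def triage(values, threshold=2):
    """Return (command, reasons) for entries showing at least `threshold` traits."""
    return [(c, r) for c in parse_runmru(values) if len(r := score(c)) >= threshold]


if __name__ == "__main__":
    for command, reasons in triage(SAMPLE):
        print(f"REVIEW: {command!r} -> {', '.join(reasons)}")
```

An administrator's one-off `cmd /k ipconfig /all` shows a single trait and stays below the threshold, while the constructed lure entry shows all four.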
