ClickFix Social Engineering Campaign: Multi-Loader Attack Ch

Type	Value	Context	Confidence
DOMAIN	docusign-impersonation lures (specific domains not published in available sources)	Fake DocuSign sites used to deliver ClickFix clipboard-hijacking prompts and NetSupport RAT; specific domains not available in sources referenced for this item	low
DOMAIN	gitcode-impersonation lures (specific domains not published in available sources)	Fake GitCode sites used as secondary delivery point for NetSupport RAT via ClickFix; specific domains not available in sources referenced for this item	low
HASH	not available — no file hashes published in sources referenced for this item	Hashes for NetSupport RAT loader, Latrodectus dropper, and Lumma Stealer samples were not included in the source material available; query threat intelligence platforms (VirusTotal, MalwareBazaar) for current samples	low

Over 10 years we help companies reach their financial and branding goals. Engitech is a values-driven technology agency dedicated.

Gallery

Contacts

411 University St, Seattle, USA

engitech@oceanthemes.net

+1 -800-456-478-23

A social engineering technique called ClickFix has become a primary initial access method in nearly a dozen confirmed incident response engagements in 2025, delivering remote access trojans and credential-stealing malware across multiple industries. Attackers impersonate trusted brands including DocuSign and Okta to trick employees into manually running malicious commands, bypassing email security, endpoint detection, and perimeter controls without any exploit or malicious file attachment. The business risk is direct: successful compromise leads to persistent remote access, credential theft, and potential ransomware staging, with no technical vulnerability to patch.