[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$farCpg6YbzdK6dBw3gwQ8sgwHFBF8VlHBOEsDoFnAc40":3},{"article":4,"iocs":45},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":29,"category":30,"article_tags":34},"3dc8831d-8810-48f5-9312-b03718f46bad","ClickFix campaign uses fake macOS utilities lures to deliver infostealers","clickfix-campaign-uses-fake-macos-utilities-lures-to-deliver-infostealers-d08e65","Threat actors are targeting macOS users with fake utility fixes that trick them into running malicious Terminal commands. This campaign evades traditional defenses by stealing credentials, wallets, and sensitive data. The post ClickFix campaign uses fake macOS utilities lures to deliver infostealers appeared first on Microsoft Security Blog.","Microsoft Security researchers report on an evolving ClickFix campaign targeting macOS users with fake utility fixes that trick them into running malicious Terminal commands. The threat actors distribute infostealers like Macsync, Shub Stealer, and AMOS that steal credentials, iCloud data, Keychain entries, and cryptocurrency wallet keys. The campaign has shifted from .dmg file delivery to direct Terminal command execution, bypassing Gatekeeper verification and leveraging native macOS utilities.","ClickFix campaign targets macOS users with fake utility lures delivering infostealers via Terminal commands.","Microsoft researchers continue to observe the evolution of an infostealer campaign distributing ClickFix‑style instructions and targeting macOS users. 
In this recent iteration, threat actors attempt to take advantage of users who are looking for helpful advice on macOS-related issues (for example, optimizing their disk space) on blog sites and other user-driven content platforms by hosting their malicious commands on these sites. These commands, which are purported to install system utilities, instead load infostealing malware such as Macsync, Shub Stealer, and AMOS onto the targets’ devices. The malware then collects and exfiltrates data, including media files, iCloud data and Keychain entries, and cryptocurrency wallet keys. In some campaigns, the malware replaces legitimate cryptocurrency wallet apps with trojanized versions, putting users at an added security risk. Prior iterations of this campaign delivered the infostealers through disk image (.dmg) files that required users to manually install an application. This recent activity reflects a shift in tradecraft, where threat actors instruct users to run Terminal commands that leverage native utilities to retrieve remotely hosted content, followed by script‑based loader execution. Unlike application bundles opened through Finder—which might be subjected to Gatekeeper verification checks such as code signing and notarization—scripts downloaded and launched directly through Terminal (for example, by using osascript or shell interpreters) don’t undergo the same evaluation. This delivery mechanism enables attackers to initiate malware execution through user‑driven command invocation, reducing reliance on traditional application delivery methods and increasing the likelihood of successful execution. In this blog, we take a look at three campaigns that use this new tradecraft. We also provide mitigation guidance and detection details to help surface this threat. 
Activity overview
Initial access
Standalone websites were seen hosting pages that included a Base64-encoded instruction for end users to run. Some sites present this information in multiple languages. 
As of this writing, the websites that we’ve observed are either already down or have been reported. Figure 1. Landing page of a script campaign (domenpozh[.]net). Figure 2. ClickFix instructions hosted on mac-storage-guide.squarespace[.]com. Figure 3. The mac-storage-guide.squarespace[.]com page was seen presenting content in different languages, such as Japanese. In other instances, content that included instructions leading to malware was observed to be hosted on Craft, a note-taking platform that lets writers and content creators take notes and distribute their content. We’ve observed that pages like macclean[.]craft[.]me were taken down relatively quickly. Figure 4. ClickFix instruction hosted on macclean[.]craft[.]me. Threat actors were also publishing fake troubleshooting posts on the popular blogging site Medium to distribute ClickFix instructions. These posts claim to solve common macOS problems. Blog sites such as macos-disk-space[.]medium[.]com instruct users to “fix” an issue by pasting a command into Terminal. The command then decodes and runs an AppleScript or Bash loader. These blogs were reported and taken down quickly. We observed three distinct execution paths leveraging different infrastructure. We’re classifying these as a loader install campaign, a script install campaign, and a helper install campaign. In the loader and helper campaigns, we observed that a random seven-digit value (hereinafter referred to as a random ID) was used in data staging, marking the staging folders as \u002Ftmp\u002Fshub_\u003Crandom ID> or \u002Ftmp\u002F\u003Crandom ID>. The underlying goal remains the same in these campaigns: sensitive data collection, persistence, and exfiltration. The following table summarizes the key differences between the campaigns. We discuss the details of each of these campaigns in the succeeding sections of this blog. 
Activity or technique | Loader campaign | Script campaign | Helper campaign
Initial installation | No file written on disk | No file written on disk | \u002Ftmp\u002Fhelper, \u002Ftmp\u002Fupdate
Condition to exit execution | Russian keyboard detected | Failure to resolve an active command-and-control (C2) endpoint (all infrastructure checks fail) | Sandbox detected
Data staging | \u002Ftmp\u002Fshub_\u003Crandom ID>, \u002Ftmp\u002Fout.zip | None | \u002Ftmp\u002F\u003Crandom ID>, \u002Ftmp\u002Fout.zip
Persistence (plist file created) | ~\u002FLaunchAgents\u002Fcom.google.keystone.agent.plist | ~\u002FLaunchAgents\u002Fcom.\u003Crandom value>.plist | Library\u002FLaunchDaemons\u002Fcom.finder.helper.plist
Bot execution | Payload: \u002FGoogleUpdate; C2 pattern: \u003CC2 domain>\u002Fapi\u002Fbot\u002Fheartbeat | Resolves active C2 through hardcoded infrastructure and Telegram fallback; C2 domain: https:\u002F\u002Ft[.]me\u002Fax03bot | Payload: \u002F.agent; C2 domain: hxxp:\u002F\u002F45.94.47[.]204\u002Fapi\u002F
Exfiltration | \u003CC2 domain>\u002Fapi\u002Fdebug\u002Fevent, \u003CC2 domain>\u002Fgate\u002Fchunk | \u003CC2 domain>\u002Fupload.php | \u003CC2 domain>\u002Fcontact
Trojanized cryptocurrency apps | Trezor Suite.app, Ledger Wallet.app, Exodus.app | Not applicable (handled in later loader\u002Fpayload stages) | Trezor Suite.app, Ledger Wallet.app
Loader install campaign
Since February 2026, Microsoft researchers have observed a campaign that requests a loader shell from the attacker’s infrastructure using curl once a user copies and runs ClickFix commands using Terminal. It leads to further execution of a second-stage shell script. This second shell script is a zsh loader that decodes and decompresses an embedded payload using Base64 and Gzip, respectively. It then executes the payload using eval. Figure 5. Shell loader. 
The next-stage script also functions as a macOS reconnaissance and execution-control loader that first fingerprints the system by collecting the following information: keyboard locale, hostname, operating system version, and external IP address. It then builds and sends a JSON object to an attacker‑controlled server containing an event name (loader_requested or cis_blocked) along with this telemetry. It also uses the presence of Russian\u002FCIS keyboard layouts as a deliberate kill switch, reporting a cis_blocked event and stopping execution. Figure 6. Reconnaissance loader with CIS kill switch. If the system isn’t blocked, the script silently beacons a “loader requested” event and then downloads and executes a remote AppleScript payload directly in memory using osascript. Figure 7. Reconnaissance loader with AppleScript payload delivery. 
AppleScript infostealer
This multi-stage macOS AppleScript stealer employs user interaction-based credential capture, conducts broad data collection across browsers, Keychains, messaging applications, wallet artifacts, and user documents, and stages the collected data into a compressed archive for exfiltration to a remote endpoint. The malware further tampers with locally installed applications to intercept sensitive data, establishes persistence through a masqueraded LaunchAgent that mimics legitimate software updates, and maintains remote command execution capabilities by periodically polling a server for instructions, which are executed at runtime. 
Data collection: \u002Ftmp\u002Fshub_\u003Crandom ID> staging
We observed that the stealer self-identifies as “SHub Stealer” (it writes the marker SHub into its staging directory). It prompts the target user to enter their password, pretending to install a “helper” utility. It then validates the entered password using the command dscl . -authonly \u003Cusername>. Upon successful validation, it sends a password_obtained event to its C2 infrastructure. 
The malware stages collected data under a \u002Ftmp\u002Fshub_\u003Crandom ID>\u002F folder. The collected data includes: Browser credentials Notes Media files Telegram data Cryptocurrency wallets Keychain entries iCloud account data The stealer also collects documents smaller than 2 MB and stages them within a FileGrabber repository located at \u002Ftmp\u002Fshub_\u003Crandom I","https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002F2026\u002F05\u002F06\u002Fclickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers\u002F","https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002Fwp-content\u002Fuploads\u002F2026\u002F03\u002FMS_Actional-Insights_Malware-ransomware-1.jpg","2026-05-06T15:20:32+00:00","2026-05-06T18:00:41.257683+00:00",9,[18,21,24,27],{"name":19,"type":20},"ClickFix","campaign",{"name":22,"type":23},"Microsoft","vendor",{"name":25,"type":26},"macOS","product",{"name":28,"type":26},"Microsoft Defender","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":29,"icon":31,"name":32,"slug":33},null,"Malware","malware",[35,40],{"category":36},{"id":37,"icon":31,"name":38,"slug":39},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":41},{"id":42,"icon":31,"name":43,"slug":44},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[46,50,53,56,59,63,66,68],{"type":47,"value":48,"context":49},"domain","domenpozh.net","Malicious landing page hosting Base64-encrypted instructions",{"type":47,"value":51,"context":52},"mac-storage-guide.squarespace.com","ClickFix instructions hosted on compromised Squarespace site",{"type":47,"value":54,"context":55},"macclean.craft.me","ClickFix instructions on Craft note-taking platform",{"type":47,"value":57,"context":58},"macos-disk-space.medium.com","Fake troubleshooting posts on Medium distributing ClickFix commands",{"type":60,"value":61,"context":62},"ip","45.94.47.204","C2 endpoint used in helper 
campaign",{"type":33,"value":64,"context":65},"Macsync","Infostealer malware delivered via ClickFix campaign",{"type":33,"value":67,"context":65},"Shub Stealer",{"type":33,"value":69,"context":65},"AMOS"]