Just in:
UK sets overnight social media curfew for teens // Alessio Vinassa: ‘Generative AI Is the Most Important Creative Tool Since the Camera — and the Most Misunderstood’ // “Achievements of National Aerospace Endeavours” Thematic Exhibition Makes First Stop at Hong Kong Science Park // Gadkari’s Ethanol Defence Is Losing The Public Argument // Paymentology and T2P partner to accelerate the future of card issuing in Thailand // Dubai-Botswana pact opens new commodity trade corridor // Enshi Suobuya Stone Forest in China Launches Rich Cultural Experiences to Welcome Southeast Asian Tourists // Rival cyber spies penetrate Pakistan police networks // DITP Launches THAI SELECT Festival 2026 in New York to Strengthen U.S. Market Opportunities for Thailand’s Food Industry // Guardian Fire expands Midwest reach with Nebraska deal // EU prosecutors examine subsidies linked to Babiš // AI tools sharpen cybercrime as quishing surges // Trump scraps Hormuz levy but tightens Iran blockade // A SIM Guide to Comparing Graduate Salaries and Employability in Singapore // Fynd brings AI fashion platform to Gulf // Dubai weighs turning organic waste into aviation fuel // Revolut clears first hurdle for Dubai crypto launch // TrendAI™ Named a Champion for the Fourth Consecutive Year in Omdia’s Global Cybersecurity Platform Ecosystems Leadership Matrix 2026 // Iran widens energy threat as Hormuz battle escalates // Central & Western District Youth-to-Career Explo Connects Hong Kong Youth to Future Careers in AI Era //

Bogus Mac cleaners widen stealer threat

Mac users are being targeted by a widening ClickFix campaign that disguises malicious commands as disk-cleaning and system-maintenance advice, turning routine troubleshooting into a route for credential theft, wallet compromise and cloud-data exposure.

The attacks use pages that appear to offer help with storage optimisation, system clean-up or utility installation. Victims are instructed to copy commands into Terminal, or in some variants to trigger Apple’s Script Editor, under the impression that they are reclaiming disk space or installing trusted helper tools. Instead, the commands fetch remote scripts that install infostealers including Macsync, Shub Stealer and Atomic macOS Stealer, known as AMOS.

ADVERTISEMENT

The shift marks a notable evolution in ClickFix tactics. Earlier campaigns often pushed disk image files that required users to download and install an application manually. The newer activity reduces dependence on traditional malware delivery by persuading the victim to run native macOS tools directly. That approach helps attackers sidestep some familiar warnings because the execution appears to originate from the user’s own action rather than from an unsolicited attachment or conventional exploit.

Once installed, the malware is designed to collect browser credentials, Keychain entries, iCloud data, documents, media files, application tokens and cryptocurrency wallet material. Some variants go further by replacing legitimate wallet applications with trojanised versions or installing persistence mechanisms that allow attackers to return to the machine. The risk is especially acute for developers, finance professionals, cryptocurrency users and employees working across mixed macOS and Windows environments.

The lures have become more polished. Fake clean-up pages imitate Apple-style language and visual cues, while other campaigns have used fake CAPTCHA checks, software repositories, search results and AI-assisted troubleshooting prompts. The common thread is simple: attackers tell users that a short command will fix a problem. The command instead becomes the infection chain.

Security researchers have also identified variants that avoid Terminal altogether. One macOS attack used the applescript URL scheme to open Script Editor from the browser, presenting a pre-filled script that appeared to perform storage optimisation. This tactic matters because Apple has added more friction around commands pasted into Terminal, pushing attackers to test alternative execution paths while keeping the social-engineering pitch intact.

The technique’s effectiveness lies in its low technical barrier. ClickFix does not need a zero-day vulnerability or a complex phishing attachment. It exploits trust in familiar troubleshooting workflows and the perception that macOS remains safer than other operating systems. That perception is increasingly outdated as commercial stealer kits for macOS mature and become easier for criminal groups to deploy.

Macsync and Shub Stealer have shown signs of iterative development, with operators adding evasion, tracking and persistence features. AMOS has already been widely used in campaigns targeting cryptocurrency users, software developers and online-service accounts. The appearance of multiple malware families in similar ClickFix chains suggests that the delivery model is being adopted as a reusable access method rather than a one-off tactic.

The campaign also highlights the role of popular content and hosting platforms in modern malware distribution. Attackers benefit when malicious instructions are placed where users expect technical guidance, whether through cloned help pages, poisoned search results, fake project repositories or pages mimicking verification services. The command may be the payload trigger, but the surrounding page supplies the credibility.

For organisations, the threat complicates user training. Traditional warnings about suspicious attachments and unknown downloads are no longer sufficient when the user is told to run a command as part of a supposed fix. Endpoint monitoring needs to pay closer attention to unusual use of curl, bash, zsh, osascript, AppleScript, LaunchAgents and scripts writing binaries to temporary directories. Network telemetry can also help flag connections to newly registered domains or command-and-control infrastructure after a user visits a troubleshooting page.

Apple’s expanding security controls add friction, but the campaign shows that attackers adapt quickly. Gatekeeper, quarantine flags and paste warnings are useful safeguards, yet they can be weakened when users are coached through the process step by step. The most reliable defence remains a combination of technical controls, browser protection, endpoint detection, least-privilege settings and clear rules against executing copied commands from web pages.



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.


ADVERTISEMENT
Social Media Auto Publish Powered By : XYZScripts.com
Just in:
Inflation In India Rising Sharply Since January 2026, Highest In June // TrendAI™ Named a Champion for the Fourth Consecutive Year in Omdia’s Global Cybersecurity Platform Ecosystems Leadership Matrix 2026 // Iran widens energy threat as Hormuz battle escalates // Louis Vuitton Celebrates 130 Years of the Monogram // Dubai weighs turning organic waste into aviation fuel // DITP Launches THAI SELECT Festival 2026 in New York to Strengthen U.S. Market Opportunities for Thailand’s Food Industry // Alessio Vinassa: ‘Generative AI Is the Most Important Creative Tool Since the Camera — and the Most Misunderstood’ // De Beers halts Venetia output amid diamond slump // Dubai-Botswana pact opens new commodity trade corridor // AI tools sharpen cybercrime as quishing surges // Gadkari’s Ethanol Defence Is Losing The Public Argument // US missiles disable tanker bound for Iran // Xsolla and Management and Science University (MSU) Sign Memorandum of Understanding (MOU) to Connect Future Game Developers With Global Commercial Opportunities // Guardian Fire expands Midwest reach with Nebraska deal // A SIM Guide to Comparing Graduate Salaries and Employability in Singapore // “Achievements of National Aerospace Endeavours” Thematic Exhibition Makes First Stop at Hong Kong Science Park // Rival cyber spies penetrate Pakistan police networks // Paymentology and T2P partner to accelerate the future of card issuing in Thailand // UK sets overnight social media curfew for teens // Launch ceremony of third edition of Hong Kong Fashion Fest Held on July 9 //