Landing page of a script campaign
For years, macOS users have relied on community forums, Medium articles, and tech blogs to solve everyday system quirks like freeing up disk space. But threat actors have turned this reliance into a weapon.
According to a new intelligence report from Microsoft, a highly evolved infostealer campaign is actively targeting macOS users through a deceptive social engineering tactic known as ClickFix. Instead of tricking users into downloading sketchy applications, attackers are infiltrating user-driven content platforms to post fake troubleshooting guides. The “fix”? A seemingly benign command that users are instructed to copy and paste directly into their macOS Terminal.
This simple copy-paste action sets off a devastating chain of events, silently loading notorious infostealers like Macsync, Shub Stealer, and AMOS onto the victim’s machine.
Historically, macOS infostealers have relied on malicious disk image (.dmg) files, which require the user to actively install a disguised application. However, modern macOS defenses, particularly Gatekeeper, have made this difficult by enforcing code signing and notarization checks.
To circumvent this, attackers have radically shifted their delivery mechanisms. As the Microsoft researchers note, “Unlike application bundles opened through Finder—which might be subjected to Gatekeeper verification checks such as code signing and notarization—scripts downloaded and launched directly through Terminal (for example, by using osascript or shell interpreters) don’t undergo the same evaluation.”
By convincing the user to execute the command themselves, the attackers effectively bypass native Apple security warnings. “This delivery mechanism enables attackers to initiate malware execution through user-driven command invocation, reducing reliance on traditional application delivery methods and increasing the likelihood of successful execution,” the report explains.
Microsoft researchers have tracked this activity across three distinct execution paths, each leveraging unique infrastructure and evasion tactics:
1. The Loader Install Campaign
Active since February 2026, this variant uses a curl command to fetch a shell script that acts as a sophisticated reconnaissance tool.
- The CIS Kill Switch: Before executing its payload, the script fingerprints the system’s hostname, OS version, and keyboard locale. If it detects a Russian or CIS (Commonwealth of Independent States) keyboard layout, it triggers a kill switch, reports a cis_blocked event to the attacker’s server, and stops execution.
- Deep Theft & Trojanized Wallets: If the system is deemed a valid target, the malware downloads an AppleScript payload directly into memory. It aggressively hunts for Keychain entries, iCloud data, and cryptocurrency wallets. Alarmingly, the stealer replaces legitimate crypto wallet applications (like Ledger Wallet, Trezor Suite, and Exodus) with trojanized .zip versions fetched from the command-and-control (C2) server, allowing attackers to silently siphon funds during future transactions.
2. The Script Install Campaign
First observed in April 2026, this campaign is a masterclass in fileless execution.
- Network Stream Execution: The retrieved script is launched directly from the network stream without ever being written to the victim’s disk.
- Telegram Fallback: The heavily obfuscated AppleScript acts as a C2 orchestrator. It first probes a hardcoded list of server identifiers. If those fail, it falls back to querying a specific Telegram bot page to extract a hidden server identifier embedded in the HTML, granting the attackers highly resilient, dynamic infrastructure.
3. The Helper Install Campaign (AMOS)
This variant drops a Mach-O executable disguised as a “helper” or “update” into the /tmp/ directory.
- Virtualization Evasion: The initial stager checks system memory and hardware profiles for virtualization indicators (like QEMU, VMware, or generic “Intel Core 2” profiles) to evade security researchers and sandboxes.
- Root-Level Backdoor: For ultimate persistence, the malware downloads a backdoor implant named .mainhelper and a supervisor wrapper named .agent. By prompting the user for their password, it creates a Launch Daemon (com.finder.helper.plist) that runs the agent wrapper with full root privileges upon every system boot.
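As an added, defender-side example (not code from the Microsoft report or from this article), the check below parses LaunchDaemon plists and flags the persistence artifacts described above: the com.finder.helper label, the hidden .mainhelper and .agent binaries, and any daemon whose program lives under /tmp. The two sample plists are constructed here for illustration; the daemon directory path is the standard macOS location and is an assumption of the example.

```python
from __future__ import annotations
import plistlib
from pathlib import Path

# Artifacts named in the report: the daemon label and the hidden helper/agent binaries.
KNOWN_LABELS = {"com.finder.helper"}
KNOWN_BINARIES = {".mainhelper", ".agent"}

def suspicious_reasons(plist_bytes: bytes) -> list[str]:
    """Return the reasons a LaunchDaemon plist matches the helper-persistence pattern (empty = clean)."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:
        return ["plist could not be parsed"]
    reasons: list[str] = []
    label = str(data.get("Label", ""))
    if label in KNOWN_LABELS:
        reasons.append(f"label {label} is a known indicator")
    # launchd may name the binary via Program and/or ProgramArguments[0]; check both.
    targets = [str(a) for a in data.get("ProgramArguments", [])]
    if isinstance(data.get("Program"), str):
        targets.insert(0, data["Program"])
    for target in targets:
        name = Path(target).name
        if name in KNOWN_BINARIES:
            reasons.append(f"references known binary {name}")
        if target.startswith(("/tmp/", "/private/tmp/")):
            reasons.append(f"executes from temporary directory: {target}")
        elif target.startswith("/") and name.startswith("."):
            reasons.append(f"executes hidden file: {target}")
    if reasons and data.get("RunAtLoad"):
        reasons.append("RunAtLoad is set, so it runs as root at every boot")
    return reasons

def audit_launch_daemons(directory: str = "/Library/LaunchDaemons") -> dict[str, list[str]]:
    """Scan every .plist in a daemon directory and map each flagged path to its reasons."""
    findings: dict[str, list[str]] = {}
    for path in Path(directory).glob("*.plist"):
        reasons = suspicious_reasons(path.read_bytes())
        if reasons:
            findings[str(path)] = reasons
    return findings

# Constructed samples (not captured from a real infection) so the module runs stand-alone.
MALICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.finder.helper</string>
<key>ProgramArguments</key><array><string>/tmp/.agent</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>Label</key><string>com.example.backup</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/backup</string><string>--daily</string></array>
<key>RunAtLoad</key><true/></dict></plist>"""
```

Running `audit_launch_daemons()` on a live Mac needs read access to the daemon directory; the reasons list is meant to feed a ticket or EDR alert rather than to auto-remediate.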
For IT administrators and macOS users alike, never copy and paste arbitrary Terminal commands from unverified web sources, no matter how helpful the troubleshooting guide appears to be.