ClickFix Malware Targets macOS With Fake Disk Cleanup Utilities
Key Takeaways A new macOS malware campaign, dubbed “ClickFix,” leverages fake disk cleanup and system utility lures to trick users into executing malicious commands. The campaign bypasses...
Key Takeaways
- A new macOS malware campaign, dubbed “ClickFix,” leverages fake disk cleanup and system utility lures to trick users into executing malicious commands.
- The campaign bypasses Apple’s Gatekeeper security by instructing users to paste commands directly into Terminal, leading to the silent installation of infostealers.
- ClickFix aims to steal highly sensitive data, including iCloud credentials, browser passwords, cryptocurrency wallet keys, and can even replace legitimate crypto apps with malicious versions.
- Microsoft researchers have been tracking three distinct ClickFix campaign types since January 2026, all focused on data exfiltration and persistent system access.
- Apple has updated XProtect signatures and introduced a paste-blocking prompt in macOS 26.4 to mitigate this threat, but user vigilance remains paramount.
A sophisticated new cyberattack campaign, named ClickFix, is actively targeting macOS users by masquerading as legitimate system maintenance tools. Threat actors behind ClickFix are exploiting user trust in system utilities and common troubleshooting advice to deploy infostealers and establish persistent access on compromised machines. This tactic involves tricking users into manually executing dangerous commands directly within their Terminal application, a method that circumvents standard macOS security features.
Table Of Content
Researchers at Microsoft have been closely monitoring the evolution of this threat since at least January 2026. Their analysis reveals three distinct campaign variations, all sharing the overarching objective of stealing sensitive data, maintaining control over infected systems, and exfiltrating a wide array of personal information, including saved passwords, browser credentials, cryptocurrency wallet keys, and iCloud data.
A critical aspect of the ClickFix campaign’s effectiveness lies in its ability to bypass Apple’s built-in security mechanisms. macOS typically employs Gatekeeper, a security feature designed to verify applications before they are launched. However, when users are instructed to paste and execute commands directly into the Terminal, this verification process is entirely bypassed, providing attackers with a direct and low-friction pathway to compromise devices.
The scope of data exfiltration is extensive and deeply personal. Depending on the specific variant of the ClickFix malware that infects a system, attackers can harvest iCloud account information, stored browser passwords, Keychain entries, personal media files, Telegram data, and cryptocurrency wallet details. In some particularly insidious instances, the malware goes further by replacing legitimate cryptocurrency wallet applications such as Trezor Suite, Ledger Live, and Exodus with fake, attacker-controlled versions. These fraudulent applications are designed to silently intercept and reroute all future transactions, leading to significant financial losses for victims.
How the Fake Utility Lures Work
The initial lures employed in the ClickFix campaign are meticulously designed to appear as authentic support content. Fake blog posts, hosted on platforms like Medium (e.g., macos-disk-space[.]medium[.]com) and Craft (e.g., macclean[.]craft[.]me), mimic genuine macOS troubleshooting guides. These deceptive posts instruct users to copy and paste specific commands into their Terminal to “resolve” common macOS issues, such as low disk space. Similar fraudulent pages have also been observed on standalone websites with seemingly official and trustworthy domain names.
![ClickFix instruction hosted on macclean[.]craft[.]me (Source - Microsoft)](https://hackersradar.com/wp-content/uploads/2026/05/content_1778137261_7554.jpg)
Once the user executes the provided Terminal command, a hidden script is decoded and initiates a multi-stage infection process. In the “loader” campaign variant, a shell script first performs system fingerprinting, gathering details like keyboard locale and operating system version, before establishing communication with an attacker-controlled command-and-control (C2) server.
The “script” campaign variant sees the malware actively searching for a live C2 server. If direct communication fails, it employs a Telegram bot as a fallback mechanism to dynamically locate an operational C2. The “helper” campaign, on the other hand, deploys a concealed executable, typically named “helper” or “update,” which establishes a persistent backdoor on the system, ensuring it launches silently with every device restart.
Infostealer Payloads and Persistence
Microsoft researchers have confirmed the deployment of three distinct infostealer families within the ClickFix campaign: Macsync, Shub Stealer, and AMOS. Upon successful infiltration, these infostealers follow a similar operational procedure. They typically prompt the user to enter their macOS password under the guise of requiring administrative permissions to complete a utility installation. After capturing and validating the password, the malware proceeds to harvest sensitive data from various locations across the machine.

To ensure persistence across system reboots, the ClickFix campaigns leverage macOS LaunchAgents and LaunchDaemons. These are legitimate background processes designed to start automatically when the system boots. One campaign variant cleverly disguises its persistence component as a Google software update agent, utilizing a plist file named com.google.keystone.agent.plist to blend in with legitimate system processes. The “helper” campaign takes this a step further by deploying a hidden backdoor named .mainhelper, complemented by a supervisor script called .agent, which automatically relaunches the backdoor if its process is terminated.
In response to this threat, Apple has updated its XProtect signatures to detect ClickFix malware. Furthermore, macOS 26.4 introduced a new paste-blocking prompt. This security feature warns users when a potentially malicious command is about to be pasted into Terminal, providing an additional layer of defense against such social engineering tactics.
What You Should Do
- Never Paste Unknown Commands: Absolutely refrain from copying and pasting commands from untrusted or unverified online sources directly into your Terminal application.
- Verify Sources: Always verify the legitimacy of any troubleshooting guide or utility recommendation. Stick to official Apple support documentation or reputable software vendors.
- Enable Paste Blocking: Ensure your macOS is updated to version 26.4 or later to benefit from the new paste-blocking prompt in Terminal.
- Monitor for Suspicious Activity: For security teams, monitor for unusual
curlactivity, flag command sequences involvingosascript, Base64 decoding, and Gunzip, and detect unauthorized access attempts to Keychain data and browser credential stores. - Use Reputable Security Software: Employ robust antivirus and anti-malware solutions that specifically support macOS to detect and block known threats.
- Regularly Backup Data: Maintain regular backups of critical data to an external or cloud-based storage solution.
- Educate Users: Conduct ongoing cybersecurity awareness training for all users, emphasizing the dangers of social engineering and the importance of scrutinizing online instructions.
Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| Domain | cleanmymacos[.]org | Distribution of ClickFix instructions |
| Domain | mac-storage-guide.squarespace[.]com | Distribution of ClickFix instructions |
| Domain | claudecodedoc[.]squarespace[.]com | Distribution of ClickFix instructions |
| Domain | domenpozh[.]net | Distribution of ClickFix instructions |
| Domain | macos-disk-space[.]medium[.]com | Distribution of ClickFix instructions |
| Domain | macclean[.]craft[.]me | Distribution of ClickFix instructions |
| Domain | apple-mac-fix-hidden[.]medium[.]com | Distribution of ClickFix instructions |
| Domain | rapidfilevault4[.]sbs | Loader campaign payload delivery and C2 |
| Domain | coco-fun2[.]com | Loader campaign payload delivery and C2 |
| Domain | nitlebuf[.]com | Loader campaign payload delivery and C2 |
| Domain | yablochnisok[.]com | Loader campaign payload delivery and C2 |
| Domain | mentaorb[.]com | Loader campaign payload delivery and C2 |
| Domain | seagalnssteavens[.]com | Loader campaign payload delivery and C2 |
| Domain | filefastdata[.]com | Loader campaign payload delivery and C2 |
| Domain | metramon[.]com | Loader campaign payload delivery and C2 |
| Domain | octopixeldate[.]com | Loader campaign payload delivery and C2 |
| Domain | datasphere[.]us[.]com | Loader campaign payload delivery and C2 |
| Domain | rapidfilevault5[.]sbs | Loader campaign payload delivery and C2 |
| Domain | dialerformac[.]com | Loader campaign payload delivery and C2 |
| Domain | swift-sh[.]com | Loader campaign payload delivery and C2 |
| Domain | 0x666[.]info | Script campaign C2 and exfiltration |
| Domain | honestly[.]ink | Script campaign C2 and exfiltration |
| Domain | pla7ina[.]cfd | Script campaign C2 and exfiltration |
| Domain | play67[.]cc | Script campaign C2 and exfiltration |
| IP Address | 95.85.251[.]177 | Script campaign payload delivery, C2, and exfiltration |
| URL | hxxps://cauterizespray[.]icu/script[.]sh | Script campaign payload delivery |
| URL | hxxps://enslaveculprit[.]digital/script[.]sh | Script campaign payload delivery |
| URL | hxxps://resilientlimb[.]icu/script[.]sh | Script campaign payload delivery |
| URL | hxxps://t[.]me/ax03bot | Script campaign fallback C2 Telegram bot |
| Domain | rvdownloads[.]com | Helper campaign payload delivery |
| Domain | famiode[.]com | Helper campaign payload delivery |
| Domain | contatoplus[.]com | Helper campaign payload delivery |
| Domain | woupp[.]com | Helper campaign payload delivery |
| Domain | octopox[.]com | Helper campaign payload delivery |
| URL | hxxp://138.124.93[.]32/contact | Helper campaign exfiltration endpoint |
| URL | hxxp://168.100.9[.]122/contact | Helper campaign exfiltration endpoint |
| URL | hxxp://199.217.98[.]33/contact | Helper campaign exfiltration endpoint |
| URL | hxxp://38.244.158[.]103/contact | Helper campaign exfiltration endpoint |
| URL | hxxps://avipstudios[.]com/contact | Helper campaign exfiltration endpoint |
| URL | hxxps://joytion[.]com/contact | Helper campaign exfiltration endpoint |
| URL | hxxps://laislivon[.]com/contact | Helper campaign exfiltration endpoint |
| Domain | reachnv[.]com | Update install variant delivery |
| Domain | vagturk[.]com | Update install variant delivery |
| Domain | futampako[.]com | Update install variant delivery |
| Domain | joeyapple[.]com | Update install variant delivery |
| IP Address | 45.94.47[.]204 | Bot communication IP address |
| Domain | wusetail[.]com | Hosting bot payload |
| Domain | aforvm[.]com | Hosting bot payload |
| Domain | ouilov[.]com | Hosting bot payload |
| Domain | malext[.]com | Hosting bot payload |
| Domain | rebidy[.]com | Hosting bot payload |
| SHA-256 | 9d2da07aa6e7db3fbc36b36f0cfd74f78d5815f5ba55d0f0405cdd668bd13767 | Payload hash |
| SHA-256 | 7ca42f1f23dbdc9427c9f135815bb74708a7494ea78df1fbc0fc348ba2a161ae | Payload hash |
| SHA-256 | 241a50befcf5c1aa6dab79664e2ba9cb373cc351cb9de9c3699fd2ecb2afab05 | Payload hash |
| SHA-256 | 522fdfaff44797b9180f36c654f77baf5cdeaab861bbf372ccfc1a5bd920d62e | Payload hash |
| File Path | /tmp/helper | Malware staging folder |
| File Path | /tmp/starter | Malware plist staging folder |
| File Path | ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate | Malicious file masquerading as Google Update |
| Plist Name | ~/LaunchAgents/com.google.keystone.agent.plist | Staged plist running malicious executable |
| Plist Name | ~/Library/LaunchAgents/com.<random value>.plist | Staged plist running malicious executable |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.