ClickFix Attack Targets macOS with Fake Disk Cleanup Lures

A new wave of cyberattacks is targeting macOS users, employing a familiar deception. Threat actors are disguising their malware as legitimate disk cleanup tools and system utilities, tricking individuals into executing dangerous commands directly on their own machines. This tactic is detailed in a recent report on the

Microsoft researchers identified this threat and have been closely tracking its evolution since at least January 2026. They observed three distinct campaign types, all sharing the same core goal: steal sensitive data, maintain persistent access to infected systems, and exfiltrate everything from saved passwords and browser credentials to cryptocurrency wallet keys and iCloud data.

What makes this campaign especially dangerous is how it bypasses Apple’s built-in security checks. Normally, macOS uses a verification process called Gatekeeper to review applications before they run.

But when a command is pasted directly into Terminal, that review process does not apply at all, giving attackers a clean and reliable path onto the device with minimal friction or resistance.

The stolen data is extensive and deeply personal. Depending on which campaign version infects the system, attackers can walk away with iCloud data, saved browser passwords, Keychain entries, media files, Telegram data, and cryptocurrency wallet information.

In some cases, the malware goes further by replacing legitimate crypto wallet apps like Trezor Suite, Ledger Live, and Exodus with fake, attacker-controlled versions designed to silently intercept every future transaction.

How the Fake Utility Lures Work

The lures in this campaign are carefully crafted to look like genuine help content. Fake blog posts on Medium mimicked legitimate macOS support guides, with sites like macos-disk-space[.]medium[.]com telling users to paste a command to “fix” their storage issue. Similar pages appeared on Craft, a popular note-taking platform, and on standalone websites carrying names that sounded official and trustworthy.

Once the Terminal command runs, it decodes a hidden script and begins a chain reaction. In the loader campaign, a shell script fingerprints the system by collecting details like keyboard locale and operating system version, then reaches out to an attacker-controlled server.

In the script campaign, the malware searches for a live command-and-control server, and if none respond, it falls back to a Telegram bot to locate one dynamically. The helper campaign deploys a hidden executable named helper or update that sets up a persistent backdoor, running silently every time the device restarts.

Infostealer Payloads and Persistence

Three infostealer families were confirmed active in this campaign: Macsync, Shub Stealer, and AMOS. Each one follows a similar playbook once inside a system. The malware prompts the user to enter their macOS password, pretending it needs permission to complete a utility installation. After capturing and verifying the password, it begins harvesting data from across the machine.

For persistence, the campaigns use LaunchAgents and LaunchDaemons, which are background processes that start automatically on every boot. One campaign disguises its persistence component as a Google software update agent, using a plist file named com.google.keystone.agent.plist to stay hidden in plain sight.

The helper campaign goes even further, deploying a hidden backdoor named .mainhelper alongside a supervisor script called .agent that automatically relaunches it whenever the process stops.

Apple has since updated XProtect signatures to detect this threat, and macOS 26.4 introduced a paste-blocking prompt that warns users when a potentially malicious Terminal command is about to run.

Security teams are advised to monitor for unusual curl activity, flag command sequences involving osascript, Base64, and Gunzip, and detect unauthorized access to Keychain data and browser credential stores. Most importantly, users should never paste instructions copied from online sources into Terminal, no matter how trustworthy the page appears.

Indicators of Compromise (IoCs)

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.