Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Chinese Hackers Use Claude, DeepSeek AI in Government Cyberattacks
July 15, 2026
Fake Game Cheats Deliver Warzone RAT to Gamers’ Windows PCs
July 15, 2026
Critical LegacyHive Windows 0-Day Lets Attackers Load Other User Registries
July 15, 2026
Home/Threats/ClickFix Malware Targets macOS With Fake Disk Cleanup Utilities
Threats

ClickFix Malware Targets macOS With Fake Disk Cleanup Utilities

Key Takeaways A new macOS malware campaign, dubbed “ClickFix,” leverages fake disk cleanup and system utility lures to trick users into executing malicious commands. The campaign bypasses...

Sarah simpson
Sarah simpson
May 7, 2026 6 Min Read
57 0

Key Takeaways

  • A new macOS malware campaign, dubbed “ClickFix,” leverages fake disk cleanup and system utility lures to trick users into executing malicious commands.
  • The campaign bypasses Apple’s Gatekeeper security by instructing users to paste commands directly into Terminal, leading to the silent installation of infostealers.
  • ClickFix aims to steal highly sensitive data, including iCloud credentials, browser passwords, cryptocurrency wallet keys, and can even replace legitimate crypto apps with malicious versions.
  • Microsoft researchers have been tracking three distinct ClickFix campaign types since January 2026, all focused on data exfiltration and persistent system access.
  • Apple has updated XProtect signatures and introduced a paste-blocking prompt in macOS 26.4 to mitigate this threat, but user vigilance remains paramount.

A sophisticated new cyberattack campaign, named ClickFix, is actively targeting macOS users by masquerading as legitimate system maintenance tools. Threat actors behind ClickFix are exploiting user trust in system utilities and common troubleshooting advice to deploy infostealers and establish persistent access on compromised machines. This tactic involves tricking users into manually executing dangerous commands directly within their Terminal application, a method that circumvents standard macOS security features.

Table Of Content

  • Key Takeaways
  • How the Fake Utility Lures Work
  • Infostealer Payloads and Persistence
  • What You Should Do

Researchers at Microsoft have been closely monitoring the evolution of this threat since at least January 2026. Their analysis reveals three distinct campaign variations, all sharing the overarching objective of stealing sensitive data, maintaining control over infected systems, and exfiltrating a wide array of personal information, including saved passwords, browser credentials, cryptocurrency wallet keys, and iCloud data.

A critical aspect of the ClickFix campaign’s effectiveness lies in its ability to bypass Apple’s built-in security mechanisms. macOS typically employs Gatekeeper, a security feature designed to verify applications before they are launched. However, when users are instructed to paste and execute commands directly into the Terminal, this verification process is entirely bypassed, providing attackers with a direct and low-friction pathway to compromise devices.

The scope of data exfiltration is extensive and deeply personal. Depending on the specific variant of the ClickFix malware that infects a system, attackers can harvest iCloud account information, stored browser passwords, Keychain entries, personal media files, Telegram data, and cryptocurrency wallet details. In some particularly insidious instances, the malware goes further by replacing legitimate cryptocurrency wallet applications such as Trezor Suite, Ledger Live, and Exodus with fake, attacker-controlled versions. These fraudulent applications are designed to silently intercept and reroute all future transactions, leading to significant financial losses for victims.

How the Fake Utility Lures Work

The initial lures employed in the ClickFix campaign are meticulously designed to appear as authentic support content. Fake blog posts, hosted on platforms like Medium (e.g., macos-disk-space[.]medium[.]com) and Craft (e.g., macclean[.]craft[.]me), mimic genuine macOS troubleshooting guides. These deceptive posts instruct users to copy and paste specific commands into their Terminal to “resolve” common macOS issues, such as low disk space. Similar fraudulent pages have also been observed on standalone websites with seemingly official and trustworthy domain names.

ClickFix instruction hosted on macclean[.]craft[.]me (Source - Microsoft)
ClickFix instruction hosted on macclean[.]craft[.]me (Source – Microsoft)

Once the user executes the provided Terminal command, a hidden script is decoded and initiates a multi-stage infection process. In the “loader” campaign variant, a shell script first performs system fingerprinting, gathering details like keyboard locale and operating system version, before establishing communication with an attacker-controlled command-and-control (C2) server.

The “script” campaign variant sees the malware actively searching for a live C2 server. If direct communication fails, it employs a Telegram bot as a fallback mechanism to dynamically locate an operational C2. The “helper” campaign, on the other hand, deploys a concealed executable, typically named “helper” or “update,” which establishes a persistent backdoor on the system, ensuring it launches silently with every device restart.

Infostealer Payloads and Persistence

Microsoft researchers have confirmed the deployment of three distinct infostealer families within the ClickFix campaign: Macsync, Shub Stealer, and AMOS. Upon successful infiltration, these infostealers follow a similar operational procedure. They typically prompt the user to enter their macOS password under the guise of requiring administrative permissions to complete a utility installation. After capturing and validating the password, the malware proceeds to harvest sensitive data from various locations across the machine.

Reconnaissance loader with AppleScript payload delivery (Source - Microsoft)
Reconnaissance loader with AppleScript payload delivery (Source – Microsoft)

To ensure persistence across system reboots, the ClickFix campaigns leverage macOS LaunchAgents and LaunchDaemons. These are legitimate background processes designed to start automatically when the system boots. One campaign variant cleverly disguises its persistence component as a Google software update agent, utilizing a plist file named com.google.keystone.agent.plist to blend in with legitimate system processes. The “helper” campaign takes this a step further by deploying a hidden backdoor named .mainhelper, complemented by a supervisor script called .agent, which automatically relaunches the backdoor if its process is terminated.

In response to this threat, Apple has updated its XProtect signatures to detect ClickFix malware. Furthermore, macOS 26.4 introduced a new paste-blocking prompt. This security feature warns users when a potentially malicious command is about to be pasted into Terminal, providing an additional layer of defense against such social engineering tactics.

What You Should Do

  • Never Paste Unknown Commands: Absolutely refrain from copying and pasting commands from untrusted or unverified online sources directly into your Terminal application.
  • Verify Sources: Always verify the legitimacy of any troubleshooting guide or utility recommendation. Stick to official Apple support documentation or reputable software vendors.
  • Enable Paste Blocking: Ensure your macOS is updated to version 26.4 or later to benefit from the new paste-blocking prompt in Terminal.
  • Monitor for Suspicious Activity: For security teams, monitor for unusual curl activity, flag command sequences involving osascript, Base64 decoding, and Gunzip, and detect unauthorized access attempts to Keychain data and browser credential stores.
  • Use Reputable Security Software: Employ robust antivirus and anti-malware solutions that specifically support macOS to detect and block known threats.
  • Regularly Backup Data: Maintain regular backups of critical data to an external or cloud-based storage solution.
  • Educate Users: Conduct ongoing cybersecurity awareness training for all users, emphasizing the dangers of social engineering and the importance of scrutinizing online instructions.

Indicators of Compromise (IoCs)

Type Indicator Description
Domain cleanmymacos[.]org Distribution of ClickFix instructions
Domain mac-storage-guide.squarespace[.]com Distribution of ClickFix instructions
Domain claudecodedoc[.]squarespace[.]com Distribution of ClickFix instructions
Domain domenpozh[.]net Distribution of ClickFix instructions
Domain macos-disk-space[.]medium[.]com Distribution of ClickFix instructions
Domain macclean[.]craft[.]me Distribution of ClickFix instructions
Domain apple-mac-fix-hidden[.]medium[.]com Distribution of ClickFix instructions
Domain rapidfilevault4[.]sbs Loader campaign payload delivery and C2
Domain coco-fun2[.]com Loader campaign payload delivery and C2
Domain nitlebuf[.]com Loader campaign payload delivery and C2
Domain yablochnisok[.]com Loader campaign payload delivery and C2
Domain mentaorb[.]com Loader campaign payload delivery and C2
Domain seagalnssteavens[.]com Loader campaign payload delivery and C2
Domain filefastdata[.]com Loader campaign payload delivery and C2
Domain metramon[.]com Loader campaign payload delivery and C2
Domain octopixeldate[.]com Loader campaign payload delivery and C2
Domain datasphere[.]us[.]com Loader campaign payload delivery and C2
Domain rapidfilevault5[.]sbs Loader campaign payload delivery and C2
Domain dialerformac[.]com Loader campaign payload delivery and C2
Domain swift-sh[.]com Loader campaign payload delivery and C2
Domain 0x666[.]info Script campaign C2 and exfiltration
Domain honestly[.]ink Script campaign C2 and exfiltration
Domain pla7ina[.]cfd Script campaign C2 and exfiltration
Domain play67[.]cc Script campaign C2 and exfiltration
IP Address 95.85.251[.]177 Script campaign payload delivery, C2, and exfiltration
URL hxxps://cauterizespray[.]icu/script[.]sh Script campaign payload delivery
URL hxxps://enslaveculprit[.]digital/script[.]sh Script campaign payload delivery
URL hxxps://resilientlimb[.]icu/script[.]sh Script campaign payload delivery
URL hxxps://t[.]me/ax03bot Script campaign fallback C2 Telegram bot
Domain rvdownloads[.]com Helper campaign payload delivery
Domain famiode[.]com Helper campaign payload delivery
Domain contatoplus[.]com Helper campaign payload delivery
Domain woupp[.]com Helper campaign payload delivery
Domain octopox[.]com Helper campaign payload delivery
URL hxxp://138.124.93[.]32/contact Helper campaign exfiltration endpoint
URL hxxp://168.100.9[.]122/contact Helper campaign exfiltration endpoint
URL hxxp://199.217.98[.]33/contact Helper campaign exfiltration endpoint
URL hxxp://38.244.158[.]103/contact Helper campaign exfiltration endpoint
URL hxxps://avipstudios[.]com/contact Helper campaign exfiltration endpoint
URL hxxps://joytion[.]com/contact Helper campaign exfiltration endpoint
URL hxxps://laislivon[.]com/contact Helper campaign exfiltration endpoint
Domain reachnv[.]com Update install variant delivery
Domain vagturk[.]com Update install variant delivery
Domain futampako[.]com Update install variant delivery
Domain joeyapple[.]com Update install variant delivery
IP Address 45.94.47[.]204 Bot communication IP address
Domain wusetail[.]com Hosting bot payload
Domain aforvm[.]com Hosting bot payload
Domain ouilov[.]com Hosting bot payload
Domain malext[.]com Hosting bot payload
Domain rebidy[.]com Hosting bot payload
SHA-256 9d2da07aa6e7db3fbc36b36f0cfd74f78d5815f5ba55d0f0405cdd668bd13767 Payload hash
SHA-256 7ca42f1f23dbdc9427c9f135815bb74708a7494ea78df1fbc0fc348ba2a161ae Payload hash
SHA-256 241a50befcf5c1aa6dab79664e2ba9cb373cc351cb9de9c3699fd2ecb2afab05 Payload hash
SHA-256 522fdfaff44797b9180f36c654f77baf5cdeaab861bbf372ccfc1a5bd920d62e Payload hash
File Path /tmp/helper Malware staging folder
File Path /tmp/starter Malware plist staging folder
File Path ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate Malicious file masquerading as Google Update
Plist Name ~/LaunchAgents/com.google.keystone.agent.plist Staged plist running malicious executable
Plist Name ~/Library/LaunchAgents/com.<random value>.plist Staged plist running malicious executable

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackMalwareSecurityThreat

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Massive DDoS Attack Evaded Rate Limits with 1.2M IPs

Next Post

Microsoft Teams Android SIP Bug Exposes Internal Meeting Details

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Notepad++ Vulnerabilities Enable PowerShell Command Injection
July 15, 2026
Fortinet Patches Critical, High Vulnerabilities in FortiOS, FortiProxy
July 14, 2026
Microsoft Patch Tuesday fixes 570 flaws including 3 zero-days
July 14, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us