ClickFix malware campaign targets Mac users searching for help

Attackers are posting fake macOS troubleshooting guides on Medium, Craft, and Squarespace. The goal is to make users run Terminal commands that install malware targeting iCloud data, saved passwords, and crypto wallets.

Microsoft’s Defender Security Research Team published the findings. The campaign has been running since late 2025. It preys on Mac users searching for help with common problems like freeing up disk space or fixing system errors.

Instead of offering a legit fix, the pages tell users to copy a command and paste it into Terminal. That command pulls down and runs malware.

The misleading blog posts tell readers to copy a malicious command and paste it into Terminal. This command downloads malware and runs it on the victim’s computer.

The technique is called ClickFix. It’s social engineering that changes responsibility for launching the payload onto the victim. Because the user runs the command directly in Terminal, macOS Gatekeeper never inspects the payload.

Gatekeeper normally checks code signing and notarization on app bundles opened through Finder, but this method sidesteps it entirely.

Attackers launched three campaigns with the same goal

Microsoft spotted three campaign installers:

1. A loader.
2. A script.
3. A helper.

All three harvest sensitive data, establish persistence, and exfiltrate stolen information to the attacker’s servers.

The malware families include AMOS, Macsync, and SHub Stealer. If any one of the three malware was installed, it goes after iCloud and Telegram account data. Then it looks for private documents and photos under 2 MB. And it extracts crypto wallet keys from Exodus, Ledger, and Trezor, and steals saved usernames and passwords from Chrome and Firefox.

After installation, the malware throws up a fake dialog and asks for a system password to install a “helper tool.” If the user enters the password, the attacker gets full access to files and system settings.

In some cases, researchers found that attackers deleted legitimate crypto wallet apps and replaced them with trojanized versions designed to monitor transactions and steal funds.

Trezor Suite, Ledger Wallet, and Exodus were some of the main apps targeted in this attack.

The loader campaign also includes a kill switch. The malware stops executing if it detects a Russian keyboard layout.

Security researchers observed attackers using curl, osascript, and other native macOS utilities to run payloads directly in memory. This is a fileless approach that makes detection harder for standard antivirus tools.

Attackers go after crypto developers

Security researchers from ANY[.]RUN discovered a Lazarus Group operation called “Mach-O Man.” Hackers used the same ClickFix technique through fake meeting invitations. They went after fintech and crypto machines where macOS is common.

Cryptopolitan published about the PromptMink campaign.

A malicious npm package was put into a crypto trading project by the North Korean group Famous Chollima through an AI-generated change. Using a two-layer package approach, the malware got access to wallet data and system secrets.

Both campaigns show that crypto wallet data is valuable. Attackers are adapting their delivery methods from fake blog posts to AI-assisted supply chain compromises to reach it.

If you're reading this, you’re already ahead. Stay there with our newsletter.