ClickFix campaign uses fake macOS utilities lures to deliver infostealers

Threat actors are leveraging ClickFix-style social engineering tactics to distribute infostealers targeting macOS users through fake system utility lures. Attackers host malicious Terminal commands on blog sites and content platforms, disguised as troubleshooting advice for macOS issues. When executed, these commands download infostealers including Macsync, Shub Stealer, and AMOS, which exfiltrate browser credentials, cryptocurrency wallets, iCloud data, Keychain entries, and media files. The campaign has evolved to use Terminal-based script execution that bypasses Gatekeeper verification. Three distinct campaigns employ different tradecraft, with some replacing legitimate cryptocurrency wallet applications with trojanized versions and establishing persistence through LaunchAgents and LaunchDaemons that masquerade as legitimate services.

Pulse ID: 69fb97e43f09a3b9ae3a39b9
Pulse Link: https://otx.alienvault.com/pulse/69fb97e43f09a3b9ae3a39b9
Pulse Author: AlienVault
Created: 2026-05-06 19:35:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AMOS #Browser #Cloud #CyberSecurity #ICS #InfoSec #InfoStealer #Mac #MacOS #OTX #OpenThreatExchange #RAT #ScriptExecution #SocialEngineering #Trojan #bot #cryptocurrency #AlienVault