TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Microsoft Security Blog

ClickFix campaign uses fake macOS utilities lures to deliver infostealers

Microsoft Defender Security Research Team and Microsoft Defender Experts · 7 hours ago

ATT&CK techniques detected

29 predictions
T1543.004 Launch Daemon · 96%
“-control capability to the attacker on the compromised system. Creation of the execution wrapper (.agent). In addition to the backdoor binary, the stealer creates a secondary file named .agent, also placed in the user's home directory. Unlike .mainhelper, .agent isn't a ful…”

T1555.003 Credentials from Web Browsers · 96%
“Wi-Fi credentials. It also collects browser authentication material from Chromium-based browsers, including saved usernames and passwords, session cookies, autofill data, and browser profile state that can be reused for account takeover. In addition, the script targets cryptocur…”

T1059.002 AppleScript · 96%
“It then builds and sends a JSON object to an attacker-controlled server containing an event name (loader_requested or cis_blocked) along with this telemetry. It also uses the presence of Russian/CIS keyboard layouts as a deliberate kill switch, reporting a cis_blocked…”

T1204.001 Malicious Link · 88%
“ClickFix campaign uses fake macOS utilities lures to deliver infostealers. Microsoft researchers continue to observe the evolution of an infostealer campaign distributing ClickFix-style instructions and targeting macOS users. In this recent iteration, threat actors attempt to ta…”

T1204.004 Malicious Copy and Paste · 87%
“ClickFix campaign uses fake macOS utilities lures to deliver infostealers. Microsoft researchers continue to observe the evolution of an infostealer campaign distributing ClickFix-style instructions and targeting macOS users. In this recent iteration, threat actors attempt to ta…”

T1204.004 Malicious Copy and Paste · 84%
“intelligence community, check out the Microsoft Threat Intelligence blog. To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky. To hear stories and insights from the Microsoft Threat Intelligenc…”

T1059.002 AppleScript · 84%
“as hostname, operating system version, and external IP address. The C2 server can return Base64-encoded instructions, which the script decodes and executes locally and deletes traces, enabling remote command execution on demand. This process creates a persistent remote-contro…”

T1059.004 Unix Shell · 81%
“as hostname, operating system version, and external IP address. The C2 server can return Base64-encoded instructions, which the script decodes and executes locally and deletes traces, enabling remote command execution on demand. This process creates a persistent remote-contro…”

T1204.002 Malicious File · 73%
“downloader but a resilient, infrastructure-aware loader designed to dynamically discover C2 endpoints, evade takedowns, and execute attacker-controlled AppleScript logic on demand. We observed data exfiltration to the attacker's infrastructure on a C2 /upload.php endpoint…”

T1555.003 Credentials from Web Browsers · 72%
“Virtualization detection. The infection chain begins with an AppleScript-based stager that uses array subtraction obfuscation to conceal its strings and commands. This stager performs an anti-analysis gate by invoking system_profiler and inspecting both memory and hardware pro…”

T1059.002 AppleScript · 69%
“…64-encoded script under a plist staged at ~/Library/LaunchAgent/com.<random name>.plist. The persisted AppleScript is heavily obfuscated in its original form (character id concatenation). After decoding, the key logic follows: this AppleScript functions as a C2 dis…”

T1204.002 Malicious File · 67%
“…ProcessEvents | where ProcessCommandLine has_all ("/api/bot/heartbeat", "post", "curl") // Script campaign second stage execution DeviceProcessEvents | where ProcessCommandLine has_all ("curl", "post", "txid", "osascript", "bmodule", "max-time")…”

T1204.004 Malicious Copy and Paste · 65%
“the threat discussed in this blog. Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence. Threat intelligence repo…”

T1204.004 Malicious Copy and Paste · 63%
“have been reported. In other instances, content that included instructions leading to malware was observed to be hosted on Craft, a note-taking platform that lets writers and content creators take notes and distribute their content. We've observed that pages like macclean[.…”

T1059.004 Unix Shell · 62%
“IDs), was used in data staging, marking the staging folders as /tmp/shub_<random id> or /tmp/<random id>. The underlying goal remains the same in these campaigns: sensitive data collection, persistence, and exfiltration. The following table summarizes the key differ…”

T1685 Disable or Modify Tools · 58%
“Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats. Run EDR in block mode so that Microsoft Defender for Endpoint…”

T1074.001 Local Data Staging · 55%
“…time. Data collection: tmp/shub_<random id> staging. We observed that the stealer self-identifies as “Shub stealer” (it writes the marker shub into its staging directory). It prompts the target user to enter their password, pretending to install a “helper” utility…”

T1497.001 System Checks · 53%
“Virtualization detection. The infection chain begins with an AppleScript-based stager that uses array subtraction obfuscation to conceal its strings and commands. This stager performs an anti-analysis gate by invoking system_profiler and inspecting both memory and hardware pro…”

T1074 Data Staged · 51%
“…time. Data collection: tmp/shub_<random id> staging. We observed that the stealer self-identifies as “Shub stealer” (it writes the marker shub into its staging directory). It prompts the target user to enter their password, pretending to install a “helper” utility…”

T1543.004 Launch Daemon · 51%
“loading LaunchDaemon is configured to run /bin/bash with the path to ~/.agent as its argument, rather than invoking the backdoor binary directly. As shown in Figure 25, the script sets correct ownership, loads the daemon using launchctl, and enables both RunAtLoad and KeepAl…”

T1657 Financial Theft · 49%
“data collection is complete, data is compressed and exfiltrated. The stealer deletes staging artifacts to reduce forensic evidence. Wallet exfiltration and trojanization. Subsequently, the stealer probes the system for the presence of any of the following cryptocurrency wallet app…”

T1543.001 Launch Agent · 45%
“loading LaunchDaemon is configured to run /bin/bash with the path to ~/.agent as its argument, rather than invoking the backdoor binary directly. As shown in Figure 25, the script sets correct ownership, loads the daemon using launchctl, and enables both RunAtLoad and KeepAl…”

T1543.001 Launch Agent · 42%
“-control capability to the attacker on the compromised system. Creation of the execution wrapper (.agent). In addition to the backdoor binary, the stealer creates a secondary file named .agent, also placed in the user's home directory. Unlike .mainhelper, .agent isn't a ful…”

T1105 Ingress Tool Transfer · 37%
“from <C2 domain>/zxc/apptwo.zip. Backdoor deployment and persistence. To maintain long-term access to infected systems, the helper campaign deploys a multi-stage persistence mechanism built around two cooperating components: a primary backdoor binary and a lightweight e…”

T1204.002 Malicious File · 37%
“data collection is complete, data is compressed and exfiltrated. The stealer deletes staging artifacts to reduce forensic evidence. Wallet exfiltration and trojanization. Subsequently, the stealer probes the system for the presence of any of the following cryptocurrency wallet app…”

T1204.002 Malicious File · 35%
“Trojanized cryptocurrency wallet applications pose a serious risk to their users, who might be unaware of the stealthy compromise and continue to use and transact with them. Persistence. For persistence, the malware creates an additional script within the newly created ~/Library…”

T1071 Application Layer Protocol · 35%
“// Loader campaign installation DeviceNetworkEvents | where InitiatingProcessCommandLine has_any ("loader.sh?build=", "payload.applescript?build=") // Helper campaign installation DeviceFileEvents | where InitiatingProcessCommandLine has_all ("curl", "/tmp…”

T1543.001 Launch Agent · 32%
“…64-encoded script under a plist staged at ~/Library/LaunchAgent/com.<random name>.plist. The persisted AppleScript is heavily obfuscated in its original form (character id concatenation). After decoding, the key logic follows: this AppleScript functions as a C2 dis…”

T1204.004 Malicious Copy and Paste · 31%
“infrastructure persistence and bot execution payloads file indicators of attack references Fake CleanMyMac site installs Shub stealer and backdoors crypto wallets. Malwarebytes Labs (published 2026-03-06) Malvertising campaign spreads AMOS ‘malext’ macOS infostealer via f…”

Summary

Threat actors are targeting macOS users with fake utility fixes that trick them into running malicious Terminal commands. This campaign evades traditional defenses by stealing credentials, wallets, and sensitive data.

The post ClickFix campaign uses fake macOS utilities lures to deliver infostealers appeared first on Microsoft Security Blog.