New macOS ClickFix campaign steals passwords and installs remote access trojan in enterprises
> cd .. / HUB_EDITORIALE
News

New macOS ClickFix campaign steals passwords and installs remote access trojan in enterprises

[2026-07-18] Author: Ing. Calogero Bono
> share
Zenithby Meteora Web The operating system for your business. Social, clients, bookings and invoices in one platform. Gyms, barbers, professionals. Discover Zenith Free demo · no card

A sophisticated new malware campaign dubbed macOS ClickFix is putting enterprise devices at risk by exploiting social engineering to bypass Apple's native protections. According to a report by Netskope Threat Labs, attackers trick users into running seemingly harmless commands in the macOS Terminal, leading to the installation of an AppleScript-based information stealer and a persistent remote access trojan.

How the ClickFix attack works: social engineering and fake commands

The campaign relies on compromised or attacker-controlled websites that mimic legitimate services. Researchers found fake macOS optimization utility pages, fake GitHub repositories, and even localized IT support pages. These sites instruct victims to manually copy and paste a specific command into the macOS Terminal. When the user clicks the copy button, malicious JavaScript silently places the execution string onto the clipboard. Running this command in Terminal fetches a script that runs entirely in memory, leaving no traces on the local drive and easily evading standard malware scanners.

Sponsored Protocol

Password and data theft through fake dialog boxes

Once the secondary payload is active, the malware displays a fake System Preferences dialog box asking for the user's macOS login password to update settings. If the victim enters the password, the malware uses it to unlock the macOS keychain and begins extracting saved passwords, session cookies, and data from messaging apps. Furthermore, the malware targets 25 different desktop cryptocurrency wallets: it kills the legitimate app, overwrites the application bundle with a trojanized version, and forces an ad hoc code signature, restoring a structurally valid signature that lets the modified app launch without triggering Gatekeeper warnings.

Sponsored Protocol

Persistent remote access via disguised process

To maintain long-term access, the payload installs a background configuration file disguised as an Apple system process named com.apple.accountsd. This process polls the command-and-control server every minute, creating a constant beaconing loop that allows the attacker to execute arbitrary code on the infected Mac at any time. The campaign illustrates how far a purely scripted macOS payload can reach, without needing zero-day vulnerabilities or kernel exploits; attackers simply use the native macOS toolchain against the user.

Sponsored Protocol

How to protect enterprises: training and blocking Terminal

For IT departments, this threat highlights the critical need for continuous security training. Users must be taught never to paste unknown commands into Terminal, no matter how legitimate the website appears. Blocking access to Terminal on enterprise Macs may become the default for many roles. Additionally, adopting advanced security solutions like unified Apple device management platforms is essential. For more on data protection, read our article on how to remove personal data from the Internet. For further details on social engineering techniques, visit the Wikipedia page on social engineering.

Source: https://9to5mac.com/2026/07/18/macos-clickfix-campaign

> share
Ing. Calogero Bono

> AUTHOR_EXTRACTED

Ing. Calogero Bono

Ingegnere informatico, fondatore di Meteora Web e Zenith OS. System administrator e progettista di piattaforme, app e CMS proprietari, con esperienza in sviluppo full-stack, marketing digitale ed ecosistema Google.
[ Read Full Dossier ]

> METEORA_WEB // DIGITAL AGENCY

We build the digital presence your business deserves.

Websites, social media, online advertising, e-commerce and high-performance hosting, engineered with method by computer engineers in Sciacca, for all of Italy.

> MW_JOURNAL

> READ_ALL()