HeadlinesBriefing favicon HeadlinesBriefing.com

New macOS ClickFix Malware Targets Enterprise Fleets

9to5Mac •
×

A new report from Netskope Threat Labs details a sophisticated macOS ClickFix campaign that uses social engineering to deploy an AppleScript-based information stealer and persistent remote access trojan. Attackers direct users to fake websites mimicking legitimate services — including macOS optimization utilities, GitHub repos, and localized IT support pages — where malicious JavaScript silently places a command on the clipboard. When pasted into Terminal, the command executes a fileless, in-memory script that evades standard malware scans.

The payload then displays a fake System Preferences dialog requesting the user's macOS login password. Once entered, the malware unlocks the keychain to extract saved passwords, session cookies, and messaging app data. It also targets 25 desktop crypto wallets, killing the legitimate app, overwriting the bundle with a trojanized version, and forcing an ad hoc code signature to bypass Gatekeeper.

For persistence, the malware installs a background configuration file disguised as com.apple.accountsd, polling a command-and-control server every minute to maintain a beaconing loop and enable remote code execution. Bradley Chambers, author of the Apple @ Work column, emphasizes that this campaign demonstrates how far a purely scripted payload can reach without zero-day exploits.

9to5Mac's take highlights the critical need for continuous security training: users must never paste unknown commands into Terminal. Blocking Terminal access on enterprise Macs may become a default policy for many roles. The column is sponsored by Mosyle, trusted by 45,000 organizations to manage and protect Apple devices at work.