ClickFix campaign delivers macOS infostealer via DMG
A new macOS ClickFix campaign employs fake CAPTCHA pages to deceive users into executing malicious Terminal commands. The attack chain downloads and invisibly mounts a DMG file containing a self-signed information-stealer application bundle. This payload, assessed as belonging to the AMOS (Atomic macOS Stealer) lineage—specifically the Odyssey variant—prompts users for passwords through fake System Preferences dialogs. The stealer harvests extensive data including browser credentials, cryptocurrency wallet information from 13 standalone applications and 201 browser extensions, messaging app data, Apple Notes, Safari cookies, and macOS keychain entries. Exfiltrated data is compressed and sent to two command-and-control servers. The malware establishes persistence via LaunchAgent and trojanizes legitimate cryptocurrency applications including Ledger Live and Trezor Suite, replacing them with compromised versions downloaded from attacker infrastructure.
AI Analysis
Technical Summary
This threat involves a macOS-targeted malware campaign named ClickFix that uses social engineering via fake CAPTCHA pages to convince users to execute malicious commands. The commands download and mount a DMG containing a self-signed infostealer application identified as part of the AMOS (Atomic macOS Stealer) lineage, Odyssey variant. The malware harvests extensive sensitive information including browser credentials, cryptocurrency wallet data from 13 standalone apps and 201 browser extensions, messaging app data, Apple Notes, Safari cookies, and macOS keychain entries. It exfiltrates compressed data to two command-and-control servers. The malware establishes persistence through LaunchAgent and compromises legitimate cryptocurrency applications by replacing them with trojanized versions fetched from attacker infrastructure. No CVE or patch information is available, and no known exploits in the wild have been reported.
Potential Impact
The malware compromises user credentials, cryptocurrency wallets, messaging data, and other sensitive information on macOS systems. It can deceive users into providing passwords and maintains persistence by trojanizing legitimate cryptocurrency applications, potentially leading to significant data theft and financial loss. The campaign targets a broad range of sensitive data sources, increasing the risk of identity theft, financial fraud, and privacy violations.
Mitigation Recommendations
No official patch or remediation is available as this is a malware campaign relying on social engineering and user interaction. Mitigation focuses on user education to avoid executing untrusted Terminal commands and downloading software from unverified sources. Monitoring for suspicious LaunchAgent entries and verifying the integrity of cryptocurrency applications like Ledger Live and Trezor Suite is recommended. Users should only download software from official vendor sources and be cautious of unexpected password prompts. Since the malware uses self-signed applications and trojanizes legitimate apps, endpoint protection solutions with behavioral detection may help identify and block this threat.
Indicators of Compromise
- ip: 178.16.52.101
- ip: 196.251.107.171
- domain: fewfwfwfwfwf.info
- domain: svs-verificationdate.beer
- hash: 25b6fc4f9c54a28ba7bfc4dfeafb62c99b59ea6f0d17679219b876b321965095
- hash: 067ad6221b2224d5cdb64e51c5516132d820cf4d7edf9ec170643943e79c04b7
- hash: d6f479736ba55d3c4e895c4940d035cf772f3192fb8dc496f09a801aed16d970
- hash: 833008c03d40422192051584d829d730497108bef31751cceb0cc043dd96bbfb
- hash: 8111edf01ac6cb5c77e249d4e84fd92a85b5e89c2e2bef92fbe00b6f1cc2aa8e
- hash: f0038a5f46720da5982b6984ceef10cf99359432e102b12a0b0657498d36f670
Technical Details
- Author: AlienVault
- TLP: white
- References:
  - https://x.com/Unit42_Intel/status/2069321645924159505
  - https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-06-20-ClickFix-campaign-delivers-macOS-infostealer-via-DMG.txt
- Adversary: none listed
- Pulse Id: 6a3d42cc11f8fec9a3aab237
- Threat Score: none listed
Threat ID: 6a3d46404853345fc11c396f
Added to database: 06/25/2026, 15:16:16 UTC
Last enriched: 06/25/2026, 15:31:18 UTC
Last updated: 06/25/2026, 22:56:09 UTC