Clickfix on macOS: AppleScript Stealer, Terminal Phishing, and C2 Infrastructure
A sophisticated phishing campaign targeting macOS users employs a technique called Clickfix, which tricks victims into running terminal commands that execute malicious AppleScript. This script steals sensitive data including browser profiles, crypto wallets, and personal files. The attackers use fake security prompts and CAPTCHA pages on domains like cryptoinfo-news.com to appear legitimate. The stolen data is exfiltrated to command and control servers, some of which run on unusual ports. The campaign's infrastructure spans multiple regions, with several C2 servers hosted in Russia. The analysis uncovered over 50 related servers with similar configurations, suggesting a financially motivated and globally distributed operation.
AI Analysis
Technical Summary
The Clickfix campaign is a sophisticated phishing attack targeting macOS users by leveraging social engineering to trick victims into executing malicious terminal commands. These commands run AppleScript code designed to steal sensitive data such as browser profiles, cryptocurrency wallets, and personal files. The attackers employ deceptive tactics including fake security prompts and CAPTCHA pages hosted on domains mimicking legitimate cryptocurrency news sites (e.g., cryptoinfo-news.com) to increase credibility and lure victims into executing the malicious commands. Once executed, the AppleScript stealer collects valuable information and exfiltrates it to a distributed command and control (C2) infrastructure. This infrastructure spans multiple regions, with a notable presence of C2 servers hosted in Russia, operating on unusual ports to evade detection. The campaign is financially motivated, targeting cryptocurrency assets and personal data for monetization. Over 50 related servers with similar configurations have been identified, indicating a large-scale, globally distributed operation. The attack chain involves multiple MITRE ATT&CK techniques such as T1560.001 (Archive Collected Data), T1074.001 (Data Staged), T1059.002 (AppleScript), T1005 (Data from Local System), T1555 (Credentials from Password Stores), T1219 (Remote Access Software), T1020 (Automated Exfiltration), T1102.003 (Web Service), T1048 (Exfiltration Over Alternative Protocol), T1056.002 (Input Capture), T1027 (Obfuscated Files or Information), T1102.002 (Web Protocols), T1070.004 (Indicator Removal on Host), T1071.001 (Application Layer Protocol), and T1105 (Ingress Tool Transfer). The absence of known exploits in the wild suggests this is a targeted phishing campaign rather than an automated exploit. The use of terminal commands and AppleScript on macOS highlights the attackers’ focus on exploiting user trust and macOS-specific scripting capabilities rather than software vulnerabilities.
Potential Impact
For European organizations, the Clickfix campaign poses a significant risk, especially to employees and executives who use macOS devices and handle sensitive information, including cryptocurrency assets. The theft of browser profiles can lead to further compromise through session hijacking or credential theft, while the exfiltration of crypto wallets directly threatens financial assets. Stolen personal files and credentials can result in identity theft, corporate espionage, and unauthorized access to internal systems. The campaign’s use of phishing and social engineering means that even well-secured networks can be compromised if users are tricked into running malicious commands. The presence of C2 infrastructure in Russia may complicate attribution and response efforts. Organizations in Europe with remote or hybrid workforces using macOS are particularly exposed, as attackers exploit the trust users place in terminal commands and security prompts. The campaign’s medium severity rating reflects its targeted nature and reliance on user interaction, but the potential financial and data loss impact is considerable. Additionally, the use of unusual ports and obfuscation techniques may evade traditional network defenses, increasing the risk of prolonged, undetected data exfiltration.
Mitigation Recommendations
European organizations should implement targeted mitigations beyond generic advice:
1) Conduct focused user awareness training emphasizing the risks of executing unsolicited terminal commands and recognizing phishing tactics involving fake security prompts and CAPTCHA pages.
2) Deploy endpoint detection and response (EDR) solutions with macOS-specific capabilities to monitor for suspicious AppleScript execution and unusual terminal command activity.
3) Implement application control policies restricting the execution of unsigned or untrusted AppleScripts and terminal commands, especially those initiated from browsers or email clients.
4) Monitor network traffic for connections to known malicious IPs and domains associated with the campaign, including those listed in the indicators, and block or alert on unusual port usage.
5) Enforce multi-factor authentication (MFA) on all critical systems and crypto wallets to reduce the impact of stolen credentials.
6) Regularly audit and secure browser profiles and crypto wallet storage locations, applying encryption and access controls.
7) Establish incident response playbooks specifically for macOS phishing and data exfiltration scenarios, including rapid isolation of infected devices.
8) Collaborate with threat intelligence providers to stay updated on evolving infrastructure and indicators related to this campaign.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Estonia
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://hunt.io/blog/macos-clickfix-applescript-terminal-phishing
- Adversary: null
- Pulse Id: 68a8aa737add292d5ee2097f
- Threat Score: null
Threat ID: 68ac4652ad5a09ad004b19a0
Added to database: 8/25/2025, 11:17:38 AM
Last enriched: 8/25/2025, 11:33:29 AM
Last updated: 8/26/2025, 12:40:24 AM