Best crypto insights delivered straight to your inbox.
- Attackers are posting fake macOS troubleshooting guides to trick users into running malicious Terminal commands that steal crypto.
- The campaign has been active since late 2025 and bypasses Gatekeeper because victims execute the malicious commands themselves.
- Apple added a protection in macOS 26.4 that blocks pasting commands flagged as potentially malicious into Terminal.
Attackers are posting fake macOS troubleshooting guides on Medium, Craft, and Squarespace. The goal is to make users run Terminal commands that install malware targeting iCloud data, saved passwords, and crypto wallets.
Microsoft’s Defender Security Research Team published the findings. The campaign has been running since late 2025. It preys on Mac users searching for help with common problems like freeing up disk space or fixing system errors.
Instead of offering a legit fix, the pages tell users to copy a command and paste it into Terminal. That command pulls down and runs malware.
The misleading blog posts tell readers to copy a malicious command and paste it into Terminal. This command downloads malware and runs it on the victim’s computer.
The technique is called ClickFix. It’s social engineering that changes responsibility for launching the payload onto the victim. Because the user runs the command directly in Terminal, macOS Gatekeeper never inspects the payload.
Gatekeeper normally checks code signing and notarization on app bundles opened through Finder, but this method sidesteps it entirely.
Attackers launched three campaigns with the same goal
Microsoft spotted three campaign installers:
- A loader.
- A script.
- A helper.
All three harvest sensitive data, establish persistence, and exfiltrate stolen information to the attacker’s servers.
The malware families include AMOS, Macsync, and SHub Stealer. If any one of the three malware was installed, it goes after iCloud and Telegram account data. Then it looks for private documents and photos under 2 MB. And it extracts crypto wallet keys from Exodus, Ledger, and Trezor, and steals saved usernames and passwords from Chrome and Firefox.
After installation, the malware throws up a fake dialog and asks for a system password to install a “helper tool.” If the user enters the password, the attacker gets full access to files and system settings.
In some cases, researchers found that attackers deleted legitimate crypto wallet apps and replaced them with trojanized versions designed to monitor transactions and steal funds.
Trezor Suite, Ledger Wallet, and Exodus were some of the main apps targeted in this attack.
The loader campaign also includes a kill switch. The malware stops executing if it detects a Russian keyboard layout.
Security researchers observed attackers using curl, osascript, and other native macOS utilities to run payloads directly in memory. This is a fileless approach that makes detection harder for standard antivirus tools.
Attackers go after crypto developers
Security researchers from ANY[.]RUN discovered a Lazarus Group operation called “Mach-O Man.” Hackers used the same ClickFix technique through fake meeting invitations. They went after fintech and crypto machines where macOS is common.
Cryptopolitan published about the PromptMink campaign.
A malicious npm package was put into a crypto trading project by the North Korean group Famous Chollima through an AI-generated change. Using a two-layer package approach, the malware got access to wallet data and system secrets.
Both campaigns show that crypto wallet data is valuable. Attackers are adapting their delivery methods from fake blog posts to AI-assisted supply chain compromises to reach it.
There’s a middle ground between leaving money in the bank and rolling the dice in crypto. Start with this free video on decentralized finance.
FAQs
What is ClickFix and how does it work on macOS?
ClickFix is a social engineering attack that tricks users into copying and pasting a command into Terminal, which downloads and executes malware.
Which crypto wallets are targeted by this malware campaign?
Exodus, Ledger, and Trezor as the primary targets. In some cases, attackers uninstalled genuine wallets and replaced them with trojanized apps.
Has Apple released a fix for the ClickFix Terminal attack?
Apple added a protection in macOS 26.4 that blocks pasting commands flagged as potentially malicious into Terminal. It displays a warning that reads "Possible malware, Paste blocked."
Disclaimer. The information provided is not trading advice. Cryptopolitan.com holds no liability for any investments made based on the information provided on this page. We strongly recommend independent research and/or consultation with a qualified professional before making any investment decisions.
CRASH COURSE
- Which cryptocurrencies can make you money
- How to boost your security with a wallet (and which ones are actually worth using)
- Little-known investment strategies that the pros use
- How to get started investing in crypto (which exchanges to use, the best crypto to buy etc)