216.73.217.22

ClickFix campaign uses fake macOS utilities lures to deliver infostealers

· Published 06/05/2026 21:35 · Modified 08/05/2026 09:19

Export JSON

Essential information

Published
06/05/2026 21:35
Modified
08/05/2026 09:19
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
applescript clickfix infostealer macos phantompulse shub stealer
Tags
2026-05-06 applescript clickfix infostealer macos phantompulse shub stealer
Related entities
1 vulnerabilities (cve), 145 indicators, 145 observables, 20 techniques (mitre), 4 malware, 117 others

Description

Threat actors are leveraging -style social engineering tactics to distribute infostealers targeting users through fake system utility lures. Attackers host malicious Terminal commands on blog sites and content platforms, disguised as troubleshooting advice for issues. When executed, these commands download infostealers including Macsync, , and AMOS, which exfiltrate browser credentials, cryptocurrency wallets, iCloud data, Keychain entries, and media files. The campaign has evolved to use Terminal-based script execution that bypasses Gatekeeper verification. Three distinct campaigns employ different tradecraft, with some replacing legitimate cryptocurrency wallet applications with trojanized versions and establishing persistence through LaunchAgents and LaunchDaemons that masquerade as legitimate services.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Vulnerabilities (CVE) (1)

CVE-2026-31431 KEV
7.8 High

In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 …

Attack vector
LOCAL
Complexity
LOW
EPSS
0.0001 (P0.6%)
Published
22/04/2026
Modified
23/05/2026

Indicators (145)

Observables (145)

  • fastfilenext.com
  • we2luck.com
  • milbiorb.com
  • rebidy.com
  • ptrei.com
  • rvdownloads.com
  • lakhov.com
  • mentaorb.com
  • medoviypirog.com
  • pilautfile.com
  • malkim.com
  • trehlub.com
  • haploadpin.com
  • boso6ka.com
  • ejecen.com
  • hello-brothers777.com
  • dialerformac.com
  • korovkamu.com
  • avafex.com
  • pewqpeee888.com
  • perewoisbb0.com
  • thickentributary.digital
  • pewweepor092.com
  • persaniusdimonica8.com
  • enslaveculprit.digital
  • metlafounder.com
  • miappl.com
  • raxelpak.com
  • molokotarelka.com
  • wusetail.com
  • mpasvw.com
  • peloetwq71.com
  • play67.cc
  • uk176video.live
  • wriconsult.com
  • cleanmymacos.org
  • hitkrul.com
  • do2wers.com
  • raytherrien.com
  • wewannaliveinpicede.com
  • honestly.ink
  • ouilov.com
  • pelorso90la.com
  • lbarticle.com
  • pla7ina.cfd
  • rapidfilevault4.sbs
  • reachnv.com
  • octopox.com
  • benefasts-fhgs2.com
  • nibelined.com
  • malext.com
  • famiode.com
  • jihiz.com
  • woupp.com
  • reews09weersus.com
  • paralegalmustang.icu
  • tmcnex.com
  • doqeers.com
  • res2erch-sl0ut.com
  • joeyapple.com
  • quantumdataserver5.homes
  • poeooeowwo777.com
  • cauterizespray.icu
  • kayeart.com
  • wewannaliveinpice.com
  • metrikcs.com
  • vagturk.com
  • filefastdata.com
  • dryvecar.com
  • joytion.com
  • terafolt.com
  • avipstudios.com
  • coco-fun2.com
  • arkypc.com
  • octopixeldate.com
  • seagalnssteavens.com
  • bankafolder.com
  • rapidfilevault5.sbs
  • rawmrk.com
  • swift-sh.com
  • kcbps.com
  • rhymbil.com
  • domenpozh.net
  • kofeynayagush.com
  • boosterjuices.com
  • resilientlimb.icu
  • beltoxer.com
  • repqoow77wiqi.com
  • metramon.com
  • mikulatur.com
  • yablochnisok.com
  • futampako.com
  • bintail.com
  • coco2-hram.com
  • bigbossbro777.com
  • saramoftah.com
  • aforvm.com
  • stinarosen.com
  • round5on.digital
  • res2erch-sl2ut.com
  • 0x666.info
  • vcopp.com
  • pipipoopochek6.com
  • biopranica.com
  • rapidfilevault4.cyou
  • laislivon.com
  • stclegion.com
  • contatoplus.com
  • xeebii.com
  • us41web.live
  • nitlebuf.com
  • isgilan.com
  • hilofet.com
  • yygp4pdh.apexharvestor.digital
  • kvrnjr30.apexharvestor.digital
  • qjywvkbl.degassing-mould.digital
  • zg5mkr7q.apexharvestor.digital
  • 92.246.136.14
  • 45.94.47.204
  • 38.244.158.103
  • 199.217.98.33
  • 95.85.251.177
  • 168.100.9.122
  • 138.124.93.32
  • 38.244.158.56
  • https://cauterizespray.icu/script.sh
  • https://yygp4pdh.apexharvestor.digital
  • https://resilientlimb.icu/script.sh
  • https://laislivon.com/contact
  • https://joytion.com/contact
  • http://lakhov.com/contact
  • https://enslaveculprit.digital/script.sh
  • https://thickentributary.digital/script.sh
  • https://round5on.digital/script.sh
  • https://mpasvw.com/contact
  • https://kvrnjr30.apexharvestor.digital
  • https://www.iru.com/blog/atomic-stealer-amos-returns
  • https://avipstudios.com/contact
  • https://qjywvkbl.degassing-mould.digital
  • http://paralegalmustang.icu/script.sh
  • https://zg5mkr7q.apexharvestor.digital
  • 9d2da07aa6e7db3fbc36b36f0cfd74f78d5815f5ba55d0f0405cdd668bd13767
  • 522fdfaff44797b9180f36c654f77baf5cdeaab861bbf372ccfc1a5bd920d62e
  • 7ca42f1f23dbdc9427c9f135815bb74708a7494ea78df1fbc0fc348ba2a161ae
  • 241a50befcf5c1aa6dab79664e2ba9cb373cc351cb9de9c3699fd2ecb2afab05

Techniques (MITRE) (20)

Malware (4)

  • PhantomPulse
    Family
    Published 06/05/2026 19:35 · Modified 06/05/2026 19:35
  • Macsync
    Family
    Published 06/05/2026 19:35 · Modified 06/05/2026 19:35
  • AMOS
    Family
    Published 18/05/2026 17:52 · Modified 18/05/2026 17:52
  • SHub Stealer
    Family
    Published 18/05/2026 17:52 · Modified 18/05/2026 17:52

Others (117)

  • dialerformac.com
  • do2wers.com
  • korovkamu.com
  • seagalnssteavens.com
  • ptrei.com
  • biopranica.com
  • bigbossbro777.com
  • famiode.com
  • boso6ka.com
  • isgilan.com
  • avafex.com
  • arkypc.com
  • nitlebuf.com
  • yygp4pdh.apexharvestor.digital
  • futampako.com
  • tmcnex.com
  • malext.com
  • wewannaliveinpicede.com
  • cauterizespray.icu
  • raxelpak.com
  • doqeers.com
  • repqoow77wiqi.com
  • ouilov.com
  • joytion.com
  • perewoisbb0.com
  • rvdownloads.com
  • medoviypirog.com
  • mentaorb.com
  • hitkrul.com
  • terafolt.com
  • vagturk.com
  • wewannaliveinpice.com
  • milbiorb.com
  • pewweepor092.com
  • contatoplus.com
  • kcbps.com
  • woupp.com
  • reachnv.com
  • trehlub.com
  • swift-sh.com
  • wusetail.com
  • joeyapple.com
  • fastfilenext.com
  • play67.cc
  • lbarticle.com
  • qjywvkbl.degassing-mould.digital
  • coco-fun2.com
  • thickentributary.digital
  • rapidfilevault4.cyou
  • pilautfile.com
  • nibelined.com
  • res2erch-sl0ut.com
  • kayeart.com
  • poeooeowwo777.com
  • malkim.com
  • kvrnjr30.apexharvestor.digital
  • dryvecar.com
  • jihiz.com
  • pelorso90la.com
  • 0x666.info
  • uk176video.live
  • round5on.digital
  • aforvm.com
  • rapidfilevault5.sbs
  • metramon.com
  • lakhov.com
  • zg5mkr7q.apexharvestor.digital
  • reews09weersus.com
  • haploadpin.com
  • molokotarelka.com
  • resilientlimb.icu
  • beltoxer.com
  • rapidfilevault4.sbs
  • kofeynayagush.com
  • ejecen.com
  • we2luck.com
  • pipipoopochek6.com
  • mikulatur.com
  • avipstudios.com
  • us41web.live
  • saramoftah.com
  • raytherrien.com
  • yablochnisok.com
  • filefastdata.com
  • miappl.com
  • honestly.ink
  • xeebii.com
  • stclegion.com
  • bintail.com
  • enslaveculprit.digital
  • octopixeldate.com
  • octopox.com
  • res2erch-sl2ut.com
  • hello-brothers777.com
  • laislivon.com
  • domenpozh.net
  • paralegalmustang.icu
  • rawmrk.com
  • vcopp.com
  • persaniusdimonica8.com
  • cleanmymacos.org
  • mpasvw.com
  • bankafolder.com
  • boosterjuices.com
  • coco2-hram.com
  • pla7ina.cfd
  • hilofet.com
  • peloetwq71.com
  • metlafounder.com
  • benefasts-fhgs2.com
  • wriconsult.com
  • rebidy.com
  • pewqpeee888.com
  • metrikcs.com
  • stinarosen.com
  • quantumdataserver5.homes
  • rhymbil.com

External references