{
  "name": "macOS ClickFix Campaign: AppleScript Stealers & New Terminal Protections",
  "slug": "macos-clickfix-campaign-applescript-stealers-new-terminal-protections",
  "description": "A sophisticated ClickFix campaign targets both Windows and macOS users through fake CAPTCHA pages that trick victims into executing malicious commands. The macOS variant deploys an AppleScript-based infostealer that harvests sensitive data including keychain databases, credentials, and session cookies from 12 browsers, over 200 browser extensions, and 16 cryptocurrency wallets. The malware displays a persistent, non-closable dialog box that mimics legitimate system prompts to force victims into providing their system password. Because a stolen session cookie represents an already-authenticated session, attackers can reuse it to hijack active sessions and bypass multi-factor authentication. The campaign uses client-side JavaScript to filter victims by user-agent, directing desktop users to OS-specific payloads while ignoring mobile devices. The latest macOS updates add native Terminal security warnings designed to warn users against pasting potentially malicious commands.",
  "published": "2026-04-21T00:05:08+00:00",
  "created_at": "2026-04-21T00:05:08+00:00",
  "modified_at": "2026-04-21T07:28:00+00:00",
  "created_at_opencti": "2026-04-21T00:05:08+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-04-21",
    "applescript",
    "browser data exfiltration",
    "clickfix",
    "credential harvesting",
    "cryptocurrency wallet theft",
    "infostealer",
    "macos",
    "session hijacking",
    "social engineering"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "172.94.9.250"
      },
      {
        "id": "",
        "name": "http://172.94.9.250/d/xxx10108"
      },
      {
        "id": "",
        "name": "https://bull-run.fun/"
      },
      {
        "id": "",
        "name": "https://spot-wave.fun/"
      },
      {
        "id": "",
        "name": "77b1beb083e4e2074402742ef2d677835072acf0e7ddd9ee8206e5a2c76b1ca5"
      },
      {
        "id": "",
        "name": "c07a15640065580e3bbff86eb567050e1a9e9847e2034ff00953ce7eeb2eec41"
      }
    ],
    "attack_patterns": [
      {
        "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd",
        "name": "T1036.005"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "46ecf5ab-5539-4a8a-aa5b-c180d0ae5a67",
        "name": "T1059.002"
      },
      {
        "id": "a72b6e11-a5d5-4f5a-8f0d-8861e90c34f7",
        "name": "T1555"
      },
      {
        "id": "e615d5ec-8d67-4048-b21d-a5fb09925bb9",
        "name": "T1552.001"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "1584b551-72fb-4f60-ba7a-bdac106e6f9b",
        "name": "T1560.001"
      },
      {
        "id": "759720f6-8f0f-4017-ab21-7ac30d0bf46f",
        "name": "T1555.001"
      },
      {
        "id": "b7c6c1ad-f183-4128-8427-3891029c73dc",
        "name": "T1539"
      },
      {
        "id": "05ac27d4-58d0-44b2-a984-cd5aefd1f7f9",
        "name": "T1497.001"
      },
      {
        "id": "1c9d3b0c-7ba8-40bc-be57-2c8e2495861d",
        "name": "T1204.003"
      },
      {
        "id": "436e795b-553f-444e-b837-65818d8f539f",
        "name": "T1119"
      },
      {
        "id": "e1b18ecf-d74e-4fe6-9bd4-ca6a62e7d818",
        "name": "T1027.002"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "bull-run.fun"
      },
      {
        "id": "",
        "name": "spot-wave.fun"
      },
      {
        "id": "",
        "name": "gen.detect.by.nscloudsandbox.tr"
      }
    ]
  },
  "external_refs": [
    "https://www.netskope.com/blog/macos-clickfix-campaign-applescript-stealers-new-terminal-protections",
    "https://otx.alienvault.com/pulse/69e6db546f646b9818b7bf0d"
  ]
}