A new macOS ClickFix campaign leverages Terminal commands to covertly download, mount, and execute info-stealing malware from malicious disk image files. The attack bypasses user awareness by automating the infection process.
Security researchers have identified a new variant of the ClickFix malware campaign targeting macOS users. The attack uses Terminal commands to silently orchestrate a multi-stage infection chain that downloads and mounts malicious DMG (disk image) files without user intervention.
The campaign automates three critical steps: downloading the infected disk image, mounting it to the system, and launching the info-stealing payload. By operating through command-line interfaces, the attack evades traditional graphical security warnings that users typically rely on to identify threats.
ClickFix represents a broader class of attacks that trick users into executing malicious commands, often through fake browser notifications or support scams claiming system vulnerabilities. This macOS variant refines the approach by minimizing visible activity after the initial user interaction, making detection significantly harder.
Once executed, the infostealer component can harvest sensitive data including credentials, browsing history, and personal information. The use of DMG files—a standard macOS distribution format—provides additional legitimacy that can fool both users and security systems.
The attack demonstrates how macOS threats are evolving beyond traditional malware delivery methods. While macOS has historically suffered fewer infections than Windows, the platform increasingly attracts sophisticated attackers seeking access to high-value targets.
Users should exercise caution with unexpected browser notifications claiming system problems or requiring immediate action. Legitimate Apple and system notifications rarely prompt command execution. Keeping macOS updated, using endpoint protection, and reviewing running processes regularly can help identify suspicious activity.
Security teams should monitor for unusual Terminal activity and unexpected DMG mount operations as indicators of ClickFix infection attempts.
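One way to implement the monitoring suggested above, as an added example that is not from the original article: it correlates process-execution events and alerts when a shell descended from Terminal downloads a .dmg, mounts it, and then runs something from /Volumes within a short window. The event format, the sample data, the 120-second window and the tool names matched (curl, wget, hdiutil, open) are assumptions, since the article does not name the commands the campaign uses.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the article): (time, pid, ppid, command line).
EVENTS = [
    ("2025-01-01T10:00:00", 500, 1, "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"),
    ("2025-01-01T10:00:01", 501, 500, "/bin/zsh -l"),
    ("2025-01-01T10:00:05", 502, 501, "curl -s -o /tmp/sample.dmg https://example.invalid/sample.dmg"),
    ("2025-01-01T10:00:09", 503, 501, "hdiutil attach /tmp/sample.dmg"),
    ("2025-01-01T10:00:12", 504, 501, "/Volumes/Sample/Sample.app/Contents/MacOS/Sample"),
    ("2025-01-01T11:00:00", 600, 1, "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"),
    ("2025-01-01T11:00:03", 601, 600, "hdiutil attach /Users/a/Downloads/tool.dmg"),  # benign: no Terminal ancestor
    ("2025-01-01T12:00:00", 701, 500, "/bin/zsh -l"),
    ("2025-01-01T12:00:04", 702, 701, "curl -O https://example.invalid/notes.tar.gz"),  # benign: never mounted
]

# Assumed command-line patterns for the three steps the article describes, in order.
STAGES = [
    re.compile(r"\b(curl|wget)\b.*\.dmg\b", re.I),  # 1. download a disk image
    re.compile(r"\bhdiutil\s+(attach|mount)\b"),     # 2. mount it
    re.compile(r"^(open\s+)?/Volumes/"),             # 3. run something from the mounted volume
]

def has_terminal_ancestor(pid, parents, cmds):
    """Walk the parent chain; True if pid or any ancestor is Terminal."""
    seen = set()
    while pid in parents and pid not in seen:
        if "Terminal.app" in cmds[pid]:
            return True
        seen.add(pid)
        pid = parents[pid]
    return False

def detect(events, window=timedelta(seconds=120)):
    parents = {pid: ppid for _, pid, ppid, _ in events}
    cmds = {pid: cmd for _, pid, _, cmd in events}
    progress, alerts = {}, []  # progress: shell pid -> (next stage, chain start)
    for ts, pid, ppid, cmd in sorted(events):
        when = datetime.fromisoformat(ts)
        idx, start = progress.get(ppid, (0, when))
        if idx and when - start > window:
            idx = 0  # chain went stale, start over
        if has_terminal_ancestor(pid, parents, cmds) and STAGES[idx].search(cmd):
            start = when if idx == 0 else start
            idx += 1
            if idx == len(STAGES):
                alerts.append({"shell_pid": ppid, "start": start.isoformat(), "end": ts})
                idx = 0
        progress[ppid] = (idx, start)
    return alerts
```

Requiring all three steps in order under one Terminal-descended shell keeps ordinary DMG mounts and plain command-line downloads from alerting on their own.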