Microsoft published a detailed report on May 6, 2026, on the evolution of ClickFix campaigns targeting macOS: operators abandoned delivery via DMG files requiring manual installation in favor of Terminal instructions — osascript and shell interpreters — that bypass Gatekeeper checks directly. The stakes are theft of iCloud data, Keychain secrets, and cryptocurrency wallet keys, with legitimate apps replaced by trojanized versions. The change in method renders the traditional "don't install unverified apps" warning ineffective: users are induced to execute malicious code with their own hands, believing they are solving a technical problem.
- Since February 2026, Microsoft has observed three distinct campaigns on macOS — Loader, Script, and Helper — each with differentiated staging and persistence techniques.
- Documented payloads are the Macsync, Shub Stealer, and AMOS infostealers, with exfiltration targets including iCloud data, Keychain, and cryptocurrency wallet keys.
- The new Terminal delivery exploits the fact that scripts executed directly via osascript or shell are not subject to the same code-signing and notarization checks applied to app bundles opened from Finder.
- Shub Stealer implements a kill switch based on Russian/CIS keyboard layouts and harvests the user's password via a fake utility-install prompt, validating it with the dscl . -authonly command before exfiltration.
From Manual DMGs to Copy-Paste Commands: The Evolution of the Delivery Chain
Previous iterations of the ClickFix campaign on macOS, as documented by Microsoft, used DMG disk images that users had to download, mount, and install manually. That method, while effective, left wide windows for interruption: Gatekeeper warned of missing signatures, and users had to explicitly override protections.
The variant observed from February 2026 flipped the logic. The attack now poses as a fix for common problems — low disk space, system errors, supposed software conflicts — posted on troubleshooting blogs or forums. Users find step-by-step instructions ending with a Terminal command to copy and paste. Microsoft documents three distinct campaigns: Loader campaign, Script campaign, and Helper campaign, each with variations in the staging mechanism and final payload.
The danger is structural: when a user runs a script themselves, there is no bundle to sign or notarize for Gatekeeper to block. Gatekeeper verifies app bundles opened via Finder, not commands typed in Terminal.
"Unlike application bundles opened through Finder—which might be subjected to Gatekeeper verification checks such as code signing and notarization—scripts downloaded and launched directly through Terminal (for example, by using osascript or shell interpreters) don't undergo the same evaluation" — Microsoft Security Blog
Shub Stealer's Mechanism: Fake Prompt, dscl Validation, and Exfiltration
Shub Stealer is the most elaborate payload documented in the Microsoft report. The loader masquerades as a helper utility installation, requesting the user's password in a counterfeit system dialog. The credential is not merely collected: it is validated via the dscl . -authonly <username> command, which verifies authenticity against the local macOS account database.
After validation, the loader notifies the C2 server with a password_obtained event. The FileGrabber component collects documents up to 2 MB, excluding system and application files to focus on user data. The kill switch based on Russian/CIS keyboard layouts allows the malware to exclude machines in that region, likely to avoid jurisdictional blowback or to optimize targeting.
Persistence is achieved via LaunchAgents placed in system directories and disguised as legitimate components: Microsoft explicitly cites the name com.google.keystone.agent.plist, which mimics the Google Software Update agent. The agent activates at regular intervals, maintaining communication with the C2 infrastructure.
Wallet App Replacement: When the Trojan Is Indistinguishable
One of the most severe consequences documented is the replacement of legitimate cryptocurrency wallet applications with trojanized versions. Microsoft identifies three specific targets: Trezor Suite, Ledger Wallet, and Exodus. The mechanism is not a simple overwrite: the original apps are replaced with ZIP packages downloaded from the C2 server — app.zip for Ledger, apptwo.zip for Trezor, appex.zip for Exodus — that replicate the interface but intercept operations and credentials.
The user who launches what they believe is their legitimate wallet app is actually running code controlled by the campaign operators. Theft is not limited to wallet keys: browsing data, cookies, and authenticated sessions collected by the infostealers expand the compromise surface. Microsoft underscores that "the underlying goal remains the same in these campaigns: sensitive data collection, persistence, and exfiltration."
What to Do Now
The Microsoft report of May 6, 2026, indicates that traditional security policies — focused on blocking unverified apps — do not catch this vector. Specific actions derivable from the dossier are as follows:
Monitor for suspicious LaunchAgents. Microsoft cites com.google.keystone.agent.plist as a masked persistence name. Check for this file in ~/Library/LaunchAgents or /Library/LaunchAgents if not associated with a legitimate Google Software Update installation. Compare the plist's path and signature with those of the authentic agent.
Inspect wallet apps before use. If you use Trezor Suite, Ledger Wallet, or Exodus, verify the application has not been replaced by a ZIP archive downloaded from external servers. The report documents that trojanized versions arrive as app.zip, apptwo.zip, or appex.zip from C2 infrastructure.
Block execution of Terminal scripts from untrusted sources. The primary vector is social engineering that induces users to copy osascript or shell commands from web pages. Train users never to paste code into Terminal without independently verifying the purpose of every command.
Detect the password_obtained event. The report describes that Shub Stealer validates the password with dscl . -authonly and signals success to the C2. Monitoring for anomalous dscl executions associated with non-system processes can indicate ongoing credential-harvesting attempts.
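The LaunchAgent check above, worked through as an added example (not code from the Microsoft report): it parses plists with the com.google.keystone.agent label and flags any whose program lives outside the assumed location of the genuine Google Software Update agent, or which launch a shell or osascript directly. The expected install prefix and the sample plists are assumptions constructed for the demo.

```python
"""Triage LaunchAgent plists that reuse the Google Keystone label (added example).

Assumes the genuine Google Software Update agent lives under
Library/Google/GoogleSoftwareUpdate/ and never launches a shell or osascript directly.
"""
import plistlib
from pathlib import Path

KEYSTONE_LABEL = "com.google.keystone.agent"                # persistence name cited in the report
EXPECTED_PREFIX = "Library/Google/GoogleSoftwareUpdate/"    # assumed location of the genuine agent
INTERPRETERS = ("/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript")


def triage_plist(data: bytes) -> list:
    """Return findings for one plist; an empty list means nothing looked off."""
    plist = plistlib.loads(data)
    label = plist.get("Label", "")
    args = list(plist.get("ProgramArguments") or [])
    program = plist.get("Program") or (args[0] if args else "")
    findings = []
    if label == KEYSTONE_LABEL and EXPECTED_PREFIX not in program:
        findings.append(f"{label}: program {program!r} is outside the Google agent directory")
    if program in INTERPRETERS:
        findings.append(f"{label}: agent launches interpreter {program} with {args[1:]}")
    return findings


def scan_launch_agents(directories) -> dict:
    """Map plist path -> findings for every *.plist under the given directories."""
    results = {}
    for d in directories:
        for path in Path(d).expanduser().glob("*.plist"):
            try:
                findings = triage_plist(path.read_bytes())
            except Exception as exc:   # an unparseable plist is itself worth a look
                findings = [f"could not parse: {exc}"]
            if findings:
                results[str(path)] = findings
    return results


# Constructed sample plists for the demo, not artefacts recovered from the campaign.
GENUINE = plistlib.dumps({
    "Label": KEYSTONE_LABEL, "RunAtLoad": True, "StartInterval": 3523,
    "ProgramArguments": ["/Users/alice/Library/Google/GoogleSoftwareUpdate/"
                         "GoogleSoftwareUpdate.bundle/Contents/MacOS/GoogleSoftwareUpdateAgent"],
})
MASQUERADING = plistlib.dumps({
    "Label": KEYSTONE_LABEL, "RunAtLoad": True, "StartInterval": 60,
    "ProgramArguments": ["/bin/sh", "-c", "/Users/Shared/.cache/agent"],
})
```

Run `scan_launch_agents(["~/Library/LaunchAgents", "/Library/LaunchAgents"])` on a Mac to triage both directories the report names.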
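The dscl monitoring point above, as an added example that is not part of the report: it scans a process-execution feed for dscl invoked with -authonly by a parent that is not a system component. The JSON-lines event format and the trusted-parent prefixes are assumptions constructed for the demo and should be mapped onto whatever EDR or endpoint telemetry is actually in use.

```python
"""Flag `dscl . -authonly` executions from non-system parents (added example).

Event format is a constructed JSON-lines process-execution feed (ts, pid, ppid, path,
args, parent_path); the trusted-parent prefixes are an assumption to tune per fleet.
"""
import json
import shlex

# Assumed: parents that legitimately drive dscl for local-account checks on a managed Mac.
TRUSTED_PARENT_PREFIXES = ("/System/", "/usr/libexec/", "/usr/sbin/")


def is_suspicious_authonly(event: dict) -> bool:
    """True when dscl validates a password on behalf of an untrusted parent process."""
    argv = event.get("args") or []
    if not argv or not argv[0].endswith("/dscl") or "-authonly" not in argv:
        return False
    return not event.get("parent_path", "").startswith(TRUSTED_PARENT_PREFIXES)


def scan_events(lines) -> list:
    """Return (ts, parent_path, command) for every suspicious event in the feed."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if is_suspicious_authonly(event):
            hits.append((event["ts"], event["parent_path"], shlex.join(event["args"])))
    return hits


# Constructed sample feed; paths and names are illustrative, not indicators from the report.
SAMPLE_FEED = """
{"ts": "2026-05-06T09:12:01Z", "pid": 4101, "ppid": 812, "path": "/usr/bin/dscl", "args": ["/usr/bin/dscl", ".", "-read", "/Users/alice"], "parent_path": "/usr/libexec/example-mdm-agent"}
{"ts": "2026-05-06T09:12:44Z", "pid": 4188, "ppid": 4180, "path": "/usr/bin/dscl", "args": ["/usr/bin/dscl", ".", "-authonly", "alice"], "parent_path": "/bin/bash"}
{"ts": "2026-05-06T09:13:02Z", "pid": 4201, "ppid": 4190, "path": "/usr/bin/dscl", "args": ["/usr/bin/dscl", ".", "-authonly", "alice"], "parent_path": "/usr/bin/osascript"}
{"ts": "2026-05-06T09:15:30Z", "pid": 4250, "ppid": 1, "path": "/usr/bin/dscl", "args": ["/usr/bin/dscl", ".", "-authonly", "alice"], "parent_path": "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow"}
"""
```

Expect a user who types the command in Terminal to be flagged too (parent is the interactive shell); that is a tuning decision, not a bug in the rule.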
Frequently Asked Questions
Shouldn't Gatekeeper block malicious executables even from Terminal?
No. According to the Microsoft report, Gatekeeper applies code-signing and notarization checks to app bundles opened via Finder, not to scripts executed directly via shell interpreters or osascript in Terminal. This is documented OS behavior, not an exploitable vulnerability.
Are the replaced wallet apps identifiable by the user?
Microsoft documents that the trojanized apps replicate the interface of legitimate versions and are distributed with filenames mimicking the originals. The source does not specify whether visible differences or digital signature discrepancies exist that a user could detect manually.
How exactly does Shub Stealer's kill switch work?
The loader checks the system's keyboard layout: if it detects Russian or Commonwealth of Independent States (CIS) configurations, it halts execution. Microsoft does not document whether this behavior aims to exclude specific jurisdictions from targeting or to avoid accidental activation in areas of operational interest to the developers.
Information is based on the cited source and current as of publication.
Sources
- https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/
- https://thehackernews.com/2026/06/microsoft-details-windows-clipper.html