Clickfix Malware is now targeting Mac users with fake captcha tricks

Clickfix continues to develop a social engineering strategy that has been targeting both Windows and Mac users since the beginning of 2024.

Last month, I told how the attackers were using fake captcha signs Trick Windows users in installing malware yourself,

Now, the same trick is being replaced against Macos. Cyber ​​security researchers have highlighted a new campaign using a clickfix to distribute a powerful information-dictator MACOS Steeler (AMOS) that targets Apple Systems.

Spot fake online store, avoid Facebook membership scam

What is clickfix malware, and how does it work?

Safety researcher Cloudsac MACOS has identified a new threat targeting users through duplication and deception. The campaign uses technology known as clickfix to woo the victims through fake online verification signals. This time, the attackers are deteriorating the spectrum, a major telecom provider in the United States. They use fraudulent domains that meet the actual support portals of the spectrum. These include misleading addresses like panel spectrum net and spectrum ticket net.

Visitors of these sites have been shown a standard looking captcha box, asking them to verify their identity. When they do, the site displays a fake error message that says captcha failed. Users are encouraged to click on a button with “alternative verification” labels. This triggers a command to quietly copy on their clipboard. What happens next depends on the user’s operating system. On macosThe instructions guide the user to paste and run the command in the terminal. This command is actually a shell script designed to steal information and download malware.

The script is particularly dangerous as it uses a valid Macos system command. This system asks for password, harvest credentials and disables security safetyIt then downloads Amos. It is a known information that steals the history of targeting apple devices. The malware collects sensitive data such as password, cryptocurrency wallet key, browser autofil data and saved cookies.

Researchers believe that the campaign was created by Russian speaking attackers. The clues include comments written in Russian found within the code of malware. Analysts also said that delivery infrastructure was poorly assembled. Mismatched instructions appeared in equipment. For example, Linux users were shown Windows commands. Mac users were asked to suppress the keys that are present only on Windows machines.

Sign up for my free cyber report
Distribute my best technical tips, immediate safety alerts, and exclusive deals directly into your inbox. In addition, you will get immediate access to the survival guide of my final scam – free of charge when you join.

External hackers who are out to steal your identity

Why Clickfix attacks are so effective

Clickfix is ​​a social engineering method that has gained rapid popularity Between cyber criminalIt trusts users who trust what they see and follow simple instructions. In this campaign, the attacker aims to execute the infection process itself to the victim. Once the user follows through the user, the system is compromised without the need for a traditional exploitation.

Researchers believe that the clickfix is ​​at least active from March 2024. I first reported it in June 2024 Attackers used fake error messages To pursue your payload from Google Chrome, Microsoft Word and Onedrive. The victims were shown to offer the “fix” indications, which copied a malicious powerrashel command to their clipboard. They were then instructed to run it in Powershell or through a run dialogue.

By November 2024, the method was further developed. A New waves of attacks meet Google. Users meetStart with fishing email that mimics an internal meeting. These emails had links that rednominated fake meat meat landing pages, designed to see that they came from the victim’s own organization.

Malware exposes 3.9 billion passwords in huge cyber security threat

6 ways to protect yourself from clickfix and similar malware

Clickfix Malware to protect themselves from the danger that continues to target users through sophisticated social engineering strategy, consider implementing these six essential security measures:

1. Captcha signs doubt: Valid captcha tests never require you to paste anything in the terminal. If a website instructs you to do so, it is a scam. Close the page immediately and avoid interacting with it.

2. Do not click on the link from rejected email and use strong antivirus software: Many clickfix attacks also begin with fishing emails that apply reliable services such as Booking.com or Google Meat. Always verify the sender before clicking on the link. If an email seems necessary or unexpected, go directly to the company’s official website instead of clicking on any link inside the email.

The best way to protect yourself from malicious links that installs malware, potentially reaches your personal information, is a strong antivirus software installed on all your devices. This security can also make you alert for email and ransomware scams, keeping your personal information and digital assets safe. Get my pics for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices,

3. Enable two-factor authentication: Able Two-factor authentication whenever possible. It adds an additional layer of safety by the need for a second form of verification, such as codes sent to your phone, in addition to your password.

Get Fox Business when you click here

4. Keep the equipment updated: regularly Update your operating system, browser and security software Ensures that you have the latest patches against the known weaknesses. Cyber ​​criminals exploit chronic systems, so it is a simple but effective way to enable automatic updates.

5. Monitor your accounts for suspicious activity and change your password: If you have interacted with a suspected website, fishing email, or fake login page, check your online accounts for any abnormal activity. Look for unexpected login efforts, unauthorized password reset, or financial transactions that you do not recognize. If anything closes, change your password immediately and report the activity to the respective service provider. Also, consider using one Password manager To generate and store complex passwords. Find out more about me Best expert-reviewed password manager of 2025 here.

6. Invest in personal data removal service: Consider using a service that monitors your personal information and alerts you for potential violations or unauthorized use of your data. These services may provide an initial warning indication of identity theft or other malicious activities as a result of clickfix or similar attacks. While no service promises to remove all your data from the Internet, if you want to continuously monitor and automate the process of removing your information from hundreds of sites continuously over a long period, a removal service is very good. See my top pics for data removal services here.

get Free scan To find out if your personal information is already on the web

Large -scale safety defects put the most popular browser at risk on Mac

Kurt’s key to Techway

Even experienced users can be deceived when malicious behavior is regularly disguised. The attack did not take advantage of only one vulnerability in MacoS, but also your familiarity with verification flow. As long as the safety instructions look like part of normal experience, people themselves will continue to run malicious code. The Mac user, like everyone, needs to treat every familiar looking interface with a little more doubt. Especially when it asks for your password.

Click here to get Fox News app

Do you think tech companies are doing enough to stop malware like clicks? Write us and tell us Cyberguy.com/Contact,

For my tech tips and security alert, subscribe to my free cybergui report newsletter Cyberguy.com/newsletter

Ask Kurt a question or tell us which stories you want to cover us.

Follow the kurt on your social channels

Answers to the most asked cybergui questions:

New from Kurt:

Copyright 2025 cyberguy.com. All rights reserved.