
ClickFix on macOS: AppleScript Malware Campaign Uses Terminal Prompts to Steal Data

Key Takeaways

- ClickFix abuses trust: The campaign bypasses malware downloads by using fake security prompts to trick users into running terminal commands.
- AppleScript payloads steal user data: The script targets browser profiles, crypto wallets, documents, and system files, then uploads them to attacker-controlled servers.
- Phishing domains are visually convincing: Pages like cryptoinfo-news.com mimic CAPTCHAs and verification steps to appear legitimate.
- C2 infrastructure reveals patterns: The attackers use SSH, HTTP, and obscure ports like 3333 for hidden admin panels, often with permissive CORS (Cross-Origin Resource Sharing) headers.
- SQL hunting helps identify new threats: Hunt.io's rules surfaced 50+ related servers with similar infrastructure and code fingerprints.
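The last two takeaways describe an infrastructure fingerprint (an admin-style service on an unusual port such as 3333, answering with a permissive CORS header) that a hunter can turn into a repeatable check. The script below is an added example, not code from the Hunt.io article or from the campaign itself: it parses raw HTTP response headers from scan records and flags hosts matching both signals. The record schema (host, port, raw_headers), the sample records, and the documentation-range IP addresses are all constructed for illustration; Hunt.io's actual SQL rules and schema are not on this page.

```python
"""Flag scan records that match the C2 infrastructure pattern described above.

Assumed schema: each record carries a host, a TCP port, and the raw HTTP
response header block captured from that port. This is a constructed
illustration, not Hunt.io's dataset or query language.
"""
from dataclasses import dataclass

# Obscure admin-panel port named in the takeaways; extend as new intel arrives.
WATCH_PORTS = {3333}


@dataclass
class ScanRecord:
    host: str
    port: int
    raw_headers: str  # status line plus response headers, one per line


def parse_headers(raw: str) -> dict[str, str]:
    """Return header names lower-cased; the status line and blanks are skipped."""
    headers: dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def cors_is_permissive(headers: dict[str, str]) -> bool:
    """Wildcard Access-Control-Allow-Origin means any site can read responses."""
    return headers.get("access-control-allow-origin", "") == "*"


def hunt(records: list[ScanRecord]) -> list[tuple[str, int, list[str]]]:
    """Return (host, port, reasons) for records that show BOTH signals.

    Requiring both keeps the noise down: a wildcard CORS header on its own is
    common on benign APIs, and port 3333 on its own is used by legitimate tools.
    """
    hits = []
    for rec in records:
        reasons = []
        headers = parse_headers(rec.raw_headers)
        if rec.port in WATCH_PORTS:
            reasons.append(f"admin-style service on watched port {rec.port}")
        if cors_is_permissive(headers):
            reasons.append("permissive CORS (Access-Control-Allow-Origin: *)")
        if len(reasons) == 2:
            hits.append((rec.host, rec.port, reasons))
    return hits


# Constructed sample records (RFC 5737 documentation addresses, not real C2).
SAMPLE_RECORDS = [
    ScanRecord("203.0.113.10", 3333,
               "HTTP/1.1 200 OK\nServer: nginx\n"
               "Access-Control-Allow-Origin: *\nContent-Type: text/html"),
    ScanRecord("203.0.113.11", 443,
               "HTTP/1.1 200 OK\nAccess-Control-Allow-Origin: *"),   # wrong port
    ScanRecord("203.0.113.12", 3333,
               "HTTP/1.1 403 Forbidden\nContent-Type: text/plain"),  # no CORS
    ScanRecord("198.51.100.5", 3333,
               "HTTP/1.1 200 OK\n"
               "Access-Control-Allow-Origin: https://example.com"),   # scoped CORS
]


if __name__ == "__main__":
    for host, port, reasons in hunt(SAMPLE_RECORDS):
        print(f"{host}:{port} -> " + "; ".join(reasons))
```

Only the first record trips both signals. In practice the watched-port set and the header test would be widened with the other fingerprints the article mentions (code similarities across panels), and hits would be pivoted on, not blocked automatically.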

To read the complete article, see: Hunt.io

This post is licensed under CC BY 4.0 by the author.