SOC Prime Bias: Medium

22 Apr 2026 18:47

macOS ClickFix Campaign: AppleScript Stealers & New Terminal Protections

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Netskope Threat Labs has identified a cross-platform ClickFix campaign that targets macOS users with an AppleScript-based infostealer. The malware is delivered through a deceptive social-engineering page that convinces victims to copy and paste a malicious command into Terminal. Once executed, the script collects keychain contents, browser cookies, extension data, and cryptocurrency wallet files, then sends the stolen information out through HTTP POST requests. The campaign also uses persistent fake dialog boxes to trick users into entering their system password.

Investigation

The report explains that the malicious landing page first filters visitors by user agent before serving an AppleScript loader specifically tailored for macOS systems. After execution, the malware creates a temporary staging directory, gathers credentials and wallet-related data, compresses the collected files with the ditto command, and uploads the archive to a hard-coded command-and-control address. Researchers also documented the abuse of macOS Directory Services to validate the victim’s password in real time, along with the wide range of targeted browsers and cryptocurrency wallet applications.

Mitigation

Netskope recommends that macOS users update to the latest versions of macOS Tahoe 26.4 or macOS Sequoia, which introduce native Terminal warnings for pasted commands. Users should also avoid running commands copied from untrusted websites, verify all credential prompts carefully, and enable multi-factor authentication wherever possible. Organizations are encouraged to monitor for suspicious AppleScript-driven dialogs and unusual HTTP POST traffic headed to unfamiliar infrastructure.

Response

Defenders should detect and block execution of unknown AppleScript files and watch for creation of the /tmp/xdivcmp/ staging directory. Alerts should also be configured for HTTP POST activity from macOS systems to uncommon domains or IP addresses. Any recurring dialog boxes requesting system passwords should be treated as suspicious, and affected endpoints should be isolated promptly for forensic investigation.
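As an added example (not code from the Netskope report or from SOC Prime's rule content), the Python below applies those response checks to constructed endpoint telemetry: it flags AppleScript password prompts (assumed to use the `display dialog ... with hidden answer` syntax), activity under the /tmp/xdivcmp staging path and its hidden /tmp/.xdivcmp variant, ditto archiving of that directory, and HTTP POSTs to hosts outside an assumed allowlist, escalating when staging and an unexplained POST both appear.

```python
import re

# Constructed sample telemetry (not from the report): one key=value record per
# line, quoted values may contain spaces. ts, type, proc, arg, method, host.
SAMPLE_EVENTS = [
    "ts=1 type=process proc=/usr/bin/osascript arg='display dialog \"Enter password\" with hidden answer'",
    "ts=2 type=file proc=/bin/mkdir arg=/tmp/xdivcmp",
    "ts=3 type=process proc=/usr/bin/ditto arg='-c -k --sequesterRsrc /tmp/xdivcmp /tmp/out.zip'",
    "ts=4 type=network proc=/usr/bin/curl method=POST host=203.0.113.10",
    "ts=5 type=network proc=/usr/bin/curl method=POST host=updates.example.com",
    "ts=6 type=file proc=/bin/rm arg=/tmp/xdivcmp",
]

# Assumed organisational allowlist of destinations that legitimately receive POSTs.
KNOWN_POST_HOSTS = {"updates.example.com"}

KV_RE = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")
# Staging path from the report, plus the hidden-directory variant (leading dot).
STAGING_RE = re.compile(r"(?:^|\s)/tmp/\.?xdivcmp(?:/|\s|$)")
# AppleScript password-style prompt (assumed syntax, not quoted from the report).
DIALOG_RE = re.compile(r"display dialog.*hidden answer")


def parse_event(line):
    """Turn one key=value record into a dict; quoted values keep their spaces."""
    return {k: q or v for k, q, v in KV_RE.findall(line)}


def classify(ev):
    """Return the name of the rule an event trips, or None."""
    proc = ev.get("proc", "").rsplit("/", 1)[-1]
    arg = ev.get("arg", "")
    if proc == "osascript" and DIALOG_RE.search(arg):
        return "password_dialog"
    if proc == "ditto" and STAGING_RE.search(arg):
        return "archive_staged_data"
    if ev.get("type") == "file" and STAGING_RE.search(arg):
        return "staging_dir_activity"
    if ev.get("type") == "network" and ev.get("method") == "POST" \
            and ev.get("host") not in KNOWN_POST_HOSTS:
        return "post_to_unknown_host"
    return None


def analyse(lines):
    """Classify every record; escalate when staging and an unexplained POST co-occur."""
    hits = [(ev["ts"], rule) for ev in map(parse_event, lines) if (rule := classify(ev))]
    rules = {r for _, r in hits}
    return hits, {"staging_dir_activity", "post_to_unknown_host"} <= rules


if __name__ == "__main__":
    for ts, rule in analyse(SAMPLE_EVENTS)[0]:
        print(f"ts={ts} {rule}")
```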

Attack Flow

    graph TB
    %% Class definitions
    classDef technique fill:#ffcc99
    %% Node definitions
    t_phish["<b>Technique</b> – <b>T1566 Phishing</b><br/><b>Description</b>: Send malicious emails containing a copy-paste command to lure the victim."]
    class t_phish technique
    t_userexec["<b>Technique</b> – <b>T1204.004 User Execution: Malicious Copy and Paste</b><br/><b>Description</b>: Victim copies and pastes the malicious command into a terminal session."]
    class t_userexec technique
    t_unixshell["<b>Technique</b> – <b>T1059.004 Command and Scripting Interpreter: Unix Shell</b><br/><b>Description</b>: Execute a shell command that downloads and runs an AppleScript payload."]
    class t_unixshell technique
    t_obfusc["<b>Technique</b> – <b>T1027 Obfuscated Files or Information</b><br/><b>Description</b>: Encode the shell command to hide its malicious intent."]
    class t_obfusc technique
    t_inputcap["<b>Technique</b> – <b>T1056 Input Capture</b><br/><b>Description</b>: Persistent AppleScript dialog captures the macOS user password."]
    class t_inputcap technique
    t_oscred["<b>Technique</b> – <b>T1003 OS Credential Dumping</b><br/><b>Description</b>: Use the captured password to decrypt the macOS Keychain."]
    class t_oscred technique
    t_passmgr["<b>Technique</b> – <b>T1555.005 Credentials from Password Stores: Password Managers</b><br/><b>Description</b>: Extract stored vault data from installed password managers."]
    class t_passmgr technique
    t_webbrowser["<b>Technique</b> – <b>T1555.003 Credentials from Password Stores: Web Browsers</b><br/><b>Description</b>: Steal saved passwords and autofill data from browser stores."]
    class t_webbrowser technique
    t_webcookie["<b>Technique</b> – <b>T1539 Steal Web Session Cookie</b><br/><b>Description</b>: Harvest session cookies from twelve web browsers."]
    class t_webcookie technique
    t_altauth["<b>Technique</b> – <b>T1550.004 Use Alternate Authentication Material: Web Session Cookie</b><br/><b>Description</b>: Re-use stolen cookies to bypass multi-factor authentication."]
    class t_altauth technique
    t_browserdisc["<b>Technique</b> – <b>T1217 Browser Information Discovery</b><br/><b>Description</b>: Locate browser profile directories on the host system."]
    class t_browserdisc technique
    t_staging["<b>Technique</b> – <b>T1074.001 Data Staged: Local Data Staging</b><br/><b>Description</b>: Aggregate harvested data in /tmp/xdivcmp."]
    class t_staging technique
    t_archive["<b>Technique</b> – <b>T1560 Archive Collected Data</b><br/><b>Description</b>: Compress the staged data into a zip file using ditto."]
    class t_archive technique
    t_exfil["<b>Technique</b> – <b>T1041 Exfiltration Over C2 Channel</b><br/><b>Description</b>: Transfer the zip archive via HTTP POST to a command-and-control server."]
    class t_exfil technique
    t_filedel["<b>Technique</b> – <b>T1070.004 Indicator Removal: File Deletion</b><br/><b>Description</b>: Delete the staging directory after successful exfiltration."]
    class t_filedel technique
    t_diskwipe["<b>Technique</b> – <b>T1561 Disk Wipe</b><br/><b>Description</b>: Overwrite disk sectors to remove forensic traces."]
    class t_diskwipe technique
    %% Connections showing flow
    t_phish -->|leads_to| t_userexec
    t_userexec -->|leads_to| t_unixshell
    t_unixshell -->|uses| t_obfusc
    t_unixshell -->|uses| t_inputcap
    t_unixshell -->|uses| t_browserdisc
    t_inputcap -->|enables| t_oscred
    t_inputcap -->|enables| t_passmgr
    t_inputcap -->|enables| t_webbrowser
    t_inputcap -->|enables| t_webcookie
    t_webcookie -->|enables| t_altauth
    t_browserdisc -->|provides| t_staging
    t_staging -->|creates| t_archive
    t_archive -->|exfiltrates| t_exfil
    t_exfil -->|triggers| t_filedel
    t_filedel -->|triggers| t_diskwipe

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

  • Attack Narrative & Commands:

    1. Recon: The attacker first enumerates the current user’s keychain to identify stored items.
    2. Credential Dump: Using security dump-keychain, the attacker extracts the entire keychain database to a temporary file.
    3. Staging: The dump is copied into a hidden staging directory /tmp/.xdivcmp/ (mirroring the rule’s /tmp/xdivcmp/ path).
    4. Obfuscation: The staging directory is marked hidden (chflags hidden).
    5. Exfiltration Prep: Files are compressed into payload.zip ready for outbound transfer.
  • Regression Test Script:

    #!/bin/bash
    set -euo pipefail
    
    # 1. Create hidden staging directory (matches rule path)
    STAGING_DIR="/tmp/.xdivcmp"
    mkdir -p "$STAGING_DIR"
    chflags hidden "$STAGING_DIR"
    
    # 2. Dump the keychain (requires user interaction; simulated with a copy of the DB)
    KEYCHAIN_SRC="/Users/$(whoami)/Library/Keychains/login.keychain-db"
    KEYCHAIN_DUMP="${STAGING_DIR}/login.keychain-db.dump"
    
    # Simulate dump by copying the DB (real attacker would use `security dump-keychain`)
    cp "$KEYCHAIN_SRC" "$KEYCHAIN_DUMP"
    
    # 3. Compress for exfil
    zip -j "${STAGING_DIR}/payload.zip" "$KEYCHAIN_DUMP"
    
    echo "[+] ClickFix simulation complete – staging artifacts placed in $STAGING_DIR"
  • Cleanup Commands:

    #!/bin/bash
    set -euo pipefail
    
    STAGING_DIR="/tmp/.xdivcmp"
    
    if [[ -d "$STAGING_DIR" ]]; then
        rm -rf "$STAGING_DIR"
        echo "[+] Cleaned up staging directory."
    else
        echo "[*] No staging directory found; nothing to clean."
    fi