SOC Prime Bias: High

25 Nov 2025 14:59 UTC

Clickfix on macOS: AppleScript Malware Campaign Uses Terminal Prompts to Steal Data

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Summary

The AppleScript malware campaign targets macOS users via a ClickFix technique by persuading them to manually execute base64-decoded shell commands in Terminal. These commands retrieve an AppleScript stealer that harvests browser data, cryptocurrency wallets, local documents, and other sensitive information, then exfiltrates it to attacker-controlled servers. Because no traditional binary is written to disk, the activity is harder to spot with classic AV. The operation relies on multiple deceptive domains and unusual service ports for command-and-control traffic.

AppleScript Campaign Analysis

Researchers examined the phishing websites, the JavaScript responsible for delivering the payload, and the AppleScript used for collection and exfiltration. Infrastructure mapping uncovered domains such as cryptoinfo-news.com and odyssey1.to, along with services exposed on ports 22, 80, 3333, and 5201. The AppleScript payload packages stolen data into a ZIP file at /tmp/out.zip and uses curl to upload it to a remote endpoint.

Mitigation

Defenders should block the identified malicious domains and limit outbound connections on uncommon ports. Harden macOS hosts by restricting AppleScript and shell usage, monitoring for `base64 -d | bash` execution patterns, and applying strict CORS controls in web environments. Security awareness training should highlight phishing pages that instruct users to copy, paste and run Terminal commands.
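The "base64 -d | bash" monitoring recommended above can be turned into a small triage check. The following is an added example, not SOC Prime's rule or tooling: it scans constructed shell-history and process command-line records for a base64 decoder whose output is piped into a shell, and decodes the blob offline so an analyst can read what would have run, without ever executing it. Matching the -D and --decode flag spellings and the sh/zsh sinks alongside bash is a generalization of the campaign's pattern made here; every event line below is constructed sample data.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed sample telemetry (not real campaign data): shell-history entries
# and EDR-style process command lines as a macOS host might report them.
SAMPLE_EVENTS = [
    "echo 'cHJpbnQoJ0NhdXNlJykK' | base64 -d | bash",
    "echo 'ZWNobyAnQ29tcHJvbWlzZSc=' | base64 --decode | sh",
    "printf 'aWQ=' | base64 -D | zsh",
    "base64 -d ~/Downloads/archive.b64 > archive.tar",  # decode with no shell sink
    "ls -la /tmp",
    "cat notes.txt | grep bash",
]

# A base64 decoder (-d, -D or --decode) whose output is piped into sh, bash or zsh.
DECODE_AND_RUN = re.compile(
    r"base64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?P<sink>(?:/bin/)?(?:ba|z)?sh)\b"
)
# The base64 blob fed into the pipeline by echo/printf, captured for offline decoding.
BLOB = re.compile(r"(?:echo|printf)\s+(?:-n\s+)?['\"]?([A-Za-z0-9+/]+={0,2})['\"]?\s*\|")


def decode_for_triage(blob: str) -> Optional[str]:
    """Decode the blob so an analyst can read it; the result is never executed."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace").strip()


def analyze(events):
    """Return one finding per event that decodes base64 straight into a shell."""
    findings = []
    for line in events:
        m = DECODE_AND_RUN.search(line)
        if not m:
            continue
        blob = BLOB.search(line)
        findings.append({
            "event": line,
            "sink": m["sink"],
            "decoded": decode_for_triage(blob.group(1)) if blob else None,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[ALERT] sink={f['sink']:<4} decoded={f['decoded']!r}  <- {f['event']}")
```

Only the first three sample lines are flagged; a plain `base64 -d` of a file and a `grep bash` produce no alert, which keeps the check tied to the decode-and-execute behaviour rather than to the word "base64" alone. The decoded text is shown to the analyst as data only.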

Response

When these indicator patterns are detected, notify the SOC, isolate the affected system, and capture temporary artifacts and shell history. Perform a forensic review of the /tmp directory, quarantine any suspicious ZIP archives, and correlate outbound traffic with the known C2 servers and ports identified in the campaign.
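To make the correlation step concrete, here is an added example (written for this page, not part of SOC Prime's content) that applies the indicators named in this write-up: the two domains, the four service ports and the ZIP staging artifact in /tmp. The key=value egress log format, host names, timestamps and /tmp listings are all constructed. Ports 22 and 80 are treated as weak evidence unless paired with a known domain, since they also carry everyday traffic; a domain match or a staging archive drives an "isolate" verdict, an uncommon port alone only a "review".

```python
import re
from collections import defaultdict

# Indicators taken from the campaign write-up: C2 domains, C2 service ports,
# and the staging directory where the AppleScript stealer writes out.zip.
C2_DOMAINS = {"cryptoinfo-news.com", "odyssey1.to"}
C2_PORTS = {22, 80, 3333, 5201}
COMMON_PORTS = {22, 80}          # also everyday traffic: weak evidence on their own
STAGING_DIR = "/tmp/"

# Constructed sample egress log lines (assumed key=value format; not real traffic).
SAMPLE_FLOWS = """\
2025-11-25T14:59:01Z host=mac-042 dst=cryptoinfo-news.com dport=443 bytes_out=1802
2025-11-25T14:59:07Z host=mac-042 dst=odyssey1.to dport=3333 bytes_out=4194304
2025-11-25T15:01:12Z host=mac-017 dst=updates.example.net dport=80 bytes_out=512
2025-11-25T15:02:45Z host=mac-017 dst=198.51.100.7 dport=5201 bytes_out=32768
2025-11-25T15:03:00Z host=mac-099 dst=github.com dport=22 bytes_out=2048
""".splitlines()

# Constructed sample /tmp listings per host, as a responder would collect them.
SAMPLE_TMP = {
    "mac-042": ["/tmp/out.zip", "/tmp/com.apple.launchd.Q1x"],
    "mac-017": ["/tmp/install.log"],
    "mac-099": [],
}

FLOW_RE = re.compile(r"host=(?P<host>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def flow_reasons(dst: str, dport: int) -> list:
    """Reasons a single egress record matches the campaign (empty list if none)."""
    reasons = []
    domain_hit = dst.lower() in C2_DOMAINS
    if domain_hit:
        reasons.append(f"known C2 domain {dst}")
    # A common port counts only when it goes to a known C2 domain.
    if dport in C2_PORTS and (dport not in COMMON_PORTS or domain_hit):
        reasons.append(f"C2 service port {dport}")
    return reasons


def staging_archives(paths: list) -> list:
    """ZIP archives under /tmp, the stealer's staging location (e.g. /tmp/out.zip)."""
    return [p for p in paths if p.startswith(STAGING_DIR) and p.lower().endswith(".zip")]


def triage(flow_lines, tmp_listings):
    """Correlate egress records and /tmp artifacts per host and assign a verdict."""
    findings = defaultdict(list)
    strong = set()  # hosts with a domain match or a staging archive
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        host, dst, dport = m["host"], m["dst"], int(m["dport"])
        reasons = flow_reasons(dst, dport)
        if reasons:
            findings[host].append(f"{dst}:{dport} -> " + "; ".join(reasons))
            if dst.lower() in C2_DOMAINS:
                strong.add(host)
    for host, paths in tmp_listings.items():
        for archive in staging_archives(paths):
            findings[host].append(f"staging archive {archive} (quarantine, do not delete)")
            strong.add(host)
    return {
        host: {"verdict": "isolate" if host in strong else "review", "findings": items}
        for host, items in findings.items()
    }


if __name__ == "__main__":
    for host, result in triage(SAMPLE_FLOWS, SAMPLE_TMP).items():
        print(f"{host}: {result['verdict'].upper()}")
        for item in result["findings"]:
            print(f"  - {item}")
```

In the sample data mac-042 is isolated (two domain hits plus /tmp/out.zip), mac-017 is queued for review on the strength of a single connection to port 5201, and mac-099's SSH session to github.com produces nothing, which is the behaviour the weak/strong split is meant to give.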

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative directly reflect the identified TTPs and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:

    1. The attacker sends a phishing email containing the one‑liner:

      echo "cHJpbnQoJ0NhdXNlJykK" | base64 -d | bash

      (The payload decodes to print('Cause') – a placeholder for any malicious Bash script.)

    2. An unsuspecting user copies the line and pastes it into Terminal.

    3. macOS spawns a bash process whose command line exactly matches the pattern base64 -d | bash, satisfying the Sigma rule’s selection.

    4. The Bash interpreter executes the decoded payload, completing the malicious action (e.g., establishing a reverse shell, downloading additional tools).

  • Regression Test Script: The script below automates steps 1‑3, reproducing the telemetry needed for validation.

    #!/bin/bash
    # -------------------------------------------------
    # Simulate macOS Base64-decode-and-Bash execution
    # -------------------------------------------------
    # Base64-encoded payload; decodes to: echo 'Compromise'
    # (a harmless stand-in that Bash can actually run and that
    # prints "Compromise"; the Python-style print('Compromise')
    # used earlier is a syntax error in Bash and never prints)
    PAYLOAD="ZWNobyAnQ29tcHJvbWlzZSc="

    # Execute the one-liner exactly as an attacker would
    echo "$PAYLOAD" | base64 -d | bash

    # Exit with the status of the Bash command
    exit $?

  • Cleanup Commands: Remove any temporary files or background processes that may have been created by the payload (replace with payload-specific cleanup if needed).

    #!/bin/bash
    # Simple cleanup - ensure no stray decode/execute processes remain.
    # pkill -f uses an extended regex, so a bare "|" is alternation:
    # the pattern "base64 -d | bash" would match every process with
    # " bash" in its command line, including the user's own shells.
    # Match the decoder only.
    pkill -f 'base64 -d' 2>/dev/null
    # If the payload created files, delete them (example placeholder)
    rm -f /tmp/malicious_script.sh 2>/dev/null