{
  "Event": {
    "analysis": "1",
    "date": "2026-04-20",
    "extends_uuid": "",
    "info": "[Threat Intel] macOS ClickFix Campaign: AppleScript Stealers & New Terminal Protections",
    "protected": false,
    "publish_timestamp": "1776783236",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1776783236",
    "uuid": "054d9ab8-2b7d-426b-b2ce-4095025a3771",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ac3eed",
        "local": false,
        "name": "misp-galaxy:producer=\"Netskope\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Archive via Utility - T1560.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#ed66f6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"",
        "relationship_type": ""
      },
      {
        "colour": "#7da4ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#838eb9",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keychain - T1555.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#2c1d2e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Checks - T1497.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#3909cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Automated Collection - T1119\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#89bea3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"AppleScript - T1059.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9bb6d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ed4a7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Web Browsers - T1555.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#f95f85",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#4a87cb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious Image - T1204.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#30cc3b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#3c0f50",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#680082",
        "local": false,
        "name": "ms-caro-malware:malware-platform=\"MacOS\"",
        "relationship_type": ""
      },
      {
        "colour": "#1a0065",
        "local": false,
        "name": "rectifyq:topic=\"crypto-related\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776769211",
        "to_ids": false,
        "type": "link",
        "uuid": "0964d3c4-2d39-4d22-ac92-3e09891dfebb",
        "value": "https://www.netskope.com/blog/macos-clickfix-campaign-applescript-stealers-new-terminal-protections"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776769211",
        "to_ids": false,
        "type": "text",
        "uuid": "0f6ef21e-d6a0-4402-986e-bec153136aa9",
        "value": "A sophisticated ClickFix campaign targets both Windows and macOS users through fake CAPTCHA pages that trick victims into executing malicious commands. The macOS variant deploys an AppleScript-based infostealer that harvests sensitive data including keychain databases, credentials, and session cookies from 12 browsers, over 200 browser extensions, and 16 cryptocurrency wallets. The malware employs a persistent, non-closable dialog box mimicking legitimate system prompts to force victims into providing their system password. Stolen session cookies enable attackers to bypass multi-factor authentication by hijacking active sessions. The campaign uses client-side JavaScript to filter victims by user-agent, directing desktop users to OS-specific payloads while ignoring mobile devices. Recent macOS updates include native terminal security warnings designed to alert users before they paste potentially malicious commands."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776769211",
        "to_ids": false,
        "type": "text",
        "uuid": "f32c962c-e41c-4c06-94e4-471ba2637acd",
        "value": "Name: macOS ClickFix Campaign: AppleScript Stealers & New Terminal Protections\nAuthor: AlienVault\nAdversary: \nTags: [\"clickfix\", \"macos\", \"session hijacking\", \"credential harvesting\", \"cryptocurrency wallet theft\", \"applescript\", \"social engineering\", \"browser data exfiltration\", \"infostealer\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1560.001\", \"T1056.001\", \"T1539\", \"T1036.005\", \"T1555.001\", \"T1497.001\", \"T1119\", \"T1082\", \"T1059.002\", \"T1005\", \"T1555\", \"T1555.003\", \"T1552.001\", \"T1041\", \"T1566\", \"T1204.003\", \"T1027\", \"T1070.004\", \"T1027.002\", \"T1071.001\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776776344",
        "to_ids": true,
        "type": "hostname",
        "uuid": "01589667-af89-4730-9132-e53ebb60cd25",
        "value": "gen.detect.by.nscloudsandbox.tr",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776776365",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "f0bb032c-aa85-48b6-ae82-4403b0d4f9c7",
        "value": "172.94.9.250",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776776387",
        "to_ids": true,
        "type": "domain",
        "uuid": "6a259894-4c6e-4407-8720-2d995663d890",
        "value": "bull-run.fun",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776776408",
        "to_ids": true,
        "type": "domain",
        "uuid": "086887ad-b1ef-4adf-a94c-d674d0b64a0e",
        "value": "spot-wave.fun",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773645",
        "to_ids": true,
        "type": "md5",
        "uuid": "c250b9f4-2de4-498e-bbe9-e086b2e2f76a",
        "value": "e12285f507c847b986233991b86b22e3",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776776429",
        "to_ids": true,
        "type": "url",
        "uuid": "1b9c7bb5-e26f-4a8f-92ed-64c0b416c6e7",
        "value": "https://bull-run.fun/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776776451",
        "to_ids": true,
        "type": "url",
        "uuid": "a29591d8-a42d-474a-a447-a4d612f81f52",
        "value": "https://spot-wave.fun/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773647",
        "to_ids": true,
        "type": "sha256",
        "uuid": "48c8e3d3-2a67-44f0-b4ab-a0ef4f23448b",
        "value": "c07a15640065580e3bbff86eb567050e1a9e9847e2034ff00953ce7eeb2eec41",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776776472",
        "to_ids": true,
        "type": "url",
        "uuid": "d0d5b1a0-3969-4c6c-ab04-3d15e8df67a3",
        "value": "http://172.94.9.250/d/xxx10108",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776776493",
        "uuid": "60df5eca-e538-41e8-8a54-a89472b31b9e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776776493",
            "to_ids": true,
            "type": "md5",
            "uuid": "f421e78d-08b0-4c64-aed6-554fceb4a22c",
            "value": "a5d6068e7234184c51060bbb21b86f84",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776773645",
            "to_ids": true,
            "type": "sha1",
            "uuid": "fdaed93d-0c0b-4db8-9256-2cc6f42ac80a",
            "value": "39332ee27c8bec263cb6039c6b11964eee96faee",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776773645",
            "to_ids": true,
            "type": "sha256",
            "uuid": "bfdfbf02-cf84-46b5-8eaf-70106b4e8494",
            "value": "77b1beb083e4e2074402742ef2d677835072acf0e7ddd9ee8206e5a2c76b1ca5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776773321",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "721abc69-0f49-402d-bc69-66509ede1b20",
            "value": "192:OONm3TC/T4iiiMQupKNYYDyeVXTWFoDv6ueH1JMm+PgYSEhPWZXpcMbXEGnVI0d1:XmBeYsXXCoDv6C3PgeiCE9nz43K5Z"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776773321",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "53ea312e-6e37-4a3c-94d5-8420d27c57b5",
            "value": "16536"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776773321",
            "to_ids": true,
            "type": "filename",
            "uuid": "2d390d52-bc84-491d-8d17-7dd5cec05d94",
            "value": "xxx71397"
          },
          {
            "category": "Other",
            "comment": "Checked: 21/04/2026\nLast scan: 21/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776773321",
            "to_ids": false,
            "type": "text",
            "uuid": "f20b13e2-b720-467a-bfc1-08628de8d693",
            "value": "Type Description: Text\nMicrosoft: Trojan:Script/Wacatac.B!ml\nVT Total Detection: 26/62\nFirst Submission: 2026-03-13T18:15:47.000000+00:00\nLast Submission: 2026-03-13T18:15:47.000000+00:00"
          }
        ]
      }
    ]
  }
}