ClickFix macOS attack silently drops info-stealers via DMGs

A new macOS ClickFix campaign uses fake error messages to trick users into running Terminal commands that silently download and execute info-stealing malware from malicious DMG files. Learn how to protect yourself.

A new macOS ClickFix campaign is making waves by using Terminal commands to silently download, mount, and launch info-stealing malware from malicious disk image (DMG) files. This isn't your typical phishing attempt—it's a clever social engineering trick that preys on users' trust in system prompts.

### How the attack works

The attack starts with a fake error message or system alert that looks legitimate. You're told something's wrong—like a missing font or a corrupted file—and prompted to "fix" it by running a Terminal command. Innocent enough, right? But that command actually triggers a chain reaction: it downloads a DMG from a remote server, mounts it, and executes the malware inside.

Think of it like this: someone hands you a tool to fix a leaky pipe, but that tool is actually a tiny robot that steals your wallet while you're distracted. The DMG is the toolbox, and the malware is the robot.

### Why this is dangerous

- **No user interaction beyond the initial click**: Once you run the command, everything happens in the background. You might not even notice anything unusual.
- **Silent execution**: The malware doesn't pop up windows or ask for permissions. It just quietly runs, stealing passwords, credit card numbers, and other sensitive data.
- **Bypasses traditional defenses**: Because the attack uses legitimate macOS features (Terminal, disk mounting), it can slip past antivirus software that's looking for more obvious threats.

### Who's at risk?

Anyone using macOS is a potential target, but professionals in digital privacy, cybersecurity, and antidetect browsing should be especially vigilant. If you're handling multiple accounts, managing online identities, or working with sensitive data, a single infection could compromise everything.

### How to protect yourself

1. **Never run Terminal commands from unverified sources**—especially not from pop-ups or emails. If something feels off, it probably is.
2. **Keep your macOS and security tools updated**. Apple regularly patches vulnerabilities, but you have to install those updates.
3. **Use an antidetect browser** to add an extra layer of separation between your real system and risky downloads. Think of it as a virtual sandbox for your browsing activity.
4. **Enable Gatekeeper** and consider using third-party security apps that monitor for unusual processes.

### What to do if you think you've been hit

If you accidentally ran a suspicious command, disconnect from the internet immediately. Then run a full malware scan using trusted software. Change your passwords from a clean device, and consider enabling two-factor authentication everywhere.

### The bigger picture

This ClickFix campaign is a reminder that attackers are getting smarter. They're not just sending spammy emails anymore—they're crafting attacks that feel personal and urgent. The best defense is a healthy dose of skepticism and the right tools.

Stay safe out there. And remember: if a pop-up tells you to fix something by typing in Terminal, close it and walk away.
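
The chain described under "How the attack works" (a Terminal command that downloads a DMG, mounts it, and runs what is inside) can be written as detection logic over process-execution events, which is the kind of "unusual process" monitoring the protection list mentions. This is an added example, not code from the campaign or from any security product; the event tuples, the `/Volumes/Example/helper` path, the 120-second window, and the use of `curl` and `hdiutil` as the download and mount tools are constructed assumptions.

```python
from collections import defaultdict

# Constructed process-exec events (ts_seconds, pid, ppid, exe, argv); not real telemetry.
EVENTS = [
    (100, 500, 1, "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", []),
    (101, 501, 500, "/bin/zsh", ["-l"]),
    (130, 510, 501, "/usr/bin/curl", ["-o", "/tmp/example.dmg", "https://downloads.example/example.dmg"]),
    (133, 511, 501, "/usr/bin/hdiutil", ["attach", "/tmp/example.dmg"]),
    (135, 512, 501, "/Volumes/Example/helper", []),
    (300, 601, 500, "/bin/zsh", ["-l"]),
    (400, 610, 601, "/usr/bin/hdiutil", ["attach", "/Users/a/Downloads/app.dmg"]),  # manual mount only
]
WINDOW = 120  # seconds allowed between first and last stage (assumed value)
STAGES = ["dmg_fetch", "mount", "exec_from_volume"]

def stage(exe, argv):  # classify one exec event as a step of download -> mount -> run
    if exe.startswith("/Volumes/"):
        return "exec_from_volume"
    if exe.endswith("/hdiutil") and "attach" in argv:
        return "mount"
    if any(a.startswith(("http://", "https://")) and a.lower().endswith(".dmg") for a in argv):
        return "dmg_fetch"  # simplification: the URL argument itself names a .dmg
    return None

def from_terminal(pid, parents, exes):  # True if any ancestor of pid is the Terminal app
    for _ in range(len(parents)):  # bounded walk, so malformed parent cycles cannot hang it
        pid = parents.get(pid)
        if exes.get(pid, "").endswith("/Terminal"):
            return True
    return False

def find_chains(events):  # -> [(shell_pid, first_ts, last_ts)] per in-order chain
    parents = {pid: ppid for _, pid, ppid, _, _ in events}
    exes = {pid: exe for _, pid, _, exe, _ in events}
    hits = defaultdict(list)  # grouped by immediate parent shell (assumption)
    for ts, pid, ppid, exe, argv in sorted(events, key=lambda e: e[0]):
        if (s := stage(exe, argv)) and from_terminal(pid, parents, exes):
            hits[ppid].append((ts, s))
    alerts = []
    for shell, seq in hits.items():
        i, start = 0, None
        for ts, s in seq:
            if start is not None and ts - start > WINDOW:
                i, start = 0, None  # chain went stale; start over
            if s == STAGES[i]:
                start, i = (ts if i == 0 else start), i + 1
                if i == len(STAGES):
                    alerts.append((shell, start, ts))
                    i, start = 0, None
    return alerts
```

Only the first shell alerts: all three stages occur in order under one Terminal-descended shell within the window, while the second shell's lone mount does not match.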