On July 18, 2026, Netskope Threat Labs released a chilling report about a new macOS ClickFix malware campaign that’s slipping past traditional defenses by staying entirely in memory.
Key Takeaways
- The campaign uses a clipboard‑stealing script that drops a command into Terminal without writing a file.
- Victims see a fake System Preferences dialog that harvests passwords, cookies, and messaging data.
- The payload targets 25 desktop crypto wallets, replacing their binaries with trojanized versions that bypass Gatekeeper.
- Persistence is achieved via a disguised process called com.apple.accountsd that pings its C2 server every minute.
- Enterprises should ban Terminal use for most users and ramp up security awareness training.
Historical Context
MacOS has not always been seen as a soft target. Early campaigns such as Flashback and XcodeGhost demonstrated that attackers could corrupt trusted software updates to gain footholds on Apple devices. Those incidents relied on persistent binaries that lived on disk and were eventually caught by signature‑based scanners.
When the industry shifted toward “fileless” techniques, the focus moved from static payloads to living memory. Attackers began abusing native macOS utilities—AppleScript, Automator, and the command‑line tool “osascript”—to execute malicious code without ever touching the filesystem. This evolution forced security teams to reconsider what “presence” means on a Mac.
ClickFix builds on that lineage. Instead of exploiting a zero‑day vulnerability, it uses the user’s own Terminal session. The approach mirrors tactics seen in Windows‑only fileless attacks, yet it adapts them to the macOS sandbox model. The result is a hybrid threat that feels familiar to seasoned defenders but novel enough to slip past many existing controls.
macOS ClickFix malware: How a fileless chain evades defenses
The attack starts with a classic social‑engineering trick: a fake website that pretends to be a macOS optimization utility or a GitHub repository. When users click a copy button, malicious JavaScript silently copies a Terminal command to their clipboard. The victim then pastes the command, believing it’s harmless.
That command pulls a script that lives only in RAM. Because there’s no file on disk, standard anti‑malware scanners can’t spot it. It’s a clever move that shows attackers are leaning on macOS’s own toolchain instead of hunting for zero‑day exploits.
Social engineering at scale
Attackers host compromised pages that mimic legitimate services, even localized IT support portals. Netskope observed fake macOS optimization pages, bogus GitHub repos, and counterfeit IT help sites. The common thread is a clear instruction: copy the command, paste it into Terminal.
That instruction looks innocuous, but the reality is far darker. Once the script runs, a second payload appears as a System Preferences window asking for the user’s macOS password to “update settings.”
Fileless infection: Clipboard hijacking and in‑memory execution
When the victim submits their password, the malware unlocks the macOS keychain and begins siphoning saved passwords, session cookies, and data from messaging apps. Because the payload never writes to disk, forensic analysis becomes a nightmare.
That’s the catch. The attackers bypass the Gatekeeper checks that normally block unsigned binaries. By staying in memory, they avoid the usual detection triggers.
Why fileless matters
Traditional endpoint protection relies on scanning files for known signatures. A fileless attack sidesteps that model entirely. Enterprises that depend on signature‑based tools are suddenly blind to this threat.
It didn’t work for the attackers if the user refused to paste the command. That single decision can stop the infection dead in its tracks.
Crypto wallet takeover: Targeting 25 desktop wallets
The campaign goes a step further by zeroing in on desktop crypto wallets. The malware kills the legitimate wallet app, overwrites its core bundle with a trojanized version, and forces an ad‑hoc code signature.
Because the signature appears structurally valid, macOS Gatekeeper doesn’t raise an alert. Users see no warning, and the malicious wallet launches as if nothing’s wrong.
Security experts warn that anyone holding substantial crypto should avoid single‑sig wallets. The report underscores that even a “fileless” threat can have tangible financial consequences.
Persistence via a fake Apple account process
To keep a foothold, the malware installs a background configuration file masquerading as an Apple system account process named com.apple.accountsd. That process pings the command‑and‑control server every minute, maintaining a beacon that lets attackers execute arbitrary code at any time.
Because the process looks like a legitimate macOS service, it can blend in with other system daemons, making it hard for admins to spot without deep inspection.
What makes this persistence scary?
It isn’t a one‑off data grab; it’s a long‑term backdoor. Even if the initial payload is detected, the hidden process can re‑inject the malicious code later.
Adoption Timeline and Detection Challenges
Early sightings of ClickFix appeared in corporate threat‑intel feeds within weeks of the Netskope release. By the time analysts published the full report, several organizations had already observed anomalous clipboard events. The speed of adoption mirrors previous fileless campaigns that exploited trusted user actions.
Detection hinges on monitoring runtime behavior rather than static artifacts. Tools that track launchd job registrations, unusual network beacons, or rapid changes to the keychain are better positioned to flag the intrusion. However, many enterprises still rely on AV signatures that only trigger when a file is written to disk.
Because the malicious code resides in memory, memory‑dump analysis becomes the primary forensic method. That approach requires privileged collection and can be disruptive in production environments. so, many teams are still developing playbooks to respond to such threats.
Implications for enterprise security
9to5Mac’s take is that the attackers aren’t relying on obscure vulnerabilities. They’re simply abusing native macOS tools against the user. That means the biggest defense is still the human element.
Continuous security training becomes critical. Users must never paste unknown commands into Terminal, no matter how convincing the site looks.
You could argue that restricting Terminal access for most roles might become the default policy. That’s a tough trade‑off for developers who need shell access, but the risk is real.
- Enforce least‑privilege policies for Terminal use.
- Implement web filtering that blocks known malicious domains.
- Deploy endpoint detection that monitors anomalous clipboard activity.
- Regularly audit system daemons for unexpected entries like com.apple.accountsd.
What This Means For You
If you manage a fleet of Macs, start by disabling Terminal for non‑technical staff. Use mobile device management tools—like Mosyle, which powers Apple @ Work—to push that restriction centrally.
For developers who need Terminal, consider sandboxed environments or secure shells that log every command. Pair that with real‑time alerts when a clipboard copy originates from an untrusted site.
Lastly, audit any crypto wallet installations on corporate machines. Replace single‑sig wallets with multi‑sig solutions that require hardware confirmation, reducing the payoff for attackers who manage to replace the binary.
Scenario one: a finance analyst receives a phishing email that links to a fake “macOS cleanup” page. The copy‑button instruction lands a hidden command in the clipboard. By enforcing a policy that blocks Terminal for all finance users, the organization eliminates the attack vector before it reaches the analyst’s machine.
Scenario two: a software engineering team works remotely and needs frequent Terminal access. Their MDM profile grants them a custom “secure shell” that records every pasted command. When a malicious command is detected, an automated alert triggers a forced logout and initiates a forensic snapshot of the affected endpoint.
Scenario three: an IT department discovers an unauthorized process named com.apple.accountsd during a routine daemon audit. Because the team has a baseline inventory of expected services, the anomaly is flagged immediately, and the process is terminated before it can re‑establish a C2 beacon.
Looking ahead, we’ll likely see more fileless campaigns that use native OS features. The question is whether enterprises will adapt their defenses fast enough to keep pace.
Key Questions Remaining
How will macOS updates address the underlying mechanisms that enable clipboard hijacking? Will Apple introduce stricter validation for commands that originate from the clipboard, or will the responsibility remain with the user?
What level of visibility can existing EDR solutions provide into in‑memory execution without impacting system performance? Vendors are beginning to offer memory‑behavior analytics, but adoption is still uneven across the market.
Can organizations balance developer productivity with the need to restrict Terminal usage? Finding a middle ground that protects users while preserving the agility of software teams will be a defining challenge for security leaders.
Sources: 9to5Mac, Netskope Threat Labs

