EarlyNarratives
Pricing
Start free trialSign in
Start free trialSign in
Signal

ClickFix malware campaign evolves to infect Macs via Script Editor

Evidence first: scan the strongest sources, then decide whether to go deeper.

Published 2026-04-10 13:29 UTCUpdated 2026-04-10 15:02 UTC
rss
malwaremacossocial_engineeringinfostealer
Source links open
Source links and full evidence are open here. Archive history, compare-over-time, alerts, exports, API, integrations, and workflow are paid.
BackEvidence (2)Get the free brief by emailStart free trial
No card needed for the free brief.
Evidence trail (top sources)
top sources (2 domains)domains are deduped. counts indicate coverage, not truth.
2 top sources shown
ClickFix finds a new way to infect Macs
Malwarebytes Threat Analysis · News · malwarebytes.com · 2026-04-10 15:02 UTC
ClickFix campaign delivers Mac malware via fake Apple page
Help Net Security · News · helpnetsecurity.com · 2026-04-10 13:29 UTC
limited source diversity in top sources
View all evidence
Overview

The ClickFix malware campaign targeting Mac users has shifted tactics from tricking victims into pasting commands into Terminal to using the applescript:// URL scheme.

Entities
AppleJamfMalwarebytesClickFixAtomic StealerZeljka Zorz
Score total
1.01
Momentum 24h
2
Posts
2
Origins
2
Source types
1
Duplicate ratio
0%
Why now
  • The shift to Script Editor execution is recent, indicating active and evolving threats.
  • Users familiar with Terminal risks may be vulnerable to this new, simpler infection vector.
  • Security teams need to update detection and user education to address this new attack method.
Why it matters
  • ClickFix's new infection method lowers the barrier for users to execute malware, increasing infection risk.
  • Mac users may underestimate risks from scripts launched outside Terminal, requiring updated security awareness.
  • The campaign demonstrates ongoing evolution of social engineering tactics targeting macOS environments.
LLM analysis
Topic mix: lowPromo risk: lowSource quality: high
Recurring claims
  • ClickFix uses social engineering to trick Mac users into running malicious commands or scripts that download malware.
  • The campaign shifted from Terminal command execution to using the applescript:// URL scheme to auto-open Script Editor with a malicious script.
How sources frame it
  • Malwarebytes Threat Analysis: neutral
  • Help Net Security: neutral
This update highlights the evolving social engineering tactics used by ClickFix to infect Macs, emphasizing the need for continued user education and security monitoring.
All evidence
All evidence
ClickFix finds a new way to infect Macs
Malwarebytes Threat Analysis · malwarebytes.com · 2026-04-10 15:02 UTC
ClickFix campaign delivers Mac malware via fake Apple page
Help Net Security · helpnetsecurity.com · 2026-04-10 13:29 UTC
Show filters & breakdown
Posts loaded: 0Publishers: 2Origin domains: 2Duplicates: -
Showing 2 / 0
Top publishers (this list)
  • Malwarebytes Threat Analysis (1)
  • Help Net Security (1)
Top origin domains (this list)
  • malwarebytes.com (1)
  • helpnetsecurity.com (1)