Fake macOS Troubleshooting Sites Used to Steal iCloud Data in ClickFix Scam
ID: 482ca54f-9423-5c3b-819f-fe36ec7b7969
STIX ID: report--482ca54f-9423-5c3b-819f-fe36ec7b7969
Feed Name: HackRead
The Microsoft Defender Security Research Team analyzed a ClickFix campaign that uses fake troubleshooting guides to trick Mac users into pasting Terminal commands that download and execute infostealer malware (examples: AMOS, Macsync, SHub Stealer). The malware harvests iCloud and Telegram data, private documents and photos, crypto wallet keys and saved browser credentials. It can also replace genuine crypto apps with trojanized versions, and it uses fileless execution to evade detection. Apple added a macOS 26.4 warning to help block suspicious pasted commands.
