ClickFix campaign uses fake macOS utility lures to deliver infostealers
ID: a5832945-2517-5b9a-99e7-38aceae703ec
STIX ID: report--a5832945-2517-5b9a-99e7-38aceae703ec
Feed Name: Microsoft Security
Date Published: 2026-05-06
Date Updated: 2026-05-06
Author: Microsoft Defender Security Research Team and Microsoft Defender Experts
Microsoft describes an active macOS-focused infostealer campaign (ClickFix) that lures users into pasting Base64-encoded Terminal commands hosted on blogs and note platforms. These commands load in-memory AppleScript or shell loaders that install infostealers (MacSync, SHub, AMOS), steal Keychain, browser and iCloud data, exfiltrate cryptocurrency wallets, and sometimes replace wallet apps with trojanized versions. The report details three execution paths (loader, script, helper), persistence via LaunchAgents/LaunchDaemons, C2 discovery (including a Telegram fallback), extensive IoCs (domains, IPs, hashes, file paths), and recommended detection and mitigation steps.
