Microsoft Security Team: Fake macOS troubleshooting posts install cryptocurrency wallet stealers

According to market news, Microsoft's security research team has discovered that attackers have been inducing users to run malicious terminal commands by publishing fake macOS troubleshooting guides since the end of 2025, thereby stealing cryptocurrency wallets, iCloud data, and passwords saved in browsers.

These fake guides are published on platforms such as Medium, Craft, and Squarespace, targeting common user issues like freeing up disk space or fixing system errors, and tricking users into copying and pasting malicious commands into the terminal, which automatically downloads and runs malware. This social engineering technique, named ClickFix, bypasses macOS's Gatekeeper security mechanism because the victims are actively executing the commands.

The malware families involved include AMOS, Macsync, and SHub Stealer, which can steal cryptocurrency wallet keys from Exodus, Ledger, and Trezor, as well as usernames and passwords saved in Chrome and Firefox. In some cases, attackers also delete legitimate wallet applications and replace them with trojan versions. Apple has added a protective feature in macOS version 26.4 to prevent the pasting of potentially malicious commands.