ClickFix Campaign Delivers macOS Infostealer Via DMG

    Date: 06/22/2026

    Severity: High

    Summary

    The attack begins with a fake CAPTCHA page that socially engineers macOS users into executing a malicious Terminal command, which downloads and launches a hidden DMG-based malware installer from attacker-controlled infrastructure. The payload, NNApp, is a sophisticated macOS information stealer that uses credential phishing, browser data theft, keychain extraction, and cryptocurrency wallet harvesting to collect sensitive information. It targets major Chromium- and Firefox-based browsers, messaging applications such as Telegram and Discord, and numerous cryptocurrency wallets including Exodus, Electrum, and Binance. Stolen data is compressed and exfiltrated to C2 servers, while persistence is established through LaunchAgents. The malware also supports wallet application replacement (Ledger Live, Trezor Suite), making it a significant threat to both user credentials and cryptocurrency assets.

    Indicators of Compromise (IOC) List

    IP Address:

    178.16.52.101

    196.251.107.171

    Domain/URL:

    svs-verificationdate.beer

    fewfwfwfwfwf.info

    http://svs-verificationdate.beer/f0038a5f46720da5982b6984ceef10cf99359432e102b12a0b0657498d36f670

    https://fewfwfwfwfwf.info

    http://196.251.107.171

    Hash:

    25b6fc4f9c54a28ba7bfc4dfeafb62c99b59ea6f0d17679219b876b321965095

    067ad6221b2224d5cdb64e51c5516132d820cf4d7edf9ec170643943e79c04b7

    d6f479736ba55d3c4e895c4940d035cf772f3192fb8dc496f09a801aed16d970

    833008c03d40422192051584d829d730497108bef31751cceb0cc043dd96bbfb

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    dstipaddress IN ("196.251.107.171","178.16.52.101") or srcipaddress IN ("196.251.107.171","178.16.52.101")

    Detection Query 2:

    domainname like "http://svs-verificationdate.beer/f0038a5f46720da5982b6984ceef10cf99359432e102b12a0b0657498d36f670" or url like "http://svs-verificationdate.beer/f0038a5f46720da5982b6984ceef10cf99359432e102b12a0b0657498d36f670" or siteurl like "http://svs-verificationdate.beer/f0038a5f46720da5982b6984ceef10cf99359432e102b12a0b0657498d36f670" or domainname like "svs-verificationdate.beer" or url like "svs-verificationdate.beer" or siteurl like "svs-verificationdate.beer" or domainname like "http://196.251.107.171" or url like "http://196.251.107.171" or siteurl like "http://196.251.107.171" or domainname like "https://fewfwfwfwfwf.info" or url like "https://fewfwfwfwfwf.info" or siteurl like "https://fewfwfwfwfwf.info" or domainname like "fewfwfwfwfwf.info" or url like "fewfwfwfwfwf.info" or siteurl like "fewfwfwfwfwf.info"

    Detection Query 3:

    sha256hash IN ("d6f479736ba55d3c4e895c4940d035cf772f3192fb8dc496f09a801aed16d970","25b6fc4f9c54a28ba7bfc4dfeafb62c99b59ea6f0d17679219b876b321965095","833008c03d40422192051584d829d730497108bef31751cceb0cc043dd96bbfb","067ad6221b2224d5cdb64e51c5516132d820cf4d7edf9ec170643943e79c04b7")
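    The three queries above express one idea: match every IP, domain/URL and SHA-256 observed in the environment against the IOC list. The script below is an added example (not Gurucul's or Unit 42's code) that applies the same IOC set from this advisory to a few constructed log lines in a hypothetical key=value format; the field names ts, src, dst, url, host and sha256 are assumptions and should be mapped to whatever your SIEM exports. It goes slightly beyond the queries in one respect: URLs are matched on their parsed hostname (including subdomains of the listed domains) rather than by substring, which avoids both missed subdomains and false positives from a domain string that happens to appear in a URL path.

```python
import re
from urllib.parse import urlsplit

# IOCs copied from the advisory's IOC list above.
IOC_IPS = {"178.16.52.101", "196.251.107.171"}
IOC_DOMAINS = {"svs-verificationdate.beer", "fewfwfwfwfwf.info"}
IOC_SHA256 = {
    "25b6fc4f9c54a28ba7bfc4dfeafb62c99b59ea6f0d17679219b876b321965095",
    "067ad6221b2224d5cdb64e51c5516132d820cf4d7edf9ec170643943e79c04b7",
    "d6f479736ba55d3c4e895c4940d035cf772f3192fb8dc496f09a801aed16d970",
    "833008c03d40422192051584d829d730497108bef31751cceb0cc043dd96bbfb",
}

# Constructed sample log lines (not real telemetry). Field names are an assumption;
# non-IOC addresses use RFC 5737 documentation ranges.
SAMPLE_LOGS = [
    "ts=2026-06-22T10:01:02Z src=10.0.0.5 dst=196.251.107.171 url=http://196.251.107.171/ host=mac-01",
    "ts=2026-06-22T10:01:05Z src=10.0.0.5 dst=198.51.100.20 url=https://example.com/ host=mac-01",
    "ts=2026-06-22T10:02:10Z src=10.0.0.7 dst=203.0.113.9 url=http://svs-verificationdate.beer/f0038a5f46720da5982b6984ceef10cf99359432e102b12a0b0657498d36f670 host=mac-02",
    "ts=2026-06-22T10:03:00Z host=mac-02 event=file_write path=/Users/alice/Downloads/update.dmg sha256=d6f479736ba55d3c4e895c4940d035cf772f3192fb8dc496f09a801aed16d970",
    "ts=2026-06-22T10:03:30Z host=mac-03 event=file_write path=/Users/bob/Downloads/notes.pdf sha256=0000000000000000000000000000000000000000000000000000000000000000",
]


def parse_kv(line):
    """Split a key=value log line into a dict (values contain no whitespace)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def url_host(url):
    """Return the lowercase hostname of a URL, or "" if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def domain_matches(hostname):
    """True if hostname is a listed domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in IOC_DOMAINS)


def match_ioc(fields):
    """Return a list of (ioc_type, value) hits for one parsed log record."""
    hits = []
    # Query 1 equivalent: source or destination address in the IOC IP set.
    for key in ("src", "dst"):
        if fields.get(key) in IOC_IPS:
            hits.append(("ip", fields[key]))
    # Query 2 equivalent: URL hostname is an IOC IP or domain.
    url = fields.get("url")
    if url:
        host = url_host(url)
        if host in IOC_IPS:
            hits.append(("url_ip", host))
        elif domain_matches(host):
            hits.append(("domain", host))
    # Query 3 equivalent: file hash in the IOC SHA-256 set.
    sha = fields.get("sha256", "").lower()
    if sha in IOC_SHA256:
        hits.append(("sha256", sha))
    return hits


def scan(lines):
    """Run IOC matching over log lines; one alert dict per line with at least one hit."""
    alerts = []
    for line in lines:
        fields = parse_kv(line)
        hits = match_ioc(fields)
        if hits:
            alerts.append({"host": fields.get("host"), "ts": fields.get("ts"), "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

    Hosts that fire on the hash or domain hits are candidates for the follow-up checks the summary implies: a recently mounted DMG in the user's Downloads directory, a new LaunchAgent plist under ~/Library/LaunchAgents, and outbound connections from that host to the two listed IPs.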

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-06-20-ClickFix-campaign-delivers-macOS-infostealer-via-DMG.txt


    Tags

    Malware, ClickFix, Stealer, Phishing, Social Engineering, Cryptocurrency, Credential Harvesting, Exfiltration, Telegram, Discord
