MacOS ClickFix Campaign Establishing a Persistent Backdoor

    Date: 07/09/2026

    Severity: High

    Summary

    Victims are redirected via malicious advertisements or search results to fake CAPTCHA pages that use social engineering to trick them into copying and executing a malicious Bash command in the macOS Terminal. The downloaded update.sh script establishes persistence by installing a LaunchAgent through osascript and deploys a backdoor that executes at every user login. The campaign leverages clipboard, AppleScript, LaunchAgents, and multi-stage malware delivery to compromise macOS systems.

    Indicators of Compromise (IOC) List

    Domain/URLs

    browseraccess4.pages.dev

    goprocessing-1exo.pages.dev

    justamomentonenit.pages.dev

    securesession2.pages.dev

    trustbridge-secureidentitygatewayv2.pages.dev

    verifly-identitycheckv2proceed.pages.dev

    verifly-instant-idcheckv2.pages.dev

    vp-secureidgateway.pages.dev

    https://alph6b4.uploadphrase.top//update.sh

    https://content-edge01.betgo.pro//update.sh

    https://etas7zeh.scabbysurvey.top//update.sh

    https://januic.dumanbett.co//update.sh

    https://marezf.jackknifeautomaker.top//update.sh

    https://member-portal01.linebetfa.com//update.sh

    https://onliwp.303ine.com//update.sh

    https://results-center01.pishbini.win//update.sh

    https://systdg5o.enobahiss.xyz//update.sh

    https://grabora.org/6a498a11cdbc7628e6723743?clickid=1097824619282313217&campaignid=11209365&zoneid=5578752&cost=0.000950&os=mac&browser=chrome

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection 

    Detection Query 1 :

    domainname like "verifly-instant-idcheckv2.pages.dev" or url like "verifly-instant-idcheckv2.pages.dev" or siteurl like "verifly-instant-idcheckv2.pages.dev" or domainname like "https://content-edge01.betgo.pro//update.sh" or url like "https://content-edge01.betgo.pro//update.sh" or siteurl like "https://content-edge01.betgo.pro//update.sh" or domainname like "https://results-center01.pishbini.win//update.sh" or url like "https://results-center01.pishbini.win//update.sh" or siteurl like "https://results-center01.pishbini.win//update.sh" or domainname like "verifly-identitycheckv2proceed.pages.dev" or url like "verifly-identitycheckv2proceed.pages.dev" or siteurl like "verifly-identitycheckv2proceed.pages.dev" or domainname like "justamomentonenit.pages.dev" or url like "justamomentonenit.pages.dev" or siteurl like "justamomentonenit.pages.dev" or domainname like "https://member-portal01.linebetfa.com//update.sh" or url like "https://member-portal01.linebetfa.com//update.sh" or siteurl like "https://member-portal01.linebetfa.com//update.sh" or domainname like "goprocessing-1exo.pages.dev" or url like "goprocessing-1exo.pages.dev" or siteurl like "goprocessing-1exo.pages.dev" or domainname like "https://grabora.org/6a498a11cdbc7628e6723743?clickid=1097824619282313217&campaignid=11209365&zoneid=5578752&cost=0.000950&os=mac&browser=chrome" or url like "https://grabora.org/6a498a11cdbc7628e6723743?clickid=1097824619282313217&campaignid=11209365&zoneid=5578752&cost=0.000950&os=mac&browser=chrome" or siteurl like "https://grabora.org/6a498a11cdbc7628e6723743?clickid=1097824619282313217&campaignid=11209365&zoneid=5578752&cost=0.000950&os=mac&browser=chrome" or domainname like "https://januic.dumanbett.co//update.sh" or url like "https://januic.dumanbett.co//update.sh" or siteurl like "https://januic.dumanbett.co//update.sh" or domainname like "https://marezf.jackknifeautomaker.top//update.sh" or url like "https://marezf.jackknifeautomaker.top//update.sh" or siteurl like "https://marezf.jackknifeautomaker.top//update.sh" or domainname like "https://onliwp.303ine.com//update.sh" or url like "https://onliwp.303ine.com//update.sh" or siteurl like "https://onliwp.303ine.com//update.sh" or domainname like "trustbridge-secureidentitygatewayv2.pages.dev" or url like "trustbridge-secureidentitygatewayv2.pages.dev" or siteurl like "trustbridge-secureidentitygatewayv2.pages.dev" or domainname like "https://systdg5o.enobahiss.xyz//update.sh" or url like "https://systdg5o.enobahiss.xyz//update.sh" or siteurl like "https://systdg5o.enobahiss.xyz//update.sh" or domainname like "browseraccess4.pages.dev" or url like "browseraccess4.pages.dev" or siteurl like "browseraccess4.pages.dev" or domainname like "securesession2.pages.dev" or url like "securesession2.pages.dev" or siteurl like "securesession2.pages.dev" or domainname like "https://alph6b4.uploadphrase.top//update.sh" or url like "https://alph6b4.uploadphrase.top//update.sh" or siteurl like "https://alph6b4.uploadphrase.top//update.sh" or domainname like "vp-secureidgateway.pages.dev" or url like "vp-secureidgateway.pages.dev" or siteurl like "vp-secureidgateway.pages.dev" or domainname like "https://etas7zeh.scabbysurvey.top//update.sh" or url like "https://etas7zeh.scabbysurvey.top//update.sh" or siteurl like "https://etas7zeh.scabbysurvey.top//update.sh"

    Reference:  

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-07-08-macOS-ClickFix-campaign.txt 


    Tags

    MalwareClickFixBackdoorSocial EngineeringClipboard injection

    « Previous ArticleNext Article »

    Comments

    No records to display

    Looking for Something?
    Threat Research Categories:
    Tags