Microsoft analyzed a ClickFix campaign that targeted macOS users with Macsync, Shub Stealer, and AMOS, using malicious commands hosted on blog and other user-generated content platforms to lure people seeking macOS help. The investigation identified 140 network IoCs and uncovered extensive DNS-related infrastructure, including typosquatting groups, likely malicious registrations, victim-related IP communications, and many email-connected domains later weaponized for attacks. #Macsync #ShubStealer #AMOS #ClickFix #Microsoft
Keypoints
- Microsoft published an in-depth analysis of a ClickFix campaign aimed at macOS users.
- The campaign delivered three infostealers: Macsync, Shub Stealer, and AMOS.
- Attackers hosted malicious commands on blog sites and other user-driven content platforms to exploit users searching for macOS troubleshooting advice.
- Researchers identified 140 network IoCs, later narrowing the investigation to 138 unique IoCs after filtering out legitimate and inactive items.
- DNS analysis found typosquatting groups, likely malicious domain registrations, and large numbers of historical domain-to-IP and IP-to-domain resolutions.
- Further hunting uncovered 691 email-connected domains, with 14 confirmed malicious, plus additional malicious IP-linked infrastructure.
- The report provides only a snapshot of the full research and references downloadable artifacts for deeper investigation.
MITRE Techniques
- [T1204.001 ] User Execution: Malicious Link – Attackers lured users searching for macOS help into interacting with malicious commands hosted on blog and user-driven content platforms (‘hosting their malicious commands in these sites’)
- [T1583.001 ] Acquire Infrastructure: Domains – The campaign used numerous domains and subdomains, including typosquatting and newly registered-looking infrastructure (‘121 domains’, ‘seven typosquatting groups’)
- [T1583.008 ] Acquire Infrastructure: Malvertising/Compromised Websites – Malicious content was hosted on legitimate publishing platforms to blend in with normal user-generated content (‘hosted on a legitimate publishing platform’)
- [T1566.002 ] Phishing: Spearphishing Link – The lure relied on deceptive advice pages and look-alike documentation to entice victims to follow malicious guidance (‘helpful advice on macOS-related issues’)
- [T1036.005 ] Masquerading: Match Legitimate Name or Location – Several subdomains impersonated trusted brands or docs, such as a fake Claude Code documentation page (‘possibly impersonates official Claude Code docs’)
Indicators of Compromise
- [Domains/Subdomains] malicious and suspicious infrastructure – apple-mac-fix-hidden[.]medium[.]com, claudecodedoc[.]squarespace[.]com, rapidfilevault4[.]cyou, rapidfilevault5[.]sbs, tmcnex[.]com, quantumdataserver5[.]homes, coco2-hram[.]com, res2erch-sl0ut[.]com
- [IP Addresses] network infrastructure and historical resolution data – 199[.]217[.]98[.]33, 141 additional IP addresses, and 8 IP IoCs total
- [Email Addresses] historical WHOIS contacts used for reverse WHOIS expansion – 375 unique email addresses, including 50 public email addresses
- [Email-connected Domains] domains linked through historical email records, some weaponized – woupp[.]com, atcoconst[.]com, cvols[.]com, ejecen[.]com, rvdownloads[.]com, and 687 more domains
- [DNS Resolution Data] historical domain/IP activity – ptrei[.]com (918 resolutions), aforvm[.]com (608 resolutions), lakhov[.]com (560 resolutions), jpbassin[.]com (515 resolutions)
- [Network Communication Data] observed victim and client communications – 11 client IPs communicated with 14 domain IoCs; 119 victim-owned IPs communicated with 5 IP IoCs