⚠️ Security Warning

ClickFix lures can lead to malware and computer viruses. If you see text like this online, it's likely a scam.


Terminal

Terminal is the default command-line interface in macOS. In ClickFix-style attacks, malicious fake CAPTCHA websites use social engineering to trick users into pasting clipboard commands into Terminal, which leads to the installation of infostealers such as Atomic macOS Stealer (AMOS) and variants such as Shamos.

mac cli CLI Credential Theft Data Exfiltration Persistence

Alternative Verification – AMOS

CLI Credential Theft Persistence

Victims are shown a fake CAPTCHA that repeatedly fails. The page then offers "Alternative Verification" instructions, which silently copy a malicious shell command to the clipboard.

  1. Press Cmd-Space to open Spotlight

  2. Type Terminal and press Enter

  3. Press Cmd-V to paste the verification command

  4. Press Enter to execute

Mitigations:

  • Educate users to never paste commands from web pages into Terminal

  • Monitor for suspicious Terminal child processes (curl, bash, base64 decode)

  • Deploy endpoint detection for AMOS-specific IOCs


Contributor: Michael Haag (2025-09-09)

Fake GitHub Verification – Shamos

CLI Credential Theft Data Exfiltration

Victims browsing GitHub or clicking malicious ads encounter a fake verification prompt. The site copies a malicious command to the clipboard, which leads to Shamos execution.

  1. Press Cmd-Space to open Spotlight

  2. Type Terminal and press Enter

  3. Press Cmd-V to paste the verification command

  4. Press Enter to execute

Mitigations:

  • Warn users against pasting commands from websites into Terminal

  • Deploy EDR rules to flag suspicious curl/bash activity spawned by Terminal

  • Block persistence mechanisms used by Shamos (launch agents, cron jobs)


Contributor: Michael Haag (2025-09-09)
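
Both mitigation lists above call for monitoring curl, bash and base64-decode activity spawned by Terminal. The sketch below is an added example, not code from this page or its contributor: it walks the process tree (Terminal starts `login`, which starts the user's shell, so the interesting processes are grandchildren or deeper) and alerts when one Terminal-descended parent spawned both a fetch/decode process and a shell, which is the shape a pasted fetch-and-pipe one-liner leaves behind. The event schema, the sibling-pairing heuristic, the function names and every sample value are assumptions.

```python
import re
from collections import defaultdict
SHELLS = {"bash", "sh", "zsh"}
# Constructed events (pid, ppid, name, command line); schema and values are assumptions.
EVENTS = [
    (100, 1, "Terminal", "Terminal"),
    (110, 100, "login", "login -pf user"),
    (111, 110, "zsh", "-zsh"),        # tab 1
    (130, 111, "curl", "curl -fsSL https://example.invalid/verify"),
    (131, 111, "bash", "bash"),       # sibling of curl
    (140, 100, "login", "login -pf user"),
    (141, 140, "zsh", "-zsh"),        # tab 2
    (150, 141, "curl", "curl -O https://example.invalid/notes.txt"),
    (160, 100, "login", "login -pf user"),
    (161, 160, "zsh", "-zsh"),        # tab 3
    (170, 161, "base64", "base64 -d"),
    (171, 161, "sh", "sh"),
    (200, 1, "curl", "curl -fsSL https://example.invalid/update"),
    (201, 1, "bash", "bash"),         # same pair, but not under Terminal
]

def under_terminal(pid, procs):
    """True if any ancestor of pid is Terminal (Terminal -> login -> shell)."""
    seen = set()                                 # guards against pid-reuse cycles
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid][0]                      # step to the parent
        if pid in procs and procs[pid][1] == "Terminal":
            return True
    return False

def is_stager(name, cmd):
    """curl, or base64 in decode mode (-d, -D or --decode)."""
    return name == "curl" or (name == "base64" and bool(re.search(r"(^|\s)(-d|-D|--decode)(\s|$)", cmd)))

def detect(events):
    """Alert when one Terminal-descended parent spawned a stager and a shell."""
    procs = {pid: (ppid, name, cmd) for pid, ppid, name, cmd in events}
    kids = defaultdict(list)
    for pid, ppid, name, cmd in events:
        if under_terminal(pid, procs):
            kids[ppid].append((pid, name, cmd))
    alerts = []
    for ppid, group in sorted(kids.items()):
        stagers = [p for p, n, c in group if is_stager(n, c)]
        shells = [p for p, n, c in group if n in SHELLS]
        if stagers and shells:
            alerts.append((ppid, stagers, shells))   # (parent pid, stager pids, shell pids)
    return alerts
```

The pairing ignores timing, so a production rule would also require the stager and the shell to start within a short window of each other.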