Join us at Black Hat and discover how we’re reshaping the cybersecurity landscape. Learn More

ClickFix on macOS: Blockchain-Powered Infostealer Hidden Inside Compromised Websites

You're browsing a legitimate small business website. Before the page loads, a familiar Cloudflare box appears: "Verify you are human." It asks you to open Terminal, paste a code, and press Enter. You've seen this before. You follow the steps. The page loads normally.

What just happened in the background was a three-stage infostealer silently plundering your Mac's Keychain, browser data, and SSH keys, then exfiltrating everything to an attacker server.

This technique is called ClickFix, and this campaign is a solid example of how the attack has been refined not only for Windows but for macOS targets.

 

What Sets This Campaign Apart?

What sets this campaign apart is the infrastructure behind it: the C2 server URL is stored on the Polygon blockchain, making it virtually immune to DNS-level takedowns. Paired with a macOS-focused payload delivered through a modular malware-as-a-service (MaaS) kit, this is ClickFix operating at a new level of sophistication.

 

The Scale of the Compromise

We identified hundreds of compromised websites sharing the same malicious injection. From restaurants, dental practices, law firms, construction companies, charities, and more across North America, Europe, Asia-Pacific, and South America. All run WordPress. All were likely compromised through stolen CMS credentials or vulnerable plugins.

This is not a targeted campaign. The attackers are compromising any accessible WordPress site at scale, using each one as a delivery platform against its own visitors.

 

ClickFix Attack Flow on macOS

undefined-Jul-16-2026-12-43-22-3091-PM
Figure 1. ClickFix macOS campaign attack chain.

 

How the Attack Works

1. Blockchain C2 Resolution

When a victim lands on a compromised site, the injected script doesn't fetch a hardcoded domain, but it queries a Polygon smart contract (e.g., 0x08207B087F61d7e95E441E15fd6d40BEfd6eD308) across six redundant public remote procedure call (RPC) endpoints to retrieve the command-and-control (C2) URL:

undefined-Jul-16-2026-12-43-23-5460-PM
Figure 2. Querying a Polygon smart contract to retrieve the C2 URL.

The C2 URL lives on an immutable public blockchain. You cannot take it down by seizing a domain or pushing a DNS block. This is the malicious EtherHiding technique applied to a ClickFix campaign.

 

2. Fingerprinting and Iframe Overlay

Once the C2 URL is resolved, the script fingerprints the visitor's OS and injects a full-screen iframe from superstarlog[.]click or superboomer[.]world, serving a platform-specific landing page:

OS

Landing Page

Active payload?

macOS

/landing/mac.html

Yes — full infostealer

Windows

/landing/windows.html

Yes — full infostealer

Linux

/landing/linux.html

No — "not supported" dead end

iOS / Android

/landing/ios.html/
/landing/android.html

Nothing

 

The Iframe Takeover

The ClickFix overlay is not rendered directly by the injected script. Instead, the script injects a full-screen iframe pointing to the attacker's landing page at superstarlog[.]click:

undefined-Jul-16-2026-12-43-24-5132-PM
Figure 3. Full screen iframe pointing to the threat actor’s landing page, superstarlog[.]click.

Dedicated to hunting and eradicating the world's most challenging threats.

SpiderLabs

Three details matter here:

  • z-index: 2147483647 - The maximum possible CSS stacking value. The iframe sits on top of everything on the page, covering it entirely with a white background. From the victim's perspective, the website simply hasn't loaded yet.

  • allow="clipboard-write" - This is the crux of the attack. Normally, a cross-origin iframe cannot access the parent page's clipboard. The allow attribute explicitly grants it permission. The legitimate page unknowingly delegates clipboard access to the attacker's domain. No browser warning is shown. No permission prompt appears. The malicious command is silently written to the clipboard the moment the page loads or when the victim interacts with the fake CAPTCHA.

  • src=<Infected Host> - The victim's hostname is passed to the attacker's server as a query parameter, enabling per-site tracking and analytics on which compromised sites are generating victims.

When the victim "completes the verification", the iframe sends a postMessage event (cf-captcha-verified) to the parent page, which dismisses the overlay and sets two suppression cookies ( _cf_verified and _wp_perf_ok ) with a 90-day expiry. The victim will not see the overlay again if they return to the site.

How the Overlay Looks Across Platforms

  • macOS - The fake CAPTCHA instructs the user to open Terminal (⌘ + Space), paste, and press Return.

undefined-Jul-16-2026-12-43-24-8343-PMFigure 4. macOS ClickFix fake CAPTCHA instructions.

  • Windows - The prompt is adapted for Windows, directing the user to open the Run dialog (Win + R) or PowerShell.

undefined-Jul-16-2026-12-43-23-2110-PM
Figure 5. Windows ClickFix fake CAPTCHA instructions.

  • Linux - Visitors see a brief "not supported" message and no payload is delivered.

undefined-Jul-16-2026-12-43-22-8538-PM
Figure 5. Linux verification ‘not supported’ message.

The fake Cloudflare modal on macOS instructs the user to open Terminal and paste. The clipboard already contains the malicious command, which was placed there the moment the page loaded.

 

3. The Clipboard Command

Pasting into Terminal executes:

undefined-Jul-16-2026-12-43-23-8614-PM
Figure 6. The malicious command pasted on Terminal executes a curl request to genomicsforge[.]com.

The echo line prints the "verification" text as a cover. The real action is a curl request to genomicsforge[.]com that downloads and immediately pipes a shell script to zsh — never touching disk.

 

4. The Obfuscated Dropper

The downloaded script is a gzip-compressed, Base64-encoded payload that decompresses and evals itself entirely in memory:

undefined-Jul-16-2026-12-43-22-6304-PM
Figure 7. gzip-compressed and Base64-encoded payload.

No file is written. No hash to catch.

 

5. The MacOS Infostealer

The decoded payload is a daemon that silences all input/output (I/O), detaches from the terminal, and calls back to genomicsforge[.]com for an AppleScript payload (on macOS) executed via osascript:

undefined-Jul-16-2026-12-43-24-1708-PM
Figure 8. The decoded malicious payload.

Via osascript, the attacker can read files, access the macOS Keychain, capture screenshots, and automate GUI apps to export saved passwords. The collected data is saved to /tmp/osalogging.zip.

The zip is then exfiltrated to genomicsforge[.]com/gate in 10 MB chunks with up to 8 retries per chunk — engineering consistent with large data volumes like full browser profiles or screen recordings. After a successful upload, the zip is deleted.

 

What To Do

  • If you run a WordPress site: Audit injected <script> tags, rotate all CMS and hosting credentials, and scan for unauthorized file modifications. Check your site against the full compromised domain list at the end of the detailed report.

  • If you pasted the "verification" command on a Mac: Rotate all passwords, revoke SSH keys, check ~/Library/LaunchAgents/ for unknown persistence, inspect /tmp/ for osalogging.zip, and consider a full macOS reinstall if sensitive accounts were active during the session.

  • For defenders: Block superstarlog[.]click and genomicsforge[.]com. Alert on osascript as a child of shell pipelines, PUT requests to /gate?buildtxd=, and eth_call requests to Polygon RPC endpoints originating from browser processes. Report to your national CERT.

 

Indicators of Compromise

Network

Indicator

Description

superstarlog[.]click

ClickFix overlay domain

superboomer[.]world

ClickFix overlay domain

holopebamiy[.]bond

ClickFix overlay domain

memshowblob[.]forum

ClickFix overlay domain

merabs[.]pro

ClickFix overlay domain

genomicsforge[.]com

Payload delivery and exfiltration C2

polygon.drpc.org, polygon-bor-rpc.publicnode.com, polygon.lava.build, polygon.rpc.subquery.network/public, polygon-public.nodies.app, polygon-pokt.nodies.app

Polygon RPC endpoints queried by injected script


File System

Indicator

Type

/tmp/osalogging.zip

Data staging file (deleted after upload)

 

Additional reading: macOS ClickFix Social Engineering Campaigns — LevelBlue SpiderLabs

ABOUT LEVELBLUE

LevelBlue secures what's next with intelligence-led security delivering visibility and speed to stop threats faster. As the world’s largest and most analyst-recognized pure-play managed security services provider, our AI-powered managed services and cyber expertise across managed, advisory, and incident response services help clients operate with confidence. Learn more about us.

https://www.levelblue.com/resources/blogs/internal-blog/how-to-create-a-blog-post/

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo