How to remove ClickFix malware from macOS

Mac Virus

Also Known As: ClickFix malicious campaign


To use full-featured product, you have to purchase a license for Combo Cleaner. Seven days free trial available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com.

What is "ClickFix" malware?

ClickFix scams trick users into running malicious commands under the pretense of solving a problem, such as fixing a website error or completing some other required step. The actions victims are talked into taking infect their computers. These scams can lead to various issues, including data theft and unauthorized remote access to computers.


ClickFix campaign targeting macOS users

One known scam campaign targeting macOS users is the fake Safeguard scam, which primarily targets cryptocurrency users. The scam operates in at least two ways. In the first case, users may come across Telegram channels urging them to "Tap to verify" to participate in token airdrops.

Clicking the provided button or link directs users to a fake Safeguard bot that pretends to verify their account. After the "verification" process, the bot claims that the verification has failed and provides manual steps to resolve the issue. If these steps are followed, malicious code is secretly copied to the clipboard.

In the second case, scammers use fake social media accounts impersonating well-known people and share links to Telegram groups in comment sections. They invite users to join for investment opportunities. Once users join these groups, they are tricked into following a fake verification process, similar to the first scenario.

When users are given step-by-step instructions, harmful code is copied to their clipboard. If they paste this code into the macOS Terminal or another system tool, it may appear normal, sometimes starting with a benign-looking term like "Telegram" masking its malicious intent. The code typically contains commands that download and run advanced malware, such as remote access Trojans.

These RATs allow hackers to steal sensitive information, such as wallet files, passwords, and private keys, and can even be used to steal cryptocurrency. Note that the schemes described above are just a couple of examples of how users are tricked into infecting their computers.

Threat actors can also try to trick users into "fixing" problems, "creating" documents, "joining" calls, and taking other steps to lure users into unknowingly executing malware through malicious code pasted into their clipboard.

Threat Summary:

Name: ClickFix malicious campaign
Threat Type: Malware
Detection Names (Malicious file): Avast (MacOS:AMOS-BK [Trj]), AVG (MacOS:AMOS-BK [Trj]), ESET-NOD32 (A Variant Of OSX/PSW.Agent.CZ), Kaspersky (HEUR:Trojan-PSW.OSX.Amos.ah), Full List Of Detections (VirusTotal)
Related Domain: lasso-security[.]com
Detection Names (lasso-security[.]com): alphaMountain.ai (Suspicious), CRDF (Malicious), Seclookup (Malicious), Full List Of Detections (VirusTotal)
Symptoms: A program that you do not recall installing suddenly appeared on your computer. A new application is performing computer scans and displays warning messages about 'found issues'. Asks for payment to eliminate the supposedly found errors.
Distribution Methods: Fake X (Twitter) accounts, Telegram, deceptive websites.
Possible Damage: Monetary loss, identity theft, data encryption, slow computer performance, and more.
Malware Removal (Windows): To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner.


Conclusion

In conclusion, ClickFix scams are a growing threat, tricking users into running malicious commands. These scams have recently expanded to target macOS users. It is crucial for users to remain vigilant and avoid falling for these deceptive tactics to protect their computers, personal data, and digital assets.

How did malware infiltrate my computer?

Users may be tricked into clicking links from Telegram channels or fake social media accounts. These links lead to a fake bot or group, promising account verification or investment opportunities. Once users follow instructions, malicious code is secretly copied to their clipboard. If they paste this code into tools like macOS Terminal, it activates the malware.

How to avoid malware?

Be cautious with emails—carefully inspect them before opening links or attachments, especially if they are unsolicited, irrelevant, or from unknown senders. Avoid clicking on ads, buttons, links, or pop-ups found on dubious websites, and do not permit sites of this kind to send you notifications.

Always download software from official websites or trusted app stores. Avoid using P2P networks, questionable websites, or downloading pirated software and illegal tools. Additionally, keep your operating system and applications up to date, and regularly scan your device with a trusted security tool to detect and prevent potential threats.

If your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate all threats.

[Figure (GIF): the ClickFix malware delivery scheme, in which malicious code is copied to the clipboard]

[Figures: four other examples of ClickFix-type websites targeting macOS users]

[Figure: screenshot of an X post promoting a ClickFix-type website variant]

Update March 13, 2026 - Sophos researchers have documented three ClickFix campaigns targeting Mac users between November 2025 and February 2026, using new lures including fake AI tools (an "OpenAI Atlas" browser and ChatGPT-themed pages), fraudulent Google search ads, and fake GitHub installation guides. A February 2026 campaign additionally used a page impersonating an Apple website to trick users.

The MacSync infostealer delivered in these campaigns has evolved significantly. Beyond stealing cryptocurrency wallet data, the updated variant also targets saved browser data, macOS Keychain passwords, and SSH and cloud service credentials. It runs silently as a background process to maintain persistence after the initial infection.

Active infections from the February 2026 campaign were identified in Belgium, India, and parts of North and South America. (source: sophos.com).

Update March 26, 2026 - ANY.RUN researchers have identified a ClickFix campaign specifically targeting users of AI developer and productivity tools, including Claude Code, Grok, Gemini CLI, Cursor, n8n, and NotebookLM. Victims are directed to a fake Claude Code documentation page through Google ads, where a ClickFix prompt instructs them to run a Terminal command that installs AMOS Stealer.

This variant also installs a persistent backdoor after the initial data theft, giving attackers ongoing remote access and full control over the infected Mac long after the first infection. (source: @anyrun_app).

[Figure: screenshot of a fake Claude website (claude-download.squarespace[.]com) hosting ClickFix]

Update May 7, 2026 - Microsoft researchers have documented further evolution of ClickFix campaigns targeting Mac users. In addition to standalone malicious domains, threat actors are now hosting fake macOS disk-cleanup and storage-management instruction pages on legitimate platforms — including Squarespace, Medium, and Craft (e.g., mac-storage-guide.squarespace[.]com, macos-disk-space.medium[.]com) — to lend the lures more credibility. When users paste the provided commands into Terminal, macOS's Gatekeeper security checks are bypassed, allowing the malware to execute without triggering standard app-safety warnings.

Three distinct campaign variants were observed, delivering infostealers such as MacSync, SHub, and AMOS, which harvest saved browser passwords, macOS Keychain secrets, iCloud data, cryptocurrency wallet files, and personal documents. Some variants go further by replacing legitimate cryptocurrency apps — including Ledger Live, Trezor Suite, and Exodus — with trojanized versions that silently steal funds. Apple has responded by adding a paste-blocking warning in macOS 26.4 that alerts users when pasting Terminal commands could be harmful. (source: microsoft.com).



Unwanted applications removal:

Remove potentially unwanted applications from your "Applications" folder:

Click the Finder icon. In the Finder window, select "Applications". In the applications folder, look for "MPlayerX", "NicePlayer", or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.


Remove adware-related files and folders

Click the Finder icon. From the menu bar, choose "Go" and click "Go to Folder...".

Check for adware-generated files in the /Library/LaunchAgents/ folder:

In the "Go to Folder..." bar, type: /Library/LaunchAgents/

In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.

Check for adware-generated files in the ~/Library/Application Support/ folder:

In the "Go to Folder..." bar, type: ~/Library/Application Support/

In the "Application Support" folder, look for any recently-added suspicious folders. For example, "MplayerX" or "NicePlayer", and move these folders to the Trash.

Check for adware-generated files in the ~/Library/LaunchAgents/ folder:

In the "Go to Folder..." bar, type: ~/Library/LaunchAgents/

In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.

Check for adware-generated files in the /Library/LaunchDaemons/ folder:

In the "Go to Folder..." bar, type: /Library/LaunchDaemons/

In the "LaunchDaemons" folder, look for recently-added suspicious files. For example "com.aoudad.net-preferences.plist", "com.myppes.net-preferences.plist", "com.kuklorest.net-preferences.plist", "com.avickUpd.plist", etc., and move them to the Trash.
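The LaunchAgents and LaunchDaemons checks above can also be done in one pass from Terminal. The Python script below is an added example, not part of the original guide or of any PCRisk or Combo Cleaner tool: it lists the .plist files changed recently in the three launchd folders and shows the command each one would run, so the entries can be reviewed before anything is moved to the Trash. The function names and the 30-day window are assumptions chosen for illustration.

```python
import plistlib
import time
from pathlib import Path
from xml.parsers.expat import ExpatError

# The three launchd folders named in the removal steps above.
LAUNCHD_DIRS = ["/Library/LaunchAgents", "~/Library/LaunchAgents",
                "/Library/LaunchDaemons"]


def describe_plist(path):
    """Parse one launchd plist: its label, the command it runs, RunAtLoad."""
    info = {"label": None, "command": None, "run_at_load": False}
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)  # reads both XML and binary plists
        if not isinstance(data, dict):
            raise ValueError("top-level object is not a dictionary")
    except (OSError, ValueError, ExpatError):
        info["command"] = "<unreadable plist>"  # still listed for review
        return info
    args = data.get("ProgramArguments") or [data.get("Program", "")]
    info.update(label=data.get("Label"), command=" ".join(map(str, args)),
                run_at_load=bool(data.get("RunAtLoad", False)))
    return info


def recent_launch_items(dirs=LAUNCHD_DIRS, days=30, now=None):
    """Return plists modified in the last `days` days, newest first."""
    cutoff = (time.time() if now is None else now) - days * 86400
    found = []
    for folder in (Path(d).expanduser() for d in dirs):
        if not folder.is_dir():
            continue  # the folder may not exist on this Mac
        for plist in folder.glob("*.plist"):
            try:
                mtime = plist.stat().st_mtime
            except OSError:
                continue  # e.g. a dangling symlink
            if mtime >= cutoff:
                found.append({"path": str(plist), "modified": mtime,
                              **describe_plist(plist)})
    return sorted(found, key=lambda item: item["modified"], reverse=True)


if __name__ == "__main__":
    for item in recent_launch_items():
        print(time.ctime(item["modified"]), item["path"], sep="  ")
        print("   ", item["label"], item["run_at_load"], item["command"], sep="  ")
```

An entry that was added around the time the pasted command was run, starts at login (RunAtLoad) and points at a program you do not recognize is the kind of file the steps above ask you to look for.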

Scan your Mac with Combo Cleaner:

If you have followed all the steps correctly, your Mac should be clean of infections. To ensure your system is not infected, run a scan with Combo Cleaner Antivirus. Download it HERE. After downloading the file, double click combocleaner.dmg installer. In the opened window, drag and drop the Combo Cleaner icon on top of the Applications icon. Now open your launchpad and click on the Combo Cleaner icon. Wait until Combo Cleaner updates its virus definition database and click the "Start Combo Scan" button.


Combo Cleaner will scan your Mac for malware infections. If the antivirus scan displays "no threats found" - this means that you can continue with the removal guide; otherwise, it's recommended to remove any found infections before continuing.


After removing files and folders generated by the adware, continue to remove rogue extensions from your Internet browsers.

Remove malicious extensions from Internet browsers

Remove malicious Safari extensions:

Open the Safari browser. From the menu bar, select "Safari" and click "Preferences...".

In the preferences window, select "Extensions" and look for any recently-installed suspicious extensions. When located, click the "Uninstall" button next to it/them. Note that you can safely uninstall all extensions from your Safari browser - none are crucial for regular browser operation.

  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Safari.

Remove malicious extensions from Google Chrome:

Click the Chrome menu icon (at the top right corner of Google Chrome), select "More Tools" and click "Extensions". Locate all recently-installed suspicious extensions, select these entries and click "Remove".

  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Google Chrome.

Remove malicious extensions from Mozilla Firefox:

Click the Firefox menu icon (at the top right corner of the main window) and select "Add-ons and themes". Click "Extensions". In the opened window, locate all recently-installed suspicious extensions, click on the three dots and then click "Remove".

  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Mozilla Firefox.

Frequently Asked Questions (FAQ)

What is a "ClickFix" scam?

A "ClickFix" scam is a type of fraudulent scheme that tricks users into running malicious commands on their devices.

What is the purpose of a "ClickFix" scam?

The purpose of a "ClickFix" scam is to trick users into running malicious code on their devices, which leads to malware infections. The malware can then steal sensitive information, such as passwords, wallet files, and private keys, or allow hackers to remotely access the system.

Why do I encounter scam websites?

Scam websites are spread through fake emails, bogus social media profiles, misleading advertisements, pop-ups, and suspicious notifications. Users can also be tricked by ads from adware or directed to scam sites via rogue ad networks, which are often found on torrent sites or illegal streaming platforms.

Will Combo Cleaner protect me from scam websites?

Combo Cleaner scans every website you visit, detecting malicious ones. It also identifies sites that deliver scams, alerting you immediately and blocking access.


Tomas Meskauskas

Expert security researcher, professional malware analyst

I am passionate about computer security and technology. I have over 10 years of experience working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats.
