PULSE NAME
ClickFix campaign uses fake macOS utilities lures to deliver infostealers
WHITE MarinaDiamandis 2026-05-11 Modified: 2026-05-11
95 IOCs, HIGH VOLUME
Microsoft researchers continue to observe the evolution of an infostealer campaign distributing ClickFix‑style instructions and targeting macOS users. In this recent iteration, threat actors attempt to take advantage of users who are looking for helpful advice on macOS-related issues (for example, optimizing their disk space) in blog sites and other user-driven content platforms by hosting their malicious commands in these sites.
Indicators of Compromise (95)