Home / Industry

macOS ClickFix Campaign Delivers AMOS and Other Infostealers: A DNS Deep Dive

Microsoft recently published their in-depth analysis of a ClickFix campaign targeting macOS users with three infostealers—Macsync, Shub Stealer, and AMOS. The threat actors attempted to take advantage of users looking for helpful advice on macOS-related issues in blog sites and other user-driven content platforms by hosting their malicious commands in these sites. The researchers identified 140 network IoCs connected to the threat.

We extracted unique domains from the subdomain IoCs and weeded out those that belonged to legitimate entities and were currently inactive aided by the WhoisXML API MCP Server. That left us with 138 IoCs for our investigation comprising nine subdomains, 121 domains, and eight IP addresses.

Our DNS deep dive into the macOS ClickFix campaign led to these discoveries:

  • 11 unique client IP addresses that communicated with 14 of the domain IoCs
  • Eight domain IoCs that appeared in seven typosquatting groups with 3–33 members each
  • Eight domain IoCs that were likely registered with malicious intent
  • 119 unique IP addresses potentially owned by victims that communicated with five of the IP IoCs
  • 691 email-connected domains, 14 of which were confirmed malicious
  • 141 additional IP addresses, all of which were confirmed malicious
  • Seven IP-connected domains, four of which were confirmed malicious
  • 322 string-connected domains, 29 of which were confirmed malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Subdomain IoCs in the DNS Spotlight

We kicked off our analysis by subjecting the nine subdomain IoCs to further scrutiny.

Our WhoisXML API MCP Server queries for the subdomain IoCs revealed that while a majority were under legitimate apex domains, all of them still warrant suspicion from users. Take a look at possible reasons for five examples below.

SUBDOMAIN IoCWXA MCP SERVER FINDING
apple-mac-fix-hidden[.]medium[.]comWhile hosted on a legitimate publishing platform, the keyword-stuffed Apple or Mac fix or hidden name is typical of tech-support scams or SEO lures.
claudecodedoc[.]squarespace[.]comWhile also hosted on a legitimate publishing platform, it possibly impersonates official Claude Code docs that reside in docs[.]claude[.]com, never a Squarespace subdomain.
kvrnjr30[.]apexharvestor[.]digitalIt contains random strings on an unrecognized apex domain, which is a pattern associated with disposable or automated infrastructure.

Domain IoCs Demystified

Next, we looked more closely into the 121 domain IoCs.

First, sample network traffic data from the IASC revealed that 11 unique client IP addresses under four distinct ASNs communicated with 14 of the domain IoCs via 5,375 DNS queries made between 24 March and 9 April 2026.

The results of our Typosquatting API queries, meanwhile, showed that eight of the domain IoCs appeared in seven groups with 3—33 members each between 10 December 2020 and 1 April 2026.

It is worth noting that two domain IoCs—rapidfilevault4[.]cyou and rapidfilevault5[.]sbs—appeared in the same typosquatting group with 11 members, all created on 18 February 2026. Their look-alike domains were rapidfilevault1[.]cfd, rapidfilevault1[.]cyou, rapidfilevault1[.]lat, rapidfilevault1[.]mom, rapidfilevault2[.]mom, rapidfilevault3[.]cyou, rapidfilevault4[.]xyz, rapidfilevault5[.]baby, and rapidfilevault5[.]xyz.

Eight of the domain IoCs also appeared in the First Watch Malicious Domains Data Feed 57–476 days before Microsoft dubbed them as IoCs on 6 May 2026. Take a look at more information for five examples below.

DOMAIN IoCFIRST WATCH DATENUMBER OF DAYS BEFORE THE REPORT DATE
tmcnex[.]com01/15/25476
quantumdataserver5[.]homes02/18/2677
rapidfilevault4[.]cyou02/18/2677
coco2-hram[.]com02/27/2668
res2erch-sl0ut[.]com03/02/2665

We then queried the domain IoCs on WHOIS API and discovered that:

  • They were created between 18 July 2025 and 24 April 2026, seemingly indicating the threat actors’ penchant for using NRDs in their campaigns.
  • They were administered by 11 different registrars.

  • They were registered in five different countries.

Finally, we queried the domain IoCs on DNS Chronicle API and learned that together they recorded 12,131 historical domain-to-IP resolutions over time. Here are more details for five examples.

DOMAIN IoCNUMBER OF DOMAIN-TO-IP RESOLUTIONSDATES SEEN
ptrei[.]com91802/06/17–03/11/26
aforvm[.]com60802/05/17–05/20/26
lakhov[.]com56002/06/17–05/17/26
jpbassin[.]com51502/06/17–05/20/26
biopranica[.]com43106/17/18–05/09/26

While many of the domain IoCs seemed to have been reregistered recently given their first resolution dates, 73 were actually NRDs since they posted their first resolutions just this year.

IP IoCs Investigated Further

After that, we dug deeper into the DNS footprint of the eight IP IoCs.

First, sample network traffic data from the IASC revealed that 119 unique IP addresses potentially owned by victims under seven distinct ASNs communicated with five of the IP IoCs between 9 December 2025 and 22 May 2026.

We then queried the IP IoCs on Bulk IP Geolocation Lookup and found out that:

  • They were geolocated in three different countries, none of which were consistent with any of the registrant countries identified earlier.
  • While three did not have ISPs on record, the remaining five were administered by three different entities.

Finally, DNS Chronicle API queries for the IP IoCs revealed that four recorded 208 historical IP-to-domain resolutions over time. The IP IoC 199[.]217[.]98[.]33, for instance, posted 173 resolutions spanning 25 January and 22 May 2026.

Hunting for New Artifacts

After learning more about the network IoCs, we then searched for new artifacts.

First, we queried the domain IoCs on WHOIS History API. We discovered that 61 had 375 unique email addresses in their historical records. Further scrutiny revealed that 50 were public email addresses.

Reverse WHOIS API queries for the public email addresses allowed us to name 691 unique email-connected domains after the domain IoCs were filtered out.

The results of our Threat Intelligence API queries for the email-connected domains showed that 14 have already been weaponized for various cyber attacks. Take a look at more information for five examples below.

MALICIOUS EMAIL-CONNECTED DOMAINASSOCIATED THREATDATES SEEN
woupp[.]comMalware distributionGeneric threat03/14/26–05/22/2603/15/26
atcoconst[.]comMalware distribution04/30/26–05/22/26
cvols[.]comMalware distribution05/08/26–05/22/26
ejecen[.]comMalware distribution03/26/26–05/22/26
rvdownloads[.]comMalware distribution03/24/26–05/22/26

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Cybersecurity

Sponsored byVerisign

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

DNS

Sponsored byDNIB.com

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC

DNS Security

Sponsored byWhoisXML API