|
||
|
||
Microsoft recently published their in-depth analysis of a ClickFix campaign targeting macOS users with three infostealers—Macsync, Shub Stealer, and AMOS. The threat actors attempted to take advantage of users looking for helpful advice on macOS-related issues in blog sites and other user-driven content platforms by hosting their malicious commands in these sites. The researchers identified 140 network IoCs connected to the threat.
We extracted unique domains from the subdomain IoCs and weeded out those that belonged to legitimate entities and were currently inactive aided by the WhoisXML API MCP Server. That left us with 138 IoCs for our investigation comprising nine subdomains, 121 domains, and eight IP addresses.
Our DNS deep dive into the macOS ClickFix campaign led to these discoveries:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We kicked off our analysis by subjecting the nine subdomain IoCs to further scrutiny.
Our WhoisXML API MCP Server queries for the subdomain IoCs revealed that while a majority were under legitimate apex domains, all of them still warrant suspicion from users. Take a look at possible reasons for five examples below.
| SUBDOMAIN IoC | WXA MCP SERVER FINDING |
|---|---|
| apple-mac-fix-hidden[.]medium[.]com | While hosted on a legitimate publishing platform, the keyword-stuffed Apple or Mac fix or hidden name is typical of tech-support scams or SEO lures. |
| claudecodedoc[.]squarespace[.]com | While also hosted on a legitimate publishing platform, it possibly impersonates official Claude Code docs that reside in docs[.]claude[.]com, never a Squarespace subdomain. |
| kvrnjr30[.]apexharvestor[.]digital | It contains random strings on an unrecognized apex domain, which is a pattern associated with disposable or automated infrastructure. |
Next, we looked more closely into the 121 domain IoCs.
First, sample network traffic data from the IASC revealed that 11 unique client IP addresses under four distinct ASNs communicated with 14 of the domain IoCs via 5,375 DNS queries made between 24 March and 9 April 2026.

The results of our Typosquatting API queries, meanwhile, showed that eight of the domain IoCs appeared in seven groups with 3—33 members each between 10 December 2020 and 1 April 2026.

It is worth noting that two domain IoCs—rapidfilevault4[.]cyou and rapidfilevault5[.]sbs—appeared in the same typosquatting group with 11 members, all created on 18 February 2026. Their look-alike domains were rapidfilevault1[.]cfd, rapidfilevault1[.]cyou, rapidfilevault1[.]lat, rapidfilevault1[.]mom, rapidfilevault2[.]mom, rapidfilevault3[.]cyou, rapidfilevault4[.]xyz, rapidfilevault5[.]baby, and rapidfilevault5[.]xyz.
Eight of the domain IoCs also appeared in the First Watch Malicious Domains Data Feed 57–476 days before Microsoft dubbed them as IoCs on 6 May 2026. Take a look at more information for five examples below.
| DOMAIN IoC | FIRST WATCH DATE | NUMBER OF DAYS BEFORE THE REPORT DATE |
|---|---|---|
| tmcnex[.]com | 01/15/25 | 476 |
| quantumdataserver5[.]homes | 02/18/26 | 77 |
| rapidfilevault4[.]cyou | 02/18/26 | 77 |
| coco2-hram[.]com | 02/27/26 | 68 |
| res2erch-sl0ut[.]com | 03/02/26 | 65 |
We then queried the domain IoCs on WHOIS API and discovered that:

They were administered by 11 different registrars.

They were registered in five different countries.

Finally, we queried the domain IoCs on DNS Chronicle API and learned that together they recorded 12,131 historical domain-to-IP resolutions over time. Here are more details for five examples.
| DOMAIN IoC | NUMBER OF DOMAIN-TO-IP RESOLUTIONS | DATES SEEN |
|---|---|---|
| ptrei[.]com | 918 | 02/06/17–03/11/26 |
| aforvm[.]com | 608 | 02/05/17–05/20/26 |
| lakhov[.]com | 560 | 02/06/17–05/17/26 |
| jpbassin[.]com | 515 | 02/06/17–05/20/26 |
| biopranica[.]com | 431 | 06/17/18–05/09/26 |
While many of the domain IoCs seemed to have been reregistered recently given their first resolution dates, 73 were actually NRDs since they posted their first resolutions just this year.
After that, we dug deeper into the DNS footprint of the eight IP IoCs.
First, sample network traffic data from the IASC revealed that 119 unique IP addresses potentially owned by victims under seven distinct ASNs communicated with five of the IP IoCs between 9 December 2025 and 22 May 2026.

We then queried the IP IoCs on Bulk IP Geolocation Lookup and found out that:

While three did not have ISPs on record, the remaining five were administered by three different entities.

Finally, DNS Chronicle API queries for the IP IoCs revealed that four recorded 208 historical IP-to-domain resolutions over time. The IP IoC 199[.]217[.]98[.]33, for instance, posted 173 resolutions spanning 25 January and 22 May 2026.
After learning more about the network IoCs, we then searched for new artifacts.
First, we queried the domain IoCs on WHOIS History API. We discovered that 61 had 375 unique email addresses in their historical records. Further scrutiny revealed that 50 were public email addresses.
Reverse WHOIS API queries for the public email addresses allowed us to name 691 unique email-connected domains after the domain IoCs were filtered out.
The results of our Threat Intelligence API queries for the email-connected domains showed that 14 have already been weaponized for various cyber attacks. Take a look at more information for five examples below.
| MALICIOUS EMAIL-CONNECTED DOMAIN | ASSOCIATED THREAT | DATES SEEN |
|---|---|---|
| woupp[.]com | Malware distributionGeneric threat | 03/14/26–05/22/2603/15/26 |
| atcoconst[.]com | Malware distribution | 04/30/26–05/22/26 |
| cvols[.]com | Malware distribution | 05/08/26–05/22/26 |
| ejecen[.]com | Malware distribution | 03/26/26–05/22/26 |
| rvdownloads[.]com | Malware distribution | 03/24/26–05/22/26 |
This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.
Sponsored byVerisign
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byDNIB.com
Sponsored byRadix
Sponsored byCSC
Sponsored byWhoisXML API