- Researcher finds Based Apparel site offering macOS ClickFix infostealer disguised as Cloudflare CAPTCHA verification
- Victims were tricked into pasting malicious AppleScript commands into Terminal, and VirusTotal flagged the malware as a basic trojan/data stealer.
- The site, built on WordPress/WooCommerce and Ghost CMS, was taken offline following the disclosure, linking the incident to a broader exploitation of Ghost CMS in ongoing ClickFix campaigns.
Based Apparel, an American online clothing company that sells products with patriotic, conservative, and pro-free speech themes, was apparently compromised and used to distribute malware via the ClickFix technique, but only macOS users were targeted.
A researcher with the alias ‘debbie’ revealed her findings to PC Magazine before sharing video evidence on X, saying she had read online about FBI Director Kash Patel’s co-founding of Based Apparel and decided to take a closer look.
“The ClickFix attack appeared while I was browsing,” Debbie said in an email. “I took a quick look and it’s just classic data theft, wrapped twice in base64 (binary-to-text encoding). Interesting that it’s written in AppleScript, though.”
Links to Ghost CMS?
Victims were asked to verify that they were human on a CAPTCHA page that appeared to come from Cloudflare. The spoofed Cloudflare page told the victim that “unusual web traffic” had been detected and asked them to confirm they were human by opening Terminal and pasting in a command supplied on the page.
Running the information stealer through VirusTotal, PC Magazine found that 27 antivirus engines had flagged it as a Trojan and information stealer, meaning it is basic malware rather than a custom solution for targeted attacks.
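For anyone triaging a command copied from a page like this, the sketch below peels nested base64 layers and flags AppleScript-related strings. It is an added example, not code from the researcher, PC Magazine or the malware; the indicator list, the depth threshold and the benign sample command are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Runs of base64-alphabet characters long enough to hide a payload.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Assumed indicator list: strings a "human verification" step has no reason to contain.
INDICATORS = ("osascript", "do shell script", "base64 -d", "curl ", "| sh", "| bash")

def _decode(run):
    """Return the decoded text if `run` is valid base64 of printable UTF-8, else None."""
    try:
        text = base64.b64decode(run, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None

def unwrap(command, max_depth=5):
    """Peel nested base64 layers; returns every layer, outermost first."""
    layers = [command]
    while len(layers) <= max_depth:
        decoded = [t for t in map(_decode, B64_RUN.findall(layers[-1])) if t]
        if not decoded:
            break
        layers.append("\n".join(decoded))
    return layers

def triage(command):
    """Summarise encoding depth and indicator hits across all layers."""
    layers = unwrap(command)
    hits = sorted({i for layer in layers for i in INDICATORS if i in layer.lower()})
    depth = len(layers) - 1
    # Assumed rule: two or more encoding layers, or any indicator, is worth escalating.
    return {"encoding_depth": depth, "indicators": hits,
            "suspicious": depth >= 2 or bool(hits)}

# Constructed sample: a harmless AppleScript line wrapped twice in base64.
_inner = 'display dialog "constructed benign sample"'
_wrapped = base64.b64encode(base64.b64encode(_inner.encode())).decode()
SAMPLE = f"echo {_wrapped} | base64 -d | base64 -d | osascript"

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(unwrap(SAMPLE)[-1])
```

The function only decodes and inspects text; nothing in the pasted command is ever executed.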
Based Apparel has not yet commented, but their website is offline for the moment. At press time, the site was displaying a “We’ll be right back” message that said the company is “making improvements.”
The website is apparently built using two content management systems: WordPress with WooCommerce for the store functionality and Ghost CMS for the standalone news subdomain.
Today we reported that a critical vulnerability in Ghost CMS, patched in February 2026, was also being abused against more than 700 domains to launch ClickFix attacks.





