Find notable cyber news and cases, enriched with sources, timelines, and signals.

Atomic Stealer macOS Script Editor ClickFix campaign

Campaign
First reported
Last updated
Happening score
H score 42
2 unique sources, 2 articles

Summary

Hide ▲

A new Atomic Stealer (AMOS) campaign is targeting macOS users through fake Apple-themed cleanup sites, creating a lower-friction path to malware installation and data theft. The lure uses an applescript:// link to open Script Editor with prefilled code, shifting the ClickFix-style trick away from a manual Terminal prompt. The chain runs an obfuscated `curl | zsh` command, drops `/tmp/helper`, and executes the final Mach-O payload. AMOS can steal Keychain data, browser passwords, cookies, credit cards, and crypto-wallet information, which makes the operation high-risk for Mac users.

Related Happenings

MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel

Malware Activity
H score30 First: 24.06.2026 17:00 Last: 24.06.2026 17:00 Sources 1

About this happening: Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...

MacOS ClickFix Terminal-delivered DMG campaign

Campaign
H score37 First: 23.06.2026 21:30 Last: 23.06.2026 21:30 Sources 1

About this happening: A **macOS ClickFix campaign** is using **fake CAPTCHA pages** and **Terminal commands** to quietly download and launch malicious **DMG files**, putting **Mac devices** at risk of...

Rust-based clipboard hijacker that swaps wallet addresses

Malware Activity
H score10 First: 17.06.2026 21:14 Last: 17.06.2026 21:14 Sources 1

About this happening: The **Rust-based clipper** is a **Windows and macOS** malware activity that **replaces copied cryptocurrency wallet addresses** with attacker-controlled destinations. It continuou...

SHub Reaper macOS infostealer variant

Malware Activity
H score23 First: 19.05.2026 00:42 Last: 19.05.2026 00:42 Sources 1

About this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...

Atomic Stealer (AMOS) macOS ClickFix Script Editor activity

Malware Activity
H score30 First: 09.04.2026 14:20 Last: 09.04.2026 14:20 Sources 1

How related: A malware campaign which targets macOS systems, distributed using a ClickFix attack, has evolved to exploit Script Editor as the execution vector rather than the typical Terminal-based point of execution.

About this happening: A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...

Timeline

  1. 08.04.2026 21:55 2 articles · 3mo ago

    Jamf reports Atomic Stealer campaign against macOS users

    Initial Disclosure

    Researchers at Jamf reported a new Atomic Stealer (AMOS) campaign targeting macOS users with fake Apple-themed cleanup sites that use the applescript:// URL scheme to open Script Editor with pre-filled code. The execution chain runs an obfuscated `curl | zsh` command, decodes a base64 + gzip payload, writes `/tmp/helper`, removes security attributes with `xattr -c`, and executes a Mach-O binary identified as Atomic Stealer (AMOS), which targets Keychain data, browser autofill data, passwords, cookies, stored credit cards, and system information.

    Show sources