Atomic Stealer macOS Script Editor ClickFix campaign
Campaign
Summary
A new Atomic Stealer (AMOS) campaign is targeting macOS users through fake Apple-themed cleanup sites, creating a lower-friction path to malware installation and data theft. The lure uses an `applescript://` link to open Script Editor with prefilled code, shifting the ClickFix-style trick away from a manual Terminal prompt. The chain runs an obfuscated `curl | zsh` command, drops `/tmp/helper`, and executes the final Mach-O payload. AMOS can steal Keychain data, browser passwords, cookies, credit cards, and crypto-wallet information, which makes the operation high-risk for Mac users.
Related Happenings
SHub Reaper macOS infostealer variant
Malware Activity
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources 1
About this happening:
The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
Atomic Stealer (AMOS) macOS ClickFix Script Editor activity
Malware Activity
First: 09.04.2026 14:20
Last: 09.04.2026 14:20
Sources 1
How related:
A malware campaign which targets macOS systems, distributed using a ClickFix attack, has evolved to exploit Script Editor as the execution vector rather than the typical Terminal-based point of execution.
About this happening:
A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
Venom Stealer MaaS infostealer with persistent credential harvesting
Malware Activity
First: 31.03.2026 17:51
Last: 31.03.2026 17:51
Sources 1
About this happening:
The **Venom Stealer** infostealer now ships as **malware-as-a-service (MaaS)**, expanding access to a persistent credential-theft tool and raising risk for **Windows** users. It s...
Apple macOS Tahoe 26.4 Terminal warning blocks ClickFix-style pasted commands
Security Tool/Service
First: 30.03.2026 17:32
Last: 30.03.2026 17:32
Sources 1
About this happening:
**Apple** added a **Terminal** safety warning in **macOS Tahoe 26.4** that delays or blocks pasted commands when they look harmful, reducing the chance that users execute **ClickF...
Timeline
- 08.04.2026 21:55 (2 articles)
Jamf reports Atomic Stealer campaign against macOS users
Initial Disclosure: Researchers at Jamf reported a new Atomic Stealer (AMOS) campaign targeting macOS users with fake Apple-themed cleanup sites that use the `applescript://` URL scheme to open Script Editor with pre-filled code. The execution chain runs an obfuscated `curl | zsh` command, decodes a base64 + gzip payload, writes `/tmp/helper`, removes security attributes with `xattr -c`, and executes a Mach-O binary identified as Atomic Stealer (AMOS), which targets Keychain data, browser autofill data, passwords, cookies, stored credit cards, and system information.
Sources:
- New macOS stealer campaign uses Script Editor in ClickFix attack — www.bleepingcomputer.com — 08.04.2026 21:55
- Atomic Stealer MacOS ClickFix Attack Bypasses Apple Security Warnings — www.infosecurity-magazine.com — 09.04.2026 14:20
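
A lineage-based check for the execution chain in the timeline entry above, added here as an example (it is not code from Jamf or the cited articles): it walks the descendants of Script Editor in process-exec telemetry and reports which stages of the chain appear. The event schema, PIDs and the Script Editor bundle path are assumptions; `curl`, `zsh`, `xattr -c` and `/tmp/helper` come from the page.

```python
import shlex
from pathlib import PurePosixPath

# Assumed bundle path; matching is done on the executable name only.
SE = "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"
# Constructed process-exec events; the schema and all values are hypothetical.
EVENTS = [
    {"pid": 410, "ppid": 1, "image": SE, "cmd": "Script Editor"},
    {"pid": 455, "ppid": 410, "image": "/bin/zsh", "cmd": "zsh -c <obfuscated>"},
    {"pid": 456, "ppid": 455, "image": "/usr/bin/curl", "cmd": "curl <url>"},
    {"pid": 457, "ppid": 455, "image": "/bin/zsh", "cmd": "zsh"},
    {"pid": 460, "ppid": 457, "image": "/usr/bin/xattr", "cmd": "xattr -c /tmp/helper"},
    {"pid": 461, "ppid": 457, "image": "/private/tmp/helper", "cmd": "/tmp/helper"},
]

def norm(path):
    # /tmp is a symlink to /private/tmp on macOS; telemetry may report either.
    return path[len("/private"):] if path.startswith("/private/tmp/") else path

def name(event):
    return PurePosixPath(event["image"]).name

def descendants(events, root_pid):
    out, stack, seen = [], [root_pid], {root_pid}
    while stack:
        parent = stack.pop()
        for e in events:
            if e["ppid"] == parent and e["pid"] not in seen:
                seen.add(e["pid"])
                out.append(e)
                stack.append(e["pid"])
    return out

def detect(events):
    findings = []
    for root in (e for e in events if name(e) == "Script Editor"):
        tree = descendants(events, root["pid"])
        cleared = set()  # /tmp paths whose extended attributes were cleared
        for e in (t for t in tree if name(t) == "xattr"):
            argv = shlex.split(e["cmd"])
            if "-c" in argv:
                cleared |= {norm(a) for a in argv[1:] if norm(a).startswith("/tmp/")}
        stages = {
            "curl_and_zsh_children": {"curl", "zsh"} <= {name(t) for t in tree},
            "xattr_c_on_tmp": bool(cleared),
            "exec_of_cleared_file": bool({norm(t["image"]) for t in tree} & cleared),
        }
        if any(stages.values()):
            findings.append({"root_pid": root["pid"], "stages": stages, "paths": sorted(cleared)})
    return findings
```

Because the page describes the `curl | zsh` command as obfuscated, the check keys on process lineage and on the `xattr`/exec pair rather than on a command-line string match.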