Atomic Stealer macOS Script Editor ClickFix campaign
Campaign
Summary
Hide ▲
Show ▼
A new Atomic Stealer (AMOS) campaign is targeting macOS users through fake Apple-themed cleanup sites, creating a lower-friction path to malware installation and data theft. The lure uses an applescript:// link to open Script Editor with prefilled code, shifting the ClickFix-style trick away from a manual Terminal prompt. The chain runs an obfuscated `curl | zsh` command, drops `/tmp/helper`, and executes the final Mach-O payload. AMOS can steal Keychain data, browser passwords, cookies, credit cards, and crypto-wallet information, which makes the operation high-risk for Mac users.
Related Happenings
MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel
Malware Activity
H score30
First: 24.06.2026 17:00
Last: 24.06.2026 17:00
Sources 1
About this happening:
Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...
MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel
Malware ActivityAbout this happening: Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...
MacOS ClickFix Terminal-delivered DMG campaign
Campaign
H score37
First: 23.06.2026 21:30
Last: 23.06.2026 21:30
Sources 1
About this happening:
A **macOS ClickFix campaign** is using **fake CAPTCHA pages** and **Terminal commands** to quietly download and launch malicious **DMG files**, putting **Mac devices** at risk of...
MacOS ClickFix Terminal-delivered DMG campaign
CampaignAbout this happening: A **macOS ClickFix campaign** is using **fake CAPTCHA pages** and **Terminal commands** to quietly download and launch malicious **DMG files**, putting **Mac devices** at risk of...
Rust-based clipboard hijacker that swaps wallet addresses
Malware Activity
H score10
First: 17.06.2026 21:14
Last: 17.06.2026 21:14
Sources 1
About this happening:
The **Rust-based clipper** is a **Windows and macOS** malware activity that **replaces copied cryptocurrency wallet addresses** with attacker-controlled destinations. It continuou...
Rust-based clipboard hijacker that swaps wallet addresses
Malware ActivityAbout this happening: The **Rust-based clipper** is a **Windows and macOS** malware activity that **replaces copied cryptocurrency wallet addresses** with attacker-controlled destinations. It continuou...
SHub Reaper macOS infostealer variant
Malware Activity
H score23
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources 1
About this happening:
The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
SHub Reaper macOS infostealer variant
Malware ActivityAbout this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
Atomic Stealer (AMOS) macOS ClickFix Script Editor activity
Malware Activity
H score30
First: 09.04.2026 14:20
Last: 09.04.2026 14:20
Sources 1
How related:
A malware campaign which targets macOS systems, distributed using a ClickFix attack, has evolved to exploit Script Editor as the execution vector rather than the typical Terminal-based point of execution.
About this happening:
A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...
Atomic Stealer (AMOS) macOS ClickFix Script Editor activity
Malware ActivityHow related: A malware campaign which targets macOS systems, distributed using a ClickFix attack, has evolved to exploit Script Editor as the execution vector rather than the typical Terminal-based point of execution.
About this happening: A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...
Timeline
-
08.04.2026 21:55 2 articles · 3mo ago
Jamf reports Atomic Stealer campaign against macOS users
Initial DisclosureResearchers at Jamf reported a new Atomic Stealer (AMOS) campaign targeting macOS users with fake Apple-themed cleanup sites that use the applescript:// URL scheme to open Script Editor with pre-filled code. The execution chain runs an obfuscated `curl | zsh` command, decodes a base64 + gzip payload, writes `/tmp/helper`, removes security attributes with `xattr -c`, and executes a Mach-O binary identified as Atomic Stealer (AMOS), which targets Keychain data, browser autofill data, passwords, cookies, stored credit cards, and system information.
Show sources
- New macOS stealer campaign uses Script Editor in ClickFix attack — www.bleepingcomputer.com — 08.04.2026 21:55
- Atomic Stealer MacOS ClickFix Attack Bypasses Apple Security Warnings — www.infosecurity-magazine.com — 09.04.2026 14:20