Find notable cyber news and cases, enriched with sources, timelines, and signals.

Atomic Stealer (AMOS) macOS ClickFix Script Editor activity

Malware Activity
First reported
Last updated
Happening score
H score 30
1 unique sources, 2 articles

Summary

Hide ▲

A macOS malware campaign has shifted its ClickFix execution flow to Script Editor, helping Atomic Stealer (AMOS) avoid the usual Terminal warning path. The change matters because it preserves the same social-engineering lure while reducing the chance that victims see Apple's new command-safety prompt in macOS 26.4. The payload is an infostealer/backdoor designed to run after users paste malicious commands on their devices.

Related Happenings

ClickFix mitigation guidance for Windows and macOS

Defensive Guidance
H score34 First: 30.06.2026 15:00 Last: 30.06.2026 15:00 Sources 1

How related: Meanwhile, network administrators can help prevent users from being able to fall victim to ClickFix attacks by restricting use of run dialog and clipboard, restricting execution of potentially malicious executables and blocking access to potentially malicious adverts and websites.

About this happening: Organizations are being urged to harden defenses against **ClickFix** on **Windows** and **macOS**, reducing the chance that social-engineering lures can turn trusted dialogs into...

MacOS.Gaslight AI-analysis evasion malware

Malware Activity
H score22 First: 25.06.2026 19:23 Last: 25.06.2026 19:23 Sources 1

About this happening: The **macOS.Gaslight** malware family now embeds **prompt injection strings** and fake system-failure messages to confuse **AI-assisted malware analysis** tools, risking aborted o...

Gaslight macOS implant with Telegram C2 and prompt-injection payload

Malware Activity
H score29 First: 25.06.2026 12:23 Last: 25.06.2026 12:23 Sources 1

About this happening: A **previously undocumented macOS implant** named **Gaslight** combines **Telegram bot API C2**, **persistent shell control**, and **file exfiltration** with a built-in **prompt-i...

MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage

Technical Analysis
H score23 First: 24.06.2026 17:00 Last: 24.06.2026 17:00 Sources 1

About this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...

Rust-based clipboard hijacker spreading via fake crypto tools

Malware Activity
H score13 First: 18.06.2026 18:00 Last: 18.06.2026 18:00 Sources 1

About this happening: A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...

Timeline

  1. 09.04.2026 14:20 3 articles · 3mo ago

    Jamf details a ClickFix-delivered AMOS campaign using Script Editor

    Technical Analysis Update

    Researchers at Jamf Threat Labs described a macOS-targeting ClickFix campaign that delivers Atomic Stealer (AMOS) through a browser-triggered workflow that opens Script Editor instead of the usual Terminal path. The lure presents a fake Apple disk-space cleanup page and steers users into pasting malicious commands, allowing the payload to execute on the victim’s Mac while avoiding the Terminal warning flow introduced in macOS 26.4.

    Show sources