Atomic Stealer (AMOS) macOS ClickFix Script Editor activity
Malware Activity
Summary
Hide ▲
Show ▼
A macOS malware campaign has shifted its ClickFix execution flow to Script Editor, helping Atomic Stealer (AMOS) avoid the usual Terminal warning path. The change matters because it preserves the same social-engineering lure while reducing the chance that victims see Apple's new command-safety prompt in macOS 26.4. The payload is an infostealer/backdoor designed to run after users paste malicious commands on their devices.
Related Happenings
ClickFix mitigation guidance for Windows and macOS
Defensive Guidance
H score34
First: 30.06.2026 15:00
Last: 30.06.2026 15:00
Sources 1
How related:
Meanwhile, network administrators can help prevent users from being able to fall victim to ClickFix attacks by restricting use of run dialog and clipboard, restricting execution of potentially malicious executables and blocking access to potentially malicious adverts and websites.
About this happening:
Organizations are being urged to harden defenses against **ClickFix** on **Windows** and **macOS**, reducing the chance that social-engineering lures can turn trusted dialogs into...
ClickFix mitigation guidance for Windows and macOS
Defensive GuidanceHow related: Meanwhile, network administrators can help prevent users from being able to fall victim to ClickFix attacks by restricting use of run dialog and clipboard, restricting execution of potentially malicious executables and blocking access to potentially malicious adverts and websites.
About this happening: Organizations are being urged to harden defenses against **ClickFix** on **Windows** and **macOS**, reducing the chance that social-engineering lures can turn trusted dialogs into...
MacOS.Gaslight AI-analysis evasion malware
Malware Activity
H score22
First: 25.06.2026 19:23
Last: 25.06.2026 19:23
Sources 1
About this happening:
The **macOS.Gaslight** malware family now embeds **prompt injection strings** and fake system-failure messages to confuse **AI-assisted malware analysis** tools, risking aborted o...
MacOS.Gaslight AI-analysis evasion malware
Malware ActivityAbout this happening: The **macOS.Gaslight** malware family now embeds **prompt injection strings** and fake system-failure messages to confuse **AI-assisted malware analysis** tools, risking aborted o...
Gaslight macOS implant with Telegram C2 and prompt-injection payload
Malware Activity
H score29
First: 25.06.2026 12:23
Last: 25.06.2026 12:23
Sources 1
About this happening:
A **previously undocumented macOS implant** named **Gaslight** combines **Telegram bot API C2**, **persistent shell control**, and **file exfiltration** with a built-in **prompt-i...
Gaslight macOS implant with Telegram C2 and prompt-injection payload
Malware ActivityAbout this happening: A **previously undocumented macOS implant** named **Gaslight** combines **Telegram bot API C2**, **persistent shell control**, and **file exfiltration** with a built-in **prompt-i...
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical Analysis
H score23
First: 24.06.2026 17:00
Last: 24.06.2026 17:00
Sources 1
About this happening:
**macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical AnalysisAbout this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
Rust-based clipboard hijacker spreading via fake crypto tools
Malware Activity
H score13
First: 18.06.2026 18:00
Last: 18.06.2026 18:00
Sources 1
About this happening:
A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...
Rust-based clipboard hijacker spreading via fake crypto tools
Malware ActivityAbout this happening: A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...
Timeline
-
09.04.2026 14:20 3 articles · 3mo ago
Jamf details a ClickFix-delivered AMOS campaign using Script Editor
Technical Analysis UpdateResearchers at Jamf Threat Labs described a macOS-targeting ClickFix campaign that delivers Atomic Stealer (AMOS) through a browser-triggered workflow that opens Script Editor instead of the usual Terminal path. The lure presents a fake Apple disk-space cleanup page and steers users into pasting malicious commands, allowing the payload to execute on the victim’s Mac while avoiding the Terminal warning flow introduced in macOS 26.4.
Show sources
- Atomic Stealer MacOS ClickFix Attack Bypasses Apple Security Warnings — www.infosecurity-magazine.com — 09.04.2026 14:20
- Atomic Stealer MacOS ClickFix Attack Bypasses Apple Security Warnings — www.infosecurity-magazine.com — 09.04.2026 14:20
- ClickFix Now Cybercriminals' Favorite Malware Delivery Technique — www.infosecurity-magazine.com — 30.06.2026 15:00