Atomic Stealer (AMOS) macOS ClickFix Script Editor activity

Malware Activity
Happening score
H score 33
1 unique source, 1 article

Summary

A macOS malware campaign has shifted its ClickFix execution flow to Script Editor, helping Atomic Stealer (AMOS) avoid the usual Terminal warning path. The change matters because it preserves the same social-engineering lure while reducing the chance that victims see Apple's new command-safety prompt in macOS 26.4. The payload is an infostealer/backdoor designed to run after users paste malicious commands on their devices.

Related Happenings

SHub Reaper macOS infostealer variant

Malware Activity
First: 19.05.2026 00:42 Last: 19.05.2026 00:42 Sources 1

About this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...

macOS living-off-the-land analysis exposing native-feature abuse

Technical Analysis
First: 22.04.2026 19:30 Last: 22.04.2026 19:30 Sources 1

About this happening: Native macOS features are now being repurposed for **code execution**, **lateral movement**, and **evasion**, widening detection gaps across enterprise Apple fleets. The analysis...

macOS LOTL detection and hardening guidance against native-tool abuse

Defensive Guidance
First: 22.04.2026 19:30 Last: 22.04.2026 19:30 Sources 1

About this happening: Defensive guidance now pushes **macOS** security teams to detect native-tool abuse by shifting toward **process lineage analysis**, because attackers are using built-in features t...

Atomic Stealer macOS Script Editor ClickFix campaign

Campaign
First: 08.04.2026 21:55 Last: 08.04.2026 21:55 Sources 1

How related: The Atomic Stealer campaign has shifted to Script Editor because the attackers are trying to keep potential victims from seeing the warnings shown in the Terminal.

About this happening: A **new Atomic Stealer (AMOS)** campaign is targeting **macOS users** through **fake Apple-themed cleanup sites**, creating a lower-friction path to malware installation and data...

Venom Stealer MaaS continuous credential theft and exfiltration

Malware Activity
First: 01.04.2026 16:30 Last: 01.04.2026 16:30 Sources 1

About this happening: The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...

Timeline

  1. 09.04.2026 14:20 · 2 articles

    Jamf details a ClickFix-delivered AMOS campaign using Script Editor

    Technical Analysis Update

    Researchers at Jamf Threat Labs described a macOS-targeting ClickFix campaign that delivers Atomic Stealer (AMOS) through a browser-triggered workflow that opens Script Editor instead of the usual Terminal path. The lure presents a fake Apple disk-space cleanup page and steers users into pasting malicious commands, allowing the payload to execute on the victim’s Mac while avoiding the Terminal warning flow introduced in macOS 26.4.
