macOS ClickFix Terminal-delivered DMG campaign

Campaign
H score 37
1 unique source, 1 article

Summary

A macOS ClickFix campaign is using fake CAPTCHA pages and Terminal commands to quietly download and launch malicious DMG files, putting Mac devices at risk of AMOS credential theft. The operation expands the attack surface by turning a browser prompt into a malware delivery chain that can steal passwords, wallets, and other user data.

Related Happenings

Rust-based clipboard hijacker spreading via fake crypto tools

Malware Activity
H score 13 · First: 18.06.2026 18:00 · Last: 18.06.2026 18:00 · Sources: 1

About this happening: A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...

SilabRAT session-hijacking crypto-draining malware activity

Malware Activity
H score 24 · First: 10.06.2026 18:30 · Last: 10.06.2026 18:30 · Sources: 1

About this happening: The **SilabRAT** **MaaS** operation is now offering a session-hijacking **remote access trojan** that can drain cryptocurrency and bypass **password** and **MFA** checks, expandin...

DriveSurge as an initial access broker on a pay-per-install model

Threat Actor Meta
H score 41 · First: 02.06.2026 01:14 · Last: 02.06.2026 01:14 · Sources: 1

About this happening: DriveSurge has shifted into an **initial access broker** role built around a **pay-per-install (PPI)** model, expanding monetized access delivery and increasing downstream intrusi...

DriveSurge large-scale website-hijack malware distribution campaign

Campaign
H score 41 · First: 02.06.2026 01:14 · Last: 02.06.2026 01:14 · Sources: 1

About this happening: The **DriveSurge** campaign is redirecting visitors from **thousands of compromised websites** to **malware-delivery infrastructure**, creating a broad infection path through **Cl...

SHub Reaper macOS infostealer variant

Malware Activity
H score 23 · First: 19.05.2026 00:42 · Last: 19.05.2026 00:42 · Sources: 1

About this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...

Timeline

  1. 23.06.2026 21:30 · 2 articles

    Fake CAPTCHA Terminal commands deliver Atomic macOS Stealer on Mac devices

    Initial Disclosure

    Palo Alto Networks Unit 42 identified a macOS ClickFix campaign that uses fake CAPTCHA pages and Terminal commands to quietly download, mount, and launch malicious DMG payloads on Mac devices. The campaign delivers Atomic macOS Stealer (AMOS), which steals browser credentials, cryptocurrency wallet data, Keychain data, messaging app information, and user documents, and it uses a download-and-launch chain that hides the DMG mount and then uploads harvested data to attacker infrastructure.
