A new macOS stealer campaign uses Script Editor, a built-in macOS application, in a sophisticated ClickFix attack, posing a significant threat to user data. This campaign, observed by security researchers at Jamf, leverages fake Apple-themed websites to trick users into executing malicious code, ultimately delivering the notorious Atomic Stealer malware.
Previously, ClickFix attacks primarily relied on coercing users to interact with Terminal commands. However, this latest iteration ingeniously abuses Script Editor, a trusted component of macOS, to bypass some of Apple’s recent protections. The shift to Script Editor means victims are prompted to open an application they inherently trust, making the social engineering tactic even more potent. Users are presented with seemingly legitimate system cleanup instructions on fake support pages, which then utilize the applescript:// URL scheme to launch Script Editor with pre-filled, obfuscated executable code.
Understanding the macOS Stealer Campaign
The malicious code, once executed through Script Editor, runs an obfuscated ‘curl | zsh’ command. This command is designed to download and execute a script directly into system memory, a technique often used to evade detection. Following this, it decodes a base64 + gzip payload, downloads a binary (/tmp/helper), and then removes security attributes via ‘xattr -c’ before making it executable and running it. This multi-stage process is highly effective at delivering the final payload, the Atomic Stealer (AMOS).
“This new ClickFix variant highlights the evolving sophistication of cyber threats targeting macOS users, exploiting trusted system applications for malicious ends.”
Atomic Stealer is a prevalent malware-as-a-service known for its broad data exfiltration capabilities. It targets a wide array of sensitive information, including credentials from Keychain, desktop files, browser cryptocurrency wallet extensions, autofill data, passwords, cookies, and stored credit card details. Furthermore, AMOS has been updated to include a backdoor component, granting attackers persistent access to compromised systems, escalating the risk significantly. For more insights into evolving cyber threats, explore our related Tech news.
Protecting Against Advanced macOS Threats
Given the cunning nature of this macOS stealer campaign, vigilance is paramount for all Mac users. The primary defense lies in extreme caution when encountering prompts from Script Editor, especially if they originate from untrusted or unverified sources. Users should never run scripts unless they fully comprehend their function and have absolute trust in the source providing them. Relying solely on official Apple documentation for troubleshooting and system guides is strongly recommended to avoid falling victim to these elaborate phishing schemes.
The continuous evolution of malware delivery methods, such as this Script Editor abuse in ClickFix attacks, underscores the need for robust security practices. Regularly updating macOS, employing reputable security software, and exercising a critical eye on all digital interactions are essential steps to safeguard personal and financial data against such sophisticated threats. Stay informed and protect your digital assets.




