Atomic Stealer macOS ClickFix Attack Bypasses Apple Security Warnings

By Team-CWD, April 9, 2026


A malware campaign which targets macOS systems, distributed using a ClickFix attack, has evolved to exploit Script Editor as the execution vector rather than the typical Terminal-based point of execution.

Identified by researchers at Jamf Threat Labs, the campaign is designed to deliver Atomic Stealer (AMOS), an infostealer and backdoor built specifically to target macOS.

The campaign appears to be a direct response to an Apple OS update which now warns users that they may be unwittingly helping cybercriminals install malware via a ClickFix attack.

ClickFix is a social engineering technique that uses dialogue boxes containing fake instructions or verification messages to trick people into copying, pasting and running malicious code on their own device.

Typically, when ClickFix attacks target macOS, they prompt the user to enter commands in the macOS Terminal under the guise of troubleshooting or maintenance.

Instead, this new AMOS variant uses a browser-triggered workflow to launch Script Editor, which is where the user is encouraged to enter the commands.

A New Method to Avoid macOS Security Warnings

Apple attempted to counter ClickFix attacks in the macOS 26.4 update by introducing a security feature that scans commands pasted into Terminal before they’re executed and warns the user that the command could be malicious.

The Atomic Stealer campaign has shifted to Script Editor so that potential victims never see these Terminal warnings.

“It’s a meaningful friction point, but as this campaign illustrates, when one door closes, attackers find another,” Thijs Xhaflaire, senior threat and detections researcher at Jamf Threat Labs, said in a blog post published on April 8.

The Atomic Stealer campaign detailed by Jamf presented potential victims with a full window in their browser which claimed to be from Apple, with advice on how to reclaim disk space on a Mac.

The method used to lure potential victims to these sites is not detailed, but typically similar ClickFix campaigns have relied on malicious links or malvertising.

The user is asked to follow step-by-step instructions to supposedly reclaim the disk space on their Mac, which leads them to open Script Editor and paste in what are in fact malicious commands which execute the malware payload and infect the victim’s system.

“By shifting execution from Terminal to Script Editor, the attacker preserves a familiar delivery mechanism while quietly changing how and where the command actually runs. It’s a small adjustment with a meaningful impact,” said Xhaflaire.

ClickFix has become one of the most popular vectors for cybercriminals to distribute malware and phishing attacks.

Actions which network administrators can take to help prevent users from falling victim include restricting use of the run dialog and clipboard, restricting execution of potentially malicious executables and blocking access to potentially malicious adverts and websites.
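
Because the execution point described above moves from Terminal to Script Editor, defenders can watch for shells or transfer tools running beneath a Script Editor process. The following is an added example, not code from Jamf or from this article; the event tuples are constructed, and the watch list, the stock Script Editor path and the absence of PID reuse are assumptions.

```python
from collections import defaultdict

# Assumed stock location of the Script Editor binary on current macOS.
SCRIPT_EDITOR = ("/System/Applications/Utilities/Script Editor.app"
                 "/Contents/MacOS/Script Editor")
TERMINAL = ("/System/Applications/Utilities/Terminal.app"
            "/Contents/MacOS/Terminal")
# Assumed watch list: shells and transfer tools a pasted script could invoke.
WATCHED = {"sh", "bash", "zsh", "curl", "osascript", "python3"}

# Constructed process-start telemetry: (pid, ppid, executable path).
EVENTS = [
    (410, 1, "/Applications/Safari.app/Contents/MacOS/Safari"),
    (500, 1, SCRIPT_EDITOR),      # Script Editor opened, script run
    (501, 500, "/bin/sh"),
    (502, 501, "/usr/bin/curl"),
    (600, 1, TERMINAL),           # ordinary Terminal use, out of scope here
    (601, 600, "/bin/zsh"),
    (602, 601, "/usr/bin/curl"),
    (700, 1, SCRIPT_EDITOR),      # Script Editor opened, nothing executed
]

def script_editor_descendants(events):
    """Return sorted (script_editor_pid, pid, name) for each watched binary
    found anywhere in the process tree below a Script Editor process."""
    children = defaultdict(list)
    path_of = {}
    for pid, ppid, path in events:
        children[ppid].append(pid)
        path_of[pid] = path
    hits = []
    for root, path in path_of.items():
        if path != SCRIPT_EDITOR:
            continue
        stack = list(children[root])
        while stack:                      # walk every descendant, not just children
            pid = stack.pop()
            name = path_of[pid].rsplit("/", 1)[-1]
            if name in WATCHED:
                hits.append((root, pid, name))
            stack.extend(children[pid])
    return sorted(hits)

if __name__ == "__main__":
    for root, pid, name in script_editor_descendants(EVENTS):
        print(f"Script Editor pid {root} -> {name} (pid {pid})")
```

Legitimate AppleScript automation also spawns shells, so hits from this check are leads to triage against known automation, not verdicts.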


