New Atomic macOS Stealer Campaign Exploits ClickFix to Target Apple Users

06/06/2025

Cybersecurity researchers are alerting to a new malware campaign that employs the ClickFix social engineering tactic to trick users into downloading an information stealer malware known as Atomic macOS Stealer (AMOS) on Apple macOS systems.
The campaign, according to CloudSEK, has been found to leverage typosquat domains mimicking U.S.-based telecom provider Spectrum.
“macOS users are served a malicious shell script designed to steal system passwords and download an AMOS variant for further exploitation,” security researcher Koushik Pal said in a report published this week. “The script uses native macOS commands to harvest credentials, bypass security mechanisms, and execute malicious binaries.”
It’s believed that the activity is the work of Russian-speaking cybercriminals owing to the presence of Russian language comments in the malware’s source code.

The starting point of the attack is a web page that impersonates Spectrum (“panel-spectrum[.]net” or “spectrum-ticket[.]net”). Visitors to the sites in question are served a message that instructs them to complete an hCaptcha verification check in order to “review the security” of their connection before proceeding further.
However, when the user clicks the “I am human” checkbox for evaluation, they are displayed an error message stating “CAPTCHA verification failed,” urging them to click a button to go ahead with an “Alternative Verification.”
Doing so causes a command to be copied to the user’s clipboard, and the victim is shown a set of instructions depending on their operating system. On Windows, they are guided to run a PowerShell command by opening the Windows Run dialog; on macOS, this is replaced by a shell script that is executed by launching the Terminal app.
The shell script, for its part, prompts users to enter their system password and downloads a next-stage payload, in this case, a known stealer called Atomic Stealer.
“Poorly implemented logic in the delivery sites, such as mismatched instructions across platforms, points to hastily assembled infrastructure,” Pal said.
“The delivery pages in question for this AMOS variant campaign contained inaccuracies in both its programming and front-end logic. For Linux user agents, a PowerShell command was copied. Furthermore, the instruction ‘Press & hold the Windows Key + R’ was displayed to both Windows and Mac users.”
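A defender-side heuristic for the lure pages described above, as an added example that is not from CloudSEK's report or the original article: it flags a fetched page that both writes to the clipboard and tells the visitor to open the Run dialog or Terminal. The function name, verdict labels and sample HTML are assumptions constructed for illustration; the phrases and defanged domains are the ones quoted in the article.

```python
import re

# Standard browser copy APIs that a page can use to fill the clipboard.
CLIPBOARD_WRITE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]", re.I)
# On-page wording quoted in the article.
LURE_PHRASES = ("captcha verification failed", "alternative verification", "i am human")
# Instructions that move the visitor from the browser to a command prompt.
RUN_PROMPT = re.compile(r"windows\s+key\s*\+\s*r\b|open\s+(?:the\s+)?terminal", re.I)
# Domains named in the article, stored defanged and refanged only for comparison.
REPORTED_HOSTS = {"panel-spectrum[.]net", "spectrum-ticket[.]net"}


def assess_page(host, html):
    """Return the ClickFix indicators found in one fetched page plus a verdict."""
    # Drop tags and collapse whitespace so inline markup cannot split a phrase.
    text = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", html)).lower()
    hits = {
        "reported_host": host.lower() in {h.replace("[.]", ".") for h in REPORTED_HOSTS},
        "clipboard_write": bool(CLIPBOARD_WRITE.search(html)),
        "run_prompt": bool(RUN_PROMPT.search(text)),
        "lure_phrases": [p for p in LURE_PHRASES if p in text],
    }
    if hits["reported_host"] or (hits["clipboard_write"] and hits["run_prompt"]):
        hits["verdict"] = "block"    # page fills the clipboard and says where to paste it
    elif hits["clipboard_write"] and hits["lure_phrases"]:
        hits["verdict"] = "review"   # fake-CAPTCHA wording next to a clipboard write
    else:
        hits["verdict"] = "allow"
    return hits


# Constructed sample pages (not captured from the campaign); the command is a placeholder.
LURE_HTML = """
<div id="msg">CAPTCHA verification failed</div>
<button onclick="navigator.clipboard.writeText(CMD)">Alternative Verification</button>
<p>Press &amp; hold the <b>Windows Key</b> + R, then paste and press Enter.</p>
<script>const CMD = "PLACEHOLDER-COMMAND";</script>
"""
BENIGN_HTML = """
<pre id="c">pip install example</pre>
<button onclick="navigator.clipboard.writeText(c.innerText)">Copy</button>
"""

if __name__ == "__main__":
    for name, page in (("lure.example", LURE_HTML), ("docs.example", BENIGN_HTML)):
        print(name, assess_page(name, page))
```

The benign page shows why a clipboard write alone is not enough to block: documentation sites with "Copy" buttons use the same API.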
The disclosure comes amid a surge in campaigns using the ClickFix tactic to deliver a wide range of malware families over the past year.
“Actors carrying out these targeted attacks typically utilize similar techniques, tools, and procedures (TTPs) to gain initial access,” Darktrace said. “These include spear phishing attacks, drive-by compromises, or exploiting trust in familiar online platforms, such as GitHub, to deliver malicious payloads.”

The links distributed using these vectors typically redirect the end user to a malicious URL that displays a fake CAPTCHA verification check and completes it in an attempt to deceive users into thinking that they are carrying out something innocuous, when, in reality, they are guided to execute malicious commands to fix a non-existent issue.
The end result of this effective social engineering method is that users end up compromising their own systems, effectively bypassing security controls.
In one April 2025 incident analyzed by Darktrace, unknown threat actors were found to utilize ClickFix as an attack vector to download nondescript payloads to burrow deeper into the target environment, conduct lateral movement, send system-related information to an external server via an HTTP POST request, and ultimately exfiltrate data.
“ClickFix baiting is a widely used tactic in which threat actors exploit human error to bypass security defenses,” Darktrace said. “By tricking endpoint users into performing seemingly harmless, everyday actions, attackers gain initial access to systems where they can access and exfiltrate sensitive data.”

Other ClickFix attacks have employed phony versions of other popular CAPTCHA services like Google reCAPTCHA and Cloudflare Turnstile for malware delivery under the guise of routine security checks.
These fake pages are “pixel-perfect copies” of their legitimate counterparts, sometimes even injected into real-but-hacked websites to trick unsuspecting users. Stealers such as Lumma and StealC, as well as full-fledged remote access trojans (RATs) like NetSupport RAT are some of the payloads distributed via bogus Turnstile pages.
“Modern internet users are inundated with spam checks, CAPTCHAs, and security prompts on websites, and they’ve been conditioned to click through these as quickly as possible,” SlashNext’s Daniel Kelley said. “Attackers exploit this ‘verification fatigue,’ knowing that many users will comply with whatever steps are presented if it looks routine.”

Source: thehackernews.com
