Emerging Atomic macOS Stealer Campaign Leverages ClickFix Exploit to Target Apple Users


Cybersecurity researchers have identified a significant malware campaign utilizing the ClickFix social engineering technique to deceive users into downloading an information-stealing malware identified as Atomic macOS Stealer (AMOS) on Apple macOS systems.

The campaign reportedly employs typosquatting tactics, mimicking domains associated with the U.S.-based telecom provider Spectrum.

According to security researcher Koushik Pal, users of macOS are targeted with a malicious shell script designed to compromise system passwords and subsequently download an AMOS variant for further exploitation. The script utilizes native macOS commands to extract credentials, circumvent security protocols, and execute malicious binaries.

The presence of Russian language comments in the malware’s source code suggests that this activity is orchestrated by Russian-speaking cybercriminals.

The initial stage of the attack is facilitated through web pages acting as impostors for Spectrum, such as “panel-spectrum[.]net” or “spectrum-ticket[.]net.” Users visiting these pages encounter messages prompting them to complete an hCaptcha verification to “review the security” of their connection prior to proceeding.
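The two impostor hosts above follow the same pattern: a hyphenated label that embeds the brand name on a registrable domain the brand does not own. The following check, an added example that is not part of the article, refangs indicators as write-ups print them and flags brand-lookalike domains; the legitimate domains `spectrum.net` and `spectrum.com` are assumptions for illustration, since the article names only the impostor hosts.

```python
import re
from typing import Dict, Iterable, Optional

# Brand token to protect and the registrable domains assumed to belong to it.
# The legitimate-domain set is an assumption; the article lists only impostors.
BRAND_TOKENS = {"spectrum"}
LEGIT_REGISTRABLE = {"spectrum.net", "spectrum.com"}


def refang(indicator: str) -> str:
    """Undo common defanging: [.] / (.) -> . and hxxp -> http."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Fine for .net/.com; a public suffix
    list is required for ccTLDs such as .co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, so 'spectrun' still matches 'spectrum'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_lookalike(indicator: str) -> Optional[str]:
    """Return the brand a host impersonates, or None. Hosts on the brand's
    own registrable domains are never flagged."""
    host = re.sub(r"^[a-z]+://", "", refang(indicator).strip()).split("/")[0]
    reg = registrable_domain(host)
    if reg in LEGIT_REGISTRABLE:
        return None
    # "panel-spectrum" -> ["panel", "spectrum"]; digits and underscores also split
    tokens = re.split(r"[-_0-9]+", reg.split(".")[0])
    for tok in tokens:
        for brand in BRAND_TOKENS:
            if tok and levenshtein(tok, brand) <= 1:
                return brand
    return None


def triage(indicators: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each indicator to the brand it impersonates (None = not a lookalike)."""
    return {ind: brand_lookalike(ind) for ind in indicators}
```

Feeding the article's two defanged hosts through `triage` returns "spectrum" for both, while a path on `www.spectrum.net` returns None.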

When a user clicks the “I am human” checkbox, they receive an error message indicating “CAPTCHA verification failed,” compelling them to select a button for “Alternative Verification.”

This action prompts a command to be copied to the user’s clipboard, with tailored instructions based on their operating system. Windows users are directed to run a PowerShell command, while macOS users are instead routed to execute a shell script via the Terminal application.

The shell script requests the user to input their system password and downloads a subsequent payload, specifically a variant known as Atomic Stealer.

Pal observed that the disorganization in the delivery sites, such as conflicting instructions across different platforms, suggests a hastily constructed infrastructure. The delivery pages exhibited flaws in programming logic and frontend implementation, such as presenting a PowerShell command to Linux user agents and displaying directions meant for Windows users to macOS and vice versa.

This revelation comes amid a noticeable increase in campaigns leveraging the ClickFix tactic for disseminating various malware families over the past year.

According to Darktrace, attackers engaged in these targeted operations frequently reuse similar tactics, techniques, and procedures (TTPs) to achieve initial access. These methods include spear phishing, drive-by compromises, and exploiting trust in familiar online platforms to deliver malicious payloads.

The links distributed through these schemes redirect users to deceptive URLs presenting a counterfeit CAPTCHA verification check, thereby leading users to execute harmful commands under the pretext of resolving a non-existent issue.

This effective social engineering approach results in users inadvertently compromising their own systems, thereby bypassing established security measures.

An incident analyzed by Darktrace in April 2025 revealed that unknown threat actors used ClickFix as an avenue to download unspecified payloads, enabling them to infiltrate target environments, conduct lateral movements, and ultimately exfiltrate sensitive data.

Darktrace indicated that ClickFix baiting is a prevalent tactic wherein threat actors exploit human error to navigate around security defenses, taking advantage of unsuspecting users who perform seemingly innocuous tasks that ultimately grant the attackers initial system access.

Additional ClickFix campaigns have utilized counterfeit versions of popular CAPTCHA services, such as Google reCAPTCHA and Cloudflare Turnstile, to facilitate malware delivery under the guise of routine security procedures.

These fraudulent pages often serve as precise replicas of legitimate counterparts, sometimes embedded into real but compromised websites to mislead users. Malware payloads distributed through bogus Turnstile pages include various stealers and remote access trojans like Lumma, StealC, and NetSupport RAT.

Experts from SlashNext note the prevalence of verification fatigue among modern internet users, who are often inundated with spam checks, CAPTCHAs, and security prompts. Many users are conditioned to expedite these processes, providing attackers with a valuable opportunity to execute their strategies effectively.