A malware campaign which targets macOS systems, distributed using a ClickFix attack, has evolved to exploit Script Editor as the execution vector rather than the typical Terminal-based point of execution.<\/p>\n
Identified by researchers at Jamf Threat Labs, the campaign is designed to deliver an Atomic Stealer<\/a> (AMOS), an infostealer<\/a> and backdoor which is specifically designed to target MacOS operating systems.<\/p>\n The campaign appears to be a direct response to an Apple OS update which now warns users that they may be unwittingly helping cybercriminals install malware via a ClickFix<\/a> attack.<\/p>\n ClickFix, is social engineering<\/a> technique which uses dialogue boxes that contain fake instructions or verification messages, to trick people into copying, pasting and running malicious code on their own device.<\/p>\n Typically, when ClickFix attacks target MacOS, they prompt the user to enter commands in the macOS Terminal under the guise of troubleshooting or maintenance.<\/p>\n Instead, this new AMOS variant uses a browser-triggered workflow to launch Script Editor, which is where the user is encouraged to enter the commands.<\/p>\n Apple attempted to counter ClickFix attacks in the macOS 26.4 update<\/a> by introducing a security feature that scans commands pasted into Terminal before they're executed and warns the user that the command could be malicious.<\/p>\n The Atomic Stealer campaign has shifted to exploit Script Editor because the attackers are attempting to get around potential victims seeing these warnings in the Terminal.<\/p>\n “It's a meaningful friction point, but as this campaign illustrates, when one door closes, attackers find another,” Thijs Xhaflaire, senior threat and detections researcher at Jamf Threat Labs said in a blog post, published on April 8<\/a>.<\/p>\n The Atomic Stealer campaigned detailed by Jamf presented potential victims with a full window in their browser which claimed to be from Apple, with advice on how to reclaim disk space on a Mac.<\/p>\n The method used to lure potential victims to these sites is not detailed, but typically similar ClickFix campaigns have relied on malicious links or malvertising<\/a>.<\/p>\n The user is asked to follow step-by-step instructions to supposedly reclaim the disk space on their Mac, which leads them to open Script Editor and paste in what are in fact malicious commands which execute the malware payload and infect the victim’s system.<\/p>\n “By shifting execution from Terminal to Script Editor, the attacker preserves a familiar delivery mechanism while quietly changing how and where the command actually runs. It's a small adjustment with a meaningful impact,” said Xhaflaire.<\/p>\nA New Method to Avoid MacOS Security Warnings<\/strong><\/h2>\n