A new malware campaign targeting macOS users is using a clever twist on a known social engineering tactic to spread Atomic Stealer, a data-stealing malware.

Instead of relying on Terminal commands like earlier attacks, this version abuses Apple’s built-in Script Editor to execute malicious code more easily.

Script Editor is a trusted app that comes pre-installed on macOS and is typically used for writing and running scripts such as AppleScript and JavaScript for Automation. While it has been misused before, researchers say this latest approach is different because it removes the need for users to manually run commands in Terminal, making the attack smoother and less suspicious.

Previous versions of this attack method, often referred to as ClickFix, tricked users into copying and pasting commands into Terminal. Apple recently introduced warnings in macOS Tahoe 26.4 to alert users when such commands are being executed, but this new variation sidesteps that protection.

Security researchers at Jamf found that attackers are now using fake Apple-themed websites that pretend to offer instructions on how to free up storage space on a Mac. These pages appear legitimate and include step-by-step cleanup guides, but they secretly use a special applescript URL to open Script Editor with preloaded malicious code.

When users follow the instructions, they are prompted to open Script Editor, which then runs an obfuscated command that downloads and executes a script directly in memory. The process involves decoding hidden data, retrieving a secondary file, removing security restrictions, and running it on the system.

READ
Opera GX Fixes Critical Browser Flaw That Could Secretly Leak Your Gmail Address

The final payload is a Mach-O binary known as Atomic Stealer, also called AMOS, which has been widely used in similar campaigns over the past year. This malware is designed to collect a wide range of sensitive information, including data from the Keychain, files on the desktop, browser-stored passwords, cookies, autofill data, cryptocurrency wallets, saved credit card details, and system information.

In addition to stealing data, newer versions of AMOS have introduced a backdoor feature that allows attackers to maintain ongoing access to infected devices.


Buy ExpressVPN with PayPal or Credit Card

Researchers warn that prompts involving Script Editor should be treated with caution, especially when triggered by websites. Users are advised not to run scripts unless they fully understand their purpose and trust the source. For system troubleshooting, relying on official Apple documentation is considered safer, while community forums may carry some level of risk.

Advertisement