A new macOS ClickFix attack is targeting Apple users with a stealthy malware delivery technique that silently mounts malicious disk image files and installs an information-stealing payload. Security researchers warn that the campaign uses social engineering instead of software exploits, making user awareness a critical defense.

The attack delivers Atomic macOS Stealer (AMOS), one of the most active information-stealing malware families targeting Apple devices. Once installed, the malware can collect credentials, cryptocurrency wallet data, personal files, and other sensitive information.

Attack Uses Terminal Commands to Mount Malicious DMGs

Researchers discovered that the campaign relies on the ClickFix social engineering technique. Victims are tricked into executing commands in Terminal after being presented with fake verification prompts or troubleshooting instructions. Unlike traditional malware downloads, the attack convinces users to initiate the infection themselves.

After the command runs, the script silently downloads a malicious DMG file, mounts it in the background, and launches the malware without requiring additional user interaction. This approach helps attackers avoid some security warnings that might otherwise raise suspicion.

The technique represents another evolution of ClickFix campaigns, which continue to adapt as security vendors introduce new protections.
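
The chain described above (a command pasted into Terminal, or into Script Editor in the variants the article mentions, that mounts a disk image in the background and runs a payload from it) can be hunted for in process telemetry. The following Python is an added example and is not taken from the researchers' report. It assumes process events with ts, pid, ppid, exe and argv fields, that the background mount appears as hdiutil attach with the -nobrowse flag, and a 120-second correlation window; all sample events are constructed.

```python
import os
from collections import defaultdict

WINDOW_SECONDS = 120                       # assumed correlation window
LAUNCHERS = {"Terminal", "Script Editor"}  # apps the article names as entry points

def ev(ts, pid, ppid, exe, *argv):
    return {"ts": ts, "pid": pid, "ppid": ppid, "exe": exe, "argv": list(argv)}

# Constructed sample events, not taken from a real incident.
EVENTS = [
    ev(100, 200, 1, "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"),
    ev(101, 201, 200, "/bin/zsh", "zsh"),
    ev(105, 203, 201, "/usr/bin/hdiutil", "hdiutil", "attach", "-nobrowse", "/tmp/sample.dmg"),
    ev(108, 204, 201, "/Volumes/Sample/helper", "helper"),
    # Benign: image opened from Finder, no Terminal or Script Editor ancestor.
    ev(500, 300, 1, "/Volumes/Installer/Installer.app/Contents/MacOS/Installer"),
]

def detect(events):
    """Return (launcher_pid, executed_path) for each suspicious chain."""
    procs = {e["pid"]: e for e in events}

    def launcher_of(pid):
        # Walk up the parent chain until a user-facing launcher app is found.
        seen = set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            if os.path.basename(procs[pid]["exe"]) in LAUNCHERS:
                return pid
            pid = procs[pid]["ppid"]
        return None

    hidden_mounts = defaultdict(list)  # launcher pid -> timestamps of hidden mounts
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        root = launcher_of(e["pid"])
        if root is None:
            continue
        argv = e["argv"]
        if os.path.basename(e["exe"]) == "hdiutil" and "attach" in argv and "-nobrowse" in argv:
            hidden_mounts[root].append(e["ts"])
        elif e["exe"].startswith("/Volumes/"):
            if any(0 <= e["ts"] - t <= WINDOW_SECONDS for t in hidden_mounts[root]):
                findings.append((root, e["exe"]))
    return findings

if __name__ == "__main__":
    for root, path in detect(EVENTS):
        print(f"ALERT launcher pid={root} ran {path} after a hidden DMG mount")
```

The same correlation can be expressed as an EDR or SIEM query; the Finder-opened installer in the sample data is not flagged because it has no Terminal or Script Editor ancestor.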

Atomic Stealer Remains the Final Payload

The attackers use the campaign to distribute Atomic macOS Stealer, commonly known as AMOS. The malware specializes in harvesting sensitive information stored on Apple devices.

Researchers say the malware can collect:

  • Browser usernames and passwords
  • Cryptocurrency wallet information
  • Apple Keychain data
  • Messaging application content
  • User documents and stored files

In some cases, the malware can also replace legitimate cryptocurrency-related applications with malicious versions designed to steal digital assets.

Because cryptocurrency wallets often contain significant financial value, macOS users involved in crypto trading remain a frequent target for these campaigns.

ClickFix Continues to Evolve on macOS

ClickFix attacks originally gained popularity on Windows systems. Over the past year, however, threat actors have increasingly adapted the technique for Apple devices. Researchers have observed multiple macOS-focused campaigns that use fake utility tools, troubleshooting guides, AI-related software, and technical support content as infection lures.

Security vendors have also documented several recent variations. Some campaigns abused Script Editor instead of Terminal, while others relied on fake Apple-themed support pages that encouraged users to execute malicious actions.

The latest campaign shows that attackers continue refining their methods to bypass new security protections and reduce visible warning signs.

Apple Introduced New Defenses

Apple recently added security protections designed to make ClickFix attacks less effective. Newer versions of macOS display warnings when users attempt to paste potentially dangerous commands into Terminal. The feature aims to alert users before they unknowingly execute malicious instructions.

However, researchers note that attackers constantly adjust their techniques. Some recent campaigns have already explored alternative execution methods that avoid direct Terminal interaction.

As a result, technical protections alone may not stop every attack.

Conclusion

The macOS ClickFix attack highlights how social engineering remains one of the most effective methods for delivering malware. By convincing users to execute seemingly harmless commands, attackers can silently download and launch Atomic Stealer without exploiting software vulnerabilities. As ClickFix campaigns continue to evolve, Mac users should remain cautious when following online troubleshooting instructions and avoid running Terminal commands obtained from untrusted sources.

