HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

macOS ClickFix Attack Silently Mounts DMGs to Deploy Atomic macOS Stealer (AMOS)

A new ClickFix campaign tricks macOS users into pasting a Terminal command that silently downloads, mounts, and runs the Atomic macOS Stealer, harvesting credentials and crypto‑wallet data. The technique bypasses UI warnings, highlighting gaps in access‑control policies and security awareness that SOC 2 audit programs must address.

LiveThreat™ Intelligence · 📅 June 24, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

New macOS ClickFix Campaign Silently Mounts DMGs to Deploy Atomic macOS Stealer (AMOS)

What Happened — A threat‑actor‑run ClickFix campaign is instructing macOS users to copy‑paste a malicious Terminal command. The command silently downloads a DMG from an attacker‑controlled server, mounts it with hdiutil without UI exposure, and automatically launches the bundled Atomic macOS Stealer (AMOS) which harvests browser credentials, Keychain entries, crypto‑wallet data, messaging app information, and user documents. The initial lure is a fake CAPTCHA page that tells users to “verify” themselves by opening Terminal.

Why It Matters for Compliance & Audit Readiness

  • Demonstrates a failure of access‑control policies that allow unrestricted execution of arbitrary shell commands, a control directly addressed by SOC 2 CC6.1 (Logical Access) and CC6.2 (Least‑Privilege).
  • Highlights the need for continuous monitoring of privileged command usage (e.g., hdiutil, curl) as audit evidence of control effectiveness.
  • Reinforces the importance of Security Awareness Training that covers social‑engineering vectors such as ClickFix, satisfying SOC 2 CC7.1 (Security Awareness) requirements.

Who Is Affected — Enterprises that issue macOS laptops or workstations, particularly in technology SaaS, cloud infrastructure, financial services, and professional services sectors.

Recommended Actions

  • Enforce strict command‑execution policies (e.g., endpoint protection rules that block unsanctioned curl + hdiutil chains).
  • Deploy logging and real‑time alerting for suspicious Terminal activity and hidden DMG mounts.
  • Update Security Awareness curricula to include ClickFix scenarios and safe handling of CAPTCHA‑style prompts.
  • Conduct a SOC 2 control gap review for logical access and user training, documenting remediation steps as audit evidence. Source: https://www.bleepingcomputer.com/news/security/new-macos-clickfix-attack-silently-mounts-dmgs-to-push-infostealer/

Technical Notes — The attack leverages a crafted curl -fsSL command to fetch a DMG from svs-verificationdate.beer, mounts it with hdiutil attach -nobrowse, searches up to three directory levels for an .app or .pkg, and launches it via open. The payload, AMOS, extracts credentials from eight Chromium‑based browsers, macOS Keychain, and cryptocurrency wallets, and can display a fake System Preferences authentication dialog to capture user passwords. Source: https://www.bleepingcomputer.com/news/security/new-macos-clickfix-attack-silently-mounts-dmgs-to-push-infostealer/

📰 Original Source
https://www.bleepingcomputer.com/news/security/new-macos-clickfix-attack-silently-mounts-dmgs-to-push-infostealer/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →