New Atomic macOS Stealer Campaign Exploits ClickFix to Target Apple Users

A recent malware campaign is targeting macOS users with a social engineering technique called ClickFix, which tricks users into downloading a variant of the Atomic macOS Stealer (AMOS), a type of malware designed to steal sensitive information. The attackers use fake websites that impersonate a well-known U.S.-based telecom provider to lure victims.

When users visit these malicious sites, they are asked to complete a CAPTCHA verification to “review the security” of their connection. After clicking the “I am human” checkbox, an error message pops up saying the CAPTCHA failed, prompting users to proceed with an “Alternative Verification.” This step copies a command to the user’s clipboard and gives instructions to run a script in the macOS Terminal app.

The script requires the system password when run and then downloads the AMOS malware. Once installed, the malware collects system passwords and other sensitive data from the victim’s machine. Analysis suggests the campaign is likely run by Russian-speaking cybercriminals, based on language clues found in the malware code.

This attack is part of a larger trend where threat actors use similar tricks to gain initial access to computers by exploiting users’ trust in familiar-looking websites. The campaign has been active across multiple regions including Europe, the Middle East, Africa, and the United States.