New Malware Tricks Mac Users with Fake CAPTCHA to Steal Sensitive Data
Security experts have uncovered a new wave of malware targeting Apple Mac users, delivered through fake CAPTCHA pop-ups. When someone visits a compromised website, they’re greeted with a seemingly harmless “I’m not a robot” checkbox. Clicking it silently copies a malicious command to the clipboard, and the page then prompts the visitor to open Terminal and paste the command, which triggers the infection. The attack is designed to work only on Macs, so the page appears harmless to users on Windows or Linux.
Once the malicious command runs, it installs a piece of malware called Atomic macOS Stealer (AMOS). AMOS quietly steals sensitive information, including passwords stored in Keychain, browser cookies and autofill data, system details, and even cryptocurrency wallet credentials. AMOS has also been found available “for rent” through hacker channels such as Telegram for as much as $3,000 per month.
This campaign employs what’s known as the ClickFix method, where attackers exploit users’ trust in familiar website behaviors, like CAPTCHAs, to trick them into running harmful scripts themselves. The cybercriminals have registered typosquatted versions of trusted domain names (e.g., similar to Spectrum) and use thousands of sites to spread this malware widely.
Researchers also report a disturbing upgrade: recent versions of AMOS now include a persistent backdoor that survives system restarts, giving attackers ongoing access and control, along with the capability to install additional malicious software.
How to protect yourself:
- Never paste commands into Terminal unless you fully understand what they do—especially if prompted by a CAPTCHA.
- Stick to official app updates via the Mac App Store or trusted sources like System Settings and Chrome’s built-in update tool.
- Enable macOS security features like Gatekeeper and XProtect.
- Consider using reputable anti-malware tools such as Malwarebytes, TotalAV, or integrated browser protections.
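The first recommendation above can be backed by a quick check. The script below is an added example, not code from the researchers or from this article: it reviews a command (or, on macOS, the clipboard read with `pbpaste`) for traits that are a reason not to run it. The four patterns and the function names are assumptions chosen for illustration, since the article does not publish the command used in this campaign.

```sh
#!/bin/sh
# Added example: heuristic review of a command before it is pasted into Terminal.
# The patterns below are illustrative assumptions, not indicators from the campaign.

# Print one line per risky trait found in the command text passed as $1.
flag_command() {
    # Flatten newlines so a command split across lines is matched as one string.
    flat=$(printf '%s' "$1" | tr '\n' ' ')
    # Remote content fetched and handed straight to a shell.
    if printf '%s' "$flat" | grep -Eq -e '(curl|wget)[^|;&]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|z)?sh([[:space:]]|$)'; then
        echo "download piped to shell"
    fi
    # The same idea written as sh -c "$(curl ...)".
    if printf '%s' "$flat" | grep -Eq -e '\$\([[:space:]]*(curl|wget)'; then
        echo "download run via command substitution"
    fi
    # Text decoded at run time hides what will actually execute.
    if printf '%s' "$flat" | grep -Eq -e 'base64[[:space:]]+(-d|-D|--decode)'; then
        echo "base64-decoded payload"
    fi
    # Inline AppleScript can display password prompts and drive other apps.
    if printf '%s' "$flat" | grep -Eq -e 'osascript[[:space:]]+-e'; then
        echo "inline AppleScript"
    fi
}

# Return 0 when nothing is flagged, 1 otherwise; the verdict goes to stdout.
review_command() {
    findings=$(flag_command "$1")
    if [ -n "$findings" ]; then
        printf 'DO NOT RUN, flagged traits:\n%s\n' "$findings"
        return 1
    fi
    echo "no known-risky trait found (still read it before running)"
}

# On macOS, run with --clipboard to review whatever is currently copied.
if [ "${1:-}" = "--clipboard" ] && command -v pbpaste >/dev/null 2>&1; then
    review_command "$(pbpaste)"
fi
```

A clean result only means none of these four traits matched; it does not make an unfamiliar command safe to run.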