New Malware Campaign Targets macOS Users with Social Engineering Tactics

Cybersecurity researchers are raising alarms about a new malware campaign that utilizes the ClickFix social engineering technique to deceive users into downloading a dangerous information-stealer known as Atomic macOS Stealer (AMOS) on Apple macOS systems. The campaign, reported by CloudSEK, employs typosquat domains that mimic the U.S.-based telecom provider Spectrum.

According to security researcher Koushik Pal, macOS users are presented with a malicious shell script that aims to extract system passwords and subsequently downloads a variant of AMOS for further exploitation. “The script uses native macOS commands to harvest credentials, bypass security mechanisms, and execute malicious binaries,” Pal stated in a recent report. This development suggests a potential shift in the threat landscape for macOS users, who have generally been considered less vulnerable to such attacks.

This attack begins when users visit misleading websites that impersonate Spectrum, such as panel-spectrum.net or spectrum-ticket.net. Upon entering these sites, users are encouraged to complete an hCaptcha verification to assess their connection’s security. However, when they attempt to verify, they receive an error message that prompts them to follow alternative verification steps, which ultimately lead them to run a harmful command disguised in a shell script.

The malware’s tactics reflect an ongoing trend where cybercriminals exploit human behavior to bypass security protocols. Recent reports indicate that threat actors increasingly rely on similar tactics to gain initial access to systems, often using phishing attacks, drive-by compromises, or manipulation of trusted online platforms such as GitHub.

The ClickFix tactic is notably effective because it capitalizes on user urgency and verification fatigue—factors that lead individuals to hastily comply with seemingly harmless prompts. As such, it underscores the importance of maintaining vigilance and a skeptical attitude towards unexpected security checks.

In an April 2025 incident analyzed by Darktrace, cybercriminals utilized ClickFix to deliver benign-looking payloads that facilitated deeper infiltration into systems, allowing for lateral movement and data exfiltration. As attackers continue to evolve their methods, this recent trend against macOS users highlights an emerging risk that demands both attention and robust defensive measures.

Security experts recommend that users remain aware of these tactics and adopt protective measures, such as verifying URLs and avoiding the execution of unknown scripts. Vigilance and education remain crucial in navigating an increasingly complex cybersecurity landscape.
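
One way to automate the URL check recommended above, as an added example that is not from CloudSEK's report or this article's source: it flags hostnames that embed or nearly spell a brand name but do not sit under an allowlisted domain. The allowlist (`spectrum.net`, `spectrum.com`), the two-label registrable-domain shortcut and every sample hostname other than the two named in the article are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumptions (not from the article): the defender supplies the brand token
# and the allowlist of domains the brand really uses.
BRAND = "spectrum"
ALLOWED = {"spectrum.net", "spectrum.com"}

def registrable(host):
    """Naive registrable domain: last two labels (no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1,
                                       prev + (ca != cb))
    return row[-1]

def classify(url):
    """Return 'legitimate', 'lookalike' or 'unrelated' for a URL or hostname."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    if registrable(host) in ALLOWED:
        return "legitimate"
    if BRAND in host:                      # brand embedded anywhere in the name
        return "lookalike"
    # Split on dots, hyphens and digits, then catch one-character typos.
    tokens = [t for t in re.split(r"[^a-z]+", host) if t]
    if any(edit_distance(t, BRAND) <= 1 for t in tokens):
        return "lookalike"
    return "unrelated"

# The first two hostnames are named in the article; the rest are constructed.
SAMPLES = [
    "https://panel-spectrum.net/",
    "spectrum-ticket.net",
    "https://www.spectrum.net/login",
    "https://spectrum.net.example.org/verify",
    "spectrun-support.example",
    "https://example.org/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):<11} {s}")
```

In production, replace the two-label shortcut with a public-suffix-aware parser so that domains under suffixes such as `co.uk` are compared correctly.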