Threat for Apple Users: Fake CAPTCHA Hides Dangerous Stealer

The420.in Staff

A newly discovered cyber campaign is targeting Apple macOS users with a stealthy strain of Atomic macOS Stealer (AMOS), using a deceptive social engineering method called ClickFix. Cybersecurity experts from CloudSEK have warned that the malware is being distributed through typosquatted domains mimicking legitimate websites like U.S. telecom provider Spectrum.

Fake CAPTCHA Triggers Malicious Shell Script Download

The campaign tricks users into visiting fake Spectrum-like sites such as panel-spectrum[.]net and spectrum-ticket[.]net. Visitors are prompted to complete a CAPTCHA verification, which ultimately fails, prompting users to opt for an “Alternative Verification.”

Clicking this option copies a command to the clipboard, directing users to run a malicious shell script via Terminal on macOS. This script:

  • Prompts for system credentials
  • Bypasses native macOS defenses
  • Downloads the Atomic Stealer malware

Campaign Linked to Russian Cybercriminals

Security researchers believe the campaign is operated by Russian-speaking threat actors, as Russian-language code comments were found in the malware. The attack infrastructure shows signs of hasty deployment, including:

  • Mismatched platform instructions
  • Windows commands shown to Mac/Linux users
  • Sloppy copy-paste errors in the delivery scripts

The ClickFix technique, which exploits user trust in everyday actions like CAPTCHA verifications or cookie consent pop-ups, has been increasingly adopted to deliver a wide range of malware: stealers such as AMOS, Lumma and StealC, and Remote Access Trojans (RATs) such as XWorm and NetSupport RAT. Variants of the lure include fake cookie banners that prompt users to execute a script.

Cybersecurity firms such as Darktrace, Cofense, and SlashNext have detected ClickFix campaigns targeting industries across Europe, the Middle East, Africa (EMEA), and North America. Notably, a recent phishing campaign spoofing Booking.com used fake CAPTCHAs to deploy XWorm RAT and DanaBot.

Exploiting ‘Verification Fatigue’ to Breach Systems

“Users are so accustomed to CAPTCHAs and security prompts that they often follow instructions without a second thought,” said Daniel Kelley from SlashNext. “ClickFix leverages this fatigue to bypass endpoint defenses and trigger self-compromise.”

About the author – Ayush Chaurasia is a postgraduate student passionate about cybersecurity, threat hunting, and global affairs. He explores the intersection of technology, psychology, national security, and geopolitics through insightful writing.
