Mac users beware — experts say this attack 'stood out immediately' by making a major change to try to spread malware

The Dock in macOS.
(Image credit: JJ Rocha on Unsplash)

  • Hackers revive ClickFix attacks on macOS
  • New method abuses Script Editor via URL scheme
  • Campaign delivers Atomic Stealer to exfiltrate sensitive data

Hackers are adding new twists to the old ClickFix attack to bypass recently introduced macOS protections and still deliver infostealer malware to people’s devices, experts have warned.

Security researchers at Jamf Threat Labs recently spotted one such campaign in the wild. Until now, they noted, ClickFix attacks on macOS tried to get the victim to copy and paste a command into the Terminal.

However, with macOS 26.4 this method no longer works, since the system scans all pasted commands before they are executed. So the miscreants got creative and found a new point of entry: Script Editor.


Dropping AMOS

Script Editor is a built-in macOS application that lets users write, edit, and run scripts to automate tasks and control apps. It supports AppleScript and JavaScript, allowing users to streamline certain actions without needing to create full software programs.

To get victims to run Script Editor, the attackers used a URL scheme.

“Script Editor has a well-documented history as a malware delivery mechanism, so its presence here isn't surprising,” the researchers wrote. “What is notable is its role in this ClickFix campaign and the fact that it was invoked via a URL scheme.”

A URL scheme is a special type of link that uses a custom prefix (here, applescript://) registered by an application, so that opening the link triggers a specific action in that application.

In the campaign, the crooks created a website that offered a way to “reclaim disk space” on a Mac. To do that, users would need to press the “Execute” button displayed on the page, which invoked an applescript:// URL scheme. The scheme prompted the user to open Script Editor which, if approved, would open with a pre-filled script.

“This approach reduces direct user interaction,” Jamf further said. “The user is guided from a webpage into a pre-populated Script Editor window rather than entering commands in Terminal.”
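From a defender's side, the interesting artefact is the applescript: link itself: a web page has no legitimate reason to hand a visitor a pre-filled script, so it is worth surfacing such links in captured pages or proxied HTML. The following scanner is an added example written for this article, not code from Jamf or from the campaign. It assumes the URL layout that Script Editor's scheme accepts, applescript://<handler>?action=...&script=<percent-encoded body>, which the article does not spell out, and the sample page and script bodies are constructed placeholders.

```python
"""Scan web page HTML for applescript: URL-scheme links (added defender example)."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample page, loosely modelled on the "reclaim disk space" lure
# described in the article. The script bodies are harmless placeholders.
SAMPLE_HTML = """
<html><body>
<h1>Free up space on your Mac</h1>
<p>Click Execute to reclaim disk space.</p>
<a href="applescript://com.apple.scripteditor?action=new&amp;script=do%20shell%20script%20%22echo%20constructed-sample%22">Execute</a>
<a href="https://example.com/help">Help</a>
<button onclick="window.location='applescript://com.apple.scripteditor?action=new&script=display%20dialog%20%22hi%22'">Run</button>
</body></html>
"""

# Tokens an analyst would want surfaced when they appear in a web-supplied script body.
SUSPICIOUS_TOKENS = ("do shell script", "curl", "osascript", "base64")

APPLESCRIPT_URL_RE = re.compile(r"""applescript://[^\s'"<>]+""", re.IGNORECASE)


class _AttrUrlCollector(HTMLParser):
    """Collect URL-bearing attribute values (HTMLParser unescapes entities for us)."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in ("href", "src", "action", "data"):
                self.urls.append(value)


def analyze_applescript_url(url):
    """Return a finding dict for an applescript: URL, or None for any other scheme.

    Assumed URL layout (not stated in the article):
    applescript://<handler>?action=...&script=<percent-encoded body>.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "applescript":
        return None
    params = parse_qs(parts.query)  # parse_qs percent-decodes the values
    script = params.get("script", [""])[0]
    lowered = script.lower()
    return {
        "url": url,
        "handler": parts.netloc,
        "action": params.get("action", [""])[0],
        "script": script,
        "flags": [t for t in SUSPICIOUS_TOKENS if t in lowered],
    }


def scan_html(page):
    """Find every applescript: link in a page, from attributes and inline script text."""
    collector = _AttrUrlCollector()
    collector.feed(page)
    candidates = set(collector.urls)
    # Links assembled in JavaScript (e.g. onclick handlers) are not attribute URLs,
    # so also sweep the raw markup and undo HTML entity encoding on the matches.
    candidates.update(html.unescape(m) for m in APPLESCRIPT_URL_RE.findall(page))
    return [f for f in (analyze_applescript_url(u) for u in sorted(candidates)) if f]


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"{f['handler']} action={f['action']!r} flags={f['flags']} script={f['script']!r}")
```

The decoded `script` field is the part worth reviewing: it is exactly what Script Editor would show the user in the pre-populated window, so an analyst can read the lure's intent without ever opening the link on a Mac. The token list is deliberately short and should be tuned to local telemetry.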

The script would ultimately deploy Atomic Stealer, a known macOS infostealer capable of exfiltrating passwords, cryptocurrency wallet information, data stored in browsers, and more.



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
