Cybersecurity experts have issued a warning about a new malware campaign that uses the ClickFix social engineering technique to deceive users into downloading malware called Atomic macOS Stealer (AMOS) on Apple macOS devices.
The campaign, as reported by CloudSEK, involves the use of typosquat domains that imitate the U.S.-based telecom provider Spectrum.
According to security researcher Koushik Pal, macOS users are targeted with a malicious shell script that aims to steal system passwords and install an AMOS variant for further exploitation. The script uses native macOS commands to gather credentials, bypass security measures, and execute harmful binaries.
The presence of Russian language comments in the malware’s source code suggests that the operation may be linked to Russian-speaking cybercriminals.
The attack begins with a fake web page posing as Spectrum (“panel-spectrum[.]net” or “spectrum-ticket[.]net”). Visitors are prompted to complete an hCaptcha verification check to “review the security” of their connection. However, upon clicking the verification checkbox, users encounter an error message and are led to perform an “Alternative Verification,” which results in a command being executed on the user’s system.
This command varies based on the operating system, with Windows users instructed to run a PowerShell command and macOS users prompted to execute a shell script through the Terminal app. The shell script requests the user’s system password and downloads the Atomic Stealer payload.
Pal noted that the delivery pages for this AMOS variant campaign displayed inconsistencies in programming and front-end logic, indicating a hastily assembled infrastructure.
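Both delivery domains named above embed the brand name in a hostname that is not a subdomain of the real site, which is something a proxy or DNS log review can check for. The following is an added example, not code from CloudSEK or the original report; the allowlist of legitimate Spectrum domains and the misspelled sample hostname are assumptions constructed for illustration.

```python
import re

# Assumption: the brand's legitimate registrable domains. Adjust for your brand.
LEGIT_DOMAINS = {"spectrum.net", "spectrum.com"}
BRAND = "spectrum"

def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) into a bare lowercase hostname."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    s = re.sub(r"^[a-z]+://", "", s)                 # drop the scheme
    return re.split(r"[/:?#]", s, maxsplit=1)[0].rstrip(".")  # drop port/path

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1,
                                       prev + (ca != cb))
    return row[-1]

def classify(indicator: str) -> str:
    host = refang(indicator)
    # A true subdomain ends with ".<legit domain>"; "panel-spectrum.net"
    # ends with "-spectrum.net" and must not pass this check.
    if host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legitimate"
    for token in filter(None, re.split(r"[.\-]", host)):
        if token == BRAND:
            return "brand-in-lookalike"
        if edit_distance(token, BRAND) == 1:
            return "brand-misspelling"
    return "unrelated"

def flag(indicators):
    """Return only the hostnames worth an analyst's attention."""
    verdicts = {refang(i): classify(i) for i in indicators}
    return {h: v for h, v in verdicts.items() if v not in ("legitimate", "unrelated")}

if __name__ == "__main__":
    sample = [                                  # constructed log extract
        "panel-spectrum[.]net",                 # from the report
        "spectrum-ticket[.]net",                # from the report
        "https://www.spectrum.net/login",       # assumed legitimate
        "hxxps://spectrun-help[.]example/x",    # constructed misspelling
        "example.org",
    ]
    for host, verdict in flag(sample).items():
        print(f"{verdict:20} {host}")
```

A plain substring or suffix match on "spectrum.net" would treat "panel-spectrum.net" as legitimate, which is why the subdomain check requires the leading dot.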
ClickFix tactics have been increasingly utilized in malware campaigns over the past year, with threat actors leveraging social engineering techniques to deliver various types of malware. These attacks typically involve spear phishing, drive-by compromises, and exploitation of trust in familiar online platforms to distribute malicious payloads.
Darktrace highlighted the prevalence of ClickFix attacks across different regions, with threat actors adapting the tactic to distribute trojans, stealers, and ransomware.
In one incident in April 2025, threat actors used ClickFix to download payloads, move laterally within target environments, and exfiltrate data. The tactic exploits human error to gain initial access to systems and extract sensitive information.
ClickFix attacks have also mimicked popular CAPTCHA services like Google reCAPTCHA and Cloudflare Turnstile to deceive users into executing malicious scripts under the guise of routine security checks.
Attackers capitalize on users’ “verification fatigue” to trick them into following seemingly innocuous steps, ultimately compromising their systems and bypassing security controls.
These evolving tactics underscore the importance of remaining vigilant against social engineering attacks and adopting robust cybersecurity measures to protect against emerging threats.