TechRadar
Sead Fadilpašić

Mac users beware — experts say this attack 'stood out immediately' by making a major change to try spread malware

The Dock in macOS.

  • Hackers revive ClickFix attacks on macOS
  • New method abuses Script Editor via URL scheme
  • Campaign delivers Atomic Stealer to exfiltrate sensitive data

Hackers are adding new twists to the old ClickFix attack to bypass recently introduced macOS protections and still deliver infostealer malware to people’s devices, experts have warned.

Security researchers Jamf Threat Labs recently spotted one such campaign in the wild, having noted that so far, ClickFix attacks on macOS tried to get the victim to copy and paste a command into the Terminal.

However, with macOS 26.4 this method no longer works, since the device scans all pasted commands before they’re executed. So the miscreants got creative and found a new point of entry: Script Editor.

Dropping AMOS

Script Editor is a built-in macOS application that lets users write, edit, and run scripts to automate tasks and control apps. It supports AppleScript and JavaScript, allowing users to streamline certain actions without needing to create full software programs.

To get victims to run Script Editor, the attackers used a URL scheme.

“Script Editor has a well-documented history as a malware delivery mechanism, so its presence here isn't surprising,” the researchers wrote. “What is notable is its role in this ClickFix campaign and the fact that it was invoked via a URL scheme.”

A URL scheme is a special type of link that uses a custom prefix to trigger specific actions.

In the campaign, the crooks created a website that offered a way to “reclaim disk space” on a Mac. To do that, users would need to press the “Execute” button displayed on the page, which invoked an applescript:// URL scheme. The scheme prompted the user to open Script Editor which, if approved, would open with a pre-filled script.

“This approach reduces direct user interaction,” Jamf further said. “The user is guided from a webpage into a pre-populated Script Editor window rather than entering commands in Terminal.”
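One way a defender can triage a suspected lure page is to look for links and inline handlers that use the applescript: scheme and pull out the script they would hand to Script Editor. This is an added example, not Jamf's tooling; it assumes (the article does not say) that the scheme carries the script body as a URL-encoded `script` query parameter, and the sample HTML is constructed.

```python
"""Flag applescript:// links in HTML, as used in the ClickFix campaign above.
Added example, not Jamf's code. Assumption: the script body travels in a
URL-encoded 'script' query parameter of the applescript:// URL."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample page, modelled on the "reclaim disk space" lure described above.
SAMPLE_HTML = """
<html><body>
<h1>Reclaim disk space on your Mac</h1>
<a href="https://example.invalid/help">Help</a>
<a href="applescript://com.apple.scripteditor?action=new&amp;script=do%20shell%20script%20%22echo%20hi%22">Execute</a>
<button onclick="location.href='applescript://com.apple.scripteditor?action=new&script=display%20dialog%20%22x%22'">Run</button>
</body></html>
"""

# AppleScript phrases that hand control to a shell or fetch content; worth an analyst's look.
SUSPICIOUS = ("do shell script", "curl", "osascript", "base64")


class SchemeLinkParser(HTMLParser):
    """Collect every URL attribute and inline JS handler that uses the applescript scheme."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name in ("href", "src", "action") and value.lower().startswith("applescript:"):
                self.urls.append(value)
            elif name.startswith("on"):  # inline handlers such as onclick
                self.urls.extend(re.findall(r"applescript:[^'\"\s]+", value, re.I))


def find_applescript_links(html):
    """Return findings: the URL, the decoded script (if any) and matched phrases."""
    parser = SchemeLinkParser()
    parser.feed(html)
    findings = []
    for url in parser.urls:
        query = urlsplit(url).query
        script = parse_qs(query).get("script", [""])[0]  # parse_qs percent-decodes
        hits = [kw for kw in SUSPICIOUS if kw in script.lower()]
        findings.append({"url": url, "script": script, "hits": hits})
    return findings
```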

The script would ultimately deploy Atomic Stealer, a known macOS infostealer capable of exfiltrating passwords, cryptocurrency wallet information, data stored in browsers, and more.
