- Hackers revive ClickFix attack on macOS
- New method abuses Script Editor via URL scheme
- The campaign delivers Atomic Stealer to exfiltrate sensitive data
Hackers are adding new twists to the old ClickFix attack to bypass recently introduced macOS protections and still deliver infostealer malware to people’s devices, experts have warned.
Security researchers at Jamf Threat Labs recently discovered such a campaign in the wild, noting that ClickFix attacks on macOS have so far tried to get the victim to copy and paste a command into the Terminal.
But with macOS 26.4, this method no longer works, as the device scans all inserted commands before executing them. So the attackers got creative and found a new entry point: the Script Editor.
Dropping AMOS
Script Editor is a native macOS program that lets users write, edit, and run scripts to automate tasks and control apps. It supports AppleScript and JavaScript, allowing users to streamline certain actions without having to create complete software programs.
To trick victims into running the Script Editor, the attackers used a URL scheme.
“Script Editor has a well-documented history as a malware delivery mechanism, so its presence here is not surprising,” the researchers wrote. “What is notable is its role in this ClickFix campaign and the fact that it was invoked via a URL scheme.”
A URL scheme is a special type of link that uses a custom prefix to trigger specific actions.
In the campaign, the villains created a website that offered a way to “reclaim disk space” on a Mac. To do so, users had to press the “Execute” button on the page, which invoked an applescript:// URL scheme. The scheme asked the user to open the Script Editor, which, if approved, would run a pre-populated script.
“This approach reduces direct user interaction,” Jamf further said. “The user is directed from a web page into a pre-populated Script Editor window instead of entering commands in Terminal.”
The script would eventually deploy Atomic Stealer, a known macOS infostealer capable of stealing passwords, cryptocurrency wallet information, data stored in browsers, and more.
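For defenders triaging a suspect page, the link mechanism described above can be checked for directly. The following is an added example, not code from Jamf or from this article: it scans page markup for applescript:// links and decodes the script they would pre-populate. It assumes the script text travels in a `script` query parameter (the article does not give the link format); the function names and the sample page are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

URL_ATTRS = {"href", "src", "action"}          # attributes that hold a URL directly
INLINE_URL = re.compile(r"applescript://[^'\"\s)]+", re.IGNORECASE)
SHELL_OUT = re.compile(r"\bdo\s+shell\s+script\b", re.IGNORECASE)

class _Finder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name in URL_ATTRS:
                self._record(tag, value.strip())
            elif name.startswith("on"):        # inline handlers such as onclick
                for match in INLINE_URL.finditer(value):
                    self._record(tag, match.group(0))

    def _record(self, tag, url):
        parts = urlsplit(url)
        if parts.scheme.lower() != "applescript":
            return
        # Assumption: the script text travels in a "script" query parameter.
        params = parse_qs(parts.query)
        script = "\n".join(params.get("script", []))
        self.findings.append({
            "tag": tag,
            "action": params.get("action", [""])[0],
            "script": script,
            "shells_out": bool(SHELL_OUT.search(script)),  # script runs shell commands
        })

def find_applescript_links(html):
    """Return one finding per applescript:// link found in the markup."""
    finder = _Finder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (not taken from the campaign).
SAMPLE_PAGE = """
<a href="https://example.com/help">Help</a>
<button onclick="window.location='applescript://com.apple.scripteditor?action=new&amp;script=do%20shell%20script%20%22echo%20constructed%22'">Execute</button>
<a href="AppleScript://com.apple.scripteditor?action=new&amp;script=display%20dialog%20%22constructed%22">Run</a>
"""
```

Any finding on an ordinary web page deserves review, since the decoded `script` field shows what the Script Editor window would contain before the user is asked to run it.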



