- Hackers revive ClickFix attacks on macOS
- A new method abuses the Script Editor using a URL scheme
- Campaign offers Atomic Stealer to leak sensitive data
Hackers are adding new twists to the old ClickFix attack to bypass recently introduced macOS protections and continue delivering data-stealing malware to people’s devices, experts have warned.
Security researchers at Jamf Threat Labs recently spotted one such campaign, noting that until now, ClickFix attacks on macOS attempted to get the victim to copy and paste a command into the Terminal.
However, with macOS 26.4, this method no longer works, as the device scans all pasted commands before executing them. Bad actors therefore got creative and found a new entry point: the Script Editor.
Dropping AMOS
Script Editor is a built-in macOS application that allows users to write, edit, and run scripts to automate tasks and control applications. It supports AppleScript and JavaScript, allowing users to optimize certain actions without needing to create entire software programs.
To get victims to run Script Editor, the attackers used a URL scheme.
“Script Editor has a well-documented history as a malware distribution mechanism, so its presence here is not surprising,” the researchers wrote. “What is notable is its role in this ClickFix campaign and the fact that it was invoked through a URL scheme.”
A URL scheme is a special type of link that uses a custom prefix to trigger specific actions.
In the campaign, criminals created a website that offered a way to “recover disk space” on a Mac. To do that, users would have to press a “Run” button on the page, which invoked an applescript:// URL scheme. The scheme prompted the user to open Script Editor, which, if approved, would launch with a preloaded script.
“This approach reduces direct user interaction,” Jamf added. “The user is guided from a web page to a pre-populated Script Editor window instead of entering commands in Terminal.”
Ultimately, the script would deploy Atomic Stealer, a known macOS information stealer capable of extracting passwords, cryptocurrency wallet information, data stored in browsers, and more.
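For defenders, one way to hunt for this delivery technique is to scan saved page content (crawler output, proxy captures) for attributes or inline script that reference the applescript:// scheme. The following is an added example, not code from Jamf or the original article; the sample page, the host and the `script` parameter name are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Scheme named in the article; matched case-insensitively, up to a quote/space.
SCHEME_RE = re.compile(r"applescript://[^\s\"'<>]+", re.IGNORECASE)

class SchemeFinder(HTMLParser):
    """Collects applescript:// URLs from tag attributes and inline <script>."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self._in_script = (tag == "script")
        for name, value in attrs:          # href, src, onclick, data-*, ...
            for url in SCHEME_RE.findall(value or ""):
                self.hits.append((f"<{tag} {name}>", url))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:                # e.g. window.location = "..."
            for url in SCHEME_RE.findall(data):
                self.hits.append(("<script>", url))

def find_applescript_links(html):
    """Return one record per hit, with query values percent-decoded for review."""
    finder = SchemeFinder()
    finder.feed(html)
    finder.close()
    return [{"where": where, "url": url,
             "params": dict(parse_qsl(urlsplit(url).query))}
            for where, url in finder.hits]

# Constructed sample page; host and "script" parameter are placeholders.
SAMPLE_PAGE = """<html><body><h1>Recover disk space</h1>
<a href="https://example.com/help">Help</a>
<a id="run" href="applescript://placeholder.invalid?script=--%20constructed%20placeholder">Run</a>
<script>function go() {
  window.location = "AppleScript://placeholder.invalid?script=PLACEHOLDER";
}</script></body></html>"""

if __name__ == "__main__":
    for hit in find_applescript_links(SAMPLE_PAGE):
        print(hit["where"], hit["url"], hit["params"])
```

Decoding the query values lets an analyst read any preloaded script text without opening the link on a Mac.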




