Cybersecurity researchers are warning against a new malware campaign that employs ClickFix social engineering tactics to download information steeler malware called Atomic Macos Stealer (AMOS) on Apple Macos Systems.
According to CloudSek, the campaign is known to harness the Typosquat domain by mimicking the US telecom provider spectrum.
“MACOS users will be provided with malicious shell scripts designed to steal system passwords and download AMOS variants for further exploitation,” security researcher Koushik Pal said in a report published this week. “This script uses native MacOS commands to harvest credentials, bypass security mechanisms, and execute malicious binaries.”
This activity is considered to be a work of Russian-speaking cybercriminals, as there are Russian comments in the source code of the malware.
The attack starts at a web page that is impersonating the spectrum (“PanelSpectrum(.)net” or “spectrum-ticket(.)net”). Visitors to the site in question will be provided with a message telling them to complete the hcaptcha validation check to “secur” the security of their connection before proceeding further.
However, when the user clicks on the “I Am Human” checkbox for evaluation, he receives an error message saying “Captcha validation failed” and prompts him to click the button to proceed with “Alternative validation”.
Doing so will copy the command to the user’s clipboard and the victim will receive a series of instructions, depending on the operating system. You are guided to open the Windows Run dialog and run PowerShell commands on Windows, but it will be replaced by a shell script that is run by launching the terminal app on MacOS.
For that part, the shell script prompts the user to enter the system password and downloads the payload for the next stage, a known steeler known as the Atomic Stealer.
“Insufficient logic at distribution sites, such as inter-platform indices of inconsistency, points to a hastily constructed infrastructure,” Pal said.
“The distribution page for this AMOS variant campaign issue contained inaccuracies in both programming and front-end logic. For Linux user agents, the PowerShell command was copied. Additionally, the instruction “hold Windows key + R” was displayed for both Windows and Mac users. ”
This disclosure comes amid the use of Clickfix tactics to surge in campaigns and provide a wide range of malware families over the past year.
“Actors who perform these target attacks usually use similar techniques, tools and procedures (TTP) to gain initial access,” Darktrace said. “These include providing malicious payloads to exploit spear phishing attacks, drive-by compromises, or to misuse trust in familiar online platforms such as GitHub.”
Links distributed using these vectors are usually directed to redirect end users to malicious URLs that display fake Captcha validation checks and try to complete them to deceive users to deceive users if they are led to run malicious commands to fix non-existent issues.
The end result of this effective social engineering method is that users can compromise their own systems and effectively bypass security controls.
One April 2025 incident analyzed by Darktrace uses Clickfix as an attack vector to dig deep into the target environment, perform lateral movements, and send system-related information to an external server via HTTP POST requests, and ultimately remove data data.
“Clickfix Baiting is a widely used tactic that threat actors leverage human error to bypass security defenses,” says Darktrace. “By tricking endpoint users to perform seemingly harmless and everyday actions, attackers gain initial access to systems that can access and scale sensitive data.”
Other Clickfix attacks use fake versions of other popular Captcha services, such as Google Recaptcha and CloudFlare Turnstile, to provide malware delivery under the guise of daily security checks.
These fake pages are “Pixel-Perfect copies” of legal counterparts, which can sometimes trick unsuspecting users into injected into actual hacked websites. Steelers like Lumma and Stealc, as well as full-fledged remote access trojans like Netsupport Rat, are part of the payload distributed via fake turnstyle pages.
“Modern Internet users are conditioned to click on spam checks, captures and security prompts on their websites as soon as possible,” said Daniel Kelley of Slashnext. “Attackers know that they will take advantage of this ‘validation fatigue’ and follow the steps presented when many users see it as everyday. ”
