Mac users beware — experts say this attack 'stood out immediately' by making a major change to try to spread malware

Cybersecurity researchers at Jamf Threat Labs have identified a new ClickFix campaign targeting macOS users by exploiting the Script Editor application to deploy the Atomic Stealer malware.

Key Points

  • Attackers are bypassing macOS security protections by using a custom URL scheme to trigger the built-in Script Editor application.
  • The malicious campaign lures victims with a fake website promising to reclaim disk space on their Mac devices.
  • Once triggered, the Script Editor runs a pre-filled script that installs Atomic Stealer without requiring manual Terminal commands.
  • Atomic Stealer is designed to exfiltrate sensitive data, including browser information, cryptocurrency wallets, and saved passwords.
  • This method replaces previous attack vectors that were blocked by security updates in macOS 14.4.

Why it Matters

This evolution in ClickFix tactics demonstrates how threat actors adapt to macOS security updates by shifting from Terminal-based commands to native application exploitation. Users should remain cautious of prompts to execute scripts from unknown websites, as these attacks can lead to the total compromise of personal and financial data.
TechRadar Published by Sead Fadilpašić