Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
India Halts WhatsApp Usernames Rollout Due to Fraud Concerns
July 1, 2026
Critical Cursor IDE RCE Vulnerabilities Allow Zero-Click Prompt Injection
July 1, 2026
Automated Password Spray Attacks Target Microsoft Azure CLI
July 1, 2026
Home/Threats/macOS Script Editor Flaw Lets ClickFix Deliver Atomic Stealer
Threats

macOS Script Editor Flaw Lets ClickFix Deliver Atomic Stealer

Key Takeaways A new ClickFix campaign is actively targeting macOS users, bypassing Terminal protections by leveraging the Script Editor application. The attack chain uses social engineering via fake...

Jennifer sherman
Jennifer sherman
April 9, 2026 4 Min Read
61 0

Key Takeaways

  • A new ClickFix campaign is actively targeting macOS users, bypassing Terminal protections by leveraging the Script Editor application.
  • The attack chain uses social engineering via fake Apple-themed webpages to trick users into executing malicious AppleScripts.
  • The ultimate payload is the Atomic Stealer infostealer, designed to exfiltrate sensitive user data, including credentials and cryptocurrency wallets.
  • This tactic demonstrates threat actors’ rapid adaptation to new security features, specifically Apple’s command-pasting scanner in macOS 26.4.

Threat actors operating the ClickFix campaign have developed a sophisticated new method to infect macOS systems, circumventing Apple’s enhanced security measures. Instead of relying on users to paste malicious commands into Terminal, this iteration exploits the built-in Script Editor application to deploy the Atomic Stealer infostealer.

Table Of Content

  • Key Takeaways
  • Evolving Attack Vector
  • The Social Engineering Lure
  • Script Execution and Payload Delivery
  • What You Should Do

This strategic shift highlights how quickly adversaries adapt their tactics in response to tightened platform security. It underscores the enduring effectiveness of social engineering, even against robust technical defenses.

Evolving Attack Vector

Historically, ClickFix attacks coerced users into copying and pasting malicious commands directly into Terminal, often under the guise of system troubleshooting or maintenance. Apple introduced a critical security feature in macOS 26.4 that actively scans commands pasted into Terminal before execution, significantly disrupting this common attack path.

Rather than abandoning their approach, the threat actors simply pivoted. They now utilize Script Editor, a native macOS application designed for AppleScript automation, which has a documented history of being exploited in malware delivery. This change allows them to bypass the new Terminal protections without triggering immediate alerts.

Researchers at Jamf Threat Labs identified this new variant through behavioral detection mechanisms that flagged the Script Editor-based execution as suspicious activity. Their discovery underscores the rapid evolution of attack methodologies in the face of new security controls. The actors leverage the applescript URL scheme to invoke Script Editor directly from a web browser, silently bypassing the Terminal safeguards.

The Social Engineering Lure

The attack initiates with a convincing fake Apple-themed webpage, designed to appear as a legitimate disk space cleanup utility. This page provides step-by-step instructions that closely mimic authentic macOS maintenance guides.

Upon clicking an “Execute” button on the fraudulent webpage, the browser silently triggers the applescript URL scheme. The user is then presented with a security permission dialog, prompting them to open Script Editor. This interaction is carefully crafted to appear as a routine system operation, masking the underlying malicious intent.

Once Script Editor launches, it displays a pre-populated script, ready for user execution. This script includes fake copyright headers, falsely attributing it to an Apple storage optimization utility, thereby enhancing its perceived legitimacy.

The user experience varies slightly depending on the macOS version. In macOS 26.4, users are prompted to approve saving the script to disk before it can proceed with execution.

Script Execution and Payload Delivery

When the user runs the pre-filled script, the core attack chain begins. The script contains an obfuscated command that uses the tr utility for character translation, converting a scrambled string into a functional URL at runtime. This URL then calls curl with the -k flag, which disables TLS certificate validation. This allows the malware to connect to untrusted infrastructure without generating security warnings. The downloaded content is then piped directly into zsh and executed entirely in memory, preventing it from touching the disk during this initial phase.

The first-stage payload is concealed using base64 encoding combined with gzip compression. After decoding, it retrieves a Mach-O binary, saves it to /tmp/helper, removes extended attributes, grants execution permissions, and then runs it. This binary is a recent variant of Atomic Stealer, a notorious macOS infostealer known for harvesting sensitive data such as browser credentials, saved passwords, and cryptocurrency wallet information from compromised systems.

Confirmed indicators of compromise (IoCs) for this campaign include the domain dryvecar.com, along with storage-fixes.squarespace.com and cleanupmac.mssg.me, all associated with the fake ClickFix webpages. The Mach-O binary saved as helper has the SHA-256 hash 3d3c91ee762668c85b74859e4d09a2adfd34841694493b82659fda77fe0c2c44.

What You Should Do

  • Exercise Extreme Caution: Never execute scripts or commands prompted by external webpages, even if they appear to be from Apple or other trusted entities.
  • Decline Browser Requests: Always decline browser requests to open Script Editor or any other automation tool if the source is unknown or suspicious.
  • Keep macOS Updated: Ensure your macOS is running the latest available version to benefit from the newest built-in security controls and patches.
  • Verify Sources: If you receive instructions for system maintenance, always verify them directly on Apple’s official support website or through trusted, known channels, rather than relying on external webpages.
  • Use Security Software: Employ reputable endpoint detection and response (EDR) solutions that can identify and block suspicious behavioral patterns.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitMalwareSecurityThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

ClickFix macOS Vulnerability (CVE-2023-XXXX) Lets Attackers Deliver notnullOSX

Next Post

WhatsApp Adds Usernames for Private Connections, Ditching Phone Numbers

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Fluentd Vulnerabilities Allow Remote Code Execution
July 1, 2026
Weaponized Google Ads Install Malicious Claude Code to Hijack macOS
July 1, 2026
Critical Adobe ColdFusion Vulnerabilities Let Attackers Run Code
July 1, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us