Malware targets Mac users with fake CAPTCHA and AMOS Stealer

ClickFix, a societal engineering maneuver that has been targeting some Windows and Mac users since aboriginal 2024, continues to evolve. 

Just past month, I reported connected however attackers were utilizing fake CAPTCHA prompts to trick Windows users into installing malware themselves. 

Now, that aforesaid instrumentality is being turned against macOS. Cybersecurity researchers person uncovered a caller run utilizing ClickFix to present Atomic macOS Stealer (AMOS), a almighty information-stealing malware targeting Apple systems.

SPOT FAKE ONLINE STORES, AVOID FACEBOOK SUBSCRIPTION SCAMS

Illustration of a hacker astatine work. (Kurt "CyberGuy" Knutsson)

What is ClickFix malware, and however does it work?

Security researchers at CloudSEK person identified a caller menace targeting macOS users done imitation and deception. The run uses a method known arsenic ClickFix to lure victims done fake online verification prompts. This time, attackers are spoofing Spectrum, a large telecom supplier successful the United States. They usage fraudulent domains that intimately lucifer Spectrum’s existent enactment portals. These see misleading addresses similar sheet spectrum nett and spectrum summons net.

Visitors to these sites are shown a standard-looking CAPTCHA box, asking them to verify their identity. When they do, the tract displays a fake mistake connection that says the CAPTCHA failed. Users are encouraged to click a fastener labeled "Alternative Verification." This triggers a bid to beryllium copied silently to their clipboard. What happens adjacent depends connected the user’s operating system. On macOS, instructions usher the idiosyncratic to paste and tally the bid successful Terminal. That bid is really a ammunition publication designed to bargain accusation and download malware.

The publication is peculiarly unsafe due to the fact that it uses morganatic macOS strategy commands. It asks for the strategy password, harvests credentials and disables security protections. It past downloads AMOS. This is simply a known accusation stealer with a past of targeting Apple devices. The malware collects delicate information similar passwords, cryptocurrency wallet keys, browser autofill information and saved cookies.

Researchers judge the run was created by Russian-speaking attackers. Clues see comments written successful Russian recovered wrong the malware’s code. Analysts besides noted that the transportation infrastructure was poorly assembled. Mismatched instructions appeared crossed devices. For example, Linux users were shown Windows commands. Mac users were told to property keys that lone beryllium connected Windows machines.

Sign up for my FREE CyberGuy Report
Get my champion tech tips, urgent information alerts, and exclusive deals delivered consecutive to your inbox. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide — escaped erstwhile you join.

Fake Captcha connected a Mac. (CloudSEK)

OUTSMART HACKERS WHO ARE OUT TO STEAL YOUR IDENTITY

Why ClickFix attacks are truthful effective

ClickFix is simply a societal engineering method that has rapidly gained popularity among cybercriminals. It relies connected users trusting what they spot and blindly pursuing elemental instructions. In this campaign, the attacker’s extremity is to marque the unfortunate execute the corruption process themselves. Once the idiosyncratic follows through, the strategy is compromised without needing a accepted exploit.

Researchers judge ClickFix has been progressive since astatine slightest March 2024. I archetypal reported connected it successful June 2024, when attackers utilized fake mistake messages from Google Chrome, Microsoft Word and OneDrive to propulsion their payloads. Victims were shown prompts offering a "fix," which copied a malicious PowerShell bid to their clipboard. They were past instructed to paste and tally it successful PowerShell oregon done the Run dialog.

By November 2024, the method had evolved further. A new question of attacks targeted Google Meet users, opening with phishing emails that mimicked interior gathering invites. These emails contained links that redirected to fake Meet landing pages designed to look similar they came from the victim’s ain organization.

Fake Captcha connected a Mac. (CloudSEK)

MALWARE EXPOSES 3.9 BILLION PASSWORDS IN HUGE CYBERSECURITY THREAT

6 ways to support yourself from ClickFix and akin malware

To support yourself from the evolving menace of ClickFix malware, which continues to people users done blase societal engineering tactics, see implementing these six indispensable information measures:

1. Be skeptical of CAPTCHA prompts: Legitimate CAPTCHA tests ne'er necessitate you to paste thing into Terminal. If a website instructs you to bash this, it’s apt a scam. Close the leafage instantly and debar interacting with it.

2. Don’t click links from unverified emails and usage beardown antivirus software: Many ClickFix attacks besides commencement with phishing emails that impersonate trusted services similar Booking.com oregon Google Meet. Always verify the sender earlier clicking connected links. If an email seems urgent oregon unexpected, spell straight to the company’s authoritative website alternatively of clicking immoderate links wrong the email.

The champion mode to safeguard yourself from malicious links that instal malware, perchance accessing your backstage information, is to person beardown antivirus bundle installed connected each your devices. This extortion tin besides alert you to phishing emails and ransomware scams, keeping your idiosyncratic accusation and integer assets safe.  Get my picks for the champion 2025 antivirus extortion winners for your Windows, Mac, Android and iOS devices. 

3. Enable two-factor authentication: Enable two-factor authentication whenever possible. This adds an other furniture of information by requiring a 2nd signifier of verification, specified arsenic a codification sent to your phone, successful summation to your password.

GET FOX BUSINESS ON THE GO BY CLICKING HERE

4. Keep devices updated: Regularly updating your operating system, browser, and information software ensures you person the latest patches against known vulnerabilities. Cybercriminals exploit outdated systems, truthful enabling automatic updates is simply a elemental but effectual mode to enactment protected.

5. Monitor your accounts for suspicious enactment and alteration your passwords: If you’ve interacted with a suspicious website, phishing email, oregon fake login page, cheque your online accounts for immoderate antithetic activity. Look for unexpected login attempts, unauthorized password resets, oregon fiscal transactions that you don’t recognize. If thing seems off, alteration your passwords instantly and study the enactment to the applicable work provider. Also, see utilizing a password manager to make and store analyzable passwords. Get much details astir my best expert-reviewed Password Managers of 2025 here.

6. Invest successful idiosyncratic information removal service: Consider utilizing a work that monitors your idiosyncratic accusation and alerts you to imaginable breaches oregon unauthorized usage of your data. These services tin supply aboriginal informing signs of individuality theft oregon different malicious activities resulting from ClickFix oregon akin attacks. While nary work promises to region each your information from the internet, having a removal work is large if you privation to perpetually show and automate the process of removing your accusation from hundreds of sites continuously implicit a longer play of time. Check retired my apical picks for information removal services here. 

Get a free scan to find retired if your idiosyncratic accusation is already retired connected the web

MASSIVE SECURITY FLAW PUTS MOST POPULAR BROWSERS AT RISK ON MAC

Kurt’s cardinal takeaway

Even experienced users tin beryllium tricked erstwhile malicious behaviour is disguised arsenic routine. The onslaught didn't conscionable exploit a vulnerability successful macOS, but besides your familiarity with verification flows. As agelong arsenic information instructions look similar portion of the accustomed experience, radical volition proceed to tally malicious codification themselves. Mac users, similar everyone else, request to dainty each familiar-looking interface with a small much skepticism. Especially erstwhile it asks for your password.

CLICK HERE TO GET THE FOX NEWS APP

Do you deliberation tech companies are doing capable to halt malware similar ClickFix? Let america cognize by penning to america at Cyberguy.com/Contact. 

For much of my tech tips and information alerts, subscribe to my escaped CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter

Ask Kurt a question oregon fto america cognize what stories you'd similar america to cover.

Follow Kurt connected his societal channels

• Facebook
• YouTube
• Instagram

Answers to the astir asked CyberGuy questions:

• What is the champion mode to support your Mac, Windows, iPhone and Android devices from getting hacked?
• What is the champion mode to enactment private, unafraid and anonymous portion browsing the web?
• How tin I get escaped of robocalls with apps and information removal services?
• How bash I region my backstage information from the internet?

New from Kurt:

• Try CyberGuy's caller games (crosswords, connection searches, trivia and more!)
• CyberGuy’s Exclusive Coupons and Deals

Copyright 2025 CyberGuy.com.  All rights reserved.