Cybersecurity researchers are warning of a new malware campaign that uses the ClickFix social engineering tactic to trick users into downloading an information-stealing malware known as Atomic macOS Stealer (AMOS) on Apple macOS systems.
According to CloudSEK, the campaign has been found to leverage typosquat domains mimicking the US-based telecom provider Spectrum.
Security researcher Koushik Pal said in a report published this week, "macOS users are served a malicious shell script designed to steal system passwords and download an AMOS variant for further exploitation." "The script uses native macOS commands to harvest credentials, bypass security mechanisms, and execute malicious binaries."
The activity is believed to be the work of Russian-speaking cybercriminals, owing to the presence of Russian-language comments in the malware's source code.
The starting point of the attack is a web page that impersonates Spectrum ("panel-spectrum[.]net" or "spectrum[.]net"). Visitors to the sites are shown a message instructing them to complete an hCaptcha verification check to "review the security" before proceeding.
However, when the user clicks the "I'm human" checkbox, they are shown an error message stating that "CAPTCHA verification failed" and are urged to click a button to proceed with an "alternative verification."
Doing so copies a command to the user's clipboard, and the victim is shown a set of instructions tailored to their operating system. Windows users are directed to run a PowerShell command by opening the Windows Run dialog, whereas on macOS the command is replaced with a shell script that is executed by launching the Terminal app.
The shell script, for its part, prompts the user to enter their system password and then downloads a next-stage payload, in this case a known stealer called Atomic Stealer.
"Poorly implemented logic in the delivery sites, such as mismatched instructions across platforms, points to hastily assembled infrastructure," Pal said.
"The delivery pages in question for this AMOS variant campaign had inconsistencies in both their programming and front-end logic. For Linux user agents, a PowerShell command was copied. In addition, the instructions 'Press and Hold the Windows Key + R' were displayed."
The disclosure comes amid a rise over the past year in campaigns that use the ClickFix tactic to deliver a wide range of malware families.
"Actors who carry out these targeted attacks typically use similar tactics, techniques, and procedures (TTPs) to gain initial access," Darktrace said. "These include spear-phishing attacks, drive-by compromises, or the exploitation of trust in familiar online platforms, such as GitHub, to deliver malicious payloads."
The links distributed through these vectors typically redirect the end user to a malicious URL that displays a fake CAPTCHA verification check, tricking users into believing they are completing something routine when in fact they are being directed to fix a non-existent issue.
The end result of this effective social engineering technique is that users compromise their own systems, effectively bypassing security controls.
In an April 2025 incident analyzed by Darktrace, unknown threat actors were found to use ClickFix as an attack vector to download a nondescript payload that burrowed deeper into the target environment, conducted lateral movement, transmitted system-related information via an HTTP POST request, and ultimately exfiltrated data to an external party.
"ClickFix baiting is a widely used tactic in which threat actors take advantage of human error to bypass security defenses," Darktrace said. "By tricking endpoint users into performing seemingly harmless, everyday actions, attackers gain initial access to systems where they can access and exfiltrate sensitive data."
Other ClickFix attacks have employed phony versions of other popular CAPTCHA services, such as Google reCAPTCHA and Cloudflare Turnstile, to deliver malware under the guise of routine security checks.
These fake pages are "pixel-perfect copies" of their legitimate counterparts, and are sometimes injected into legitimate-but-compromised websites. Payloads distributed through the fake Turnstile checks range from information stealers such as Lumma and StealC to full remote access trojans such as NetSupport RAT.
"Modern internet users are inundated with spam checks, CAPTCHAs, and security prompts on websites, and have been conditioned to click through them," said Daniel Kelley of SlashNext. "Attackers exploit this 'verification fatigue,' knowing that many users will comply with whatever they are presented if it looks routine."