[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$flkoM3S_j6NoHtL_d_occjzTSX3Qx37eOust_CBdyKA0":3},{"article":4,"iocs":38},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":30,"category":31,"article_tags":35},"39c70eeb-5dd4-4fbb-86e1-7e7c4d1f66cc","New macOS ClickFix attack silently mounts DMGs to push infostealer","new-macos-clickfix-attack-silently-mounts-dmgs-to-push-infostealer-dca893","A new macOS ClickFix campaign is using Terminal commands to silently download, mount, and launch info-stealing malware from malicious disk image (DMG) files. [...]","A new macOS ClickFix campaign uses fake CAPTCHA pages to trick users into executing Terminal commands that silently download and mount malicious DMG files containing the Atomic macOS Stealer (AMOS) infostealer. The malware steals browser credentials, cryptocurrency wallet data, Keychain information, and user documents from infected devices. The attack combines social engineering with automated execution, eliminating the need for manual user interaction to launch the malware.","New macOS ClickFix campaign silently mounts DMGs to distribute Atomic macOS Stealer infostealer malware.","New macOS ClickFix attack silently mounts DMGs to push infostealer By Lawrence Abrams, June 23, 2026 02:30 PM. A new macOS ClickFix campaign is using Terminal commands to silently download, mount, and launch info-stealing malware from malicious disk image (DMG) files. The campaign is infecting Mac devices with the Atomic macOS Stealer (AMOS) infostealer, which steals browser credentials, cryptocurrency wallet data, Keychain data, messaging app information, and user documents. Researchers at Palo Alto Networks Unit 42 first discovered the campaign and say it begins with a fake CAPTCHA page that tells users to open Terminal and paste a malicious command to verify themselves. 
Once executed, the command downloads a DMG file from an attacker-controlled server, silently mounts it with macOS's native hdiutil utility, locates the application bundle it contains, and launches it automatically. ClickFix is a social engineering technique that displays fake CAPTCHAs, browser errors, or system alerts to trick visitors into copying and executing attacker-supplied \"fix instructions.\" The technique has grown in popularity among threat actors in the past year and has been used by both cybercriminals and state-sponsored hacking groups to distribute malware. While ClickFix attacks involving DMGs are not new, previous campaigns typically relied on users manually opening downloaded DMG files to launch malicious applications or execute scripts from attacker-controlled servers. The campaign spotted by Palo Alto combines both approaches by using a Terminal command to quietly download a DMG file and launch the malware it contains. [Image: Malicious Terminal command used as fake CAPTCHA verification. Source: Palo Alto Networks Unit42] After running the Terminal command, the attack downloads a malicious DMG from svs-verificationdate[.]beer using curl with the quiet \"-fsSL\" flags and saves it to the \u002Ftmp folder under a random filename. The command then executes 'hdiutil attach -nobrowse' to mount the downloaded disk image without displaying it in Finder or on the desktop. The script then searches up to three directory levels deep for the first available .app or .pkg installer, and if one is found, launches it using the macOS open command. Researchers observed the malware being delivered as a disk image named \"s.01M0td.dmg,\" which mounted a volume containing a self-signed application bundle named \"NNApp.app.\" This payload is part of the Atomic macOS Stealer family, which is used to steal credentials, browser history, authentication tokens, and cryptocurrency wallets from infected devices. 
[Image: Infostealer attack flow. Source: Palo Alto Networks Unit42] The stealer will display a fake System Preferences authentication prompt that asks the user to enter their password, allowing the malware to steal it. According to the researchers, the malware targets eight Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Arc, Vivaldi, CocCoc, and Yandex. It steals cookies, login databases, autofill information, stored payment cards, and browser profile data. The stealer also targets Firefox-derived browsers, including LibreWolf, SeaMonkey, Tor Browser, Waterfox, and Zen Browser, stealing the same information. Palo Alto says the malware searches for and steals cryptocurrency wallet data, including Exodus, Electrum, Atomic Wallet, Wasabi Wallet, Bitcoin Core, Litecoin Core, DashCore, Guarda, Binance Wallet, Dogecoin Wallet, and TonKeeper. The malware also steals Telegram Desktop and Discord data, Apple Notes databases, Safari cookies, Apple Keychain database files, and user documents with the PDF, TXT, or RTF extensions. All harvested data is then stored in a ZIP archive and uploaded to the attacker's server, where the attacker can retrieve it. Of particular interest, the researchers found that the malware will replace legitimate installations of Ledger Live and Trezor Suite with malicious versions, likely to perform crypto theft. The campaign was observed using command-and-control servers at svs-verificationdate[.]beer and 196.251.107[.]171. As a general rule, users should always be cautious when websites instruct them to open Terminal and execute commands. This is especially true when they claim to be part of CAPTCHA verifications, browser fixes, or other troubleshooting steps. If you do not 100% understand what a command does, do not run it.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fnew-macos-clickfix-attack-silently-mounts-dmgs-to-push-infostealer\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2022\u002F03\u002F22\u002Fmacos-storm.jpg","2026-06-23T18:30:16+00:00","2026-06-23T20:00:09.826173+00:00",8,[18,21,24,27],{"name":19,"type":20},"ClickFix campaign operators","threat_actor",{"name":22,"type":23},"Atomic macOS Stealer (AMOS)","product",{"name":25,"type":26},"Palo Alto Networks","vendor",{"name":28,"type":29},"macOS ClickFix DMG campaign","campaign","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":30,"icon":32,"name":33,"slug":34},null,"Malware","malware",[36],{"category":37},{"id":30,"icon":32,"name":33,"slug":34},[39,43,45],{"type":40,"value":41,"context":42},"domain","svs-verificationdate.beer","Attacker-controlled server hosting malicious DMG file",{"type":34,"value":22,"context":44},"Info-stealing malware targeting credentials, wallets, and Keychain data",{"type":34,"value":46,"context":47},"NNApp.app","Malicious application bundle delivered via DMG file s.01M0td.dmg"]