New macOS Malware Campaign Targets Users via Fake Updates and Script Editor

New macOS Malware Campaign Targets Users via Fake Updates and Script Editor

First seen 9 Apr 2026, 22:00 UTC SocprimeScworldExplosionBitgetNews.Bitcoin+28 85% similarity 69.0

Article Content

Browse articles
ThreatCluster

A new malware campaign is targeting macOS users with the AMOS-linked Atomic Stealer, exploiting fake software update pages and the built-in Script Editor application. Victims are tricked into executing malicious commands that download and run the malware, which steals sensitive information such as passwords, Keychain data, and cryptocurrency wallet details. The attack leverages social engineering tactics, using Apple-themed websites to lure users into executing harmful scripts. The malware establishes persistence through malicious LaunchAgents and backdoors, allowing ongoing access to compromised systems. Security experts recommend blocking malicious domains and monitoring for unusual activity to mitigate risks. The attack is ongoing, and users are advised to exercise caution with prompts from Script Editor and to rely on official sources for troubleshooting. Current mitigation efforts include Apple’s warnings for ClickFix attacks, but user vigilance remains crucial.

Key Points: • Atomic Stealer malware targets macOS users via fake updates and Script Editor exploits. • Malicious actors use social engineering tactics to trick users into executing harmful scripts. • The malware steals sensitive data and establishes persistence through backdoors and LaunchAgents.

ThreatCluster AI

Timeline

2026-04-08
Socprime reports on macOS Stealer linked to AMOS ecosystem.
2026-04-09
Scworld reports on Atomic Stealer malware exploiting Script Editor.

Community

Browse all →