New macOS Malware Campaign Targets Users via Fake Updates and Script Editor

Severity: High (Score: 69.0)

Sources: Socprime, Scworld

Summary

A new malware campaign is targeting macOS users with the AMOS-linked Atomic Stealer, exploiting fake software update pages and the built-in Script Editor application. Victims are tricked into executing malicious commands that download and run the malware, which steals sensitive information such as passwords, Keychain data, and cryptocurrency wallet details. The attack leverages social engineering tactics, using Apple-themed websites to lure users into executing harmful scripts. The malware establishes persistence through malicious LaunchAgents and backdoors, allowing ongoing access to compromised systems.

Security experts recommend blocking malicious domains and monitoring for unusual activity to mitigate risks. The attack is ongoing, and users are advised to exercise caution with prompts from Script Editor and to rely on official sources for troubleshooting. Current mitigation efforts include Apple’s warnings for ClickFix attacks, but user vigilance remains crucial.

Key Points:

  • Atomic Stealer malware targets macOS users via fake updates and Script Editor exploits.
  • Malicious actors use social engineering tactics to trick users into executing harmful scripts.
  • The malware steals sensitive data and establishes persistence through backdoors and LaunchAgents.

Key Entities

  • Malware (attack_type)
  • ClickFix (malware)
  • Atomic Stealer (malware)
  • laislivon.com (domain)
  • rvdownloads.com (domain)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • MacOS (platform)
  • Script Editor (tool)