ClickFix Malware Uses macOS Script Editor to Deliver Atomic Stealer
Jamf Threat Labs discovered a ClickFix-style macOS attack that abuses the applescript:// URL scheme to launch Script Editor and deliver an Atomic Stealer infostealer payload — bypassing Terminal entirely.
AI Analysis
Technical Summary
This threat involves a macOS malware variant that abuses the applescript:// URL scheme to invoke the Script Editor application directly, bypassing the Terminal, to deliver the Atomic Stealer infostealer payload. The attack leverages AppleScript capabilities on macOS to execute malicious code stealthily. The malware is linked to the ClickFix style of attack and uses URLs hosted on dryvecar.com for payload delivery. The campaign was discovered by Jamf Threat Labs and reported by AlienVault OTX. No CVE or vendor advisory is available, and no patch or fix has been documented.
Potential Impact
The malware delivers an infostealer payload capable of harvesting sensitive information from infected macOS systems. By bypassing the Terminal and using Script Editor via the applescript:// URL scheme, it may evade some traditional detection mechanisms. However, there is no evidence of widespread exploitation or active campaigns in the wild at this time.
Mitigation Recommendations
No official patch or remediation guidance is currently available. Security teams should monitor for the provided indicators of compromise, including the specified hashes and URLs associated with dryvecar.com. Restricting or monitoring the use of the applescript:// URL scheme and the Script Editor application may help reduce risk. Users should exercise caution when interacting with unknown links or scripts that invoke AppleScript. Patch status is not yet confirmed — check vendor advisories for updates.
Indicators of Compromise
- hash: 04566d1d3f9717b2e7e6b643775d9ca72cef942f6df9ce075cf8c73a1bd2565a
- hash: 3d3c91ee762668c85b74859e4d09a2adfd34841694493b82659fda77fe0c2c44
- url: https://dryvecar.com/cleaner3/update
- url: https://dryvecar.com/curl/04566d1d3f9717b2e7e6b643775d9ca72cef942f6df9ce075cf8c73a1bd2565a
- domain: dryvecar.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.jamf.com/blog/clickfix-macos-script-editor-atomic-stealer/
- Adversary: null
- Pulse Id: 69d66add921797e6515cf4b1
- Threat Score: null
Threat ID: 69d6805e1cc7ad14da8bd0e2
Added to database: 4/8/2026, 4:20:46 PM
Last enriched: 4/8/2026, 4:35:46 PM
Last updated: 4/9/2026, 8:03:08 AM