A sophisticated new malware campaign has been identified targeting macOS users with a dangerous variant of the Atomic macOS Stealer (AMOS). The operation utilizes typo-squatted domains that convincingly mimic the major U.S. telecommunications provider Spectrum to lure potential victims. This attack is cleverly disguised as a routine CAPTCHA verification system, representing a significant escalation in cross-platform social engineering tactics that put both consumer and corporate users at risk. The campaign leverages the increasingly popular Clickfix method, presenting users with fake security verification pages designed to look like legitimate Cloudflare protection screens to initiate the infection process.
The attack vector relies on deceiving users who land on fraudulent websites such as panel-spectrum.net. After being presented with what appears to be a standard human verification challenge, users are prompted to click an “Alternative Verification” button. This action triggers a malicious sequence that copies harmful commands to the user’s clipboard, while displaying on-screen instructions that guide the user to execute them. Researchers at CloudSEK, who uncovered this campaign, revealed that the threat is multi-platform in nature, delivering different payloads depending on the victim’s operating system. macOS users receive particularly dangerous shell scripts intended to harvest system credentials and download the AMOS malware for further exploitation.
The infection mechanism on macOS systems demonstrates remarkable sophistication in exploiting the operating system’s security architecture. When users follow the deceptive on-screen instructions to “verify” themselves, they inadvertently execute a downloaded shell script that begins an insidious credential harvesting routine. The script uses macOS’s native dscl command to repeatedly prompt for and validate the user’s system password until the correct one is entered and captured. Once the correct password is stolen, the malware uses it with sudo privileges to remove Apple’s quarantine attributes from the AMOS payload, effectively bypassing Gatekeeper security protections before executing the malicious stealer software.
While definitive attribution of the campaign remains unclear, the presence of Russian-language comments discovered within the source code suggests the possible involvement of Russian-speaking cybercriminals. Despite the sophisticated social engineering, the campaign exhibits several technical flaws, including mismatched instructions and inconsistent command delivery, indicating that the attackers may have used hastily assembled infrastructure. The primary danger of this attack lies in its exploitation of user trust in familiar online interactions like CAPTCHAs, turning a routine process into a self-infection vector. Cybersecurity experts urge extreme vigilance, as legitimate websites will almost never require users to manually copy and execute scripts.
Reference:
