- New Malware campaign targets macOS users through fake security checks on websites.
- Attackers use typosquat domains resembling a major U.S. telecom provider to spread Atomic macOS Stealer (AMOS).
- The campaign applies the “ClickFix” tactic, instructing users to run malicious commands after phony CAPTCHA failures.
- Russian-speaking Hackers are likely involved based on language found in the malware’s code.
- Other similar tactics use imitation CAPTCHA pages for delivering additional malware to users on multiple platforms.
Cybersecurity researchers have identified a new malware campaign targeting Apple macOS users by imitating security checks on websites and tricking them into installing malicious software. The campaign relies on fake domains that resemble those of a major U.S. telecom provider, aiming to distribute the Atomic macOS Stealer (AMOS) malware.
According to CloudSEK, attackers direct users to fraudulent websites such as “panel-spectrum[.]net” and “spectrum-ticket[.]net” that prompt visitors to complete a fake hCaptcha verification. When users attempt the verification, they receive an error message and instructions to perform an “Alternative Verification.” This action results in copying a malicious command to the user’s clipboard and providing OS-specific guidance for running it.
Security researcher Koushik Pal explains that the script used on macOS systems steals system passwords and downloads the AMOS malware payload. Pal adds, “The script uses native macOS commands to harvest credentials, bypass security mechanisms, and execute malicious binaries.” Russian-language comments in the code suggest Russian-speaking cybercriminals are likely behind the attack.
The campaign demonstrates signs of quick assembly, with mismatched instructions and programming errors found across its delivery sites. In some cases, the websites instructed both Windows and Mac users to use Windows-specific commands, highlighting flaws in the setup. The approach is part of a broader trend, with many recent attacks employing “ClickFix”—a social engineering method that prompts victims to run commands after a staged CAPTCHA failure or security prompt.
Darktrace reports a rise in such campaigns, noting that actors often use spear phishing, drive-by compromises, or abuse trust in known platforms to spread malware. In an April 2025 incident, attackers used ClickFix to deploy payloads for deeper penetration, lateral movement, and data exfiltration.
These campaigns often feature fake versions of familiar CAPTCHA services, like Google reCAPTCHA or Cloudflare Turnstile, and can sometimes be embedded in compromised legitimate sites. According to Daniel Kelley from SlashNext, attackers exploit user “verification fatigue”—the tendency to perform routine security actions without scrutiny—making this technique especially effective.
Payloads delivered through these attacks can include various stealers and remote access trojans (RATs) such as Lumma, StealC, and NetSupport RAT, enabling attackers to obtain sensitive data from infected systems.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Big Tech Firms Explore Stablecoins to Cut Payment Processing Fees
- Dogecoin Drops 6% Amid Elon Musk and Donald Trump Public Spat
- Elon Musk Loses $150B as Trump Split and DOGE Crash Hit Fortune
- Crypto Rollercoaster: Circle Soars to IPO as HyperLiquid Trader Falls
- Shadow AI Poses Growing Enterprise Data Loss and Security Risks