New Atomic Stealer Campaign Targets macOS via Fake CAPTCHA Pages

Fake Security Checks Used in New Malware Campaign to Target macOS Users with Atomic Stealer

  • New Malware campaign targets macOS users through fake security checks on websites.
  • Attackers use typosquat domains resembling a major U.S. telecom provider to spread Atomic macOS Stealer (AMOS).
  • The campaign applies the “ClickFix” tactic, instructing users to run malicious commands after phony CAPTCHA failures.
  • Russian-speaking Hackers are likely involved based on language found in the malware’s code.
  • Other similar tactics use imitation CAPTCHA pages for delivering additional malware to users on multiple platforms.

Cybersecurity researchers have identified a new malware campaign targeting Apple macOS users by imitating security checks on websites and tricking them into installing malicious software. The campaign relies on fake domains that resemble those of a major U.S. telecom provider, aiming to distribute the Atomic macOS Stealer (AMOS) malware.

- Advertisement -

According to CloudSEK, attackers direct users to fraudulent websites such as “panel-spectrum[.]net” and “spectrum-ticket[.]net” that prompt visitors to complete a fake hCaptcha verification. When users attempt the verification, they receive an error message and instructions to perform an “Alternative Verification.” This action results in copying a malicious command to the user’s clipboard and providing OS-specific guidance for running it.

Security researcher Koushik Pal explains that the script used on macOS systems steals system passwords and downloads the AMOS malware payload. Pal adds, “The script uses native macOS commands to harvest credentials, bypass security mechanisms, and execute malicious binaries.” Russian-language comments in the code suggest Russian-speaking cybercriminals are likely behind the attack.

The campaign demonstrates signs of quick assembly, with mismatched instructions and programming errors found across its delivery sites. In some cases, the websites instructed both Windows and Mac users to use Windows-specific commands, highlighting flaws in the setup. The approach is part of a broader trend, with many recent attacks employing “ClickFix”—a social engineering method that prompts victims to run commands after a staged CAPTCHA failure or security prompt.

Darktrace reports a rise in such campaigns, noting that actors often use spear phishing, drive-by compromises, or abuse trust in known platforms to spread malware. In an April 2025 incident, attackers used ClickFix to deploy payloads for deeper penetration, lateral movement, and data exfiltration.

These campaigns often feature fake versions of familiar CAPTCHA services, like Google reCAPTCHA or Cloudflare Turnstile, and can sometimes be embedded in compromised legitimate sites. According to Daniel Kelley from SlashNext, attackers exploit user “verification fatigue”—the tendency to perform routine security actions without scrutiny—making this technique especially effective.

Payloads delivered through these attacks can include various stealers and remote access trojans (RATs) such as Lumma, StealC, and NetSupport RAT, enabling attackers to obtain sensitive data from infected systems.

- Advertisement -

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -

Latest

Cudis Smart Ring Rewards Healthy Habits With Crypto on Solana

Cudis has introduced an AI-powered smart ring and launched a new CUDIS token to reward users for tracking health habits. The CUDIS token operates on...

CPAs Urged to Boost Crypto Knowledge as Regulations Evolve in 2025

CPAs are advised to update their knowledge of cryptoassets due to recent regulatory progress and increased adoption.New federal and state rules, spot crypto ETFs,...

Wandercraft Unveils Calvin 40, a Headless Humanoid for Industry

Wandercraft, a French company known for medical exoskeletons, has created a new humanoid robot called Calvin 40. Calvin 40 was built in 40 days and...

Coinbase, BiT Global Settle Lawsuit Over wBTC Delisting Dispute

Coinbase and BiT Global ended their legal dispute over the wrapped Bitcoin (wBTC) token delisting.BiT Global agreed to dismiss its lawsuit against Coinbase permanently,...

Ethereum Pectra Upgrade Slashes Blob Costs, Boosts L2 Efficiency

Ethereum's Pectra upgrade has drastically lowered blob transaction costs from around $16,000 per day to fractions of a penny. Layer-2 networks now operate much more...

Must Read

What Is the Dencun Upgrade for Ethereum?

The Dencun Upgrade for Ethereum is poised to revolutionize the blockchain landscape, offering improved scalability, efficiency, and groundbreaking features. Set to launch at the...