New Atomic Stealer Campaign Targets macOS via Fake CAPTCHA Pages

Fake Security Checks Used in New Malware Campaign to Target macOS Users with Atomic Stealer

  • New Malware campaign targets macOS users through fake security checks on websites.
  • Attackers use typosquat domains resembling a major U.S. telecom provider to spread Atomic macOS Stealer (AMOS).
  • The campaign applies the “ClickFix” tactic, instructing users to run malicious commands after phony CAPTCHA failures.
  • Russian-speaking Hackers are likely involved based on language found in the malware’s code.
  • Other similar tactics use imitation CAPTCHA pages for delivering additional malware to users on multiple platforms.

Cybersecurity researchers have identified a new malware campaign targeting Apple macOS users by imitating security checks on websites and tricking them into installing malicious software. The campaign relies on fake domains that resemble those of a major U.S. telecom provider, aiming to distribute the Atomic macOS Stealer (AMOS) malware.

- Advertisement -

According to CloudSEK, attackers direct users to fraudulent websites such as “panel-spectrum[.]net” and “spectrum-ticket[.]net” that prompt visitors to complete a fake hCaptcha verification. When users attempt the verification, they receive an error message and instructions to perform an “Alternative Verification.” This action results in copying a malicious command to the user’s clipboard and providing OS-specific guidance for running it.

Security researcher Koushik Pal explains that the script used on macOS systems steals system passwords and downloads the AMOS malware payload. Pal adds, “The script uses native macOS commands to harvest credentials, bypass security mechanisms, and execute malicious binaries.” Russian-language comments in the code suggest Russian-speaking cybercriminals are likely behind the attack.

The campaign demonstrates signs of quick assembly, with mismatched instructions and programming errors found across its delivery sites. In some cases, the websites instructed both Windows and Mac users to use Windows-specific commands, highlighting flaws in the setup. The approach is part of a broader trend, with many recent attacks employing “ClickFix”—a social engineering method that prompts victims to run commands after a staged CAPTCHA failure or security prompt.

Darktrace reports a rise in such campaigns, noting that actors often use spear phishing, drive-by compromises, or abuse trust in known platforms to spread malware. In an April 2025 incident, attackers used ClickFix to deploy payloads for deeper penetration, lateral movement, and data exfiltration.

These campaigns often feature fake versions of familiar CAPTCHA services, like Google reCAPTCHA or Cloudflare Turnstile, and can sometimes be embedded in compromised legitimate sites. According to Daniel Kelley from SlashNext, attackers exploit user “verification fatigue”—the tendency to perform routine security actions without scrutiny—making this technique especially effective.

Payloads delivered through these attacks can include various stealers and remote access trojans (RATs) such as Lumma, StealC, and NetSupport RAT, enabling attackers to obtain sensitive data from infected systems.

- Advertisement -

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -

Latest News

Bitcoin Treasury Companies Face “Death Spiral,” Says VC Report

Few Bitcoin treasury companies are expected to survive long-term market risks, according to venture...

Robinhood Launches Micro Bitcoin, Solana, XRP Futures in the US

Robinhood has launched micro futures contracts for Bitcoin, solana, and XRP in the United...

Bitcoin Soars Toward $112K Amid Dollar Fears, BlackRock Moves

Bitcoin prices have surged close to their all-time high, fueled by increasing investor concerns...

Altcoin ETFs Near Approval as Crypto Funds Eye Solana, XRP, DOGE

Spot Bitcoin and Ethereum ETFs in the U.S. have achieved high levels of success...

XRP Eyes 75% Rally as Whale Accumulation Grows, Faces $2.40 Hurdle

XRP is showing signs of a possible 75% breakout from a symmetrical triangle chart...

Must Read

9 DePIN Programs For Passive Income

Here’s something most people don’t realize: your smartphone and PC can generate passive income with almost no effort.I’m not talking about clicking ads for...