Ahead of Consensus.
Intelligence across tech and capital markets, for investors, policymakers, and business leaders.
3 minute read
A sophisticated malware campaign targeting Apple macOS systems has emerged, using ClickFix social engineering tactics to distribute the Atomic macOS Stealer (AMOS). According to The Hacker News, cybercriminals are exploiting typosquat domains that mimic Spectrum, a major U.S. telecom provider, to trick users into downloading malicious software.
The attack leverages deceptive landing pages resembling legitimate login portals, prompting users to complete fake hCaptcha verification checks. When users click an “Alternative Verification” button, they’re induced to execute malicious commands through their Terminal app, ultimately downloading the AMOS payload.
Russian-speaking cybercriminals are suspected to be behind the campaign, evidenced by Russian language comments found in the malware’s code. The attackers have integrated the stealer with various macOS applications to harvest sensitive data, including credentials and financial information.
The Apple ecosystem’s security landscape has transformed dramatically, with Mac malware incidents surging 73% in 2025. This increase correlates with Apple’s expanding corporate market share, making macOS devices increasingly attractive targets for cybercriminals.
The estimated 100 million Mac users, many in privileged corporate positions, represent a significant potential target pool. The commercialization of Mac-targeting malware, exemplified by BanShee’s $3,000 monthly subscription model, demonstrates the profitable nature of these attacks.
Organizations heavily invested in Apple’s ecosystem must reassess their security protocols and user training. The campaign’s sophisticated combination of social engineering and technical evasion techniques signals the end of macOS’s perceived inherent security advantage.
Cross-platform development in languages like Golang enables threat actors to target macOS with minimal additional effort, presenting significant challenges for Apple’s security strategy.
SlashNext’s Daniel Kelley observes, “Modern internet users are inundated with security prompts and have become conditioned to interact with them quickly, which attackers exploit to gain access to secure systems.”
Darktrace’s analysis reveals ClickFix being used to download non-descript payloads for deeper infiltration and data exfiltration. Cofense has identified related phishing schemes spoofing Booking.com emails to deliver trojans through fake CAPTCHAs.
The AMOS campaign represents a significant evolution in macOS security threats, combining sophisticated social engineering with technical evasion techniques. The rising commercialization and profitability of Mac-targeting malware signals an urgent need for enhanced security measures and user awareness across Apple’s ecosystem.