# New macOS Stealer Campaign Exploits Script Editor in ClickFix Attack Chain


A newly discovered macOS malware campaign is leveraging the operating system's built-in Script Editor application as part of a sophisticated ClickFix social engineering attack, researchers have identified. The campaign represents an evolution in macOS-targeted threats, combining social engineering tactics with native system tools to evade detection and establish persistence on compromised systems.


## The Threat


Security researchers have uncovered evidence of an active malware campaign targeting macOS users through fake browser notification popups—a technique known as ClickFix. The attack chain culminates in the execution of malicious AppleScript code via macOS's native Script Editor application, allowing attackers to deploy stealer malware capable of harvesting sensitive credentials and browsing data from infected systems.


Key characteristics of the campaign include:


  • Native tool exploitation: Uses Script Editor (AppleScript) rather than traditional executable files
  • Social engineering focus: Relies on convincing fake notifications to drive user interaction
  • Credential theft: Targets browser passwords, autofill data, and cryptocurrency wallet information
  • Lower detection rates: Abuse of legitimate Apple tools helps bypass traditional endpoint security

    • The campaign has been observed targeting macOS users globally, with initial access vectors appearing to be compromised websites and malicious advertisements.


    ## Background and Context


    ClickFix attacks are not new, but their application to macOS represents a notable shift in threat actor tactics. The technique typically involves displaying fake system notifications claiming that a browser or application requires an urgent update or has encountered a security issue. When users click the notification, they are redirected to attacker-controlled landing pages or prompted to execute commands.


    This particular campaign adds a layer of sophistication by leveraging AppleScript execution, which is a legitimate macOS feature that allows users to automate tasks using Apple's scripting language. By using Script Editor to execute malicious code, attackers achieve several tactical advantages:


    1. Reduced visibility: AppleScript execution through native tools is less likely to trigger security alerts

    2. Legitimacy: Script Editor is a trusted system application, lowering user suspicion

    3. Persistence potential: AppleScript can establish scheduled tasks and login hooks for maintaining access

    4. Minimal artifact footprint: Compared to downloaded binaries, script-based attacks leave fewer detectable traces


    This attack pattern reflects a broader trend in macOS-targeted threats: rather than competing with Apple's security infrastructure, threat actors increasingly focus on circumventing it through social engineering and exploitation of legitimate system features.


    ## Technical Details


    Attack Flow:


    The infection chain typically follows these steps:


    1. Initial contact: Victim visits a compromised website or clicks a malicious advertisement

    2. Notification display: Browser displays a fake system notification (appearing to come from Chrome, Safari, or macOS itself)

    3. Social engineering: Notification claims the system is at risk or that software requires immediate updates

    4. User interaction: Victim clicks the notification, which directs them to an attacker-controlled page

    5. Command prompt: User is instructed to run a command in Terminal or open a file

    6. AppleScript execution: The command executes a script through Script Editor, downloading and running the stealer payload

    7. Malware installation: Stealer malware establishes itself on the system


    Payload capabilities:


    Once executed, the malware performs functions typical of info-stealing trojans:


    | Capability | Purpose |

    |-----------|---------|

    | Credential harvesting | Extracts passwords from browser keychains |

    | Cookie theft | Steals session cookies for account hijacking |

    | Autofill data | Captures saved credit cards and payment information |

    | Cryptocurrency targets | Looks for wallet recovery phrases and private keys |

    | System reconnaissance | Gathers hardware, OS, and installed software details |


    The use of AppleScript allows the malware to request system permissions through legitimate-appearing dialogs, increasing the likelihood that users will grant the required access.


    ## Implications for Organizations


    For Enterprise Security Teams:


  • macOS threat landscape: This campaign underscores that macOS is no longer a secondary security concern; sophisticated, multi-stage threats are actively targeting Apple's platform
  • Detection challenges: Traditional file-based detection may miss script-executed malware; behavioral detection and network monitoring become critical
  • Social engineering risk: Employee education around ClickFix tactics is as important as technical controls
  • Breach potential: Credential theft from macOS systems can provide lateral movement into corporate networks, particularly in BYOD environments

    • For Endpoint Protection:


    Organizations relying on traditional antivirus solutions may experience gaps in detection. Modern EDR (Endpoint Detection and Response) solutions with behavioral analysis capabilities are better positioned to identify script execution anomalies and suspicious credential access patterns.


    ## Recommendations


    For Individual Users:


  • Skepticism toward notifications: Treat unexpected browser notifications with suspicion, particularly those claiming urgent action is needed
  • Verify before acting: If a notification appears, navigate directly to the official website rather than clicking the notification link
  • Disable suspicious notifications: Review browser notification permissions and revoke them for unfamiliar sites
  • Monitor AppleScript execution: Be cautious about scripts downloaded from the internet; avoid running scripts in Terminal without understanding their contents
  • Keep systems updated: Ensure macOS and all applications are fully patched to benefit from security improvements

    • For Organizations:


    1. User awareness training: Conduct phishing and ClickFix-focused security training, with specific emphasis on macOS threats

    2. Browser hardening: Consider browser isolation technologies for high-risk users and restrict notification permissions

    3. EDR deployment: Deploy endpoint detection and response solutions capable of monitoring script execution and unusual process behavior

    4. Credential management: Enforce password managers and disable browser autofill for sensitive sites

    5. Network segmentation: Isolate critical systems and credentials to limit lateral movement if compromise occurs

    6. Incident response planning: Develop specific procedures for responding to potential credential theft incidents


    ## Conclusion


    The ClickFix campaign targeting macOS represents a maturation of threat actor capabilities against Apple's platform. By leveraging native tools like Script Editor and combining them with effective social engineering, attackers are achieving credential theft at scale while maintaining relatively low detection profiles.


    Organizations and individual users must recognize that macOS security requires the same level of vigilance as Windows environments. A defense-in-depth approach combining technical controls, network monitoring, and user education remains the most effective strategy against these evolving threats.