{
  "Event": {
    "analysis": "1",
    "date": "2026-04-08",
    "extends_uuid": "",
    "info": "[Threat Intel] ClickFix Malware Uses macOS Script Editor to Deliver Atomic Stealer",
    "protected": false,
    "publish_timestamp": "1776720093",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1776720051",
    "uuid": "604585c5-1663-4997-b60d-e2ed9ff57a65",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#680082",
        "local": false,
        "name": "ms-caro-malware:malware-platform=\"MacOS\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775703611",
        "to_ids": false,
        "type": "link",
        "uuid": "823a071a-ad75-484b-9fdd-4d86058c3702",
        "value": "https://www.jamf.com/blog/clickfix-macos-script-editor-atomic-stealer/",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775703611",
        "to_ids": false,
        "type": "text",
        "uuid": "a8db0dbe-ae06-42ac-bec4-2a07fbd4f2f0",
        "value": "Jamf Threat Labs discovered a ClickFix-style macOS attack that abuses the applescript:// URL scheme to launch Script Editor and deliver an Atomic Stealer infostealer payload \u2014 bypassing Terminal entirely."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775703611",
        "to_ids": false,
        "type": "text",
        "uuid": "23c449ed-2d8e-4afd-82e3-95d5c9bf7620",
        "value": "Name: ClickFix Malware Uses macOS Script Editor to Deliver Atomic Stealer\nAuthor: AlienVault\nAdversary: \nTags: [\"atomicstealer\", \"clickfix\", \"infostealer\", \"applescript\", \"macos\"]\nTargeted countries: []\nMalware families: [\"AtomicStealer\", \"ClickFix\"]\nAttack_ids: [\"T1059\"]\nIndustries: []"
      },
      {
        "category": "Payload delivery",
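        "comment": "No sample in VirusTotal\r\nLast check: 21/04/2026\r\nNote: this value also appears as the path segment of the dryvecar.com/curl/ URL in this event, so it may be a URL token rather than a file hash; confirm against the source report before relying on it for file matching.",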
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776720030",
        "to_ids": true,
        "type": "sha256",
        "uuid": "36b533cc-0e56-4a77-b66b-43e897999ec8",
        "value": "04566d1d3f9717b2e7e6b643775d9ca72cef942f6df9ce075cf8c73a1bd2565a",
        "Tag": [
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VirusTotal\r\nLast check: 21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776720051",
        "to_ids": true,
        "type": "sha256",
        "uuid": "0413b9ce-fdbf-4cda-ae88-143651440752",
        "value": "3d3c91ee762668c85b74859e4d09a2adfd34841694493b82659fda77fe0c2c44",
        "Tag": [
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776691117",
        "to_ids": true,
        "type": "url",
        "uuid": "f42c8fe9-b021-49db-b373-4452f71c9e24",
        "value": "https://dryvecar.com/cleaner3/update",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776043883",
        "to_ids": true,
        "type": "url",
        "uuid": "747132b8-b535-47d3-89e3-ffca288ba1b9",
        "value": "https://dryvecar.com/curl/04566d1d3f9717b2e7e6b643775d9ca72cef942f6df9ce075cf8c73a1bd2565a",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776043904",
        "to_ids": true,
        "type": "domain",
        "uuid": "50624593-6b1e-446d-b118-3adceb5fbb21",
        "value": "dryvecar.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
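        "comment": "Host is a subdomain of squarespace.com, a shared website-hosting platform, which is consistent with the false-positive:risk=high tag on this attribute. Match on the full hostname storage-fixes.squarespace.com only, never on the parent domain.",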
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776043926",
        "to_ids": true,
        "type": "url",
        "uuid": "f8f24210-50ae-4e4d-b518-31ade061ecd2",
        "value": "https://storage-fixes.squarespace.com/?gad_source=1",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
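        "comment": "The query string consists of Google Ads tracking parameters (gad_source, gad_campaignid, gbraid, gclid), which can differ per click, so an exact full-URL match is likely to miss other visits. Match on the hostname cleanupmac.mssg.me instead.",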
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776043947",
        "to_ids": true,
        "type": "url",
        "uuid": "d82f8754-4577-437a-9f81-4636e852f845",
        "value": "https://cleanupmac.mssg.me/?gad_source=1&gad_campaignid=23708793071&gbraid=0AAAABBS8jKrbkIiVdpqodGRoYiYNaByHP&gclid=EAIaIQobChMI2uaJ-_TJkwMVpqJQBh1N6yRoEAAYBCAAEgLXrfD_BwE",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ]
  }
}