New ClickFix variant bypasses Apple safeguards with one-click script execution
Summary
A new macOS variant of ClickFix malware executes malicious scripts with a single click: the lure uses the applescript:// URL scheme, which launches the native Script Editor and runs the script from there. Because nothing is pasted into Terminal, this sidesteps Apple's recent protection that scans commands pasted into Terminal, shortens the infection chain, and ends with delivery of the Atomic Stealer payload.
IFF Assessment
This is bad news for defenders: attackers keep finding legitimate macOS features (here, a URL scheme and a built-in script host) that let them route around newly added safeguards, which lowers the effort needed to deliver malware.
Defender Context
Defenders need to be aware of evolving social engineering tactics that leverage legitimate application features like Script Editor and URL schemes to bypass security controls. This trend highlights the importance of educating users about the risks of clicking unfamiliar links and the need for robust endpoint detection and response (EDR) solutions that can identify and block malicious script execution regardless of the initial vector.
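As an added illustration of the kind of endpoint detection the paragraph above calls for, the following rule flags an AppleScript host (Script Editor or osascript) that was launched on behalf of a browser or with an applescript:// URL in its arguments. This is example code written for this page, not the report's or any vendor's detection content. It assumes a constructed telemetry format in which the EDR records, per process launch, a "pid", "name", "initiator" (the process that requested the launch, for instance the browser that handled the URL scheme) and "args"; the field names, the sample events and the placeholder URL are all constructed.

```python
"""Detection example (constructed): flag AppleScript hosts launched via a browser
or with an applescript:// URL, mirroring the one-click ClickFix chain described
in the report. Telemetry schema and sample events are assumptions for this demo."""
import json

# Processes that execute AppleScript. Script Editor is the app the report names;
# osascript is the command-line interpreter for the same language.
SCRIPT_HOSTS = {"Script Editor", "osascript"}

# Browsers a lure page would be viewed in; extend to match the fleet.
BROWSERS = {"Safari", "Google Chrome", "Firefox", "Microsoft Edge", "Brave Browser"}

# Constructed telemetry: one JSON object per process launch. "initiator" is the
# assumed field naming the process on whose behalf LaunchServices started the
# child; real EDRs may expose this as "responsible process" rather than parent.
SAMPLE_TELEMETRY = """\
{"pid": 501, "name": "Google Chrome", "initiator": "launchd", "args": []}
{"pid": 742, "name": "Script Editor", "initiator": "Google Chrome", "args": ["applescript://EXAMPLE-PLACEHOLDER"]}
{"pid": 755, "name": "Script Editor", "initiator": "Finder", "args": []}
{"pid": 760, "name": "osascript", "initiator": "Terminal", "args": ["-e", "beep"]}
{"pid": 771, "name": "osascript", "initiator": "Safari", "args": ["/tmp/dropped.scpt"]}
"""


def parse_events(text):
    """Parse newline-delimited JSON telemetry into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def reasons(evt):
    """Return the indicators an event matches; an empty list means not flagged.

    Only AppleScript hosts are considered at all, so a browser launching
    something else, or Script Editor opened from Finder by a user, is ignored.
    """
    hits = []
    if evt["name"] not in SCRIPT_HOSTS:
        return hits
    if evt["initiator"] in BROWSERS:
        hits.append("script host launched on behalf of a browser")
    if any(arg.lower().startswith("applescript://") for arg in evt["args"]):
        hits.append("applescript:// URL scheme in arguments")
    return hits


def flag_events(text):
    """Map pid -> list of matched indicators for every flagged event."""
    flagged = {}
    for evt in parse_events(text):
        matched = reasons(evt)
        if matched:
            flagged[evt["pid"]] = matched
    return flagged


if __name__ == "__main__":
    for pid, why in flag_events(SAMPLE_TELEMETRY).items():
        print(f"pid {pid}: {'; '.join(why)}")
```

The two signals are deliberately independent: the browser-initiator check catches the chain even if the URL is not visible in the child's arguments, and the applescript:// check catches it even if the telemetry attributes the launch to launchd. A user opening Script Editor from Finder, or an administrator running osascript from Terminal, produces no hit, which keeps the rule quiet on routine use of the same binaries.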