
Uncovering a Global macOS Malware Campaign
A recent Malware-as-a-Service (MaaS) campaign uses the "ClickFix" social engineering framework to distribute the Atomic macOS Stealer (AMOS) through compromised high-traffic WordPress sites such as web.hypothes.is and unitedwaynca.org. The attack employs a two-stage loader behind strict Traffic Delivery System (TDS) filtering that targets macOS users arriving from residential or cellular IP addresses, and it displays a fake Cloudflare verification modal that tricks the victim into executing a Base64-encoded payload in Terminal. The campaign spans multiple stages: api.aloparatoriuz.com and volcatomix.com host the initial and secondary payloads, while stradisamplix.com and the IP address 86.54.42.244 handle exfiltration. Copying the malicious script does not by itself complete the infection; the victim must still take further action to run it.
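As an added example (not part of the write-up above), the following Python script runs two simple detections over a handful of constructed endpoint log lines: it flags process commands that decode a Base64 blob straight into a shell interpreter, the execution pattern the ClickFix modal relies on, and it matches DNS and network records against the domains and IP address named in the summary. The key=value log format, the host names and the `UExBQ0VIT0xERVI=` blob (which decodes to the word PLACEHOLDER) are constructed for this example; the indicators are the ones listed above.

```python
"""Detection sketch for the ClickFix / AMOS pattern described above.

Two checks run over simple key=value endpoint log lines:
  1. a process command that decodes Base64 and pipes the result into a shell;
  2. DNS or network records touching the indicators named in the write-up.
The log format and the sample records are constructed for this example.
"""
import re
from dataclasses import dataclass

# Indicators taken from the summary above; extend from your own intelligence.
IOC_DOMAINS = {"api.aloparatoriuz.com", "volcatomix.com", "stradisamplix.com"}
IOC_IPS = {"86.54.42.244"}

# macOS `base64` accepts -D/--decode (newer builds also take -d); the lure
# hinges on piping the decoded bytes straight into sh, bash or zsh.
DECODE_TO_SHELL = re.compile(r"base64\s+(?:-d|-D|--decode)\b.*\|\s*(?:ba|z)?sh\b")

# key=value or key="quoted value" tokens (constructed log format)
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    evidence: str


def parse_line(line: str) -> dict:
    """Turn one log line into a dict; quoted and unquoted values both supported."""
    return {k: (q if q else b) for k, q, b in KV.findall(line)}


def is_ioc_domain(name: str) -> bool:
    """Exact or subdomain match against the listed domains."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def check_record(rec: dict) -> list:
    """Apply both rules to one parsed record and return the findings."""
    host = rec.get("host", "?")
    hits = []
    cmd = rec.get("cmd", "")
    if DECODE_TO_SHELL.search(cmd):
        hits.append(Finding(host, "base64_decode_to_shell", cmd))
    query = rec.get("query", "")
    if query and is_ioc_domain(query):
        hits.append(Finding(host, "ioc_domain", query))
    dst = rec.get("dst", "")
    if dst.rsplit(":", 1)[0] in IOC_IPS:
        hits.append(Finding(host, "ioc_ip", dst))
    return hits


def scan(lines) -> list:
    """Parse and check every line, returning all findings in log order."""
    return [f for line in lines for f in check_record(parse_line(line))]


# Constructed sample log: two benign process records (the second decodes
# Base64 to a file, not a shell), one ClickFix-style command whose blob
# decodes to the word PLACEHOLDER, and benign plus IoC DNS/network records.
SAMPLE_LOG = [
    '2025-01-10T09:00:01Z type=process host=mac-01 user=alice cmd="ls -la /Users/alice"',
    '2025-01-10T09:00:05Z type=process host=mac-01 user=alice cmd="base64 -D notes.b64 > notes.txt"',
    '2025-01-10T09:01:12Z type=process host=mac-01 user=alice cmd="echo UExBQ0VIT0xERVI= | base64 -D | sh"',
    '2025-01-10T09:01:13Z type=dns host=mac-02 query=www.example.com',
    '2025-01-10T09:01:14Z type=dns host=mac-02 query=api.aloparatoriuz.com',
    '2025-01-10T09:02:30Z type=net host=mac-02 dst=86.54.42.244:443',
    '2025-01-10T09:02:31Z type=net host=mac-02 dst=203.0.113.5:443',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.host}: {f.rule}: {f.evidence}")
```

Run against the constructed sample, the script reports three findings: the decode-to-shell command on mac-01, the DNS lookup of api.aloparatoriuz.com and the connection to 86.54.42.244 on mac-02. The decode-to-file record is deliberately left unflagged, since the behavioural rule keys on the pipe into a shell rather than on Base64 use alone.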