{
  "name": "ClickFix Malware Uses macOS Script Editor to Deliver Atomic Stealer",
  "slug": "clickfix-malware-uses-macos-script-editor-to-deliver-atomic-stealer",
  "description": "Jamf Threat Labs discovered a ClickFix-style macOS attack that abuses the applescript:// URL scheme to launch Script Editor and deliver an Atomic Stealer infostealer payload \u2014 bypassing Terminal entirely.",
  "published": "2026-04-08T14:49:01.033000+00:00",
  "created_at": "2026-04-08T16:31:43.471000+00:00",
  "modified_at": "2026-04-08T14:31:43+00:00",
  "created_at_opencti": "2026-04-08T16:31:43.471000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "applescript",
    "atomicstealer",
    "clickfix",
    "infostealer",
    "macos"
  ],
  "tags": [
    "2026-04-08",
    "applescript",
    "atomicstealer",
    "clickfix",
    "infostealer",
    "macos"
  ],
  "related_entities": {
    "indicators": [
      {
        "id": "734d9d87-3b96-411d-a4a7-132bd82350ee",
        "name": "3d3c91ee762668c85b74859e4d09a2adfd34841694493b82659fda77fe0c2c44"
      },
      {
        "id": "c4eaaf0d-6812-46c1-9862-81d369524e91",
        "name": "https://dryvecar.com/curl/04566d1d3f9717b2e7e6b643775d9ca72cef942f6df9ce075cf8c73a1bd2565a"
      },
      {
        "id": "5f0f4c0d-fd4c-4d52-aec5-a8aee335c839",
        "name": "https://dryvecar.com/cleaner3/update"
      },
      {
        "id": "7105947f-6071-49fe-8892-6a93204d91d6",
        "name": "dryvecar.com"
      },
      {
        "id": "ae304f92-04c3-4cd7-ba23-339004ec3cab",
        "name": "04566d1d3f9717b2e7e6b643775d9ca72cef942f6df9ce075cf8c73a1bd2565a"
      }
    ],
    "attack_patterns": [
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "malware": [
      {
        "id": "781e1400-e827-446b-b4ab-09af6d90bb0d",
        "name": "AtomicStealer",
        "slug": "atomicstealer"
      },
      {
        "id": "2d2c305e-d8f7-4cb6-8195-6cce5631c6c9",
        "name": "ClickFix",
        "slug": "clickfix"
      }
    ],
    "observables": [
      {
        "id": "b0af4549-b779-4db8-b5c9-400caff35af4",
        "name": "dryvecar.com"
      },
      {
        "id": "22ac6815-84d7-4fd2-979b-7fdd013e7bef",
        "name": "https://dryvecar.com/curl/04566d1d3f9717b2e7e6b643775d9ca72cef942f6df9ce075cf8c73a1bd2565a"
      },
      {
        "id": "6fcae89c-c1a9-45ed-beec-fb7a2c8f51ea",
        "name": "https://dryvecar.com/cleaner3/update"
      },
      {
        "id": "",
        "name": "3d3c91ee762668c85b74859e4d09a2adfd34841694493b82659fda77fe0c2c44"
      },
      {
        "id": "",
        "name": "04566d1d3f9717b2e7e6b643775d9ca72cef942f6df9ce075cf8c73a1bd2565a"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "dryvecar.com"
      }
    ]
  },
  "external_refs": [
    {
      "id": "0de0017e-b97e-4e6f-8dc6-8ebe28758560",
      "standard_id": "external-reference--8e3aff1b-ee45-5c64-ba97-3e2dce2f58d4",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.jamf.com/blog/clickfix-macos-script-editor-atomic-stealer/",
      "hash": null,
      "external_id": null,
      "created": "2026-04-08T16:31:41.880Z",
      "modified": "2026-04-08T16:31:41.880Z",
      "createdById": null
    },
    {
      "id": "e14067bb-9ef0-4532-84dd-35d9d7c65f51",
      "standard_id": "external-reference--a3480b6b-a052-528e-9de7-6ea9a1d178e5",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/69d66add921797e6515cf4b1",
      "hash": null,
      "external_id": "69d66add921797e6515cf4b1",
      "created": "2026-04-08T16:31:41.856Z",
      "modified": "2026-04-08T16:31:41.856Z",
      "createdById": null
    }
  ]
}