← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
ClickFix Malware Uses macOS Script Editor to Deliver Atomic Stealer
WHITE AlienVault 2026-04-08 Modified: 2026-04-08
5
IOCs
LOW VOLUME
Jamf Threat Labs discovered a ClickFix-style macOS attack that abuses the applescript:// URL scheme to launch Script Editor and deliver an Atomic Stealer infostealer payload — bypassing Terminal entirely.
atomicstealerclickfixinfostealerapplescriptmacos
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
AtomicStealer ClickFix
Indicators of Compromise (5)
All FileHash-SHA256 URL domain
TYPEINDICATORDESCRIPTIONCREATED
FileHash-SHA256 04566d1d3f9717b2e7e6b643775d9ca72cef942f6df9ce075cf8c73a1bd2565a 2026-04-08
FileHash-SHA256 3d3c91ee762668c85b74859e4d09a2adfd34841694493b82659fda77fe0c2c44 2026-04-08
URL https://dryvecar.com/cleaner3/update 2026-04-08
URL https://dryvecar.com/curl/04566d1d3f9717b2e7e6b643775d9ca72cef942f6df9ce075cf8c73a1bd2565a 2026-04-08
domain dryvecar.com 2026-04-08
References (1)
↗ https://www.jamf.com/blog/clickfix-macos-script-editor-atomic-stealer/