
Over 2,800 websites used to spread AMOS malware

Ransomware gangs once thrived on infected email attachments and bogus invoices, but security-savvy users and hardened mail gateways have weakened those tactics. Attackers are now focusing on a subtler trick that targets the small checkbox labeled “I’m not a robot” that most people click without thinking. 

A widespread campaign known as MacReaper has compromised more than 2,800 legitimate websites and redirects visitors to an infection process designed specifically for Apple computers. The operation relies on visual trust signals, including a convincing fake of Google’s reCAPTCHA, along with hidden clipboard code that ends with the installation of Atomic macOS Stealer malware, a data-harvesting infostealer distributed through Telegram.


How does the attack unfold?

When a Mac user visits one of the compromised websites, they don’t see the page they were expecting. Instead, the site displays a full-screen imitation of Google’s familiar reCAPTCHA box.

This fake reCAPTCHA appears harmless, simply asking the user to click “I’m not a robot.” However, when the user clicks the box, a hidden command is silently copied to their clipboard. Immediately afterward, the page displays a friendly message, complete with familiar macOS keyboard shortcut visuals, explicitly instructing the user to open Terminal and paste what they’ve just copied. If the user follows these instructions, the command downloads and runs the malicious file known as Atomic macOS Stealer (AMOS).

This trick is specifically targeted at Mac users. The website checks the visitor’s operating system and only activates the attack if it detects macOS. For Windows or Linux users, the site behaves normally. Researchers have dubbed this infection method “ClickFix,” referencing the single click that initiates the attack chain.

At the center of this campaign is AMOS, a sophisticated piece of malware that has become notorious in cybercrime circles. AMOS is available for rent on Telegram, with some versions costing attackers up to $3,000 per month. Once installed, AMOS can steal a wide array of sensitive data: it can extract Wi-Fi and app passwords stored in Keychain, collect browser cookies and autofill data, list system information and scan through personal folders such as Desktop and Documents. It is also capable of identifying and targeting more than 50 types of cryptocurrency wallets.


Domains and sites compromised in the MacReaper campaign

Several cybersecurity reports have identified specific domains involved in the attack infrastructure. Notably, domains such as technavix.cloud and salorttactical.top have been highlighted as part of the malicious network distributing AMOS. The campaign’s initial discovery traced back to a compromised Brazilian news site, agencia2.jornalfloripa.com.br, which served as an early infection vector before the operation expanded to more than 2,800 legitimate websites worldwide.
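
The domains named above can be checked against DNS or proxy logs. The following is an added example, not code from the article or the reports it cites: it matches query names on label boundaries so that look-alike names do not count as hits. The log format, timestamps and client addresses are constructed for illustration.

```python
# Domains named in this article; nothing else is assumed to be an indicator.
INDICATORS = {
    "technavix.cloud",
    "salorttactical.top",
    "agencia2.jornalfloripa.com.br",
}

def normalize(name):
    """Lower-case a query name and strip the trailing root dot of an FQDN."""
    return name.strip().lower().rstrip(".")

def matched_indicator(qname):
    """Return the indicator that qname equals or is a subdomain of, else None."""
    labels = normalize(qname).split(".")
    # Test every label-aligned suffix: a.b.c -> a.b.c, b.c, c
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in INDICATORS:
            return candidate
    return None

# Constructed sample log: "<timestamp> <client IP> <query name>"
SAMPLE_LOG = """\
2025-05-12T09:14:02Z 10.0.4.17 cdn.technavix.cloud.
2025-05-12T09:14:05Z 10.0.4.17 www.apple.com
2025-05-12T09:15:40Z 10.0.4.23 SALORTTACTICAL.TOP
2025-05-12T09:16:11Z 10.0.4.30 nottechnavix.cloud
2025-05-12T09:17:45Z 10.0.4.30 technavix.cloud.example.net
2025-05-12T09:18:20Z 10.0.4.23 agencia2.jornalfloripa.com.br
"""

def hits_by_client(log_text):
    """Map each client IP to the set of indicators it queried."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of guessing fields
        _, client, qname = parts
        ioc = matched_indicator(qname)
        if ioc:
            hits.setdefault(client, set()).add(ioc)
    return hits
```

A hit on agencia2.jornalfloripa.com.br, which the article describes as a compromised news site, shows that the site was visited, not that the machine is infected.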

Macs aren’t as secure as Apple wants you to believe

MacReaper challenges two widely held beliefs. The first is that everyday CAPTCHA checks are just harmless speed bumps. The second is that macOS provides a level of built-in security that keeps most attackers at bay. In reality, a single click can expose Keychain credentials, active browser sessions and cryptocurrency wallets.

These are exactly the kinds of targets that attract credential-stuffing groups and profit-driven cybercriminals. Because the attack is triggered by the user, many network monitoring tools treat the traffic as normal, leaving security teams with little to investigate. In environments where Macs and Windows machines share identity systems, one compromised Mac can open access to single sign-on portals, cloud storage and even production codebases.
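
Because the user's own shell starts the download, endpoint process telemetry is where this chain becomes visible. The sketch below is an added example, not from the article or any vendor: it flags a fetch tool and an interpreter (or a binary in a temp directory) started by the same Terminal-descended shell within a short window. The event schema, tool lists, paths and the 10-second window are assumptions.

```python
import os

# Assumed heuristics (not from the article): tool names, temp paths, window.
FETCHERS = {"curl", "wget"}
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3"}
TEMP_DIRS = ("/tmp/", "/private/tmp/", "/private/var/folders/")
WINDOW_SECONDS = 10

def name(ev):
    return os.path.basename(ev["exe"])

def has_terminal_ancestor(ev, by_pid):
    """Walk parent links; True if the Terminal binary is in the chain."""
    seen = set()  # guards against loops caused by PID reuse
    while ev and ev["pid"] not in seen:
        seen.add(ev["pid"])
        if name(ev) == "Terminal":
            return True
        ev = by_pid.get(ev["ppid"])
    return False

def is_fetch(ev):
    return name(ev) in FETCHERS and any(
        a.startswith(("http://", "https://")) for a in ev["argv"][1:])

def is_execution(ev):
    return name(ev) in INTERPRETERS or ev["exe"].startswith(TEMP_DIRS)

def find_fetch_then_run(events):
    """Return (shell_pid, fetch_pid, exec_pid) for fetch+execute siblings."""
    by_pid = {e["pid"]: e for e in events}
    return [(f["ppid"], f["pid"], e["pid"])
            for f in events if is_fetch(f) and has_terminal_ancestor(f, by_pid)
            for e in events if e["ppid"] == f["ppid"] and e["pid"] != f["pid"]
            and is_execution(e) and abs(e["ts"] - f["ts"]) <= WINDOW_SECONDS]

def event(ts, pid, ppid, exe, *args):
    return dict(ts=ts, pid=pid, ppid=ppid, exe=exe, argv=[exe, *args])

# Constructed exec events in a hypothetical schema (not a real EDR format).
SAMPLE_EVENTS = [
    event(10.0, 100, 1, "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"),
    event(10.6, 120, 100, "/bin/zsh"),
    event(50.0, 130, 120, "/usr/bin/curl", "-fsSL", "https://example.invalid/update"),
    event(50.0, 131, 120, "/bin/sh"),
    event(300.0, 140, 120, "/usr/bin/curl", "-O", "https://example.invalid/report.pdf"),
    event(400.0, 200, 1, "/Library/Example/updater"),
    event(401.0, 210, 200, "/usr/bin/curl", "https://example.invalid/feed"),
    event(401.5, 211, 200, "/bin/sh"),
]
```

Legitimate installer one-liners trip the same rule, so a finding is a prompt for review rather than a verdict.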


6 ways you can stay safe from a MacReaper attack

To protect yourself from the evolving threat of the MacReaper attack, which continues to target users through sophisticated social engineering tactics, consider implementing these six essential security measures.

1) Be skeptical of CAPTCHA prompts: Legitimate CAPTCHA tests never require you to copy commands or paste anything into Terminal. If a website instructs you to do this, it’s likely a scam. Close the page immediately and avoid interacting with it.

2) Don’t click links from unverified emails, and use strong antivirus software: Many MacReaper attacks start with phishing emails that impersonate trusted services. Always verify the sender before clicking on links. If an email seems urgent or unexpected, go directly to the company’s official website instead of clicking any links inside the email.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

3) Enable two-factor authentication: Enable two-factor authentication whenever possible. This adds an extra layer of security by requiring a second form of verification, such as a code sent to your phone, in addition to your password.

4) Keep devices updated: Regularly updating your operating system, browser and security software ensures you have the latest patches against known vulnerabilities. Cybercriminals exploit outdated systems, so enabling automatic updates is a simple but effective way to stay protected.

5) Monitor your accounts for suspicious activity and change your passwords: If you’ve interacted with a suspicious website, phishing email or fake login page, check your online accounts for any unusual activity. Look for unexpected login attempts, unauthorized password resets or financial transactions that you don’t recognize. If anything seems off, change your passwords immediately and report the activity to the relevant service provider. Also, consider using a password manager to generate and store complex passwords.

6) Invest in a personal data removal service: Consider using a service that monitors your personal information and alerts you to potential breaches or unauthorized use of your data. These services can provide early warning signs of identity theft or other malicious activities resulting from MacReaper or similar attacks. While no service promises to remove all your data from the internet, a removal service is useful if you want to continuously monitor and automate the removal of your information from hundreds of sites over a longer period of time.


Kurt’s key takeaway

MacReaper makes it clear that the most durable exploits aren’t zero-days but borrowed moments of trust: an authentic-looking CAPTCHA, a helpful-sounding fix, a clipboard that does what it’s told. As Apple tightens the technical screws with Rapid Security Responses and notarization, expect adversaries to double down on such psychological levers. The counter-strategy is to hard-bake healthy skepticism into user behavior and to instrument Macs with the same telemetry layers enterprises already expect from Windows. Security, in other words, has finally become a platform-agnostic muscle, and complacency is the riskiest operating system of all.


Copyright 2025 CyberGuy.com. All rights reserved.
