While looking for a clean copy of DirBuster — a staple web-app pentesting tool — a download link bounced through a redirect and landed on filehazelrocket[.]sbs, a domain registered barely a week earlier. The page was dressed up as a GitHub project, complete with a forged "Verified Publisher" badge and a friendly one-click install box. There was no installer to download. Instead, the page asked the visitor to copy a single line into Terminal "to finish the installation."
That copy-and-paste step was the attack. It is a textbook ClickFix campaign, and the payload it delivers is Atomic Stealer (AMOS) — one of the most active macOS infostealers in circulation. No exploit, no vulnerability, no signed installer for Gatekeeper to quarantine. Just a convincing page and a command the victim runs themselves.
This is squarely the kind of throwaway impersonation infrastructure PhishEye tracks: a brand-new lookalike domain, hidden behind Cloudflare, masquerading as a trusted developer project to harvest credentials. Here is how the campaign works, the indicators to block, and how to respond if a command has already been pasted.
| At a glance | |
|---|---|
| Technique | ClickFix (clipboard hijack → manual Terminal execution) |
| Payload | Atomic Stealer (AMOS) — macOS infostealer |
| Lure | Fake DirBuster "GitHub" page with a forged "Verified Publisher" badge |
| Staging domain | filehazelrocket[.]sbs (registered ~10 days prior, Cloudflare-proxied) |
| Why it slips past defenses | The user runs the command, so Gatekeeper and download reputation never apply |
| Primary targets | Developers and security engineers — high-value credentials |
ClickFix: no exploit, just a copy-and-paste
ClickFix is a social-engineering technique that convinces a user to run a malicious command on their own machine. The packaging varies — a fake CAPTCHA ("verify you are human"), a bogus "your browser needs to be updated" error, or, as here, a phony software-install step — but the mechanism is consistent: a web page silently rewrites the clipboard, then tells the visitor to paste and run what is now sitting there.
The genius of the trick is that it sidesteps almost every automated control. There is no malicious download for a browser or EDR agent to score, no macro to block, no signed bundle for Gatekeeper to check. The operating system sees a user voluntarily typing a command into their own shell. Microsoft, Group-IB, and Proofpoint have all flagged ClickFix as one of the fastest-growing initial-access techniques precisely because it moves the execution decision onto the human.
The lure: a fake DirBuster "GitHub" page
Developers are a deliberate choice of victim. They install command-line tooling constantly, they are comfortable pasting into a terminal, and their machines hold the keys to source code, cloud accounts, and production infrastructure. Wrapping the lure in a security tool like DirBuster is on-theme enough that a hurried engineer does not blink.
The page leaned on three trust cues:
- A GitHub-style layout — repo header, README pane, install instructions — to borrow the platform's credibility without being on github.com.
- A forged "Verified Publisher" badge. Badges are images. Anyone can paste a green checkmark next to a name; it proves nothing.
- A "Terminal installation" block presenting the command as the normal, modern way to install the tool on macOS.
What it did not have was the only thing that matters: a real GitHub URL. The actual project lives on github.com; the install instructions lived on a one-week-old .sbs domain.
Anatomy of the one-liner
The "installation command" looked like routine developer boilerplate:
```shell
echo "<long base64 string>" | openssl base64 -d -A | zsh
```
Read left to right, it does three things: print a Base64 blob, decode it with openssl, and pipe the decoded script straight into zsh for execution. The Base64 wrapper is pure obfuscation — it hides the real script from a glance and from naive clipboard inspection. Nothing ever touches disk as a recognizable file, so there is no download for Gatekeeper to quarantine and no app bundle to flag as unsigned.
The single most useful rule here: never paste a command from a web page into your terminal. Legitimate tools ship through a package manager (`brew install …`), a signed installer, or a release on the project's real domain. A site that needs you to decode and execute a blob "to finish installing" is the attack, not the install.
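A safe way to apply that rule is to decode the blob and read it before anything runs. The script below is an added example, not code from the original post or from PhishEye: it takes a pasted one-liner, reports which program sits at the end of the pipeline, and decodes any Base64 blob it finds with Python's `base64` module (the equivalent of `openssl base64 -d -A`) so the hidden script can be reviewed as text. The command it runs on is constructed with a harmless `echo` payload, and the `brew install --cask some-tool` comparison line is likewise made up for the example.

```python
"""Preview a pasted 'decode | shell' one-liner instead of running it.

Added example for reviewing clipboard contents before they reach a terminal.
Nothing here executes the command: the Base64 blob is decoded in Python so the
script can be read as text.
"""
import base64
import binascii
import re
import shlex

# Constructed sample: same shape as the lure's one-liner, but the encoded
# payload is a harmless echo rather than a stealer loader.
SAMPLE_PAYLOAD = base64.b64encode(b'echo "hello from the decoded script"\n').decode()
SAMPLE_COMMAND = 'echo "%s" | openssl base64 -d -A | zsh' % SAMPLE_PAYLOAD

# Constructed benign command for comparison (package-manager install, no pipeline).
BENIGN_COMMAND = "brew install --cask some-tool"

SHELLS = {"zsh", "bash", "sh", "ksh", "dash"}
# A run of Base64 alphabet characters long enough to be a payload rather than a word.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def pipeline_stages(command):
    """Split on '|'; the Base64 alphabet has no '|', so blobs survive intact."""
    return [stage.strip() for stage in command.split("|") if stage.strip()]


def final_program(stages):
    """Name of the program in the last pipeline stage, with any path stripped."""
    if not stages:
        return ""
    try:
        argv = shlex.split(stages[-1])
    except ValueError:          # unbalanced quotes: fall back to whitespace split
        argv = stages[-1].split()
    return argv[0].rsplit("/", 1)[-1] if argv else ""


def decode_blob(blob):
    """Strict Base64 decode; returns None if the text is not valid Base64 UTF-8."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def preview(command):
    """Describe what the command would do without executing any of it."""
    stages = pipeline_stages(command)
    interpreter = final_program(stages)
    decoded = [text for text in map(decode_blob, B64_RE.findall(command)) if text]
    return {
        "stages": len(stages),
        "interpreter": interpreter,
        "pipes_into_shell": interpreter in SHELLS,
        "decoded_scripts": decoded,
    }


if __name__ == "__main__":
    for cmd in (SAMPLE_COMMAND, BENIGN_COMMAND):
        report = preview(cmd)
        print(cmd)
        print("  pipes into shell:", report["pipes_into_shell"], "via", report["interpreter"] or "-")
        for script in report["decoded_scripts"]:
            print("  decoded script:\n   ", script.rstrip())
```

Run it with the clipboard contents as `preview(pyperclip.paste())` or by pasting into a variable; the decoded text is returned, never executed. A command whose last stage is a shell and whose only visible content is an opaque blob is the signature the post describes, whatever the decoded script turns out to be.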
What gets installed: Atomic Stealer (AMOS)
Atomic Stealer is a commodity macOS infostealer sold on a malware-as-a-service basis and documented by Jamf, Sophos, and Microsoft. Once the script runs, AMOS sweeps the machine for anything that can be sold or reused:
| Target | What the attacker gets |
|---|---|
| iCloud Keychain | Saved passwords, secure notes, certificates |
| Browser data | Saved passwords, autofill, and live session cookies (instant account takeover) |
| Cryptocurrency wallets | Seed phrases and keys from 150+ wallet apps and extensions |
| SSH keys | ~/.ssh private keys for servers and Git remotes |
| Cloud credentials | AWS access keys, often straight from ~/.aws |
| Project secrets | .env files holding API tokens, database URLs, and signing keys |
| Chat tokens | Discord and Telegram session tokens |
For an individual, that is a bad day. For a developer, it can be an organizational breach. A single set of stolen AWS keys, an SSH key into a Git remote, or a .env full of production tokens turns one compromised laptop into a foothold across an entire estate. Stolen session cookies are especially nasty: they let an attacker resume an authenticated session and skip multi-factor authentication entirely.
The infrastructure behind the lure
The staging domain shows the now-familiar fingerprint of disposable criminal infrastructure:
- A newly registered .sbs domain — cheap, high-volume, low-reputation TLDs are favored because they rotate faster than blocklists update.
- Cloudflare in front, which both masks the true origin server and lends a thin layer of legitimacy.
- A consistent delivery endpoint pattern, /ss3/?c=*, used to serve the payload.
- An IP address with a documented abuse history tied to phishing and cryptocurrency-wallet impersonation (SafePal, Atomic Wallet, Trezor, ChangeNOW) and assorted financial-service scams.
In other words, this was not a one-off page. It is one node in a reusable kit, the same way the lookalike domains and credential-harvesting kits PhishEye maps for phishing crews get redeployed across hundreds of throwaway hosts.
MITRE ATT&CK mapping
| Tactic | Technique | In this campaign |
|---|---|---|
| Initial Access | Phishing: Spearphishing Link (T1566.002) | Redirect to the fake DirBuster page |
| Execution | User Execution: Malicious Copy and Paste (T1204.004) | The pasted openssl/base64/zsh one-liner |
| Execution | Command and Scripting Interpreter: Unix Shell (T1059.004) | zsh runs the decoded script |
| Defense Evasion | Deobfuscate/Decode Files or Information (T1140) | Base64 wrapper hides the script |
| Collection | Clipboard Data (T1115) | The page hijacks the clipboard |
| Credential Access | Credentials from Password Stores (T1555); Steal Web Session Cookie (T1539); Unsecured Credentials (T1552) | Keychain, cookies, SSH/AWS keys, .env |
Detection and response
Block and detect. Add the indicators below to DNS, proxy, and EDR blocklists. The highest-signal behavioral detection is a shell process spawned from a base64/openssl decode pipeline — for example openssl … base64 -d feeding zsh, bash, or sh. That pattern is rare in legitimate developer workflows and is worth a high-priority alert across managed Macs.
Verify the source, every time. Install from a package manager or the project's real domain on github.com. A "Verified Publisher" badge is decorative — confirm the actual repository owner and URL. Pasting a suspect link into a phishing URL checker takes seconds and flags throwaway TLDs, lookalike hosts, and missing HTTPS before you ever visit.
If you already pasted the command, assume compromise. Disconnect the machine from the network, then from a known-clean device rotate everything that lived on it: keychain and browser-stored passwords, SSH keys, AWS and other cloud keys, every secret in any .env, and Discord/Telegram sessions. Revoke active sessions to invalidate stolen cookies, move any crypto to a fresh wallet, and reimage the Mac rather than trusting cleanup.
Indicators of compromise (IoCs)
IoCs are defanged with [.]. Re-fang by replacing [.] with . before loading into tooling.
| Type | Indicator |
|---|---|
| Domain | filehazelrocket[.]sbs |
| IPv4 | 188.114.96[.]3 (Cloudflare) |
| IPv6 | 2a06:98c1:3121::3 |
| Delivery endpoint | /ss3/?c=* |
| TLD signal | newly registered .sbs behind Cloudflare |
Execution pattern to hunt for in shell history and EDR telemetry:
```shell
echo "<base64>" | openssl base64 -d -A | zsh
```
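The hunt for that execution pattern, together with the domain and delivery-endpoint indicators from the IoC table, as an added example in Python (not PhishEye's tooling or anything from the original post): it refangs the defanged domain, then runs a decode-to-shell regex and the IoC checks over a handful of constructed telemetry records (shell history, EDR command lines, proxy URLs) and returns one alert per hit. The record shape, the `/ss3/?c=` path check against proxy URLs, and the sample records are assumptions for the example; the Base64 in the first record decodes to a harmless `echo hi`.

```python
"""Hunt for ClickFix-style execution and this campaign's network indicators.

Added example: a decode-to-shell detector plus IoC matching over constructed
telemetry records. The record shape ({"host", "source", "cmdline"} or
{"host", "source", "url"}) is an assumption for the example, not a real EDR schema.
"""
import re
from urllib.parse import urlsplit

# IoCs from the write-up, kept defanged here; refang() restores them for matching.
IOC_DOMAINS = {"filehazelrocket[.]sbs"}
# The delivery endpoint pattern /ss3/?c=* (assumed to appear in proxy URLs this way).
IOC_PATH_RE = re.compile(r"/ss3/\?c=")

# A Base64 decode stage (openssl base64 -d, openssl enc -d ..., base64 -d/-D/--decode)
# piped directly into a Unix shell.
DECODE_TO_SHELL_RE = re.compile(
    r"(?:openssl\s+(?:base64|enc)\b[^|]*-d\b[^|]*"
    r"|\bbase64\s+(?:-d|-D|--decode)\b[^|]*)"
    r"\|\s*(?:/usr/bin/|/bin/)?(?:zsh|bash|sh|ksh|dash)\b"
)

# Constructed telemetry. The Base64 in the first record decodes to "echo hi".
SAMPLE_EVENTS = [
    {"host": "mac-01", "source": "zsh_history",
     "cmdline": 'echo "ZWNobyBoaQo=" | openssl base64 -d -A | zsh'},
    {"host": "mac-01", "source": "edr", "cmdline": "brew install wget"},
    {"host": "mac-02", "source": "edr", "cmdline": "cat blob.txt | base64 -D | bash"},
    {"host": "mac-03", "source": "proxy", "url": "https://filehazelrocket.sbs/ss3/?c=abc123"},
    {"host": "mac-03", "source": "proxy", "url": "https://github.com/example/project"},
    {"host": "mac-04", "source": "edr",
     "cmdline": "openssl base64 -d -in cert.b64 -out cert.pem"},  # decode, no shell
]


def refang(ioc):
    """Turn the defanged form back into a matchable indicator."""
    return ioc.replace("[.]", ".")


def hunt(events):
    """Return (host, rule) pairs for every record that matches a rule."""
    live_domains = {refang(d) for d in IOC_DOMAINS}
    alerts = []
    for event in events:
        cmdline = event.get("cmdline", "")
        if cmdline and DECODE_TO_SHELL_RE.search(cmdline):
            alerts.append((event["host"], "decode-pipeline-to-shell"))
        url = event.get("url", "")
        if url:
            hostname = (urlsplit(url).hostname or "").lower()
            if hostname in live_domains:
                alerts.append((event["host"], "ioc-domain"))
            if IOC_PATH_RE.search(url):
                alerts.append((event["host"], "ioc-delivery-endpoint"))
    return alerts


if __name__ == "__main__":
    for host, rule in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The behavioral rule is the durable one: the domain will be gone within weeks, and the Cloudflare address in the IoC table is shared by countless legitimate sites, so it is context rather than a blocking indicator on its own. The `mac-04` record shows the deliberate gap in the rule: decoding Base64 to a file is common developer work and should not alert; decoding it straight into a shell should.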
How PhishEye fits in
ClickFix is social engineering, so the durable defense is removing the bait before a developer ever reaches it. That is brand-protection work: the lure here was a fake project page impersonating a trusted tool, hosted on a disposable lookalike domain.
PhishEye continuously discovers lookalike and impersonation domains, fake download and landing pages, and the throwaway infrastructure attackers stage them on — then ships evidence and runs coordinated takedowns across registrars, hosts, and platforms. Pair that with dark web and AI monitoring to catch the stolen credentials and brand mentions that surface after a successful steal, and you shorten both halves of the timeline: the lure's lifespan and the window in which leaked secrets are usable.
Frequently asked questions
Is ClickFix a vulnerability or an exploit?
Neither. There is no CVE and nothing to patch on the victim's machine. ClickFix is social engineering — the malicious code runs only because the user copies it from a web page and executes it themselves.
Does macOS Gatekeeper stop this?
No. Gatekeeper checks the signature and notarization of downloaded applications. ClickFix never downloads an app; the script arrives as text on the clipboard and runs in your shell, so Gatekeeper has nothing to evaluate.
How can I tell a fake download page from the real one?
Trust the URL, not the layout. The real project lives on github.com or the vendor's own domain; this lure lived on a week-old .sbs domain. Be suspicious of any "Verified Publisher" badge (they are trivially faked) and of any install step that asks you to paste a command into Terminal. When unsure, run the link through a URL red-flag checker first.
What does Atomic Stealer take?
iCloud Keychain entries, browser passwords and session cookies, 150+ cryptocurrency wallets, SSH keys, AWS and other cloud credentials, .env secrets, and Discord/Telegram tokens.
I already ran the command — what should I do first?
Disconnect from the network and, from a clean device, rotate every credential the Mac held (passwords, SSH keys, cloud keys, .env secrets), revoke active sessions to kill stolen cookies, and reimage the machine. Treat any crypto wallet on it as compromised and move funds to a new one.
