Surge of ClickFix Campaigns Targets macOS Users, Spreading MacSync Infostealer
A concerning new trend has emerged in the realm of cybersecurity, as malicious ClickFix campaigns are increasingly targeting macOS users and delivering the notorious MacSync infostealer. This development signifies a notable shift in the approach taken by threat actors, particularly in their tactics against users of Apple devices.
Unlike prior attack methods that relied heavily on exploiting software vulnerabilities, the latest wave of ClickFix campaigns has pivoted to social engineering. These attacks trick users into executing harmful commands themselves in the macOS Terminal, which leaves traditional, exploit-focused security measures largely ineffective.
Understanding ClickFix Tactics
The ClickFix method is characterized by its deceptive approach in which attackers present victims with step-by-step instructions. This strategy persuades users to copy and run commands that ultimately trigger the installation of malware. Because this attack method hinges on human interaction rather than taking advantage of software vulnerabilities, conventional protective measures—such as phishing-resistant authentication protocols like FIDO2—offer minimal protection.
Historically, campaigns employing ClickFix tactics were predominantly aimed at Windows systems. However, researchers have noted a series of campaigns between November 2025 and February 2026 specifically designed for macOS users, showcasing an alarming evolution in the cyber threat landscape.
Campaign Evolution and Techniques
One of the earliest identified campaigns surfaced in November 2025, utilizing Google malvertising as its primary channel. Users searching for terms like “ChatGPT Atlas” were met with sponsored search results that redirected them to malicious pages hosted on Google Sites. These pages adeptly mimicked legitimate OpenAI branding and urged users to download a fictitious “OpenAI Atlas browser” for macOS.
Upon clicking the deceptive download button, victims received instructions to open Terminal and paste a lengthy command. Executing this command downloaded a malicious Bash script that prompted the user for their macOS password and ultimately installed a Mach-O binary containing the MacSync infostealer.
Advanced Social Engineering Tactics
The sophistication of these campaigns intensified further in December 2025, when attackers employed a more advanced social engineering strategy. Instead of simply redirecting users to fraudulent websites, the attackers utilized sponsored Google ads linking to shared conversations hosted on the legitimate ChatGPT platform. These discussions included helpful advice on Mac system optimization and cleanup, cunningly embedding links that redirected unwitting users to fake GitHub-themed landing pages.
Again, victims were instructed to execute terminal commands that quietly downloaded the MacSync payload onto their systems. Researchers found that the attackers had embedded their own tracking infrastructure in the malicious pages to measure the campaign's effectiveness: a hidden "stats.php" endpoint collected visitor details, including IP addresses and geolocation data, and relayed them to a Telegram bot operated by the attackers.
Telemetry data revealed thousands of interactions with the malicious installation pages within days, indicating the campaign’s extensive reach, even if not every interaction led to an actual infection.
The Next Phase of the Threat
By February 2026, researchers reported the emergence of an enhanced version of the MacSync infostealer. Unlike earlier iterations that ran as standalone Mach-O binaries, this variant used a multi-stage loader architecture designed to evade security tools.
Once victims executed the malicious terminal command, a Base64-encoded and compressed script was retrieved from a command-and-control (C2) server. Operating silently in the background, this script authenticated itself using API keys and dynamically downloaded additional AppleScript payloads designed to harvest extensive data.
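The loader stage described above, a Base64-encoded and compressed script chained into a shell, is something an analyst or help-desk responder will want to inspect without running it. The following triage helper is an added example written for this article, not code from the researchers or from MacSync; it flags the decode/decompress/execute pattern in a pasted command and recovers the embedded script for reading. The sample command it is run against is constructed here with a harmless stage-two script and is not the actual campaign payload.

```python
import base64
import gzip
import re
import zlib

# Traits typical of a ClickFix-style one-liner: remote fetch, embedded
# Base64, decompression, AppleScript and backgrounding. Each hit is a reason,
# not a verdict; legitimate install scripts sometimes share one of them.
SUSPICIOUS = [
    (r"\bcurl\b.*\|\s*(ba)?sh\b", "pipes remote content straight into a shell"),
    (r"\bbase64\s+(-d|--decode|-D)\b", "decodes an embedded Base64 blob"),
    (r"\b(gunzip|gzip\s+-d|zcat|xz\s+-d)\b", "decompresses an embedded payload"),
    (r"\bosascript\b", "runs AppleScript"),
    (r"\bnohup\b|&\s*$", "runs in the background"),
]

def assess_command(cmd):
    """Return the list of reasons a pasted command resembles a ClickFix loader."""
    return [why for pat, why in SUSPICIOUS if re.search(pat, cmd)]

def extract_base64_blob(cmd):
    """Pull the longest Base64-looking token (40+ chars) out of a command line."""
    tokens = re.findall(r"[A-Za-z0-9+/]{40,}={0,2}", cmd)
    return max(tokens, key=len) if tokens else None

def decode_payload(blob):
    """Decode Base64, then transparently undo gzip or zlib, without executing."""
    raw = base64.b64decode(blob)
    if raw[:2] == b"\x1f\x8b":          # gzip magic bytes
        raw = gzip.decompress(raw)
    else:
        try:
            raw = zlib.decompress(raw)   # plain zlib stream
        except zlib.error:
            pass                         # not compressed; keep as-is
    return raw.decode("utf-8", errors="replace")

# Constructed sample: a harmless stage-two script packaged the way the
# article describes (Base64 over gzip), then chained into a shell.
INNOCUOUS_STAGE2 = "#!/bin/bash\necho 'stage two would run here'\n"

def build_sample_command(script=INNOCUOUS_STAGE2):
    blob = base64.b64encode(gzip.compress(script.encode())).decode()
    return f"echo {blob} | base64 -d | gunzip | bash &"

if __name__ == "__main__":
    cmd = build_sample_command()
    print("reasons:", assess_command(cmd))
    print("recovered stage two:\n" + decode_payload(extract_base64_blob(cmd)))
```

Run it against any command a user reports having pasted; three or more reasons, or a recovered script that itself fetches further stages, is a strong signal to isolate the host and collect Terminal history.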
These payloads gathered sensitive information, including:
- Credentials and cookies from Chrome and Firefox browsers.
- macOS Keychain databases, SSH keys, and AWS credentials.
- Files from critical directories such as Desktop, Documents, and Downloads.
- Data from cryptocurrency wallets and browser extensions.
- Telegram Desktop data and Safari cookies.
The compiled data was then packaged into a ZIP archive and exfiltrated in segments to the attackers’ infrastructure. Notably, the malware also attempted to modify cryptocurrency wallet applications like Ledger Live, injecting malicious code aimed at stealing recovery seed phrases.
Increasing Threat Awareness
This ongoing series of ClickFix campaigns underscores a pivotal moment in the evolving cyber threat landscape. Researchers have observed clusters of infections across various regions, including Belgium, India, and both North and South America. Security experts emphasize that as the market share for macOS continues to rise, users are increasingly becoming prime targets for infostealers and other forms of malware.
Techniques like the ClickFix attack exploit human behaviors rather than software vulnerabilities, highlighting the critical importance of user awareness and education as the first line of defense.
Organizations and individual users are urged to avoid executing unknown terminal commands from websites and to validate search results before downloading any software. Furthermore, deploying endpoint protection capable of detecting macOS malware variants such as MacSync is strongly recommended.
In a proactive step, security products have started incorporating detection signatures for the new malware variants—OSX/InfoStl-FQ, OSX/InfoStl-FR, and OSX/InfoStl-FH—while researchers tirelessly monitor the evolving landscape of cyber threats.