MacSync macOS Infostealer Using ClickFix-Style Terminal Paste Lure to Steal Cryptocurrency Data
Security researchers reported a macOS infostealer dubbed MacSync being distributed as a low-cost Malware-as-a-Service (MaaS), primarily targeting cryptocurrency users via a ClickFix-style social engineering lure. The campaign uses phishing infrastructure (including domains mimicking Microsoft login pages) to redirect victims to a fake macOS cloud storage installer site that instructs users to “install” by copying and pasting a single Terminal command. This approach relies on user execution rather than a signed app package, allowing the infection chain to bypass macOS protections such as Gatekeeper and notarization.
Technical analysis describes a script-based, multi-stage infection chain: the pasted one-liner fetches a remote script that installs a daemonized Zsh loader which detaches from the Terminal session and runs in the background, then retrieves additional payloads (including AppleScript) to perform data theft. Beyond credential and wallet data harvesting, reporting indicates MacSync can persist and expand impact by trojanizing Electron-based cryptocurrency applications (e.g., Ledger Live and Trezor Suite) by overwriting components to present convincing phishing flows designed to capture PINs and recovery phrases, potentially triggering theft well after the initial compromise.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Analysis reveals credential theft and trojanized crypto wallet apps
Technical findings showed MacSync stealing browser credentials, wallet data, Keychain contents, sensitive files, and repeatedly prompting for the macOS password via fake system dialogs. Researchers also found it could trojanize Electron-based wallet applications such as Ledger Live, Trezor Suite, Ledger, and Trezor to present phishing-style recovery and PIN prompts, including delayed harvesting weeks after infection.
CloudSEK documents MacSync as a macOS MaaS infostealer campaign
Researchers reported MacSync as a newly observed macOS infostealer sold as a low-cost Malware-as-a-Service offering, primarily targeting cryptocurrency users. Their analysis described a multi-stage, script-based infection chain that bypassed Gatekeeper, notarization, and signature verification by having victims execute the initial command themselves.
Researchers uncover MacSync phishing infrastructure and fake installer lures
While investigating infrastructure that mimicked Microsoft login pages, researchers identified a campaign redirecting victims to fake cloud-storage or download portals that delivered the MacSync malware. The operation used ClickFix-style social engineering to persuade users to paste a malicious one-liner into Terminal.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
MacSync macOS Infostealer Leverage ClickFix-style Attack to Trick Users Pasting a Single Terminal Command
cybersecuritynews.com
Open sourceMac Users Beware: "MacSync" Malware Tricks You Into Hacking Yourself
securityonline.info
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ClickFix Campaigns Deliver MacSync Infostealer to macOS Users
Researchers reported **three ClickFix campaigns** that used social engineering rather than software exploitation to infect **macOS** users with the **MacSync** infostealer. The activity evolved over several months, beginning with fake sponsored search results for an **OpenAI Atlas** browser download hosted on fraudulent pages, then shifting to malicious workflows that abused shared **ChatGPT** conversations and GitHub-themed landing pages to make the infection chain appear legitimate. In each case, victims were instructed to open **Terminal** and paste commands, allowing the malware to be installed through user action instead of a traditional exploit. The most recent campaign introduced a more advanced **MacSync** variant with **multi-stage loaders**, **dynamic AppleScript payloads**, and **in-memory execution** intended to improve evasion and persistence. Reporting indicates the later activity targeted users in **Belgium, India, and parts of North and South America**, while researchers said it remains unclear whether all three campaigns were conducted by the same threat actor. The findings underscore a broader trend of attackers adapting **ClickFix** lures for macOS, using trusted platforms, sponsored links, and fake AI-tool installers to steal credentials and other sensitive data while bypassing file-based defenses by persuading users to execute the attack themselves.
May 8, 2026
Microsoft Warns macOS Infostealer Campaigns Using ClickFix Lures, Malicious DMGs, and Python Stealers
Microsoft reported that **information-stealing malware activity is expanding from Windows to macOS**, driven by campaigns observed since late 2025 that rely on social engineering and cross-platform tooling. The activity includes **ClickFix-style prompts** and **malicious DMG installers** that deliver macOS-focused infostealer families such as **Atomic macOS Stealer (AMOS)**, **MacSync**, and **DigitStealer**, with operators leveraging **fileless execution**, **native macOS utilities**, and **AppleScript automation** to evade defenses and automate collection. Initial access commonly starts with **malicious search ads (e.g., Google Ads)** that redirect users to fake sites impersonating legitimate tools and then trick victims into running “fix” steps or installing trojanized software. The malware is assessed to target high-value data including browser credentials and session cookies, **iCloud Keychain** contents, crypto wallet data, and **developer secrets**; Microsoft also highlighted growing use of **Python-based stealers** distributed via phishing for rapid adaptation across heterogeneous environments, citing **PXA Stealer** (linked to Vietnamese-speaking actors) as an example used in late-2025 campaigns with persistence mechanisms such as registry `Run` keys or scheduled tasks and **Telegram** used for command-and-control.
Mar 21, 2026
macOS Malware Campaigns Shift Toward Infostealers and Social Engineering to Bypass Apple Protections
Threat actors are increasingly targeting macOS users with **infostealers** and distribution-as-a-service models, reflecting a broader “gold rush” in Apple-focused malware development. Reporting highlights macOS stealers targeting browser credentials and cryptocurrency assets (including seed phrases) and notes tactics to evade Apple controls such as obtaining valid Apple developer signatures to bypass *Gatekeeper*; one cited example is *MacSync* being notarized and signed under Team ID `GNJLS3UYZ4`. The same reporting describes ecosystem-scale enablement, including large-scale compromise of WordPress sites for distribution and novel command-and-control approaches such as using blockchain smart contracts (e.g., on **BNB Smart Chain**), alongside paid-traffic abuse (e.g., promoting malicious AI chat content via ads) to push stealer payloads. Separately, a Darktrace-described investigation details a **multi-stage macOS malware** campaign that prioritizes *social engineering* over exploitation to defeat Apple’s **Transparency, Consent, and Control (TCC)** privacy framework. Victims are lured via phishing to open an AppleScript masquerading as a document (`Confirmation_Token_Vesting.docx.scpt`), which displays a fake “Compatibility” error and instructs the user to launch a “Compatibility Wizard” (e.g., using a keyboard shortcut) that effectively tricks them into authorizing execution and granting access. Together, the reporting indicates macOS threats are increasingly succeeding by combining credential/crypto theft objectives with user-prompt manipulation and trust-abuse techniques rather than relying on kernel or sandbox escapes.
Mar 21, 2026