ClickFix Campaigns Deliver MacSync Infostealer to macOS Users
Researchers reported three ClickFix campaigns that used social engineering rather than software exploitation to infect macOS users with the MacSync infostealer. The activity evolved over several months, beginning with fake sponsored search results for an OpenAI Atlas browser download hosted on fraudulent pages, then shifting to malicious workflows that abused shared ChatGPT conversations and GitHub-themed landing pages to make the infection chain appear legitimate. In each case, victims were instructed to open Terminal and paste commands, allowing the malware to be installed through user action instead of a traditional exploit.
The most recent campaign introduced a more advanced MacSync variant with multi-stage loaders, dynamic AppleScript payloads, and in-memory execution intended to improve evasion and persistence. Reporting indicates the later activity targeted users in Belgium, India, and parts of North and South America, while researchers said it remains unclear whether all three campaigns were conducted by the same threat actor. The findings underscore a broader trend of attackers adapting ClickFix lures for macOS, using trusted platforms, sponsored links, and fake AI-tool installers to steal credentials and other sensitive data while bypassing file-based defenses by persuading users to execute the attack themselves.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
14 events from the most recent confirmed update back to the earliest known activity.
Microsoft details three macOS ClickFix infostealer variants and Apple mitigations
On 2026-05-06, Microsoft reported an evolving macOS ClickFix campaign using fake troubleshooting and utility pages to trick users into pasting Terminal commands, documenting helper, loader, and script-install variants active from late January through April 2026. The report said the activity delivered SHub Stealer and related payloads, used persistence via LaunchAgents and LaunchDaemons, included Telegram-based C2 fallback, and noted Apple had updated XProtect and added Terminal paste-blocking protections in macOS 26.4 and later.
Lazarus uses Mach-O Man ClickFix lures to deploy macrasv2 on macOS
On 2026-05-01, SC Media reported that North Korea-linked Lazarus Group was targeting high-value fintech and cryptocurrency professionals on macOS with a ClickFix campaign using fake Teams, Zoom, and Google Meet pages. Victims were tricked into running Terminal commands that launched the Mach-O Man malware kit, which staged fake macOS apps, harvested credentials and host data, and deployed the macrasv2 stealer.
Netskope identifies ClickFix campaign targeting Asia finance-sector macOS users
On 2026-04-21, Netskope Threat Labs disclosed an active ClickFix campaign targeting macOS users in Asia’s finance sector with an AppleScript-based infostealer that also has Windows-targeting capability. The campaign uses fake CAPTCHA prompts and a pasted curl command to steal credentials, Keychain data, browser and wallet information, and forces victims to enter their macOS password through a deceptive Apple-like prompt.
Breakglass maps MacSync C2 APIs and exposes SOCKS5 proxy monetization
On 2026-04-03, Breakglass Intelligence reported a newly identified MacSync command-and-control server and documented 29 API endpoints exposing a mature malware-as-a-service platform. The analysis showed MacSync could convert infected Macs into rotating SOCKS5 residential proxies and noted that Apple Developer ID certificate GNJLS3UYZ4 was still valid and signing MacSync samples, helping them bypass Gatekeeper warnings.
Recorded Future links five ClickFix clusters to Windows and macOS malware delivery
On March 25, 2026, Recorded Future’s Insikt Group reported five distinct ClickFix activity clusters targeting Windows and macOS users through fake verification and brand-impersonation lures. The report said several clusters delivered NetSupport RAT, while a dual-platform/macOS cluster was assessed with high confidence to deliver the MacSync infostealer using a common four-stage execution chain.
CIS warns MacSync campaign is impacting U.S. SLTT macOS users
On March 19, 2026, CIS CTI reported an ongoing ClickFix-driven MacSync stealer campaign affecting macOS users in U.S. State, Local, Tribal, and Territorial government organizations. The activity used SEO poisoning and fake CAPTCHA pages to trick victims into running Terminal commands, extending known MacSync tradecraft into a newly identified government-sector victim set.
MacSync delivery expands via SEO poisoning and fake verification pages
By early 2026, a separate macOS campaign used SEO poisoning around searches for PDF books to redirect users to fake verification pages that prompted malicious Terminal execution. The staged infection chain delivered an AppleScript-based MacSync stealer that exfiltrated credentials, browser data, wallets, SSH keys, cloud configs, and documents.
Claude-themed ClickFix campaign targets developers with MacSync
By March 2026, a campaign dubbed Claude Fraud was using sponsored Google ads and fake Claude-related sites, including pages on claude.ai and Squarespace, to target developers and security professionals. On macOS, victims were induced to paste Terminal commands that installed MacSync, and the campaign was reported to have affected more than 15,600 victims overall.
Sophos discloses three MacSync ClickFix campaigns targeting macOS users
On March 16, 2026, Sophos publicly reported three distinct ClickFix campaigns observed from November 2025 through February 2026 that delivered the MacSync infostealer to macOS users. The disclosure highlighted a clear increase in attacker sophistication and the growing use of AI-themed and trusted-platform lures to steal credentials, files, keychain data, and cryptocurrency seed phrases.
Breakglass exposes BarkBlitz crypto-targeting MacSync campaign
On 2026-03-12, Breakglass Intelligence reported that the MacSync stealer, also tracked as BarkBlitz, had been active since at least November 2025 and was targeting cryptocurrency users through ClickFix-style fake Zoom, Trezor Suite, and Ledger lures. The report detailed recovered AppleScript payloads, three C2 domains, malware signed with a stolen Apple Developer ID, and a capability to backdoor Ledger Wallet and Ledger Live for later seed-phrase theft and transaction interception.
Latest ClickFix campaign adds GitHub-themed lures and in-memory execution
In February 2026, researchers observed the most advanced MacSync ClickFix campaign yet, using regionally targeted pages impersonating trusted platforms such as GitHub and multi-stage loaders. The updated MacSync variant added dynamic AppleScript payloads, in-memory execution, and tracking infrastructure to improve evasion and victim profiling.
MacSync campaign shifts to ChatGPT shared-conversation lures
By December 2025, attackers had evolved their macOS ClickFix activity to use malicious or weaponized ChatGPT shared conversation links and other AI-themed installation prompts. The campaign continued to rely on users manually executing Terminal commands rather than exploiting software flaws.
Jamf flags ClickFix lures distributing MacSync on macOS
In December 2025, Jamf Threat Labs previously identified ClickFix-style lures being used to distribute the MacSync infostealer to macOS users. This marked an early public indication that pastejacking-style social engineering had expanded to MacSync delivery.
ClickFix campaign uses fake OpenAI Atlas browser lure to deliver MacSync
In November 2025, researchers observed a ClickFix campaign targeting macOS users through sponsored Google search results and a fake Google Sites page advertising a bogus OpenAI Atlas browser. Victims were tricked into pasting obfuscated Terminal commands that installed the MacSync infostealer.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
16 references tracked. Mallory keeps watching after this page renders.
Fake macOS Troubleshooting Sites Used to Steal iCloud Data in ClickFix Scam
hackread.com
Open sourceNew ClickFix Attack Targets macOS Users With Fake Disk Cleanup and Utility Lures - Cyber Security News
cybersecuritynews.com
Open sourceClickFix campaign uses fake macOS utilities lures to deliver infostealers | Microsoft Security Blog
microsoft.com
Open sourceNew Mach-O Man malware tapped by Lazarus in macOS-targeted ClickFix attacks | brief | SC Media
scworld.com
Open sourceFrom Windows to macOS: ClickFix attacks shift tactics with ChatGPT-based lures
securityaffairs.com
Open sourceClickFix campaigns target macOS users via MacSync infostealer | news | SC Media
scworld.com
Open sourceClickFix Campaigns Spread MacSync macOS Infostealer via Fake AI Tool Installers
thehackernews.com
Open sourceMacSync / BarkBlitz: A Five-Month macOS Stealer Campaign Targeting Crypto Users - Breakglass Intelligence - Breakglass Intelligence
intel.breakglass.tech
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ClickFix Social Engineering Drives Multi-Platform Malware Delivery
Security researchers reported multiple active campaigns using **ClickFix** social engineering—fake error dialogs or verification prompts that trick users into manually running attacker-supplied commands—to bypass browser and download protections and establish an initial foothold. In one enterprise case investigated by **CERT Polska (cert.pl)**, victims were lured via compromised websites showing a fake CAPTCHA/“fix” prompt that instructed them to paste and run a **PowerShell** command via `Win+R`; the script then downloaded a dropper and enabled rapid follow-on activity that can scale to **enterprise-wide compromise**, including deployment of secondary malware such as **Latrodectus** and **Supper** for data theft, lateral movement, and potential ransomware staging. A separate ClickFix operation targeted **macOS developers** by cloning the *Homebrew* site on typosquatted infrastructure; the “install” command was subtly altered to fetch content from `raw.homabrews.org` instead of `raw.githubusercontent.com`, leading to **Cuckoo Stealer** deployment and credential harvesting via repeated password prompts using macOS Directory Services, with related domains tied to shared hosting at **`5.255.123.244`**. ClickFix was also observed as the initial execution mechanism for the resurfaced **Matanbuchus 3.0** MaaS loader, which uses deceptive copy/paste prompts and **silent MSI** execution (via `msiexec`) to deliver a new payload, **AstarionRAT**, enabling capabilities including credential theft and **SOCKS5** proxying; operators were reported to move laterally quickly (including toward domain controllers), consistent with ransomware or data-exfiltration objectives.
Mar 21, 2026
Microsoft Warns macOS Infostealer Campaigns Using ClickFix Lures, Malicious DMGs, and Python Stealers
Microsoft reported that **information-stealing malware activity is expanding from Windows to macOS**, driven by campaigns observed since late 2025 that rely on social engineering and cross-platform tooling. The activity includes **ClickFix-style prompts** and **malicious DMG installers** that deliver macOS-focused infostealer families such as **Atomic macOS Stealer (AMOS)**, **MacSync**, and **DigitStealer**, with operators leveraging **fileless execution**, **native macOS utilities**, and **AppleScript automation** to evade defenses and automate collection. Initial access commonly starts with **malicious search ads (e.g., Google Ads)** that redirect users to fake sites impersonating legitimate tools and then trick victims into running “fix” steps or installing trojanized software. The malware is assessed to target high-value data including browser credentials and session cookies, **iCloud Keychain** contents, crypto wallet data, and **developer secrets**; Microsoft also highlighted growing use of **Python-based stealers** distributed via phishing for rapid adaptation across heterogeneous environments, citing **PXA Stealer** (linked to Vietnamese-speaking actors) as an example used in late-2025 campaigns with persistence mechanisms such as registry `Run` keys or scheduled tasks and **Telegram** used for command-and-control.
Mar 21, 2026
ClickFix Campaign Abuses Claude Artifacts and Google Ads to Deliver macOS Infostealers
Threat actors are running a **ClickFix**-style social-engineering campaign that abuses **Google sponsored search results** to funnel macOS users to malicious content hosted on legitimate platforms, including **Anthropic Claude public artifacts** (`claude.ai`) and **Medium** pages impersonating trusted sources (e.g., Apple Support). The lures target common search queries such as “online DNS resolver,” “macOS CLI disk space analyzer,” and “HomeBrew,” then instruct victims to paste and run Terminal commands that decode/execute payloads (e.g., `echo "..." | base64 -D | zsh` or `curl ... | zsh`). Researchers (Moonlock Lab/MacPaw and AdGuard) reported that the malicious Claude artifact accumulated **~12,300 to 15,600 views**, indicating significant exposure (reported as **10,000+** and **15,000+** potential victims across coverage). The payloads deliver macOS information-stealing malware, including **MacSync**, which collects data such as **Keychain credentials, browser data, and cryptocurrency wallet files**. Reported tradecraft includes downloading and executing a shell script, using an AppleScript component for theft, staging stolen data into `/tmp/osalogging.zip`, and exfiltrating via HTTP POST to attacker infrastructure (e.g., `a2abotnet[.]com/gate`, with C2 paths like `a2abotnet[.]com/dynamic`). The malware attempts to blend in by spoofing legitimate macOS browser User-Agent strings and includes retry logic for large/chunked uploads, then removes staging artifacts to reduce forensic traces.
May 17, 2026