New ClickFix Attacks Target macOS Users with MacSync Infostealer
A new wave of ClickFix campaigns are targeting macOS users and delivering the MacSync infostealer, signaling a growing shift in threat actor tactics against Apple devices.
The attacks rely heavily on social engineering rather than software exploits, tricking users into manually executing malicious commands in macOS Terminal.
ClickFix is a deceptive technique where attackers present step‑by‑step instructions that persuade victims to copy and run commands that ultimately install malware.
Because the attack depends on user interaction rather than exploiting vulnerabilities, traditional protections such as phishing‑resistant authentication mechanisms like FIDO2 offer little defense.
Historically, ClickFix campaigns primarily targeted Windows systems. However, researchers observed several campaigns between November 2025 and February 2026 specifically designed for macOS users.
These operations used evolving social engineering techniques and multiple delivery mechanisms to distribute the MacSync infostealer.
One of the earliest campaigns in November 2025 used Google malvertising. Users searching for terms like “ChatGPT Atlas” encountered sponsored search results leading to malicious pages hosted on Google Sites.
The pages mimicked legitimate OpenAI branding and encouraged users to download the fictional “OpenAI Atlas browser” for macOS.

When victims clicked the download button, they were presented with instructions directing them to open Terminal and paste a complex command.
Once executed, the command downloaded a malicious Bash script that prompted the user for their macOS password and installed a MachO binary containing the MacSync infostealer.
ChatGPT Lures and GitHub
A second campaign discovered in December 2025 introduced a more sophisticated social engineering strategy. Instead of redirecting users to fake websites, attackers used sponsored Google ads that linked to shared conversations hosted on the legitimate ChatGPT platform.
These conversations provided helpful instructions for cleaning or optimizing a Mac system. Embedded links redirected users to GitHub‑themed landing pages that simulated legitimate software installation interfaces.

Victims were again instructed to run terminal commands that silently downloaded the MacSync payload.
Researchers discovered that attackers embedded tracking infrastructure within the malicious pages to monitor campaign effectiveness.
A hidden stats.php endpoint collected visitor information such as IP addresses, geolocation data, and timestamps, and reported the activity directly to a Telegram bot operated by the attackers.

Telemetry revealed thousands of interactions with the malicious installation pages within days of deployment.
The tracking system counted instances where users copied the malicious command, indicating significant campaign reach even though not every interaction resulted in infection.
By February 2026, researchers observed a new evolution of the campaign involving a significantly enhanced version of the MacSync infostealer.
Unlike earlier variants distributed as standalone MachO binaries, the updated malware uses a multi‑stage loader architecture designed to evade security tools.
Once a user runs the malicious terminal command, a Base64‑encoded and compressed script is retrieved from a command‑and‑control (C2) server.
The script executes silently in the background, authenticates itself using API keys and tokens, and dynamically downloads additional AppleScript payloads.
These payloads perform extensive data harvesting, including:
- Browser credentials, cookies, autofill data, and browsing history from Chromium and Firefox‑based browsers.
- macOS Keychain databases, SSH keys, AWS credentials, and Kubernetes configurations data.
- Files from the Desktop, Documents, and Downloads directories containing sensitive extensions.
- Data from cryptocurrency wallets and browser extensions.
- Telegram Desktop data and Safari cookies.
Collected data is packaged into a ZIP archive and exfiltrated in chunks to attacker infrastructure.
The malware also attempts to modify cryptocurrency wallet applications such as Ledger Live by injecting malicious code designed to steal seed phrases used to recover crypto wallets.
Growing Threat to macOS Users
The campaigns demonstrate how threat actors are rapidly adapting both their social engineering methods and malware delivery techniques.
Researchers observed infection clusters in multiple regions including Belgium, India, and parts of North and South America.
Security experts note that macOS users are increasingly being targeted by infostealers and other malware families as the platform’s market share grows.
Techniques such as ClickFix attack exploit human behavior rather than software vulnerabilities, making user awareness a critical defense.
Organizations and users are advised to avoid executing unknown terminal commands from websites, verify search results before downloading software, and deploy endpoint protection capable of detecting macOS malware variants such as MacSync.
Security products have already added detection signatures for the latest variants, including OSX/InfoStl‑FQ, OSX/InfoStl‑FR, and OSX/InfoStl‑FH, as researchers continue monitoring the evolving threat landscape.