ClickFix campaign spreads MacSync macOS Infostealer via fake AI tool installer

March 16, 2026

Three different ClickFix campaigns were found to serve as delivery vectors for the deployment of a macOS information stealer called MacSync.

Sophos researchers Jagadeesh Chandraiah, Tonmoy Jitu, Dmitry Samosseiko, and Matt Wixey said, “Unlike traditional exploit-based attacks, this technique relies entirely on user interaction (usually in the form of copying and executing commands), making it particularly effective against users who don’t understand the implications of running unknown, obfuscated terminal commands.”

It is currently unknown whether these campaigns are the work of the same actor. The use of ClickFix lures to distribute malware was also reported by Jamf Threat Labs in December 2025. Details of the three campaigns are as follows:

  • November 2025: A campaign that uses the OpenAI Atlas browser as bait and is distributed through Google’s sponsored search results, directing users to a fake Google Sites URL with a download button that, when clicked, opens the Terminal app and instructs the user to paste a command. This downloads a shell script that prompts the user for the system password and runs MacSync with user-level permissions.
  • December 2025: A malvertising campaign that leverages sponsored links for Google searches such as “how to clean up your Mac” to drive users to shared conversations on the legitimate OpenAI ChatGPT site, giving the impression that the links are safe. The ChatGPT conversation redirected the victim to a malicious GitHub-themed landing page that convinced the user to run malicious commands in the Terminal app.
  • February 2026: A campaign targeting Belgium, India, and parts of the Americas that distributed a new variant of MacSync through the ClickFix lure. The latest iteration supports dynamic AppleScript payloads and in-memory execution to avoid static analysis, bypass behavior detection, and complicate incident response.

The shell script launched by the Terminal command connects to a hard-coded server to retrieve the AppleScript infostealer payload, while also taking steps to remove evidence of the data theft. The stealer collects a wide range of data from compromised hosts, including credentials, files, keychain databases, and seed phrases from cryptocurrency wallets.

The latest findings suggest that threat actors are weaponizing the trust associated with ChatGPT conversations to trick users into executing malicious commands, while adapting this method to stay one step ahead of security tools.

Sophos said the new variants observed in the latest campaign “likely represent malware developers adjusting to OS and software security measures to maintain effectiveness. Therefore, refinements to typical ClickFix social engineering tactics are one way such campaigns may continue to evolve in the future.”

In recent months, ClickFix campaigns have used legitimate platforms such as Cloudflare Pages (pages.dev), Squarespace, and Tencent EdgeOne to host fake instructions for installing developer tools such as Anthropic’s Claude Code. The URLs are distributed via malicious search engine ads.

These instructions, as before, trick victims into installing information-stealing malware such as Amatera Stealer. This social engineering attack is codenamed InstallFix or GoogleFix. According to Nati Tal, head of Guardio Labs, similar infection chains lead to the deployment of the Alien infostealer on Windows and Atomic Stealer on macOS.

According to Tal, a PowerShell command executed after the victim pastes and runs what appears to be Claude Code’s installation command retrieves a legitimate Chrome extension package together with a malicious HTML application (HTA) file, which launches Alien’s obfuscated .NET loader in memory.

“While traditional ClickFix attacks require users to concoct a reason to run a command, such as a fake CAPTCHA, fabricated error message, or fake system prompt, InstallFix requires none of that,” Push Security said. “The pretext is simply that the user wants to install legitimate software.”

According to Pillar Security, at least 20 malware campaigns targeted artificial intelligence (AI) and vibe coding tools between February and March 2026. This includes code editors, AI agents, large language model (LLM) platforms, AI-powered browser extensions, AI video generators, and AI business tools. Nine of these were found to target both Windows and macOS, while the remaining seven were found to only affect macOS users.

“The reason is clear: users of AI/vibe coding tools skew heavily toward macOS, and macOS users tend to have higher-value credentials (SSH keys, cloud tokens, crypto wallets),” said Pillar Security researcher Eilon Cohen.

“The ClickFix/InstallFix technique (tricking users into pasting commands into the terminal) is very effective against developers because curl | sh is a legitimate installation pattern. Homebrew, Rust, nvm, and many other developer tools use exactly this pattern. Malicious commands hide in plain sight.”

Needless to say, the benefits provided by ClickFix (and its variants) have led to this tactic being adopted by multiple threat actors and groups. This includes a malicious traffic distribution system (TDS) named KongTuke (aka 404 TDS, Chaya_002, LandUpdate808, TAG-124). The system uses a compromised WordPress website and a fake CAPTCHA lure to deliver a Python-based Trojan called ModeloRAT.

The attacker injects malicious JavaScript into a legitimate WordPress website and prompts the user to run PowerShell commands that initiate a multi-step infection process to deploy the Trojan.

“The group continues to use this technique in tandem with its new CrashFix technique, which tricks users into installing malicious browser extensions and initiating infections,” Trend Micro said. “The malware specifically checks if the system is part of a corporate domain and identifies installed security tools before proceeding. This suggests it is focused on corporate environments rather than an opportunistic infection.”

That’s not all. KongTuke campaigns have also been observed using DNS TXT records in their ClickFix scripts: the TXT records stage commands that retrieve and run PowerShell scripts, so the resolver answer, rather than an HTTP download, carries the next stage.
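The DNS TXT staging described above, and the pasted terminal commands of the earlier campaigns, can be triaged the same way from the defender’s side: look for command-interpreter content inside data that should be inert. The following is an added detection example, not code from the Trend Micro or Sophos reports; the resolver log format, the hostnames and the base64 sample are constructed, and the sample payload is a benign placeholder.

```python
import base64
import re

# Constructed sample resolver log lines, not from the report. Assumed format:
# '<timestamp> <qname> TXT "<rdata>"'. The staged value is a benign placeholder:
# base64 of "powershell -w hidden -c Get-Date", standing in for a real staged command.
STAGED = base64.b64encode(b"powershell -w hidden -c Get-Date").decode()
SAMPLE_DNS_LOG = [
    '2026-03-10T09:12:01Z _dmarc.example.test TXT "v=DMARC1; p=reject"',
    '2026-03-10T09:12:02Z example.test TXT "v=spf1 include:_spf.example.test -all"',
    f'2026-03-10T09:12:05Z cfg.stage.example.test TXT "{STAGED}"',
]

DNS_LINE_RE = re.compile(r'^\S+\s+(?P<qname>\S+)\s+TXT\s+"(?P<rdata>.*)"$')
FETCH_RE = re.compile(r"\b(curl|wget|irm|iwr|Invoke-WebRequest|DownloadString)\b", re.I)
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(sh|bash|zsh|iex|Invoke-Expression)\b", re.I)
EVASION_RE = re.compile(r"-w(indowstyle)?\s+hidden|-enc(odedcommand)?\s|-nop\b|-ep\s+bypass", re.I)
INTERPRETER_RE = re.compile(r"\b(powershell|pwsh|mshta|osascript|bash|zsh|curl|wget)\b", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def decode_b64_chunks(text):
    """Yield plausible decodings of long base64 runs (UTF-8, plus UTF-16LE as -EncodedCommand uses)."""
    for m in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not real base64, skip it
            continue
        yield raw.decode("utf-8", "ignore")
        if b"\x00" in raw:
            yield raw.decode("utf-16-le", "ignore")

def suspicious_command_indicators(text):
    """Reasons why `text` looks like a staged command rather than ordinary data (empty list: none found)."""
    reasons = set()
    for i, cand in enumerate([text, *decode_b64_chunks(text)]):
        tag = "decoded base64: " if i else ""
        if FETCH_RE.search(cand) and PIPE_TO_SHELL_RE.search(cand):
            reasons.add(tag + "remote fetch piped into a shell")
        if EVASION_RE.search(cand):
            reasons.add(tag + "PowerShell hidden-window/encoded/bypass flags")
        if i and INTERPRETER_RE.search(cand):
            reasons.add("base64 payload decodes to an interpreter invocation")
    return sorted(reasons)

def scan_dns_txt_log(lines):
    """Return (qname, reasons) for TXT answers whose rdata carries command-like content."""
    hits = []
    for line in lines:
        m = DNS_LINE_RE.match(line)
        if m and (reasons := suspicious_command_indicators(m["rdata"])):
            hits.append((m["qname"], reasons))
    return hits
```

A `curl ... | sh` hit is a review prompt rather than a verdict, since the same pattern is a legitimate installer idiom; the value is in seeing it arrive through a DNS answer or a pasted "fix" instead of a known installer page.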

Other ClickFix-style pastejacking attacks that have been detected in the wild are listed below.

  • A compromised website displays a ClickFix lure page that mimics Google’s “Aw Snap!” error page and browser update prompts, and distributes droppers, downloaders, and malicious browser extensions.
  • ClickFix decoys delivered via malvertising and phishing links lure users to malicious pages that lead to Remcos RAT deployment.
  • A fake website promoting a $TEMU airdrop scam uses a fake CAPTCHA validation lure to trigger a PowerShell command that executes arbitrary Python code retrieved from the server.
  • A fake website promoting CleanMyMac tricks users into running malicious Terminal commands, deploys a macOS stealer named SHub Stealer, and backdoors cryptocurrency wallets such as Exodus, Atomic Wallet, Ledger Wallet, and Ledger Live to steal seed phrases.
  • A fake CAPTCHA validation lure on a compromised website runs a PowerShell script that serves an MSI dropper. The Deno JavaScript runtime is then installed to execute obfuscated code, and finally a Python loader named CastleLoader installs CastleRAT in memory.

In a report released last week, Rapid7 revealed that trusted WordPress websites were compromised as part of a broader ongoing campaign aimed at inserting ClickFix implants disguised as Cloudflare human verification challenges. This activity has been active since December 2025.

More than 250 infected websites have been identified in at least 12 countries, including Australia, Brazil, Canada, the Czech Republic, Germany, India, Israel, Singapore, Slovakia, Switzerland, the United Kingdom, and the United States; the affected sites belong to local news outlets and local businesses.

The ultimate goal of these lures is to compromise Windows systems with various stealer malware families: StealC Stealer, an improved version of Vidar Stealer, a .NET stealer called Impure Stealer, and a C++ stealer called VodkaStealer. Stolen data can serve as a launching pad for financial theft and subsequent attacks.

The exact method by which the WordPress sites are compromised is currently unknown. However, the intrusions are suspected to involve vulnerable WordPress plugins and themes, previously stolen administrator credentials, or recently disclosed security flaws reachable through the publicly accessible wp-admin interface.

To combat this threat, site administrators are encouraged to keep their sites up to date, use strong passwords for administrative access, set up two-factor authentication (2FA), and scan for suspicious administrator accounts.

“The best defense for individuals browsing the web is to remain vigilant, maintain a zero-trust mindset, use trusted security software, and stay up-to-date on the latest phishing and ClickFix tactics used by malicious attackers,” Rapid7 said. “The key takeaway from this report is that even trusted websites can be compromised and used as a weapon against unsuspecting visitors.”