ClickFix campaigns are evolving, with attackers increasingly targeting macOS users and deploying more advanced infostealers, according to Sophos researchers. Once focused on Windows, the social engineering tactic is now used against macOS in campaigns that deploy the MacSync infostealer.
In November 2025, victims searching for ChatGPT tools were lured via malicious Google-sponsored links to fake OpenAI/ChatGPT pages that instructed them to copy and run obfuscated Terminal commands, which downloaded and executed the MacSync infostealer. By December 2025, delivery shifted to using legitimate ChatGPT shared conversations to build credibility, leading users to GitHub-themed fake interfaces that hosted installation workflows and bypassed macOS protections like Gatekeeper and XProtect.
By February 2026, the operation had become a multi-stage, loader-as-a-service model, using obfuscated shell scripts, API key-protected C2 infrastructure, and dynamic AppleScript payloads to evade detection. The latest MacSync variant harvests browser data, credentials, files, SSH keys, cloud configurations, and cryptocurrency wallets.
The campaigns illustrate a move from simple social engineering to modular, stealthy, data-focused operations, leveraging GenAI-related lures and trusted domains to exploit user trust.