Three different ClickFix campaigns have been found distributing a macOS information stealer called MacSync. Sophos researchers Jagadeesh Chandraiah, Tonmoy Jitu, Dmitry Samosseiko, and Matt Wixey said, "Unlike traditional exploit-based attacks, this method relies entirely on user interaction—usually in the form of copying and executing commands—making it particularly effective against users who may not understand what running unknown and obfuscated terminal commands means." It is not clear at this time whether the same threat actor is behind the campaigns.
In December 2025, Jamf Threat Labs also said that ClickFix lures were being used to spread the malware.
The three campaigns are as follows: The shell script that runs after the Terminal command is meant to connect to a hard-coded server and download the AppleScript infostealer payload while also trying to erase any evidence of data theft. The bad commands are easy to see." It's clear that ClickFix (and its variations) have given criminals and groups a big advantage, which is why so many of them have started using it.
A malicious traffic distribution system (TDS) called KongTuke (also known as 404 TDS, Chaya_002, LandUpdate808, and TAG-124) uses compromised WordPress sites and fake CAPTCHA lures to spread a Python-based trojan called ModeloRAT.
The attackers inject malicious JavaScript into legitimate WordPress sites; the injected script tells users to run a PowerShell command that starts a multi-stage infection process to deliver the trojan. Trend Micro said, "The group still uses this method along with the newer CrashFix technique, which tricks users into installing a malicious browser extension to start the infection." "The malware checks to see if a system is part of a corporate domain and what security tools are already installed before moving on. This suggests that it is more interested in enterprise environments than in infections that happen by chance."
That's not all.
According to Rapid7, "The best defense for people who use the internet is to stay cautious, have a zero-trust mindset, use trusted security software, and stay up to date on the latest phishing and ClickFix tactics used by bad actors." "This report should make it clear that even safe websites can be hacked and used to attack people who don't know what's going on."












