- Sophos warns of multiple macOS ClickFix campaigns
- Fake AI tools, ChatGPT conversations, and Apple site used to spread MacSync infostealer
- Latest variant employs loaders, AppleScript, and in‑memory execution for stealth
Security researchers have warned of a rise in ongoing malware campaigns targeting macOS users, leveraging malicious ads, legitimate hosting services, brand impersonation, fake ChatGPT conversations, and a little bit of old-fashioned social engineering to infect the victims.
A new report from Sophos claims there were at least three distinct ClickFix campaigns running over the last three months. ClickFix is a known method, in which crooks would present users with a fake problem and, at the same time, offer a solution - which can be anything from a fake CAPTCHA to a “locked” document.
Whatever it is, “solving” the problem requires running a Terminal command which downloads and installs the MacSync infostealer.
MacOS a frequent target
In the first campaign, the “problem” was installing an AI browser. Users searching for a specific keyword would see an ad at the top of the Google search results which would lead to a fake browser download page, hosted on sites.google.com.
The site looks authentic and spoofs OpenAI’s ChatGPT Atlas - but to download, users are told to bring up the Terminal and paste a specific command.
The second campaign is somewhat different because instead of relying on a website, the crooks would create a ChatGPT conversation.
Each conversation with the tool has a unique identifier, and it can be shared with other people using the “share” feature. Now, crooks would create a conversation that instructed how to download “Mac system cleaner apps” and similar tools which, again, would trick victims into downloading the infostealer. Then, they would advertise that conversation on Google to improve the perceived legitimacy.
The third campaign described in the Sophos report impersonates the legitimate Apple site and delivers a significantly evolved variant of the MacSync infostealer. Unlike the earlier campaigns, this one uses a multistage loader-as-a-service model, dynamic AppleScript payloads, and in‑memory execution to maximize stealth and persistence.
“The prevailing wisdom used to be that macOS was at lower risk of malware infection compared to Windows, due to a native suite of security features that forced threat actors to adopt different, sometimes technically challenging, techniques,” the researchers explained.
“That’s no longer the case (and hasn’t been for some time, as we noted in September 2024). Mainstream malware now regularly affects macOS users – particularly when it comes to infostealers, which regularly account for a significant portion of all the macOS detections we see in telemetry. We expect this region of the threat landscape to keep evolving, and rapidly – but, as always, Sophos will evolve with it. We’ll continue to monitor for new variants, update protection and detection information as appropriate, and publish research on this aspect of the threat landscape as data becomes available.”
