From Windows to macOS: ClickFix attacks shift tactics with ChatGPT-based lures

ClickFix campaigns are evolving, with attackers increasingly targeting macOS users and deploying more advanced infostealers, according to Sophos researchers.

ClickFix is a growing social engineering technique that tricks users into manually executing malicious commands, bypassing traditional protections. Once mainly targeting Windows, it is now increasingly affecting macOS, with recent campaigns deploying infostealers like AMOS and MacSync. Researchers note the evolving tactics, likely driven by both defensive measures and broader tech trends.

Sophos researchers analyzed three ClickFix campaigns targeting macOS users with the MacSync infostealer. 

In November 2025, attackers relied on relatively “classic” ClickFix techniques. Victims searching for ChatGPT-related tools were lured via malicious Google-sponsored links leading to fake OpenAI/ChatGPT pages. These pages instructed users to copy and execute obfuscated Terminal commands, which ultimately downloaded and ran the MacSync infostealer. The approach was straightforward but effective, relying heavily on user trust and deception.

“Note the terminal command above, which when deobfuscated, downloads and executes a Bash script from a threat actor-controlled site:” reads the report published by Sophos. “The script requests the user’s password, then fetches and runs a malicious MachO binary (the MacSync infostealer) with user-level permissions”

By December 2025, the campaigns became notably more advanced in their delivery and evasion tactics. Instead of redirecting users directly to fake download sites, attackers leveraged legitimate ChatGPT shared conversations to build credibility. These pages then led to GitHub-themed fake interfaces that mimicked legitimate installation workflows, encouraging users to run malicious commands. This technique helped bypass macOS protections like Gatekeeper and XProtect.

“The ChatGPT conversations appeared to be helpful guides like ‘how to clean up your Mac’ or install tools, but redirected victims to malicious GitHub-themed landing pages, which in turn used fake GitHub-themed installation interfaces to trick users into running malicious terminal commands (the ClickFix portion of the attack chain).” continues the report. “This can have the effect of bypassing macOS security controls like Gatekeeper and XProtect.”

At the same time, attackers introduced sophisticated tracking infrastructure, including JavaScript-based analytics, IP and geolocation logging, and real-time reporting via Telegram bots. This allowed them to monitor campaign effectiveness, which reached tens of thousands of user interactions across multiple domains.

By February 2026, the operation had evolved into a far more advanced and stealthy threat. While still relying on user interaction at the initial stage, the payload delivery shifted to a multi-stage, loader-as-a-service model. Instead of simple binaries, the malware used obfuscated shell scripts, API key-protected command-and-control infrastructure, and dynamic AppleScript payloads executed in memory. These enhancements significantly improved evasion against static and behavioral detection.

The latest MacSync variant performs extensive data harvesting, targeting browser data, credentials, files, SSH keys, cloud configurations, and cryptocurrency wallets. It also includes advanced capabilities such as chunked data exfiltration, persistence mechanisms, and anti-analysis techniques. Notably, it can tamper with Ledger wallet applications by injecting malicious code to steal seed phrases, enabling attackers to directly compromise cryptocurrency assets.

Overall, these campaigns highlight a shift from relatively simple social engineering attacks to highly modular, stealthy, and data-focused operations, reflecting both adaptation to defensive measures and increasing attacker sophistication.

“These three campaigns demonstrate a variety of tactics, and some changes to the traditional ClickFix model. While all three campaigns leveraged the use of GenAI-related lures in some way, a shift from malicious sites impersonating known legitimate companies to shared ChatGPT conversations represents an interesting shift in social engineering.” concludes the report. “Here, the threat actor leveraged two things which may have worked in their favor: hosting malicious content on a trusted domain (something the first campaign also utilized), and exploiting the relative novelty of ChatGPT conversations.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ClickFix)