Find notable cyber news and cases, enriched with sources, timelines, and signals.

MacOS infostealer campaign using fake ads and ClickFix lures

Campaign
First reported
Last updated
Happening score
H score 41
2 unique sources, 5 articles

Summary

Hide ▲

macOS users are being targeted in a ClickFix campaign that abuses Google search ads to steer people into poisoned ChatGPT and Grok conversations. The lure uses troubleshooting queries and Atlas-related searches to deliver instructions that, if run in macOS Terminal, decode a base64-encoded URL and launch a bash script that installs AMOS infostealer malware with root-level privileges. The activity matters because AMOS is a macOS-only malware-as-a-service operation, and the campaign shows threat actors abusing legitimate AI platforms and search infrastructure to distribute malware.

Related Happenings

MacOS.Gaslight AI-analysis evasion malware

Malware Activity
H score22 First: 25.06.2026 19:23 Last: 25.06.2026 19:23 Sources 1

About this happening: The **macOS.Gaslight** malware family now embeds **prompt injection strings** and fake system-failure messages to confuse **AI-assisted malware analysis** tools, risking aborted o...

Amadey and StealC MaaS ecosystem and affiliate model

Threat Actor Meta
H score73 First: 24.06.2026 18:59 Last: 24.06.2026 18:59 Sources 1

About this happening: The **Amadey** and **StealC** ecosystems now operate as **malware-as-a-service (MaaS)** offerings, widening access to loader and stealer capabilities for paying customers and affi...

MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage

Technical Analysis
H score23 First: 24.06.2026 17:00 Last: 24.06.2026 17:00 Sources 1

About this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...

MacOS ClickFix Terminal-delivered DMG campaign

Campaign
H score37 First: 23.06.2026 21:30 Last: 23.06.2026 21:30 Sources 1

About this happening: A **macOS ClickFix campaign** is using **fake CAPTCHA pages** and **Terminal commands** to quietly download and launch malicious **DMG files**, putting **Mac devices** at risk of...

AUDIOFIX and MiniRAT macOS malware activity

Malware Activity
H score34 First: 28.05.2026 10:54 Last: 28.05.2026 10:54 Sources 1

About this happening: The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...

Timeline

  1. 04.02.2026 09:42 6 articles · 5mo ago

    Microsoft warns on expanding macOS infostealer campaigns

    Initial Disclosure

    Microsoft warned that information-stealing campaigns are rapidly expanding beyond Windows to Apple macOS environments, using Python, malicious Google Ads redirects, ClickFix lures, and fake sites to deliver DMG installers that deploy Atomic macOS Stealer (AMOS), MacSync, DigitStealer, and PXA Stealer. The activity uses fileless execution, native macOS utilities, AppleScript automation, registry Run keys or scheduled tasks, and Telegram-based communications and exfiltration, while related campaigns also used WhatsApp and Crystal PDF decoys. The theft targets browser credentials, session data, iCloud Keychain entries, developer secrets, financial information, and crypto wallet data, and the recommended defenses are user education, Terminal monitoring, iCloud Keychain monitoring, and inspection of network egress for suspicious POST requests.

    Show sources