MacOS infostealer campaign using fake ads and ClickFix lures
Campaign
Summary
Hide ▲
Show ▼
macOS users are being targeted in a ClickFix campaign that abuses Google search ads to steer people into poisoned ChatGPT and Grok conversations. The lure uses troubleshooting queries and Atlas-related searches to deliver instructions that, if run in macOS Terminal, decode a base64-encoded URL and launch a bash script that installs AMOS infostealer malware with root-level privileges. The activity matters because AMOS is a macOS-only malware-as-a-service operation, and the campaign shows threat actors abusing legitimate AI platforms and search infrastructure to distribute malware.
Related Happenings
MacOS.Gaslight AI-analysis evasion malware
Malware Activity
H score22
First: 25.06.2026 19:23
Last: 25.06.2026 19:23
Sources 1
About this happening:
The **macOS.Gaslight** malware family now embeds **prompt injection strings** and fake system-failure messages to confuse **AI-assisted malware analysis** tools, risking aborted o...
MacOS.Gaslight AI-analysis evasion malware
Malware ActivityAbout this happening: The **macOS.Gaslight** malware family now embeds **prompt injection strings** and fake system-failure messages to confuse **AI-assisted malware analysis** tools, risking aborted o...
Amadey and StealC MaaS ecosystem and affiliate model
Threat Actor Meta
H score73
First: 24.06.2026 18:59
Last: 24.06.2026 18:59
Sources 1
About this happening:
The **Amadey** and **StealC** ecosystems now operate as **malware-as-a-service (MaaS)** offerings, widening access to loader and stealer capabilities for paying customers and affi...
Amadey and StealC MaaS ecosystem and affiliate model
Threat Actor MetaAbout this happening: The **Amadey** and **StealC** ecosystems now operate as **malware-as-a-service (MaaS)** offerings, widening access to loader and stealer capabilities for paying customers and affi...
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical Analysis
H score23
First: 24.06.2026 17:00
Last: 24.06.2026 17:00
Sources 1
About this happening:
**macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage
Technical AnalysisAbout this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...
MacOS ClickFix Terminal-delivered DMG campaign
Campaign
H score37
First: 23.06.2026 21:30
Last: 23.06.2026 21:30
Sources 1
About this happening:
A **macOS ClickFix campaign** is using **fake CAPTCHA pages** and **Terminal commands** to quietly download and launch malicious **DMG files**, putting **Mac devices** at risk of...
MacOS ClickFix Terminal-delivered DMG campaign
CampaignAbout this happening: A **macOS ClickFix campaign** is using **fake CAPTCHA pages** and **Terminal commands** to quietly download and launch malicious **DMG files**, putting **Mac devices** at risk of...
AUDIOFIX and MiniRAT macOS malware activity
Malware Activity
H score34
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources 1
About this happening:
The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...
AUDIOFIX and MiniRAT macOS malware activity
Malware ActivityAbout this happening: The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...
Timeline
-
04.02.2026 09:42 6 articles · 5mo ago
Microsoft warns on expanding macOS infostealer campaigns
Initial DisclosureMicrosoft warned that information-stealing campaigns are rapidly expanding beyond Windows to Apple macOS environments, using Python, malicious Google Ads redirects, ClickFix lures, and fake sites to deliver DMG installers that deploy Atomic macOS Stealer (AMOS), MacSync, DigitStealer, and PXA Stealer. The activity uses fileless execution, native macOS utilities, AppleScript automation, registry Run keys or scheduled tasks, and Telegram-based communications and exfiltration, while related campaigns also used WhatsApp and Crystal PDF decoys. The theft targets browser credentials, session data, iCloud Keychain entries, developer secrets, financial information, and crypto wallet data, and the recommended defenses are user education, Terminal monitoring, iCloud Keychain monitoring, and inspection of network egress for suspicious POST requests.
Show sources
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- Microsoft Warns Python Infostealers Target macOS via Fake Ads and Installers — thehackernews.com — 04.02.2026 09:42
- Claude LLM artifacts abused to push Mac infostealers in ClickFix attack — www.bleepingcomputer.com — 13.02.2026 22:21
- Hackers abuse Google ads, Claude.ai chats to push Mac malware — www.bleepingcomputer.com — 10.05.2026 20:52
- LastPass: Fake password managers infect Mac users with malware — www.bleepingcomputer.com — 22.09.2025 18:36
- Google ads for shared ChatGPT, Grok guides push macOS infostealer malware — www.bleepingcomputer.com — 11.12.2025 01:50