Find notable cyber news and cases, enriched with sources, timelines, and signals.

ClickFix MacSync social-engineering campaign targeting macOS users

Campaign
First reported
Last updated
Happening score
H score 38
2 unique sources, 2 articles

Summary

Hide ▲

A ClickFix campaign is using fake Cloudflare CAPTCHA verification challenges, embedded video tutorials, and automatic OS detection to trick victims into pasting and running malicious commands. The latest reporting says the pages add a one-minute countdown timer, a “users verified in the last hour” counter, and malvertising on Google Search to make the lure look legitimate, while delivering OS-specific payloads such as MSHTA on Windows and PowerShell on other systems. The activity has also been tied to compromise of websites through outdated WordPress plugins and injected JavaScript, making the social-engineering flow harder to spot.

Related Happenings

WordPress malware campaign using Steam profile C2 concealment

Campaign
H score37 First: 01.06.2026 20:04 Last: 01.06.2026 20:04 Sources 1

About this happening: A **WordPress malware campaign** has infected about **1,980 websites** since **July 2025**, and it hides **command-and-control (C2) data** in **Steam Community profile comments**...

Vidar Stealer ClickFix campaign targeting multiple sectors

Campaign
H score38 First: 08.05.2026 14:00 Last: 08.05.2026 14:00 Sources 1

About this happening: The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...

ACSC ClickFix mitigation guidance for Vidar Stealer

Advisory/Mitigation
H score34 First: 07.05.2026 21:00 Last: 07.05.2026 21:00 Sources 1

About this happening: The **ACSC** issued mitigation guidance for an **ongoing ClickFix campaign** that is pushing **Vidar Stealer** through **malicious PowerShell commands**, increasing credential-the...

Atomic Stealer (AMOS) macOS ClickFix Script Editor activity

Malware Activity
H score30 First: 09.04.2026 14:20 Last: 09.04.2026 14:20 Sources 1

About this happening: A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...

Atomic Stealer macOS Script Editor ClickFix campaign

Campaign
H score42 First: 08.04.2026 21:55 Last: 08.04.2026 21:55 Sources 1

About this happening: A **new Atomic Stealer (AMOS)** campaign is targeting **macOS users** through **fake Apple-themed cleanup sites**, creating a lower-friction path to malware installation and data...

Timeline

  1. 16.03.2026 13:41 2 articles · 3mo ago

    ClickFix MacSync social-engineering campaign targeting macOS users

    Initial Disclosure

    In **November 2025**, a **ClickFix** lure used **OpenAI Atlas** bait from **Google sponsored results** to route victims to a fake **Google Sites** page that instructed them to paste a **Terminal** command. That first wave downloaded a shell script that requested the system password and launched **MacSync** with user-level permissions.

    Show sources
  2. 06.11.2025 16:00 1 articles · 8mo ago

    ClickFix campaign adds video tutorials and OS-aware lures

    Campaign Scope Update

    Push Security identified recent ClickFix campaigns that use embedded video tutorials, automatic OS detection, a one-minute countdown timer, and fake Cloudflare CAPTCHA verification challenges to pressure victims into pasting malicious commands; the delivery is also promoted through malvertizing on Google Search and can inject OS-specific payloads such as MSHTA on Windows and PowerShell scripts on other systems.

    Show sources