Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

ClickFix MacSync social-engineering campaign targeting macOS users

Campaign
First reported
Last updated
Happening score
H score 40
2 unique sources, 2 articles

Summary

Hide ▲

A ClickFix campaign is using fake Cloudflare CAPTCHA verification challenges, embedded video tutorials, and automatic OS detection to trick victims into pasting and running malicious commands. The latest reporting says the pages add a one-minute countdown timer, a “users verified in the last hour” counter, and malvertising on Google Search to make the lure look legitimate, while delivering OS-specific payloads such as MSHTA on Windows and PowerShell on other systems. The activity has also been tied to compromise of websites through outdated WordPress plugins and injected JavaScript, making the social-engineering flow harder to spot.

Related Happenings

Vidar Stealer ClickFix campaign targeting multiple sectors

Campaign
First: 08.05.2026 14:00 Last: 08.05.2026 14:00 Sources 1

About this happening: The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...

Open Happening

ACSC ClickFix mitigation guidance for Vidar Stealer

Advisory/Mitigation
First: 07.05.2026 21:00 Last: 07.05.2026 21:00 Sources 1

About this happening: The **ACSC** issued mitigation guidance for an **ongoing ClickFix campaign** that is pushing **Vidar Stealer** through **malicious PowerShell commands**, increasing credential-the...

Open Happening

Atomic Stealer (AMOS) macOS ClickFix Script Editor activity

Malware Activity
First: 09.04.2026 14:20 Last: 09.04.2026 14:20 Sources 1

About this happening: A **macOS** malware campaign has shifted its **ClickFix** execution flow to **Script Editor**, helping **Atomic Stealer (AMOS)** avoid the usual **Terminal** warning path. The cha...

Open Happening

Atomic Stealer macOS Script Editor ClickFix campaign

Campaign
First: 08.04.2026 21:55 Last: 08.04.2026 21:55 Sources 1

About this happening: A **new Atomic Stealer (AMOS)** campaign is targeting **macOS users** through **fake Apple-themed cleanup sites**, creating a lower-friction path to malware installation and data...

Open Happening

Venom Stealer MaaS continuous credential theft and exfiltration

Malware Activity
First: 01.04.2026 16:30 Last: 01.04.2026 16:30 Sources 1

About this happening: The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...

Open Happening

Timeline

  1. 16.03.2026 13:41 2 articles · 2mo ago

    ClickFix MacSync social-engineering campaign targeting macOS users

    Initial Disclosure

    In **November 2025**, a **ClickFix** lure used **OpenAI Atlas** bait from **Google sponsored results** to route victims to a fake **Google Sites** page that instructed them to paste a **Terminal** command. That first wave downloaded a shell script that requested the system password and launched **MacSync** with user-level permissions.

    Show sources
    Open in new tab
  2. 06.11.2025 16:00 1 articles · 6mo ago

    ClickFix campaign adds video tutorials and OS-aware lures

    Campaign Scope Update

    Push Security identified recent ClickFix campaigns that use embedded video tutorials, automatic OS detection, a one-minute countdown timer, and fake Cloudflare CAPTCHA verification challenges to pressure victims into pasting malicious commands; the delivery is also promoted through malvertizing on Google Search and can inject OS-specific payloads such as MSHTA on Windows and PowerShell scripts on other systems.

    Show sources
    Open in new tab