Evil evolution: ClickFix and macOS infostealers
ID: 14b34c15-ae59-577d-968b-3d4005a90c7f
STIX ID: report--14b34c15-ae59-577d-968b-3d4005a90c7f
Feed Name: Sophos Blogs
This report documents several ClickFix malvertising campaigns that lured macOS users through Google ads and shared ChatGPT conversations to GitHub-themed landing pages; victims were tricked into running terminal commands that fetched a multistage loader which deployed MacSync infostealer. The malware harvests browser data, keys, wallets and can patch Ledger Live to exfiltrate seed phrases, uses API-key gated C2, in-memory AppleScript execution, real-time victim tracking (stats.php → Telegram) and has recorded thousands of user interactions across multiple regions.
