Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Hackers Exploit Claude AI and Google Ads to Spread MacSync Stealer

Hackers Exploit Claude AI and Google Ads to Spread MacSync Stealer

Posted on July 15, 2026 By CWS

Cybersecurity researchers have uncovered a new tactic where threat actors are leveraging Anthropic’s Claude AI platform and Google Ads to distribute a potent malware known as MacSync Stealer targeting macOS users. The discovery was made by Zscaler Threat Hunting, highlighting a sophisticated ploy to deceive users into compromising their systems.

Infiltration via Google Ads and Claude AI

The malware infection chain initiates when users search for terms related to Claude AI, such as “claude download” or “claude mac,” and click on promoted Google advertisements. These ads redirect users to a shared Claude AI chat link. Due to the legitimate claude.ai domain, the attack gains perceived credibility.

Further deception is employed as attackers set their display name in Claude to “Apple Support.” This misleading tactic makes the fake chat, which includes instructions for malware deployment, appear as legitimate guidance from Apple.

Executing the Malicious Script

The fraudulent chat instructs users to execute a Base64-encoded curl command in the macOS Terminal. This method, known as ClickFix, first appeared in 2024 and has become a popular technique for deploying macOS-specific malware.

By running the provided command, users unknowingly trigger a multi-stage infection process. This sophisticated method stealthily redirects outputs to conceal its activities, simultaneously fetching advanced payloads from attacker-controlled servers.

Targeting Sensitive Information

The campaign, active from June 12 to June 19, 2026, utilized 22 distinct Google Ads campaign IDs and targeted various search phrases, including those in Chinese. To avoid detection, malicious infrastructure mimicked domains of local U.S. businesses.

Once MacSync Stealer is fully deployed, it prompts victims to enter their macOS password via a fake system prompt, subsequently harvesting extensive sensitive data. This includes credentials from browsers, password managers, SSH keys, AWS credentials, and cryptocurrency wallet data.

Data Exfiltration and Attribution

After collection, the stolen data is compressed into 10MB segments for transmission to a remote server, and all traces of the malware are deleted from the victim’s system post-exfiltration. Analysts found Russian-language code within the malware’s AppleScript, suggesting the perpetrators may be Russian-speaking.

Preventative Measures and Recommendations

Researchers stress that the Claude AI platform itself was not compromised; instead, its sharing feature was misused. Anthropic has been alerted about the issue, and the malicious shared chats have been taken down. Security experts advise Mac users to avoid executing unfamiliar Terminal commands, verify downloads from official sources, and approach search ad “fix” prompts with skepticism.

Cyber Security News Tags:Apple Support scam, Claude AI, cyber threats, Cybersecurity, Google Ads, information stealer, macOS malware, MacSync Stealer, malware distribution, malware prevention, online security, phishing attacks, Terminal commands, Threat Actors, Zscaler

Post navigation

Previous Post: GPT-5.6 Sol Ultra Crafts Complete Chrome Exploit

Related Posts

Cloud Atlas APT Exploits Windows for Multiple RDP Sessions Cloud Atlas APT Exploits Windows for Multiple RDP Sessions Cyber Security News
CISA Alerts on Active Exploitation of Google Chromium Vulnerability CISA Alerts on Active Exploitation of Google Chromium Vulnerability Cyber Security News
Threat actors Allegedly Claim Discord Dataset Containing 78,541,207 Files Threat actors Allegedly Claim Discord Dataset Containing 78,541,207 Files Cyber Security News
Scattered LAPSUS$ Hunters Announce Salesforce Breach List On New Onion Site Scattered LAPSUS$ Hunters Announce Salesforce Breach List On New Onion Site Cyber Security News
APT36 Hackers Used Python-Based ELF Malware to Target Indian Government Entities APT36 Hackers Used Python-Based ELF Malware to Target Indian Government Entities Cyber Security News
17,000+ VMware ESXi Servers Vulnerable to Critical Integer-Overflow Vulnerability 17,000+ VMware ESXi Servers Vulnerable to Critical Integer-Overflow Vulnerability Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Hackers Exploit Claude AI and Google Ads to Spread MacSync Stealer
  • GPT-5.6 Sol Ultra Crafts Complete Chrome Exploit
  • Destiny Stealer Spreads: How to Shield Your Organization
  • TuxBot v3 Evolution: AI’s Role in IoT Botnet Development
  • AI-Powered Botnet Built in Minutes Using Gemini CLI

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Hackers Exploit Claude AI and Google Ads to Spread MacSync Stealer
  • GPT-5.6 Sol Ultra Crafts Complete Chrome Exploit
  • Destiny Stealer Spreads: How to Shield Your Organization
  • TuxBot v3 Evolution: AI’s Role in IoT Botnet Development
  • AI-Powered Botnet Built in Minutes Using Gemini CLI

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark