macOS Malware Spreads via Google Ads, Claude.ai Shared Chats
Key Takeaways A sophisticated malvertising campaign is targeting macOS users through malicious Google Ads and deceptive AI application lookalikes. Attackers leverage trusted platforms like Google...
Key Takeaways
- A sophisticated malvertising campaign is targeting macOS users through malicious Google Ads and deceptive AI application lookalikes.
- Attackers leverage trusted platforms like Google Sites and Claude.ai shared chats to host fake download pages for MacSync, a macOS information stealer.
- The campaign employs a “Clickfix” social engineering tactic, tricking users into executing malicious commands or installing compromised software.
- MacSync exfiltrates sensitive data, including browser credentials, cryptocurrency wallet information, and session tokens.
Malvertising Campaign Targets macOS Users via Google Ads and AI Impersonation
Cybersecurity researchers have uncovered an advanced malvertising operation specifically designed to compromise macOS systems. Threat actors are exploiting Google Ads and impersonating legitimate artificial intelligence services to distribute the MacSync information stealer.
Table Of Content
This campaign redirects unsuspecting users to fraudulent landing pages through sponsored search results, employing a blend of reputable hosting providers and a social engineering technique known as “Clickfix” to deliver dangerous payloads.
Initial Attack Vector: Deceptive Google Ads
The attack sequence begins when a user searches for popular software, particularly AI tools such as Claude. Attackers manipulate search engine results by purchasing sponsored advertisements that appear prominently at the top of search engine results pages (SERPs). These ads are meticulously crafted to mimic legitimate software vendors, making it difficult for end-users to differentiate between authentic and malicious links.
Upon clicking these sponsored advertisements, victims are routed to deceptive websites hosted on seemingly trusted infrastructure. To circumvent initial domain reputation checks and enterprise web filters, the threat actors are exploiting services like Google Sites, Framer, and even legitimate claude.ai shared chats. The landing pages are expertly designed to replicate official Claude AI download portals, enhancing their credibility.
When users attempt to interact with these fraudulent sites or download the purported desktop application, they are confronted with a “Clickfix” prompt. This social engineering tactic employs deceptive warning dialogues, coercing victims into manually executing a malicious terminal command or downloading a compromised installer under the pretense of “fixing” a display error or other technical issue.
Researchers Berk Albayrak and g0njxa published their findings on X, detailing the infrastructure underpinning this targeted malware campaign. The threat actors frequently rotate their domains and hosting platforms to evade detection and maximize their search engine optimization efforts.
The campaign heavily relies on Google Sites for hosting the initial deceptive pages. Researchers identified malicious URLs such as sites[.]google[.]com/view/cloud-version-08, sites[.]google[.]com/view/brewshka-page, and sites[.]google[.]com/view/claud-version-0505. In addition to Google Sites, the attackers have utilized the Framer platform, hosting fake applications at claude-desktop-app[.]framer[.]ai.
Payload Delivery and Execution: The MacSync Stealer
Once a victim interacts with the fake Claude AI portal, the site redirects them to the final payload delivery servers. Initial landing pages have been observed redirecting traffic to external IP addresses, including 2[.]26[.]75[.]112/Hokojol, and to domains such as pieoneer[.]org and greenactiv[.]com.
These destination servers deliver the MacSync clickfix payload directly to the victim’s macOS machine. Upon execution, the malware functions as a comprehensive information stealer. MacSync is specifically engineered to harvest sensitive data from infected Apple systems, including saved browser credentials, cryptocurrency wallet data, and active session tokens. The stolen information is subsequently exfiltrated to the attackers’ command-and-control infrastructure.
What You Should Do
- Exercise Extreme Caution: Be highly skeptical of sponsored search results, especially when downloading software.
- Verify Software Sources: Always navigate directly to the official vendor’s website to download software. Do not rely on links from search engine ads.
- Block Known Indicators of Compromise (IoCs): Security teams should implement network-level blocks for the identified malicious domains and IP addresses.
- Monitor Endpoint Telemetry: Keep a close watch on macOS endpoint telemetry for any unusual script execution originating from web browsers.
- Educate Users: Conduct awareness training for employees and individual users about the dangers of malvertising and social engineering tactics like “Clickfix.”
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.