Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical MacSync Stealer Delivered via Google Ads and Claude AI Chats
July 15, 2026
GPT-5.6 Sol Ultra AI Creates Full Chrome Exploit Chain from Patches
July 15, 2026
Critical Cursor RCE: CVE-2024-XXXXX lets Git repos auto-execute code
July 15, 2026
Home/CyberSecurity News/Critical MacSync Stealer Delivered via Google Ads and Claude AI Chats
CyberSecurity News

Critical MacSync Stealer Delivered via Google Ads and Claude AI Chats

Key Takeaways A new information stealer, MacSync Stealer, is targeting macOS users. Attackers leverage Google Ads and Anthropic’s Claude AI platform to deliver the malware. The infection chain...

Emy Elsamnoudy
Emy Elsamnoudy
July 15, 2026 4 Min Read
2 0

Key Takeaways

  • A new information stealer, MacSync Stealer, is targeting macOS users.
  • Attackers leverage Google Ads and Anthropic’s Claude AI platform to deliver the malware.
  • The infection chain exploits shared Claude chats, disguised as Apple Support, to trick users into executing malicious Terminal commands.
  • MacSync Stealer exfiltrates a wide range of sensitive data, including browser credentials, cryptocurrency wallets, and developer keys.
  • While the malicious Claude chats have been removed, Mac users should remain vigilant against social engineering tactics.

MacSync Stealer Leverages Google Ads and Claude AI for Stealthy macOS Attacks

Cybersecurity researchers at Zscaler have uncovered a sophisticated campaign deploying a novel information-stealing malware dubbed MacSync Stealer. This new threat specifically targets macOS users by exploiting Google Ads and Anthropic’s Claude AI platform, presenting a deceptive front to trick victims into self-infection.

Table Of Content

  • Key Takeaways
  • MacSync Stealer Leverages Google Ads and Claude AI for Stealthy macOS Attacks
  • The Deceptive Infection Vector
  • Claude Chats Abused for ClickFix
  • MacSync Stealer’s Data Exfiltration Capabilities
  • What You Should Do

The Deceptive Infection Vector

The attack initiates when a user searches for terms such as “claude download” or “claude mac.” Malicious Google Ads, strategically placed by the threat actors, redirect unsuspecting victims to a seemingly legitimate shared Claude chat link. This tactic immediately lends credibility to the attack, as the URL originates from the authentic claude.ai domain.

Within the shared chat interface, the attackers masquerade as “Apple Support” by setting their display name accordingly. This impersonation makes the embedded, fake “fix” instructions appear highly trustworthy to the victim. The chat then prompts users to copy and paste a Base64-obfuscated curl command directly into their macOS Terminal. This method is a hallmark of the “ClickFix” technique, a social engineering strategy that emerged in 2024 and has since become a favored tool for operators targeting macOS systems.

Executing this command initiates a multi-stage infection process. The output of the command is silently redirected, concealing any signs of execution from the user. This hidden process then fetches increasingly complex payloads from infrastructure controlled by the attackers, culminating in the full deployment of MacSync Stealer.

Claude Chats Abused for ClickFix

Zscaler traced the campaign, which was active between June 12 and June 19, 2026. Their analysis identified 22 distinct Google Ads campaign IDs and seven search terms related to Claude, including “claude ai,” “claude code,” and even a Chinese-language variant, indicating a broad targeting strategy.

The malicious infrastructure supporting these operations was cleverly disguised, utilizing domain names that mimicked ordinary local U.S. businesses, such as laminate flooring services and pet sitters, to evade detection mechanisms.

MacSync Stealer’s Data Exfiltration Capabilities

Once MacSync Stealer is fully deployed via an AppleScript payload, it attempts to trick victims into entering their macOS password through a fake system prompt. Upon gaining access, the malware systematically harvests a wide array of sensitive data before meticulously erasing its presence from the system. The stolen information includes:

  • Keychain files and credentials from Chromium and Gecko-based browsers, encompassing cookies and saved login details.
  • Data stored within password manager browser extensions.
  • Sensitive developer environment files, such as SSH keys, AWS credentials, and Kubernetes configurations.
  • Telegram Desktop files, along with documents and files featuring extensions like .pdf, .wallet, and .kdbx.
  • Cryptocurrency wallet browser extensions and desktop applications, with specific targeting of Ledger and Trezor hardware wallets.

According to researchers, the exfiltrated data is compressed and transmitted in 10MB chunks to a remote server. Following successful data transfer, the malware proceeds to delete all traces of its activity from the compromised system.

Analysis of the malware’s AppleScript payload revealed Russian-language code comments, suggesting that the operators behind MacSync Stealer are likely Russian-speaking. Researchers also noted the group’s continuous evolution of tactics, having previously distributed malware through counterfeit “cracked” software before shifting to the ClickFix method and the abuse of AI platforms.

It is crucial to note that Anthropic’s Claude platform itself was not compromised; attackers merely exploited its legitimate shared chat functionality. Anthropic has been informed of the abuse, and the malicious shared chats are no longer accessible. Nevertheless, security experts strongly advise Mac users to exercise extreme caution: never paste unfamiliar Terminal commands, always verify software downloads exclusively through official vendor websites, and approach “fix” prompts originating from search advertisements with profound suspicion.

What You Should Do

  • Never Paste Unverified Commands: Refrain from copying and pasting Terminal commands from untrusted sources, especially those found in shared chats or unsolicited “fix” instructions.
  • Verify Software Downloads: Always download software directly from the official developer’s website or the macOS App Store. Avoid third-party download sites or links from search ads.
  • Be Skeptical of “Support” Prompts: Treat any “support” messages or “fix” prompts encountered through search engine results or shared links with extreme caution, even if they appear to originate from legitimate services like Apple.
  • Use a Password Manager: Employ a reputable password manager for all your credentials and enable multi-factor authentication (MFA) wherever possible.
  • Maintain System Updates: Keep your macOS operating system and all installed applications fully updated to benefit from the latest security patches.
  • Install Reputable Antivirus/Endpoint Detection: Utilize a trusted antivirus or endpoint detection and response (EDR) solution capable of detecting and blocking macOS-specific threats.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackMalwareSecurityThreat

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

GPT-5.6 Sol Ultra AI Creates Full Chrome Exploit Chain from Patches

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Dell PowerProtect flaws let attackers gain full system access
July 15, 2026
Microsoft Confirms Dell Laptop Overheating, Shutdowns After July Windows Update
July 15, 2026
FaceTime Call Impersonation Fraud Hijacks Bank Accounts
July 15, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us