Sophisticated macOS Malware Campaign Exploits Google Ads, Claude AI, and Medium to Distribute MacSync Stealer A recent malware campaign is targeting macOS users through a multi-pronged attack leveraging sponsored Google search results, Claude AI’s public artifact feature, and fraudulent Medium articles. The operation, uncovered by cybersecurity researchers at Moonlock Lab, has exposed over 15,000 users to the MacSync information stealer, which siphons sensitive data including keychain credentials, browser data, and cryptocurrency wallets. The campaign employs two distinct variants, both using the ClickFix social engineering technique to deceive users into executing malicious commands. ### First Variant: Fake DNS Resolver via Claude AI When users search for "Online DNS resolver" on Google, a sponsored result directs them to a public Claude AI artifact titled "macOS Secure Command Execution." The fake guide masquerades as a legitimate security tool, instructing victims to paste a base64-encoded command into their Terminal. Upon execution, the command downloads a loader for MacSync from `/tmp/osalogging.zip`, which then establishes communication with a command-and-control (C2) server at `a2abotnet[.]com/dynamic`. The malware uses a hardcoded authentication token and API key, spoofs a macOS browser User-Agent string to evade detection, and exfiltrates stolen data via Apple’s `osascript` utility. Larger datasets are uploaded in chunks with retry mechanisms and exponential backoff to ensure successful transmission. After exfiltration, the malware deletes staging files to cover its tracks. ### Second Variant: Fake Disk Space Analyzer via Medium A second attack vector targets users searching for "macOS CLI disk space analyzer" through a fraudulent Medium article hosted at `apple-mac-disk-space.medium[.]com`. The article impersonates Apple’s official Support Team and delivers a similar ClickFix payload with additional obfuscation, including string concatenation tricks (e.g., `cur””l`) to bypass detection. The malicious payload is fetched from `raxelpak[.]com`. ### Evasion Tactics and Broader Implications The threat actors behind this campaign demonstrate a deep understanding of social engineering and evasion techniques, exploiting trusted platforms like Google Ads, Claude AI, and Medium to lend legitimacy to their attacks. By abusing these services, they bypass traditional security controls and reach a broader audience. The MacSync stealer remains a persistent threat, with its operators continuously refining their methods to avoid detection while maximizing data theft. The campaign underscores the growing trend of malware distributors leveraging legitimate services to propagate malicious payloads.