MacSync Stealer: Sophisticated macOS Malware Targets Developers via Malvertising
Security researchers at Beezlebub have uncovered MacSync Stealer, a newly identified macOS infostealer distributed through a deceptive malvertising campaign on Google Ads. The attack impersonates Anthropic’s Claude Code CLI, exploiting developer trust in search results to deliver a multi-stage infection chain that harvests credentials, crypto wallets, and sensitive system data.
Attack Chain Breakdown
The campaign begins with a sponsored Google ad targeting queries like “claude code mac install.” Victims are redirected to a malicious Google Sites page designed to mimic Anthropic’s legitimate installation portal. The page uses JavaScript to dynamically render content, evading automated detection, while instructing users to execute a seemingly harmless terminal command, a tactic known as the “InstallFix” social engineering pattern.
The embedded command decodes into a triple-encoded zsh dropper, which initiates a three-stage infection process:
- Stage One: Retrieves a .daily payload from a command-and-control (C2) server (oklahomawarehousing[.]com) over unsecured HTTP.
- Stage Two: Decodes a base64+gzip script with randomized variable names to bypass signature-based detection.
- Stage Three: Executes a silent daemon that fetches the primary AppleScript-based stealer (MacSync Stealer v1.1.2, build tag: claude1) and manages data exfiltration.
Malware Capabilities & Exfiltration
Once active, the stealer:
- Terminates Terminal to erase execution traces.
- Deploys a fake macOS System Preferences dialog to harvest the user’s login password, validated via dscl . authonly to avoid system alerts.
- Unlocks the macOS keychain, extracting the Chrome Safe Storage key to decrypt saved credentials across Chromium-based browsers.
- Steals sensitive data, including:
  - Browser profiles and cookies
  - SSH keys and AWS credentials
  - Telegram sessions
  - Over 80 cryptocurrency wallet extensions
- Stages stolen data in /tmp/sync*/ and compresses it into /tmp/osalogging.zip, exfiltrating it in 10MB chunks via HTTP PUT requests to the C2. However, an interrupted upload leaves the C2 with an unusable archive, because the ZIP central directory that indexes the entries is written at the end of the file.
Persistence & Crypto Wallet Hijacking
A secondary payload targets cryptocurrency applications. If Ledger Live or Ledger Wallet is installed, the malware replaces their Electron app.asar bundles with trojanized versions. A single injected line (marked with a Russian comment: ВСТАВЬТЕ СЮДА, “insert here”) redirects the application to a phishing page after a 5-second delay, tricking victims into entering seed phrases for exfiltration.
Attack Limitations
The infection chain includes a critical flaw: a blocking dialog halts execution until user interaction. If the victim reboots or interrupts the process before clicking, exfiltration and wallet trojanization may fail, reducing the attacker’s success rate.
Indicators of Compromise (IOCs)
- Malware: MacSync Stealer v1.1.2 (claude1)
- Dropper SHA256: bd348a40261aa2d95566ccdc4e6f304ff25aa97d34e5c713c77c937583ad04f0
- C2 Domain: oklahomawarehousing[.]com
- Lure URL: sites.google.com/view/claud-version-0505
- Trojanized Ledger Live SHA256: 1abf943e97356e07bde23663da544e7c106afc19827a2106361a52035737de43
- File Artifacts: /tmp/osalogging.zip, /tmp/sync*/
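A host triage script for the artifacts listed above and described in the capabilities and wallet-hijacking sections: it checks for the /tmp staging archive and sync* directories, and inspects the Ledger app.asar bundles both against the published SHA256 and for the injected marker comment (which also catches re-packed builds the single hash would miss). This is an added example written for this page, not code from the researchers; the Ledger install paths are assumed, and the sample root it builds is constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path
# IoCs copied from the write-up above; everything else in this example is constructed.
TROJANIZED_LEDGER_ASAR_SHA256 = "1abf943e97356e07bde23663da544e7c106afc19827a2106361a52035737de43"
INJECTION_MARKER = "ВСТАВЬТЕ СЮДА".encode("utf-8")  # Russian comment on the injected line
STAGING_ARCHIVE = "osalogging.zip"                  # dropped in /tmp
STAGING_DIR_RE = re.compile(r"^sync")               # /tmp/sync*/ staging directories
# Assumed install locations of the targeted Electron bundles (not stated in the write-up).
LEDGER_ASAR_PATHS = ["Applications/Ledger Live.app/Contents/Resources/app.asar",
                     "Applications/Ledger Wallet.app/Contents/Resources/app.asar"]

def inspect_asar(path):
    """Stream the bundle once: return (sha256 hex, marker-comment-present)."""
    h, found, tail = hashlib.sha256(), False, b""
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
            found = found or INJECTION_MARKER in tail + chunk  # tail: marker split across reads
            tail = chunk[-(len(INJECTION_MARKER) - 1):]
    return h.hexdigest(), found

def scan(root):
    """Return findings for a filesystem rooted at `root` (Path('/') on a live host)."""
    findings, tmp = [], root / "tmp"
    if (tmp / STAGING_ARCHIVE).is_file():
        findings.append(f"staging archive present: {tmp / STAGING_ARCHIVE}")
    for p in sorted(tmp.iterdir()) if tmp.is_dir() else []:
        if p.is_dir() and STAGING_DIR_RE.match(p.name):
            findings.append(f"staging directory present: {p}")
    for asar in (root / rel for rel in LEDGER_ASAR_PATHS):
        if not asar.is_file():
            continue
        digest, has_marker = inspect_asar(asar)
        if digest == TROJANIZED_LEDGER_ASAR_SHA256:
            findings.append(f"app.asar matches known trojanized Ledger Live hash: {asar}")
        if has_marker:  # catches re-packed builds whose hash differs from the single IoC
            findings.append(f"injected marker comment found in app.asar: {asar}")
    return findings

def build_sample_root():
    """Constructed sample: a throwaway root holding each artifact, so the scan runs offline."""
    root = Path(tempfile.mkdtemp())
    (root / "tmp" / "sync1234").mkdir(parents=True)
    (root / "tmp" / STAGING_ARCHIVE).write_bytes(b"PK\x03\x04 constructed, truncated archive")
    asar = root / LEDGER_ASAR_PATHS[0]
    asar.parent.mkdir(parents=True)
    asar.write_bytes(b"// " + INJECTION_MARKER + b"\n" + b"x" * 2048)
    return root
```

Run `scan(Path("/"))` on a live Mac to check the real filesystem; `scan(build_sample_root())` exercises every branch offline.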
The campaign underscores the rising threat of malvertising combined with developer-targeted social engineering, enabling attackers to compromise both system access and high-value crypto assets in a single infection flow.
Source: https://gbhackers.com/macsync-stealer-hijacks-macos-via-fake-claude-code/
{
  "id": "GOOANT1782908805",
  "linkid": "google, anthropicresearch",
  "type": "Cyber Attack",
  "date": "5/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {"industry": "Software Development, Cryptocurrency", "type": "Individuals (Developers, Crypto Users)"}
  ],
  "attack_vector": "Malvertising (Google Ads), Social Engineering (InstallFix pattern)",
  "data_breach": {
    "data_exfiltration": true,
    "file_types_exposed": ["ZIP (osalogging.zip)", "Browser profiles", "Keychain data", "Crypto wallet files"],
    "personally_identifiable_information": true,
    "sensitivity_of_data": "High (PII, financial, authentication data)",
    "type_of_data_compromised": ["Browser credentials", "Cookies", "SSH keys", "AWS credentials", "Telegram sessions", "Cryptocurrency wallet extensions", "macOS keychain data"]
  },
  "description": "Security researchers at Beezlebub uncovered *MacSync Stealer*, a newly identified macOS infostealer distributed through a deceptive malvertising campaign on Google Ads. The attack impersonates *Anthropic’s Claude Code CLI*, exploiting developer trust in search results to deliver a multi-stage infection chain that harvests credentials, crypto wallets, and sensitive system data.",
  "impact": {
    "data_compromised": "Browser credentials, cookies, SSH keys, AWS credentials, Telegram sessions, cryptocurrency wallet extensions (80+), macOS keychain data",
    "identity_theft_risk": "High (PII, credentials, crypto wallets)",
    "operational_impact": "Potential unauthorized access to sensitive systems, crypto asset theft",
    "payment_information_risk": "High (crypto wallet seed phrases, browser-stored payment data)",
    "systems_affected": "macOS systems (developers and crypto users)"
  },
  "initial_access_broker": {
    "backdoors_established": "Trojanized Electron app.asar (Ledger Live/Wallet)",
    "entry_point": "Google Ads malvertising (sponsored search results)",
    "high_value_targets": ["Developers", "Cryptocurrency users"]
  },
  "lessons_learned": "Rising threat of malvertising combined with developer-targeted social engineering; critical flaws in malware execution (e.g., blocking dialog) can reduce attack success rates.",
  "motivation": "Financial gain (crypto wallet theft, credential harvesting)",
  "post_incident_analysis": {
    "corrective_actions": [
      "Block known malicious domains (e.g., oklahomawarehousing[.]com).",
      "Educate developers on verifying CLI tool installation sources.",
      "Deploy macOS endpoint protection to detect keychain access and ZIP exfiltration."
    ],
    "root_causes": [
      "Exploitation of developer trust in search results (Google Ads malvertising).",
      "Social engineering (InstallFix pattern) to trick users into executing malicious terminal commands.",
      "Multi-stage infection chain with obfuscation (triple-encoded zsh dropper, randomized variables)."
    ]
  },
  "ransomware": {"data_exfiltration": true},
  "recommendations": [
    "Verify installation sources for developer tools (avoid sponsored ads for CLI tools).",
    "Monitor for unusual terminal activity or unexpected password prompts.",
    "Use hardware wallets for cryptocurrency storage to mitigate trojanized app risks.",
    "Implement endpoint detection for macOS systems to identify infostealer behavior (e.g., keychain access, ZIP exfiltration)."
  ],
  "references": [{"source": "Beezlebub Security Research"}],
  "title": "MacSync Stealer: Sophisticated macOS Malware Targets Developers via Malvertising",
  "type": "Malware (Infostealer)"
}