{"id":43700,"date":"2026-02-16T22:08:45","date_gmt":"2026-02-16T14:08:45","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/02\/16\/google-ads-and-claude-ai-abused-to-spread-macsync-malware-via-clickfix\/"},"modified":"2026-02-16T22:08:45","modified_gmt":"2026-02-16T14:08:45","slug":"google-ads-and-claude-ai-abused-to-spread-macsync-malware-via-clickfix","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/02\/16\/google-ads-and-claude-ai-abused-to-spread-macsync-malware-via-clickfix\/","title":{"rendered":"Google Ads and Claude AI Abused to Spread MacSync Malware via ClickFix"},"content":{"rendered":"\n<p>Cyber security researchers at Moonlock Lab, the investigative unit of the popular software developer MacPaw, have uncovered a clever new way that hackers are targeting Mac users. This campaign uses the <a href=\"https:\/\/hackread.com\/tag\/ClickFix\/\" target=\"_blank\" rel=\"noreferrer noopener\">ClickFix<\/a> technique, where people are tricked into copying and pasting dangerous commands directly into their computer&#8217;s Terminal and the attack starts with a simple Google search.<\/p>\n<h3><strong>How the Trap is Set<\/strong><\/h3>\n<p>The hackers managed to hijack legitimate, verified <a href=\"https:\/\/hackread.com\/malicious-google-ads-mac-fake-mac-cleaner\/\" target=\"_blank\" rel=\"noreferrer noopener\">Google Ads<\/a> accounts belonging to Earth Rangers, a Canadian children&#8217;s charity, and a Colombian watch retailer called T S Q SA. Because these accounts have an established history and a good reputation, their malicious adverts bypassed Google\u2019s security checks without any verification alarms.<\/p>\n<p>When users search for common technical terms like &#8220;online DNS resolver,&#8221; &#8220;HomeBrew,&#8221; or &#8220;macos cli disk space analyzer,&#8221; they are shown a &#8220;sponsored&#8221; link at the top of the results. 
As the team at Moonlock Lab recently shared in a series of posts on X (formerly Twitter): &#8220;What if a Google Sponsored result for a common macOS query led to malware? That&#8217;s happening right now.&#8221;<\/p>\n<figure>\n<div>\n<blockquote data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">\ud83e\uddf5 1\/ \ud83d\udea8 What if a Google Sponsored result for a common macOS query led to malware? That&#39;s happening right now and 15K+ people have already seen it.<br \/>We at @MoonlockLab observed 2 variants today abusing legitimate platforms for ClickFix delivery: a <a href=\"https:\/\/twitter.com\/AnthropicAI?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener\">@AnthropicAI<\/a> public artifact on\u2026 <a href=\"https:\/\/t.co\/e1ocnQPmV4\">pic.twitter.com\/e1ocnQPmV4<\/a><\/p>\n<p>&mdash; Moonlock Lab (@moonlock_lab) <a href=\"https:\/\/twitter.com\/moonlock_lab\/status\/2021695650367226108?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener\">February 11, 2026<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p>These results lead to one of two traps:<\/p>\n<ol>\n<li>A Claude AI Artifact: A public page on the official Claude AI website titled &#8220;macOS Secure Command Execution.&#8221; Moonlock researchers warned that this fake guide had already been viewed over 15,600 times.<\/li>\n<li>A Medium Article: A post hosted at apple-mac-disk-space.mediumcom, which is designed to impersonate the official Apple Support Team.<\/li>\n<\/ol>\n<h3><strong>The ClickFix Trick<\/strong><\/h3>\n<p>As is generally observed, most people trust information found on official-looking platforms. These pages provide a specific line of code and instruct the user to paste it into their Terminal to fix a problem or install a tool. 
Once a user runs this command, it secretly downloads the <a href=\"https:\/\/hackread.com\/macsync-stealer-mac-app-saved-passwords\/\" target=\"_blank\" data-type=\"post\" data-id=\"139025\" rel=\"noreferrer noopener\">MacSync infostealer<\/a>.<\/p>\n<p>While all infostealers are designed to quietly hunt for private data, MacSync is particularly thorough. It targets your Keychain (where <a href=\"https:\/\/hackread.com\/macos-users-python-infostealers-posing-ai-installers\/\" target=\"_blank\" rel=\"noreferrer noopener\">macOS<\/a> stores system passwords), browser-saved logins, and private keys from cryptocurrency wallets. The stolen data is then bundled into a file named osalogging.zip and sent straight to the hackers&#8217; server.<\/p>\n<p>This isn&#8217;t the first time AI tools have been used this way; similar tricks were recently spotted using <a href=\"https:\/\/hackread.com\/fake-chatgpt-atlas-clickfix-steal-passwords\/\" target=\"_blank\" rel=\"noreferrer noopener\">ChatGPT<\/a> and <a href=\"https:\/\/cybersecuritynews.com\/threat-actors-weaponize-chatgpt-grok-to-distribute-amos-stealer\/\" target=\"_blank\" rel=\"noreferrer noopener\">Grok<\/a> to spread malware.<\/p>\n<h3><strong>Staying Safe<\/strong><\/h3>\n<p>Researchers at Moonlock Lab believe the same group is behind both variants of the attack. Specifically, the malicious commands in both the Claude and Medium guides connect to the same Command-and-Control (C2) server to download the final payload. 
It is worth noting that MacSync is actually a more advanced rebrand of an older malware called Mac.c, proving that these hackers are constantly refining their tools.<\/p>\n<p>To stay safe, never paste a command into your Terminal if you do not fully understand what it does. It is always safer to download software directly from official websites rather than following links found in sponsored search results.<\/p>\n<div >\n<div>\n<div>\n<div>\n<h5> \t\t\t\t\t\t<a href=\"https:\/\/hackread.com\/author\/deeba\/\" rel=\"author\"> \t\t\t\t\t\t\tDeeba Ahmed\t\t\t\t\t\t<\/a> \t\t\t\t\t<\/h5>\n<div>\n<div> \t\t\t\t\t\t\t\tDeeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. 
Her expertise and in-depth analysis make her a key contributor to the platform\u2019s trusted coverage.\t\t\t\t\t\t\t<\/div>\n<div>\n<div> \t\t<a href=\"https:\/\/hackread.com\/author\/deeba\/\" target=\"\"> \t\t\tView Posts\t\t<\/a> \t<\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Cyber security researchers at Moonlock Lab, the investi [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-43700","post","type-post","status-publish","format-standard","hentry","category-hackread"],"_links":{"self":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/43700","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/comments?post=43700"}],"version-history":[{"count":0,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/43700\/revisions"}],"wp:attachment":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/media?parent=43700"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/categories?post=43700"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/tags?post=43700"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}