A sophisticated malware campaign targeting macOS users through Google-sponsored search results and legitimate platforms, including Anthropic\u2019s Claude AI<\/a> and Medium. <\/p>\n The campaign has already reached over 15,000 potential victims through two distinct attack variants that exploit users\u2019 trust in established online services.<\/p>\n The first attack vector leverages Google Ads to promote a malicious Claude AI artifact disguised as a legitimate macOS security guide. <\/p>\n When users search for \u201cOnline dns resolver,\u201d they encounter a sponsored link directing them to a public Claude artifact titled \u201cmacOS Secure Command Execution.\u201d <\/p>\n This fake guide instructs users to paste a base64-encoded command into their Terminal application. The command decodes and executes a malicious shell script that downloads the MacSync information stealer malware<\/a>.<\/p>\n Once executed, the malware establishes communication with its command-and-control server at a2abotnet[.]com\/dynamic using a hardcoded authentication token and API key. <\/p>\n To evade detection, the malware spoofs legitimate macOS browser User-Agent strings, making its network traffic appear as normal web browsing activity. <\/p>\n The payload fetches an AppleScript component that performs the actual data theft operations, targeting sensitive information such as keychain credentials, browser data, and cryptocurrency wallet files.<\/p>\n Cybersecurity researchers at Moonlock Lab<\/a>, the stolen data gets compressed into \/tmp\/osalogging.zip before exfiltration to a2abotnet[.]com\/gate via HTTP POST requests. <\/p>\n The malware includes sophisticated retry mechanisms for handling large data transfers, including chunked uploads with up to 8 retry attempts and exponential backoff. After successful data transmission, the malware removes staging files to cover its tracks.<\/p>\n The second attack variant targets users searching for \u201cmacos cli disk space analyzer\u201d through a Medium article published at apple-mac-disk-space.medium[.]com. <\/p>\n This article impersonates Apple\u2019s official Support Team and employs the same ClickFix social engineering technique<\/a>. However, this variant uses double-layered encoding and a different hosting infrastructure. <\/p>\n The malicious command uses string concatenation tricks (cur\u201d\u201dl instead of curl) to bypass simple pattern-matching detection systems and YARA rules.<\/p>\n Both variants demonstrate the growing trend of threat actors abusing legitimate platforms and trusted services to distribute malware. <\/p>\n The use of Google Ads for malware delivery highlights the critical importance of verifying sources even when they appear in sponsored search results. <\/p>\n Users should exercise extreme caution when copying and executing terminal commands from any online source, regardless of how legitimate the platform appears.<\/p>\n MacOS users are advised to avoid executing terminal commands from unfamiliar sources. They should verify the authenticity of support articles claiming to be from Apple or other trusted vendors. <\/p>\n Organizations should implement endpoint detection solutions <\/a>capable of monitoring suspicious terminal activity and network connections to unknown command-and-control servers.<\/p>\n IOC Table<\/strong><\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Threat Actors Exploit Claude Artifacts and Google Ads to Target macOS Users<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"15,000](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2026\/02\/image-23-1024x615.png?resize=1024%2C615&ssl=1\")
![\"Few](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2026\/02\/image-24-1024x754.png?resize=1024%2C754&ssl=1\")
![\"Malicious](\"https:\/\/i0.wp.com\/cybersecuritynews.com\/wp-content\/uploads\/2026\/02\/image-26-1024x311.png?resize=1024%2C311&ssl=1\")
\n\n
\n \nIndicator Type<\/th>\n Indicator<\/th>\n Description<\/th>\n<\/tr>\n<\/thead>\n \n Domain<\/td>\n a2abotnet[.]com<\/td>\n Command and control server<\/td>\n<\/tr>\n \n Domain<\/td>\n raxelpak[.]com<\/td>\n Payload hosting domain<\/td>\n<\/tr>\n \n Domain<\/td>\n apple-mac-disk-space.medium[.]com<\/td>\n Fake Apple support article<\/td>\n<\/tr>\n \n File Path<\/td>\n \/tmp\/osalogging.zip<\/td>\n Staging file for stolen data<\/td>\n<\/tr>\n \n Malware<\/td>\n MacSync<\/td>\n Information stealer targeting macOS<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n