{"id":11869,"date":"2026-02-16T20:50:54","date_gmt":"2026-02-16T20:50:54","guid":{"rendered":"https:\/\/techtrendfeed.com\/?p=11869"},"modified":"2026-02-16T20:50:54","modified_gmt":"2026-02-16T20:50:54","slug":"google-adverts-and-claude-ai-abused-to-unfold-macsync-malware-by-way-of-clickfix","status":"publish","type":"post","link":"https:\/\/techtrendfeed.com\/?p=11869","title":{"rendered":"Google Ads and Claude AI Abused to Spread MacSync Malware via ClickFix"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p>Cybersecurity researchers at Moonlock Lab, the investigative unit of the popular software developer MacPaw, have uncovered a clever new way that hackers are targeting Mac users. This campaign uses the <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/hackread.com\/tag\/ClickFix\/\" target=\"_blank\" rel=\"noreferrer noopener\">ClickFix<\/a> technique, in which people are tricked into copying and pasting dangerous commands directly into their computer\u2019s Terminal, and the attack begins with a simple Google search.<\/p>\n<h3 id=\"how-the-trap-is-set\" class=\"wp-block-heading\"><strong>How the Trap is Set<\/strong><\/h3>\n<p>The hackers managed to hijack legitimate, verified <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/hackread.com\/malicious-google-ads-mac-fake-mac-cleaner\/\" target=\"_blank\" rel=\"noreferrer noopener\">Google Ads<\/a> accounts belonging to Earth Rangers, a Canadian children\u2019s charity, and a Colombian watch retailer called T S Q SA. 
Because these accounts have an established history and a good reputation, their malicious ads bypassed Google\u2019s security checks without any verification alarms.<\/p>\n<p>When users search for common technical terms like \u201conline DNS resolver,\u201d \u201cHomeBrew,\u201d or \u201cmacos cli disk space analyzer,\u201d they&#8217;re shown a \u201csponsored\u201d link at the top of the results. As the team at Moonlock Lab recently shared in a series of posts on X (formerly Twitter): \u201cWhat if a Google Sponsored end result for a standard macOS question led to malware? That\u2019s taking place proper now.\u201d<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">\ud83e\uddf5 1\/ \ud83d\udea8 What if a Google Sponsored end result for a standard macOS question led to malware? 
That is taking place proper now and 15K+ individuals have already seen it.<br \/>We at @MoonlockLab noticed 2 variants at the moment abusing professional platforms for ClickFix supply: a <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/AnthropicAI?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener\">@AnthropicAI<\/a> public artifact on\u2026 <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/t.co\/e1ocnQPmV4\">pic.twitter.com\/e1ocnQPmV4<\/a><\/p>\n<p>\u2014 Moonlock Lab (@moonlock_lab) <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/twitter.com\/moonlock_lab\/status\/2021695650367226108?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener\">February 11, 2026<\/a><\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p>These results lead to one of two traps:<\/p>\n<ol class=\"wp-block-list is-style-cnvs-list-styled\">\n<li>A Claude AI Artifact: A public page on the official Claude AI website titled \u201cmacOS Safe Command Execution.\u201d Moonlock researchers warned that this fake guide had already been viewed over 15,600 times.<\/li>\n<li>A Medium Article: A post hosted at apple-mac-disk-space.mediumcom, which is designed to impersonate the official Apple Support Team.<\/li>\n<\/ol>\n<h3 id=\"the-clickfix-trick\" class=\"wp-block-heading\"><strong>The ClickFix Trick<\/strong><\/h3>\n<p>As is commonly observed, most people trust information found on official-looking platforms. These pages provide a specific line of code and instruct the user to paste it into their Terminal to fix a problem or install a tool. 
Once a user runs this command, it secretly downloads the <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/hackread.com\/macsync-stealer-mac-app-saved-passwords\/\" target=\"_blank\" data-type=\"post\" data-id=\"139025\" rel=\"noreferrer noopener\">MacSync infostealer<\/a>.<\/p>\n<p>While all infostealers are designed to quietly hunt for private data, MacSync is particularly thorough. It targets your Keychain (where <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/hackread.com\/macos-users-python-infostealers-posing-ai-installers\/\" target=\"_blank\" rel=\"noreferrer noopener\">macOS<\/a> stores system passwords), browser-saved logins, and private keys from cryptocurrency wallets. The stolen data is then bundled into a file named osalogging.zip and sent straight to the hackers\u2019 server.<\/p>\n<p>This isn\u2019t the first time AI tools have been used this way; similar techniques were recently observed using <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/hackread.com\/fake-chatgpt-atlas-clickfix-steal-passwords\/\" target=\"_blank\" rel=\"noreferrer noopener\">ChatGPT<\/a> and <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/cybersecuritynews.com\/threat-actors-weaponize-chatgpt-grok-to-distribute-amos-stealer\/\" target=\"_blank\" rel=\"noreferrer noopener\">Grok<\/a> to spread malware.<\/p>\n<h3 id=\"staying-safe\" class=\"wp-block-heading\"><strong>Staying Safe<\/strong><\/h3>\n<p>Researchers at Moonlock Lab believe the same group is behind both variants of the attack. Specifically, the malicious commands in both the Claude and Medium guides connect to the same Command-and-Control (C2) server to download the final payload. 
It&#8217;s worth noting that MacSync is actually a more advanced rebrand of an older malware called Mac.c, proving that these hackers are constantly refining their tools.<\/p>\n<p>To stay safe, never paste a command into your Terminal if you don&#8217;t fully understand what it does. It&#8217;s always safer to download software directly from official websites rather than following links found in sponsored search results.<\/p>\n<p>\n\t\t\t<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity researchers at Moonlock Lab, the investigative unit of the popular software developer MacPaw, have uncovered a clever new way that hackers are targeting Mac users. This campaign uses the ClickFix technique, in which people are tricked into copying and pasting dangerous commands directly into their computer\u2019s Terminal and 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":11871,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[1603,1348,458,3639,81,7879,216,1867],"class_list":["post-11869","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-abused","tag-ads","tag-claude","tag-clickfix","tag-google","tag-macsync","tag-malware","tag-spread"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/11869","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=11869"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/11869\/revisions"}],"predecessor-version":[{"id":11870,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/11869\/revisions\/11870"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/11871"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=11869"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=11869"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=11869"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}