ThreatCluster

MacSync Stealer Targets macOS via Malicious Google Ads Campaign

First seen: 2 Jul 2026, 01:33 UTC | Sources: Gbhackers, Cybersecuritynews | 88% similarity | 65

Article Content


The MacSync Stealer, a newly identified macOS infostealer, is being distributed through a sophisticated malvertising campaign on Google Ads that mimics Anthropic’s Claude Code CLI. Security researchers from Beezlebub Labs have detailed a multi-stage infection process that includes social engineering, credential harvesting, and persistent hijacking of cryptocurrency wallets. Beyond stealing credentials, the malware compromises the Ledger Live and Ledger Wallet applications to extract crypto seed phrases. The campaign poses a significant risk to macOS users, particularly those involved in cryptocurrency transactions. The full scope of the attack and the number of affected users are still under investigation. The researchers used their threat-intel platform Caronte to reverse-engineer the malware and understand its operation. As of now, the campaign remains active, and users are advised to exercise caution when interacting with ads related to Claude Code.

Key Points:
• MacSync Stealer is distributed via Google Ads impersonating Claude Code CLI.
• The malware targets macOS systems, stealing credentials and compromising crypto wallets.
• Beezlebub Labs has reverse-engineered the attack, revealing its multi-stage infection process.

ThreatCluster AI

Timeline

2026-07-01
MacSync Stealer campaign discovered
Researchers from Beezlebub Labs uncovered a malvertising campaign on Google Ads delivering the MacSync Stealer targeting macOS users.
Gbhackers
2026-07-01
Malware reverse-engineered
Beezlebub Labs utilized their Caronte platform to fully reverse-engineer the MacSync Stealer, revealing its capabilities and infection methods.
Cybersecuritynews
