MacSync Stealer Targets macOS via Malicious Google Ads Campaign
MacSync Stealer, a newly identified macOS infostealer, is being distributed through a malvertising campaign on Google Ads that impersonates Anthropic's Claude Code CLI. Researchers at Beezlebub Labs, who reverse-engineered the malware with their threat-intel platform Caronte, describe a multi-stage infection chain that combines social engineering, credential harvesting, and persistent hijacking of cryptocurrency wallets. Beyond stealing credentials, the malware tampers with the Ledger Live and Ledger Wallet applications in order to capture wallet seed phrases. The campaign therefore poses a significant risk to macOS users, and in particular to anyone who manages cryptocurrency from the affected machine. The full scope of the attack and the number of affected users are still under investigation. The campaign remains active at the time of writing: users should treat sponsored search results for Claude Code with suspicion and obtain the tool only through Anthropic's official distribution channels rather than through an advertisement.
Key Points:
• MacSync Stealer is distributed via Google Ads impersonating the Claude Code CLI.
• The malware targets macOS systems, stealing credentials and compromising crypto wallets, including the Ledger Live and Ledger Wallet applications.
• Beezlebub Labs has reverse-engineered the attack, revealing its multi-stage infection process.