Malware Spreads via Verified Ads on X Targeting Mac Users

Malware Spreads via Verified Ads on X Targeting Mac Users

First seen 4 Jul 2026, 05:52 UTC 9To5MacGbhackers 75% similarity 64.5

Article Content

Browse articles
ThreatCluster

A ClickFix-style malware campaign was detected spreading through a sponsored ad on X, originating from a verified account. The ad masqueraded as the legitimate Mac app DynamicLake, leading users to a malicious domain, dynamicmacisland[.]com. Victims were instructed to execute Terminal commands to install malware, identified as a variant of Atomic Stealer, tracked as MacSync. The incident highlights vulnerabilities in X's ad approval process, allowing malware to bypass automated scans. The developer of DynamicLake expressed concern over the misuse of their brand and urged users to download only from their official site. Jamf Threat Labs and Malwarebytes are investigating the incident, marking it as a significant security breach for Mac users. This is the first known case of malware spread through ads on X, raising alarms about the platform's ad vetting procedures.

Key Points: • Malware spread via a verified ad on X, posing as a legitimate Mac app. • Victims were misled into executing Terminal commands to install malware. • The incident exposes flaws in X's ad approval process and impacts Mac users.

ThreatCluster AI

Timeline

2026-07-02
Malware campaign detected
A ClickFix-style malware campaign was identified spreading through a sponsored ad on X, targeting Mac users.
9To5Mac
2026-07-02
Malicious domain identified
The ad redirected users to dynamicmacisland[.]com, a lookalike domain with no ties to the legitimate app.
9To5Mac
2026-07-02
Malware payload analyzed
The malware was identified as a variant of Atomic Stealer, tracked as MacSync, with DigitStealer also noted.
9To5Mac
2026-07-04
ConsentFix technique reported
Gbhackers reported on a novel browser-based hijack technique called ConsentFix, exfiltrating Microsoft 365 session tokens.
Gbhackers

Community

Browse all →