Listen to this Post

Introduction:
A malvertising campaign disclosed on May 10 by security researcher Berk Albayrak is abusing two trusted platforms—Google Ads and Anthropic’s Claude.ai shared chats—to distribute a variant of the MacSync infostealer. By disguising itself as an official “Claude Code on Mac” installation guide, the attack chain leverages legitimate infrastructure to bypass traditional web filters and trick users into manually executing malicious terminal commands, ultimately harvesting browser credentials, session cookies, and macOS Keychain contents.
Learning Objectives:
- Understand the multi-stage attack flow, from poisoned Google Ads to legitimate Claude shared chats.
- Identify the technical indicators of compromise (IoCs), including domains, SHA-256 hashes, and polymorphic payload behaviors.
- Implement hands-on detection, prevention, and hardening techniques using macOS commands, YARA rules, and endpoint monitoring.
- Anatomy of the MacSync Infection Chain (What the Post Reveals)
The campaign begins when a user searches for terms such as “Claude download mac” on Google. Attackers purchase sponsored search placements that display claude.ai as the visible destination, making the ad visually indistinguishable from an authentic Anthropic result.
Clicking the ad redirects victims to a legitimate publicly shared Claude.ai chat that the attackers control. The shared chat is staged to impersonate Apple Support representatives and presents victims with an installation guide that instructs them to copy-paste a base64-encoded terminal command. The provided command, when pasted into macOS Terminal, pipes the disguised content directly into the Z shell (zsh) for immediate execution, stealthily downloading the MacSync malware variant.
What makes this clever: the attack does not use a fake domain. The URL displayed in the ads is the authentic claude.ai, invalidating one of the most basic verification mechanisms users rely on.
Technical Indicators:
| Type | Value |
|||
| SHA-256 hash (payload) | bbd98170ea66c8d13605cb88ad0e18602ef40c0745f7b2c979a8a342a31c1857 |
| C2 domain | customroofingcontractors[.]com |
| Malicious Google Sites pages | sites[.]google[.]com/view/cloud-version-08, /view/brewshka-page, /view/claud-version-0505 |
| Fake Framer page | claude-desktop-app[.]framer[.]ai |
| Redirect IP/domains | 2[.]26[.]75[.]112/Hokojol, pieoneer[.]org, greenactiv[.]com |
- Step‑by‑Step: Detect Ongoing Infection on macOS (Terminal Commands)
If you suspect a system has been compromised or want to check for indicators, run these commands in macOS Terminal:
2.1 Check running processes for suspicious ZSH or python activity
ps aux | grep -E "(zsh|bash|python|curl|wget|osascript)" | grep -v grep
Look for processes that originated from /tmp or unexpected locations.
2.2 Review recent command history
history | tail -50 cat ~/.zsh_history | tail -100
Search for base64-encoded strings, curl/wget commands pointing to suspicious domains, or piping (|) to shell.
2.3 Check for MacSync staging directory
ls -la /tmp/salmonela/ 2>/dev/null
Earlier MacSync variants staged files under `/tmp/salmonela/`.
2.4 Examine LaunchAgents and LaunchDaemons for persistence
ls -la ~/Library/LaunchAgents/ | grep -v com.apple sudo ls -la /Library/LaunchDaemons/ | grep -v com.apple
MacSync creates hidden launch agents to maintain persistence across reboots.
2.5 Monitor network connections to known C2 infrastructure
sudo lsof -i | grep -E "(customroofingcontractors|pieoneer|greenactiv)" sudo netstat -an | grep -E "(ESTABLISHED|LISTEN)"
2.6 Run macOS built-in malware removal tool (MRT)
/System/Library/CoreServices/MRT.app/Contents/MacOS/MRT
MRT detects known malware families including OSX/Proton and SilverSparrow.
2.7 Full filesystem scan for suspicious binaries
sudo find / -type f -perm +111 -exec file {} \; | grep -E "(Mach-O|executable)" | grep -v "APPLE"
- Defensive Linux & Windows Hardening Against Similar AI‑Abuse Attacks
While this campaign specifically targets macOS, Windows and Linux users are equally vulnerable to malvertising attacks abusing AI platforms.
Enable logging on Windows Event Viewer to detect unusual PowerShell executions:
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object { $_.Message -match "DownloadString|Invoke-Expression|Base64" }
Linux: Monitor for encoded commands in bash history:
grep -E "base64|curl.sh|wget.sh" ~/.bash_history
Implement browser ad-blocking across all platforms:
- Install uBlock Origin to block Google Search sponsored links
- Consider AdGuard or Pi-hole for network-level filtering of malvertising domains
Windows: Configure AppLocker or WDAC to restrict script execution to signed scripts only.
- How the MacSync Infostealer Operates and What It Steals
Once active in memory, MacSync operates as a comprehensive macOS stealer. It performs three main functions:
4.1 System profiling and geofencing
The malware checks the device’s keyboard locale setting and aborts the infection if it detects a Russian-language or CIS regional configuration. This deliberate geographic exclusion is associated with threat actors operating from those regions. In profiling mode, it collects:
– External IP address
– Device hostname
– macOS version
– Keyboard locale settings
4.2 Data extraction
The malware extracts stored credentials and session cookies from major browsers and specifically targets the macOS Keychain—the system-level secure storage holding Wi-Fi passwords, application credentials, and cryptographic certificates. Access to Keychain gives attackers broad visibility into enterprise VPNs, cloud storage services, and internal tools.
4.3 In-memory execution and polymorphism
The payload executes entirely in memory rather than writing a persistent binary to disk, reducing detection likelihood. The obfuscation is polymorphic—each request to the delivery server returns a functionally identical but structurally unique script, undermining signature-based detection.
- Build a YARA Rule to Detect MacSync in Forensic Analysis
Create a custom YARA rule to hunt for MacSync across your macOS environment:
rule MacSync_Infostealer_2025 {
meta:
description = "Detects MacSync infostealer indicators"
author = "Security Team"
date = "2025-05-11"
reference = "customroofingcontractors[.]com"
strings:
$c2_domain = "customroofingcontractors.com" wide ascii
$base64_pattern = /[A-Za-z0-9+\/]{40,}={0,2}/
$zsh_exec = "zsh" wide ascii
$keychain_access = "security dump-keychain" wide ascii
$tmp_staging = "/tmp/salmonela/" wide ascii
condition:
($c2_domain or $keychain_access or $tmp_staging) and $zsh_exec
}
Run the rule using `yara` command-line tool:
yara -w -r MacSync_Infostealer_2025.yar /System/Volumes/Data
6. Prevention: Secure Your Google Ads Search Behavior
The most effective defense is behavioral. Security researcher Berk Albayrak recommends:
- Ignore sponsored search results entirely. Scroll past the “Sponsored” label to organic listings
- Type the vendor URL directly. Navigate manually to `claude.ai` or `anthropic.com` instead of clicking Google search results
- Never paste terminal commands from shared chats, forums, or unknown setup guides even when hosted on legitimate domains
- Enable macOS Gatekeeper and Notarization: `sudo spctl –master-enable`
For enterprise deployments:
- Block known C2 domains at network level (customroofingcontractors[.]com, pieoneer[.]org, greenactiv[.]com)
- Deploy EDR solutions that monitor zsh script execution and investigate base64-decoded commands
- Use browser extension policies to enforce ad-blocking across all managed devices
7. Incident Response Playbook for macOS Malvertising Attacks
If an infection is confirmed:
- Isolate the affected Mac from network (disable Wi-Fi/ethernet).
2. Capture memory for forensic analysis:
sudo avimager -f /Volumes/ExternalDrive/memory_dump.aff4
3. Collect key forensic artifacts:
sudo asr -source / -target /Volumes/ExternalDrive/ -noprompt cp ~/.zsh_history /Volumes/ExternalDrive/ cp ~/Library/Keychains/ /Volumes/ExternalDrive/
4. Kill malicious processes:
kill -9 $(ps aux | grep -E "MacSync|salmonela" | awk '{print $2}')
5. Remove persistence mechanisms:
rm -rf /tmp/salmonela/ launchctl unload ~/Library/LaunchAgents/com.apple.softwareupdates.plist
6. Reset all credentials stored in Keychain and browsers—assume they are compromised.
What Undercode Says
- Keywords are a honeypot: Threat actors purchase search ads for high-intent, technical search terms like “Claude download mac” because they know developers are conditioned to copy-paste terminal commands from online guides.
- Trusted infrastructure cannot be trusted: Attackers no longer need fake domains. Legitimate platforms like Claude.ai, Google Sites, and Framer are weaponized to bypass security filters and lower user suspicion.
- Polymorphism and in-memory execution are the new normal: Signature-based AV is obsolete against campaigns that deliver unique payloads per request and never write to disk. Behavioral detection and EDR are essential.
- MacOS is not immune: The “Macs don’t get viruses” myth has been definitively shattered. This campaign proves that social engineering + malvertising + in-memory code execution works effectively on macOS.
- User education must evolve: Teaching users to “check the domain” is no longer sufficient. The new rule: never paste terminal commands from any website, forum, or shared chat, regardless of domain legitimacy.
Prediction
This campaign marks a template that will be rapidly adopted by other threat actors. Expect similar attack chains against ChatGPT, Gemini, and other AI platforms within weeks, with more sophisticated variants that deploy ransomware payloads rather than just stealers. Enterprises should anticipate a surge in malvertising targeting AI tooling keywords across all search engines, and security vendors will race to deploy real-time detection for shared-chat infrastructure abuse. Apple will likely release a macOS security update restricting clipboard-to-terminal execution by default, and Google will face pressure to implement more aggressive ad-review processes for AI-branded search terms. The battlefield has shifted: the new threat is not malicious code, but malicious instructions hosted on entirely legitimate platforms.
▶️ Related Video (76% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Divya Kumari – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


