Hijacked Google Ads and Claude.ai posts delivered MacSync—why macOS users and admins must stop pasting ad-sourced commands
The recent MacSync campaign used hijacked Google Ads and user-generated pages on Claude.ai to trick people into pasting obfuscated shell commands into Terminal, delivering a polymorphic infostealer that harvests Keychain items, browser cookies, and crypto keys. Below are the attack’s mechanics, quick checks you can run now, and concrete operational steps for teams and users.
How attackers combined trusted channels to push malware
Attackers compromised legitimate Google advertiser accounts—some tied to unrelated organizations such as a Canadian charity and a Colombian retailer—and bought sponsored search placements for queries like “Claude mac download” and “brew install macos.” Those ads linked to user-generated content pages hosted on claude.ai that presented malicious terminal commands as installation instructions.
The macOS payload, known as MacSync in reporting, arrives as Base64-encoded shell commands the user copies and pastes into Terminal. Those commands decode and execute multi-stage, in-memory payloads (polymorphic per download) that harvest macOS Keychain credentials, browser-stored cookies and wallets, and open a remote backdoor. Some variants profile the victim (region, keyboard layout) before activating to avoid sandboxes; Windows variants used legitimate utilities like mshta.exe to run scripts.
Fast verification steps you can run now
Check for exposure quickly by auditing recent Terminal history, network connections, and process ancestry. Look for unusually long Base64 strings in command history, child processes of /bin/sh or osascript that you didn’t start, and outbound connections to unfamiliar domains or IPs shortly after running a new install command.
| Indicator | Where to check | Immediate action |
|---|---|---|
| Long Base64 string pasted into Terminal | ~/.bash_history, ~/.zsh_history; Terminal UI session | Revoke keys, run offline forensic snapshot, disconnect from network |
| Unexpected osascript or /bin/sh child processes | ps aux, lsof, Activity Monitor (process tree) | Kill processes, capture memory if possible, rotate credentials |
| Outbound traffic to new domains after install | Firewall logs, tcpdump, netstat | Block destinations, preserve logs for analysis |
Why this isn’t “just phishing” and what detection missed
This campaign differs from conventional phishing because the malicious content lived on legitimate domains and came through verified ad slots and Claude.ai pages. Google’s ad review was bypassed because attackers used already-trusted advertiser accounts, not newly created or obviously malicious ones; reports show pages stayed live for hours or days while accruing tens of thousands of views before suspension.
Signature-based defenses also struggled because MacSync delivered polymorphic, in-memory payloads via decoded shell code rather than a persistent installer—payloads changed per fetch and executed without writing a clear disk artifact. Claude.ai’s user-generated content labelling was minimal (often invisible on mobile), which increased user confidence in the instructions and reduced cues that would normally trigger suspicion.
Operational checkpoints for teams and practical user rules
Teams should treat command-line installs surfaced by ads or third-party chat pages as untrusted inputs. Operational controls that materially reduce risk include blocking copy-paste into Terminal for non-admin users, centrally approving install commands via documented sources, and adding simple heuristic detection in endpoint telemetry for long Base64 decodes or repeated child osascript invocations.
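The history audit in the verification section and the endpoint heuristic just described can be prototyped in a few lines. The following is an added example, not code from the original report or from any vendor tool: it scans shell-history lines for long Base64 blobs, for `base64 -d` output piped into an interpreter (an assumed decode pattern; the page only says the pasted commands were Base64-encoded), and for osascript invocations, over constructed sample lines.

```python
import base64
import binascii
import re

# Heuristics for the pasted-command pattern described above: a long Base64
# blob decoded and piped straight into an interpreter, plus osascript use.
MIN_BLOB_LEN = 100
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_BLOB_LEN)
HEX_ONLY = re.compile(r"[0-9a-fA-F]+")
DECODE_TO_INTERP = re.compile(
    r"base64\s+(-d|-D|--decode)\b.*\|\s*(sh|bash|zsh|osascript|python3?|perl)\b"
)
OSASCRIPT = re.compile(r"\bosascript\b")


def looks_like_base64_blob(token: str) -> bool:
    """Valid Base64 and not just a long hex digest (hex is a Base64 subset)."""
    if HEX_ONLY.fullmatch(token):
        return False
    try:
        base64.b64decode(token, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def scan_history(lines):
    """Return (line_number, reason) findings for a list of shell-history lines."""
    findings = []
    for n, line in enumerate(lines, start=1):
        if DECODE_TO_INTERP.search(line):
            findings.append((n, "base64 decode piped into an interpreter"))
        blob = next((m.group(0) for m in B64_TOKEN.finditer(line)
                     if looks_like_base64_blob(m.group(0))), None)
        if blob:
            findings.append((n, f"long Base64 blob ({len(blob)} chars)"))
        if OSASCRIPT.search(line):
            findings.append((n, "osascript invocation"))
    return findings


# Constructed sample history; the blob is a harmless echo, not a real payload.
_DEMO_BLOB = base64.b64encode(b"echo constructed-demo-payload; " * 5).decode()
SAMPLE_HISTORY = [
    "brew install wget",
    "echo aGVsbG8= | base64 -d",
    f"echo {_DEMO_BLOB} | base64 -d | sh",
    "osascript -e 'display dialog \"hi\"'",
]
```

Feed it the lines of ~/.zsh_history or ~/.bash_history; zsh's extended-history prefix (`: timestamp:0;command`) does not affect the matches. Expect false positives on legitimate long tokens, so treat a hit as a prompt to read the decoded content, not as proof of compromise.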
For individual users: prefer official project repositories and vendor download pages; if you must follow a command from a forum or chat, inspect it locally (decode the Base64 and read it rather than executing it) and verify hashes or source stamps. Monitor how platforms respond: the next checkpoint is whether Claude.ai adds stronger visibility for user-generated posts and whether Google tightens controls on account takeovers and advertiser provenance—both would materially reduce the attack surface used here.
Quick Q&A
Did this exploit an OS vulnerability? No—the attack relied on social engineering and legitimate OS utilities (osascript, /bin/sh) to run code the user pasted, not a kernel or app exploit.
How long were malicious pages active? Reports indicate some ads and claude.ai pages remained live for hours to days, collecting tens of thousands of views before removal and advertiser account suspension.
Should I rotate passwords and keys? If you executed suspicious commands, assume compromise: rotate passwords, revoke API keys and crypto wallet keys where possible, and run a forensic review or consult your incident response provider.