MacSync Stealer Hijacks macOS via Fake Claude Code Google Ads – Full Attack Chain Exposed
ID: ca8648f0-1496-543b-b2ad-de361c8491cf
STIX ID: report--ca8648f0-1496-543b-b2ad-de361c8491cf
Feed Name: GBHackers
MacSync Stealer is a newly discovered macOS infostealer propagated via malvertising on Google Ads that impersonates Anthropic’s Claude Code CLI; a triple-encoded zsh dropper and three-stage payload chain deliver an AppleScript-based stealer which harvests login credentials, macOS keychain items, browser data, SSH/AWS secrets, Telegram sessions, and targets Ledger Live by trojanizing its Electron asar to phish seed phrases. The report includes technical TTPs, SHA256 hashes, C2 domain and API key, file artifacts, and notes limitations (user interaction gating and incomplete upload fragility).
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
