Cybercriminals are taking advantage of Google Search Ads to trick Mac users into visiting fake websites that promise to clean their computers.
These sponsored ads appear when users search for common terms like “mac cleaner” or “clear cache macos,” making them look legitimate at first glance.
The landing pages are designed to resemble Apple’s official website, complete with familiar layouts and navigation menus. However, beneath this professional appearance lies a dangerous scheme that targets unsuspecting Mac owners.
The attackers have set up fake posts on platforms like Medium and Google’s own services to distribute malicious instructions that can give hackers full control of a victim’s computer.
The attack campaign exploits a simple but effective tactic: users trust Google’s advertising system and recognize Apple’s design language.
.webp "Threat Actors Leverage Google Search Ads for 'Mac Cleaner' to Direct Users to Malicious Websites 2")
When they click on these ads, they get redirected to pages filled with technical-sounding instructions about freeing up disk space or installing system updates.
MacKeeper analysts identified that the threat actors are using hijacked Google Ads accounts to run this operation, suggesting they may have compromised legitimate advertiser profiles belonging to users like Nathaniel Josue Rodriguez and companies such as Aloha Shirt Shop.
How the Malware Infection Works
The core of this attack relies on a deceptively simple but powerful command disguised as legitimate system maintenance.
When users copy and paste the provided instructions into their Terminal application, they unknowingly trigger a remote code execution attack.
.webp "Threat Actors Leverage Google Search Ads for 'Mac Cleaner' to Direct Users to Malicious Websites 4")
The command chain starts with an innocent-looking instruction that reads “Cleaning macOS Storage” or “Installing packages please wait,” which are merely social engineering tactics designed to make users feel confident they are performing normal maintenance.
Beneath these friendly messages lies base64-encoded text that hides the real attack code.
The system decodes this hidden text using the base64 command, which transforms it into an actual shell command that downloads a malicious script from a remote server without any user knowledge or consent.
Once downloaded, this script runs with full user permissions, giving attackers the ability to install malware, steal SSH keys, create system backdoors, mine cryptocurrency, steal personal files, or modify critical system settings.
The attackers use various obfuscation techniques to hide where the commands actually connect, making detection more difficult.
This pattern of disguised downloads and automatic execution is extremely common in professional malware operations and supply chain attacks.
MacKeeper researchers successfully identified and reported these dangerous ads to Google, and the tech giant has taken action to remove them from search results.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
