Search...

Warning for Mac users: Fake Claude AI application targets user information

Investigations have revealed a newly identified malware strain known as MacSync Stealer, which targets the macOS operating system. According to available information, the malware is being distributed through a malicious advertising campaign conducted via Google Ads and masquerades as the Claude Code CLI tool.

Analysis indicates that the attack employs a multi-stage attack chain, ranging from social engineering techniques to system compromise, credential theft and the hijacking of cryptocurrency wallets.

Threat actors target users conducting searches such as “claude code mac install” on Google. Victims are redirected through sponsored advertisements to a fraudulent website designed to imitate a legitimate software installation portal. The website instructs users to execute a specific command in the terminal, thereby facilitating the initial stage of the compromise.

 

posts/2026/07/vU7EITWtoDs6P8tibHLhrYutpl93Faek70Hwvz7o.jpg

 

During the initial stage of the attack, a multi-layer encoded script is executed. The malware subsequently establishes communication with a command-and-control (C2) server and downloads additional malicious components onto the compromised system. This initiates a multi-stage infection process, allowing the malware to operate covertly within the victim’s environment.

The primary payload, identified as MacSync Stealer v1.1.2, initially terminates the Terminal application in an effort to conceal traces of malicious activity. It then displays a fraudulent authentication prompt designed to resemble a legitimate macOS system dialog and requests the user’s login password.

Once the password is obtained, the malware gains access to various system security mechanisms and begins harvesting sensitive information. The collected data includes browser-stored credentials, cookies, SSH keys, cloud service credentials, messaging application sessions and information associated with numerous cryptocurrency wallets.

The harvested data is temporarily stored, archived and subsequently transmitted in segments to infrastructure controlled by the threat actors.

According to the information, the attack extends beyond conventional information theft. Users with certain cryptocurrency-related applications installed on their systems face an additional level of risk. The malware modifies critical application files and replaces them with trojanized versions.

As a result, after the affected application is launched, victims are presented with a fraudulent recovery page and prompted to enter their cryptocurrency wallet seed phrase. The submitted information is then transmitted directly to servers controlled by the attackers, potentially leading to the complete loss of the victim’s digital assets.

Security experts note that this campaign demonstrates the increasing effectiveness of malicious advertising and social engineering techniques employed by cybercriminals. MacSync Stealer is regarded as a significant threat due to its ability to combine credential theft with cryptocurrency wallet compromise within a single attack chain.

Indicators of Compromise (IOCs)

As a result of the analysis, the following Indicators of Compromise (IOCs) associated with the campaign have been identified:

  • Malware: MacSync Stealer v1.1.2 (build tag: claude1)
  • Dropper SHA256 Hash: bd348a40261aa2d95566ccdc4e6f304ff25aa97d34e5c713c77c937583ad04f0
  • Command-and-Control (C2) Domain: oklahomawarehousing.com
  • URL Paths: /dynamic, /gate, /curl, /ledger/live
  • API Key: 5190ef1733183a0dc63fb623357f56d6
  • Fraudulent Installation Page: sites.google.com/view/claud-version-0505
  • Trojanized Ledger Live SHA256 Hash: 1abf943e97356e07bde23663da544e7c106afc19827a2106361a52035737de43
  • File Artifacts: /tmp/osalogging.zip, /tmp/sync*/

 

Government institutions and Security Operations Centers (SOCs) are advised to integrate the identified indicators into their security monitoring and detection systems, conduct threat-hunting activities based on the listed domains and file artifacts and perform additional forensic analysis to identify potential signs of compromise within their environments.

 

© 2011-2026 All rights reserved