SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

Hijacked Google Ads push MacSync malware to Mac users

Tue, 24th Feb 2026

Bitdefender researchers have identified an active malvertising campaign that uses hijacked Google Ads accounts to deliver malware to Mac users searching for popular software downloads.

The operation relies on sponsored search results that impersonate well-known macOS applications, including 7-Zip, Notepad++, LibreOffice, Microsoft Office, OBS Studio and Final Cut Pro. The ads appear for exact product-name searches, increasing the chance that users click them while looking for legitimate installers.

Rather than sending users to developer sites, the ads redirect to shared Evernote pages designed to look like installation guides. The pages instruct users to open Terminal and paste a Base64-encoded command, which executes malicious code.

Compromised ad accounts

Investigators tracked more than 35 compromised Google Ads accounts and more than 200 malicious ads tied to the campaign. The accounts originated in many countries, including the United States, Canada, Italy, Poland, Brazil, India, Saudi Arabia, Japan, China, Romania, Malta, Slovenia, Germany, the United Kingdom and the United Arab Emirates.

Some hijacked accounts had previously promoted unrelated services such as charities, law firms, commercial businesses and travel agencies. Bitdefender identified at least two accounts previously linked to a US law firm and a US charity that were later used to run malicious ads.

The pattern suggests attackers took over legitimate business profiles rather than creating new advertiser identities. That makes fraudulent placements harder to spot because the accounts may have established histories and billing arrangements.

Evernote redirects

The campaign uses shared Evernote notes hosted under a single account. Each note follows a tutorial-style format with step-by-step guidance centered on running a Terminal command that claims to install the requested application.

This approach shifts execution to the user and avoids the need to host a traditional fake download page. It relies on social engineering and the perceived legitimacy of both sponsored search results and a mainstream cloud service.

MacSync Stealer

The command deploys a newer variant of MacSync Stealer, identified as v1.1.2_release with the build tag "symbiot." The malware is designed for account takeover and financial theft.

The stealer can exfiltrate files and documents. It also harvests browser cookies and login databases, and can collect Telegram data and macOS Notes content. Bitdefender reported that it targets crypto wallets, browser-based crypto extensions and password managers, and may display a fake macOS password prompt to steal system credentials.

The research also found signs of continuity with earlier malvertising operations. Bitdefender reported overlaps in infrastructure and API key reuse, linking the activity to previously documented ClickFix campaigns that used Meta ads to distribute fake installers. The overlaps point to a broader ecosystem operating across major advertising platforms and targeting both macOS and Windows users.

Shift in tactics

The case adds to evidence that threat actors are relying more on legitimate platforms and trusted services than on software vulnerabilities. Sponsored ads give attackers scale and precision, while search-based targeting reaches users at the moment they are trying to download software.

Cloud note and file-sharing services can also serve as intermediaries, complicating takedown and detection because they are widely used for legitimate collaboration and publishing.

Bitdefender advised users to avoid sponsored search results for software downloads and to get applications only from official developer domains. It also warned against running Terminal commands provided by a website, especially when the instructions include encoded strings.
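
A defender-side check for the pattern described above, added here as an illustration and not taken from Bitdefender's report: it flags command lines in which Base64-decoded text is handed to a shell, and decodes the embedded string for review without running it. The regular expressions, the `inspect` function and the sample commands are constructed for this example.

```python
import base64
import re

# Hypothetical heuristics written for this example, not vendor signatures.
SHELL = r"(?<!\w)(?:/[\w./-]*/)?(?:ba|z)?sh\b"
DECODE = re.compile(r"\b(?:base64\s+(?:-d|-D|--decode)|openssl\s+base64\s+-d)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?" + SHELL)        # ... | zsh
SUBST_EXEC = re.compile(r"(?:\beval|" + SHELL + r"\s+-c)\s+[\"']?\$\(")  # bash -c "$(...)"
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def inspect(cmd):
    """Return (flagged, decoded_preview) for one pasted command line.

    Flagged means a Base64 decode step feeds a shell interpreter. The
    preview is the decoded literal as text; it is never executed.
    """
    m = DECODE.search(cmd)
    if not m:
        return False, None
    if not (PIPE_TO_SHELL.search(cmd, m.end()) or SUBST_EXEC.search(cmd)):
        return False, None  # decoding to a file or a hash tool is not execution
    for token in B64_LITERAL.findall(cmd):
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:
            continue  # long token that is not valid Base64
        return True, raw.decode("utf-8", "replace")
    return True, None  # decode-and-run with no inline literal to preview


# Constructed sample input: a harmless payload and commands built around it.
PAYLOAD = b"echo constructed-benign-payload"
B64 = base64.b64encode(PAYLOAD).decode()
SAMPLES = [
    f'echo "{B64}" | base64 -D | zsh',
    f'/bin/bash -c "$(echo {B64} | base64 --decode)"',
    "base64 -d report.b64 > report.pdf",
    "brew install --cask libreoffice",
    f"echo {B64} | base64 -d | shasum -a 256",
]

if __name__ == "__main__":
    for line in SAMPLES:
        flagged, preview = inspect(line)
        print("FLAG" if flagged else "ok  ", line[:60], "->", preview)
```

The same check can be run over shell history files or over command-line fields in endpoint process telemetry.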

The company said security tools can detect malicious scripts and block persistence mechanisms. Bitdefender added that it will continue monitoring the campaign and update its findings as more infrastructure is identified.

"Mac users are often told they are safer by default, but social engineering and malvertising remain highly effective delivery mechanisms," said Bogdan Botezatu, Senior Director of Threat Research and Reporting at Bitdefender.