Mac customers looking for well-liked software program like 7-Zip, Notepad++, LibreOffice and Last Lower Professional might unknowingly land in the course of an lively malvertising marketing campaign powered by hijacked Google advertiser accounts.
Bitdefender Labs researcher Ionut Baltariu has found that compromised Google Adverts accounts are presently distributing malicious advertisements impersonating well-known software program instruments. The advertisements seem when customers seek for reputable merchandise and redirect victims to shared Evernote pages containing a harmful Terminal command.
Hijacked Google Advertiser Accounts Push Faux Software program
Our investigation recognized a minimum of 35 hijacked Google advertiser accounts originating from nations together with the US, Canada, Italy, Poland, Brazil, India, Saudi Arabia, Japan, China, Romania, Malta, Slovenia, Germany, the UK, and the United Arab Emirates.
Throughout these accounts, we noticed greater than 200 malicious ads impersonating reputable macOS software program. Many of those accounts seem to have beforehand promoted solely unrelated providers, together with charities, legislation companies, business companies, journey companies, resorts, and different reputable industries, earlier than being repurposed to distribute malicious advertisements.
The geographic variety suggests these usually are not newly created faux advertiser profiles, however relatively compromised reputable enterprise accounts repurposed for malware distribution.
As a substitute of selling their unique providers, each accounts now run advertisements impersonating software program, together with:
- 7-Zip
- Notepad++
- The Unarchiver
- Homebrew
- LibreOffice
- Microsoft Workplace
- OBS Studio
- Last Lower Professional
- PopClip
- AppCleaner
- Rectangle
- PearCleaner
- and others
The advertisements are fastidiously configured to set off on searches for these actual merchandise. Anybody searching for a reputable obtain might unknowingly click on a malicious sponsored consequence as a substitute.
The Supply Chain Defined
As a substitute of linking on to a faux obtain website, the advertisements redirect customers to shared Evernote notes. All notes are hosted beneath the identical Evernote account and comprise practically similar content material:
- Directions to open Terminal
- A Base64-encoded command
- Instructions to stick and execute it
- Product descriptions to make the web page look reputable
The web page design mimics a tutorial-style set up information. It explains tips on how to “set up” the software program through Terminal and claims to supply excessive compression ratios or superior options (relying on the product impersonated).
Nevertheless, the command is malicious, decoding and executing a payload straight onto the person’s machine. This system bypasses conventional obtain expectations by tricking customers into manually executing malware themselves.
The Payload: A Newer Variant of MacSync
The MacSync payload v1.1.2_release (construct tag: “symbiot”), delivered on this marketing campaign seems to be a refined model of the MacSync Stealer (v1.0.8), a part of the broader ClickFix ecosystem we’ve beforehand analyzed in November 2025.
MacSync variants are designed to ascertain persistence, gather system data, and keep distant entry. Like many fashionable macOS threats, they rely much less on exploiting technical vulnerabilities and extra on tricking customers into executing malicious instructions themselves.
As soon as a sufferer pastes and executes the encoded Terminal command, the an infection unfolds. MacSync Stealer is concentrated on account takeovers and monetary theft, aggressively trying to find crypto wallets, browser-based crypto extensions and password managers.
The malware can:
- Exfiltrate information and paperwork from the system
- Show a faux macOS password immediate to reap credentials
- Steal browser cookies, login databases, and put in extensions
- Accumulate Telegram knowledge, macOS Notes content material, and crypto pockets data
A number of points make this operation stand out:
Risk Actors Abuse Official Platforms
- Hijacked Google Adverts accounts
- Google’s advert supply community
- Evernote’s sharing infrastructure
Broad Model Impersonation
This isn’t restricted to a single model. The risk actors are impersonating a variety of trusted developer instruments and productiveness software program to develop the attain and potential sufferer pool.
Constant Infrastructure
All malicious Evernote notes share the identical construction and are distributed by the identical account, suggesting central coordination. Using similar payload directions throughout a number of “merchandise” confirms a single risk actor or group behind the marketing campaign.
This marketing campaign additionally follows a broader pattern the place well-liked and trusted utilities are being weaponized in malvertising and impersonation schemes.
Indicators Recommend Cross-Platform Marketing campaign Overlap
Evaluation of this pattern reveals it’s labeled as MacSync v1.1.2_release (construct tag: “symbiot”), indicating an advanced construct past earlier documented variants.
Notably, the stealer makes use of the identical API key construction noticed within the beforehand documented ClickFix marketing campaign, which abused Meta advertisements to distribute faux TradingView and Sora installers.
The reuse of this API key mixed with overlapping infrastructure patterns strongly means that these malvertising operations usually are not remoted incidents.
As a substitute, they look like a part of a broader, coordinated ecosystem focusing on customers throughout Google and Meta Adverts on each Windws and macOs environments.
In different phrases, the identical risk actor (or tightly linked group) could also be working parallel campaigns throughout promoting platforms, adapting lures whereas reusing backend infrastructure.
How Can Mac Customers Keep Protected
Mac customers are sometimes informed they’re safer by default, however campaigns like this counsel in any other case.
Right here’s what truly helps preserve your system and knowledge protected:
By no means execute Terminal instructions from an internet site.
If a software program installer requires you to stick an extended encoded command into Terminal, cease instantly. Official software program suppliers distribute signed apps and never Base64 blobs.
Keep away from clicking sponsored search outcomes for software program downloads.
Scroll previous advertisements and go on to the official developer’s area. Malvertising campaigns thrive on customers trusting the highest consequence.
Verify suspicious hyperlinks earlier than clicking.
For those who’re not sure a couple of obtain web page, run the URL by way of Bitdefender Hyperlink Checker. It could possibly rapidly flag malicious or suspicious domains earlier than you work together with them.
Let AI struggle AI.
Scammers more and more depend on automation and advert platform abuse. Instruments like Bitdefender Scamio will help you analyze suspicious messages, pages, or presents and inform you if one thing doesn’t look proper.
Confirm the distribution channel.
Official software program is not going to use shared Evernote pages as a go-to obtain hub.
Shield your Mac with layered safety.
A good safety resolution can detect malicious scripts, block suspicious exercise, and cease persistence makes an attempt earlier than they escalate.
Assume search advertisements might be malicious.
Malvertising has turn into one of the vital efficient malware supply mechanisms on each Home windows and macOS.
A Word for Very Small Companies
Many malvertising campaigns don’t begin with giant firms. They begin with compromised small enterprise accounts. As soon as attackers steal login credentials or session cookies, they will take over advert accounts and use them to run malicious advertisements at scale.
For very small companies with no devoted IT staff, this will really feel overwhelming. The fact is that you simply don’t want in-house safety workers to guard your programs. Options like Bitdefender Final Small Enterprise Safety are designed particularly for small groups, providing superior malware safety, phishing protection, and account takeover prevention with out advanced setup or administration.
For those who’re working advertisements, managing consumer accounts, or storing fee data, securing your gadgets and credentials is crucial. Bitdefender additionally presents a 30-day free trial, permitting small companies to check enterprise-grade safety with no long-term dedication.
We’ll proceed monitoring this marketing campaign and replace our findings as extra infrastructure is recognized.
For those who’ve encountered suspicious advertisements impersonating software program downloads, report them instantly and keep away from interacting with linked content material.
