Mac customers looking for common software program like 7-Zip, Notepad++, LibreOffice and Remaining Lower Professional could unknowingly land in the midst of an lively malvertising marketing campaign powered by hijacked Google advertiser accounts.
Bitdefender Labs researcher Ionut Baltariu has found that compromised Google Adverts accounts are presently distributing malicious advertisements impersonating well-known software program instruments. The advertisements seem when customers seek for reliable merchandise and redirect victims to shared Evernote pages containing a harmful Terminal command.
Hijacked Google Advertiser Accounts Push Pretend Software program
Our investigation recognized not less than 35 hijacked Google advertiser accounts originating from international locations together with the USA, Canada, Italy, Poland, Brazil, India, Saudi Arabia, Japan, China, Romania, Malta, Slovenia, Germany, the UK, and the United Arab Emirates.
Throughout these accounts, we noticed greater than 200 malicious ads impersonating reliable macOS software program. Many of those accounts seem to have beforehand promoted totally unrelated providers, together with charities, regulation corporations, business companies, journey companies, accommodations, and different reliable industries, earlier than being repurposed to distribute malicious advertisements.
The geographic variety suggests these should not newly created faux advertiser profiles, however reasonably compromised reliable enterprise accounts repurposed for malware distribution.
As an alternative of selling their unique providers, each accounts now run advertisements impersonating software program, together with:
- 7-Zip
- Notepad++
- The Unarchiver
- Homebrew
- LibreOffice
- Microsoft Workplace
- OBS Studio
- Remaining Lower Professional
- PopClip
- AppCleaner
- Rectangle
- PearCleaner
- and others
The advertisements are rigorously configured to set off on searches for these actual merchandise. Anybody in search of a reliable obtain could unknowingly click on a malicious sponsored consequence as an alternative.
The Supply Chain Defined
As an alternative of linking on to a faux obtain web site, the advertisements redirect customers to shared Evernote notes. All notes are hosted beneath the identical Evernote account and include practically equivalent content material:
- Directions to open Terminal
- A Base64-encoded command
- Instructions to stick and execute it
- Product descriptions to make the web page look reliable
The web page design mimics a tutorial-style set up information. It explains learn how to “set up” the software program through Terminal and claims to offer excessive compression ratios or superior options (relying on the product impersonated).
Nonetheless, the command is malicious, decoding and executing a payload immediately onto the consumer’s machine. This system bypasses conventional obtain expectations by tricking customers into manually executing malware themselves.
The Payload: A Newer Variant of MacSync
The MacSync payload v1.1.2_release (construct tag: “symbiot”), delivered on this marketing campaign seems to be a refined model of the MacSync Stealer (v1.0.8), a part of the broader ClickFix ecosystem we’ve beforehand analyzed in November 2025.
MacSync variants are designed to determine persistence, gather system data, and keep distant entry. Like many trendy macOS threats, they rely much less on exploiting technical vulnerabilities and extra on tricking customers into executing malicious instructions themselves.
As soon as a sufferer pastes and executes the encoded Terminal command, the an infection unfolds. MacSync Stealer is concentrated on account takeovers and monetary theft, aggressively looking for crypto wallets, browser-based crypto extensions and password managers.
The malware can:
- Exfiltrate recordsdata and paperwork from the system
- Show a faux macOS password immediate to reap credentials
- Steal browser cookies, login databases, and put in extensions
- Acquire Telegram knowledge, macOS Notes content material, and crypto pockets data
A number of elements make this operation stand out:
Menace Actors Abuse Professional Platforms
- Hijacked Google Adverts accounts
- Google’s advert supply community
- Evernote’s sharing infrastructure
Broad Model Impersonation
This isn’t restricted to a single model. The menace actors are impersonating a variety of trusted developer instruments and productiveness software program to develop the attain and potential sufferer pool.
Constant Infrastructure
All malicious Evernote notes share the identical construction and are distributed by the identical account, suggesting central coordination. Using equivalent payload directions throughout a number of “merchandise” confirms a single menace actor or group behind the marketing campaign.
This marketing campaign additionally follows a broader development the place common and trusted utilities are being weaponized in malvertising and impersonation schemes.
Indicators Recommend Cross-Platform Marketing campaign Overlap
Evaluation of this pattern exhibits it’s labeled as MacSync v1.1.2_release (construct tag: “symbiot”), indicating an advanced construct past earlier documented variants.
Notably, the stealer makes use of the identical API key construction noticed within the beforehand documented ClickFix marketing campaign, which abused Meta advertisements to distribute faux TradingView and Sora installers.
The reuse of this API key mixed with overlapping infrastructure patterns strongly means that these malvertising operations should not remoted incidents.
As an alternative, they look like a part of a broader, coordinated ecosystem focusing on customers throughout Google and Meta Adverts on each Windws and macOs environments.
In different phrases, the identical menace actor (or tightly linked group) could also be working parallel campaigns throughout promoting platforms, adapting lures whereas reusing backend infrastructure.
How Can Mac Customers Keep Protected
Mac customers are sometimes advised they’re safer by default, however campaigns like this counsel in any other case.
Right here’s what truly helps hold your machine and knowledge protected:
By no means execute Terminal instructions from an internet site.
If a software program installer requires you to stick a protracted encoded command into Terminal, cease instantly. Professional software program suppliers distribute signed apps and never Base64 blobs.
Keep away from clicking sponsored search outcomes for software program downloads.
Scroll previous advertisements and go on to the official developer’s area. Malvertising campaigns thrive on customers trusting the highest consequence.
Verify suspicious hyperlinks earlier than clicking.
When you’re uncertain a few obtain web page, run the URL by means of Bitdefender Hyperlink Checker. It may possibly rapidly flag malicious or suspicious domains earlier than you work together with them.
Let AI combat AI.
Scammers more and more depend on automation and advert platform abuse. Instruments like Bitdefender Scamio might help you analyze suspicious messages, pages, or affords and inform you if one thing doesn’t look proper.
Confirm the distribution channel.
Professional software program is not going to use shared Evernote pages as a go-to obtain hub.
Shield your Mac with layered safety.
A good safety resolution can detect malicious scripts, block suspicious exercise, and cease persistence makes an attempt earlier than they escalate.
Assume search advertisements may be malicious.
Malvertising has grow to be some of the efficient malware supply mechanisms on each Home windows and macOS.
A Word for Very Small Companies
Many malvertising campaigns don’t begin with massive companies. They begin with compromised small enterprise accounts. As soon as attackers steal login credentials or session cookies, they will take over advert accounts and use them to run malicious advertisements at scale.
For very small companies and not using a devoted IT group, this may really feel overwhelming. The truth is that you simply don’t want in-house safety workers to guard your techniques. Options like Bitdefender Final Small Enterprise Safety are designed particularly for small groups, providing superior malware safety, phishing protection, and account takeover prevention with out advanced setup or administration.
When you’re working advertisements, managing shopper accounts, or storing cost data, securing your gadgets and credentials is important. Bitdefender additionally affords a 30-day free trial, permitting small companies to check enterprise-grade safety and not using a long-term dedication.
We’ll proceed monitoring this marketing campaign and replace our findings as extra infrastructure is recognized.
When you’ve encountered suspicious advertisements impersonating software program downloads, report them instantly and keep away from interacting with linked content material.
