MacSync infostealer Terminal loader delivery on macOS
Malware Activity
Summary
A MacSync infostealer loader is being delivered through a Terminal command on macOS, creating immediate risk of keychain, browser data, and crypto wallet theft. The payload then exfiltrates stolen material to a2abotnet[.]com/gate, making the infection chain a live credential-theft operation.
Related Happenings
Atomic Stealer macOS Script Editor ClickFix campaign
Campaign
First: 08.04.2026 21:55
Last: 08.04.2026 21:55
Sources 1
About this happening:
A **new Atomic Stealer (AMOS)** campaign is targeting **macOS users** through **fake Apple-themed cleanup sites**, creating a lower-friction path to malware installation and data...
GhostLoader RAT-stealer via @openclaw-ai/openclawai
Malware Activity
First: 09.03.2026 20:31
Last: 09.03.2026 20:31
Sources 1
About this happening:
A malicious **@openclaw-ai/openclawai** npm package is delivering **GhostLoader** to **macOS** hosts, enabling **credential theft**, **browser-session cloning**, and persistent re...
CRESCENTHARVEST Windows RAT and info-stealer activity
Malware Activity
First: 19.02.2026 10:13
Last: 19.02.2026 10:13
Sources 1
About this happening:
The **CRESCENTHARVEST** malware activity centers on **version.dll**, a **Windows RAT and information stealer** that can execute commands, log keystrokes, and exfiltrate data. It m...
Atomic MacOS Stealer (AMOS) distribution through AI-app lures, SEO poisoning, and supply-chain abuse
Malware Activity
First: 12.02.2026 16:25
Last: 12.02.2026 16:25
Sources 1
About this happening:
**Atomic MacOS Stealer (AMOS)** is being distributed to **macOS users** through multiple delivery paths, including **fraudulent GitHub repositories**, **SEO poisoning**, **malvert...
MacOS infostealer campaign using fake ads and ClickFix lures
Campaign
First: 04.02.2026 09:42
Last: 04.02.2026 09:42
Sources 1
How related:
Threat actors are abusing Claude artifacts and Google Ads in ClickFix campaigns that deliver infostealer malware to macOS users searching for specific queries.
About this happening:
**macOS users** are being targeted in a **ClickFix** campaign that abuses **Google search ads** to steer people into poisoned **ChatGPT** and **Grok** conversations. The lure uses...
Timeline
13.02.2026 22:21 2 articles · 3mo ago
Researchers disclose Claude-artifact ClickFix campaign pushing MacSync
Initial Disclosure
Researchers at MacPaw's Moonlock Lab and AdGuard identified malicious Google Search results for queries such as “online DNS resolver,” “macOS CLI disk space analyzer,” and “HomeBrew” that pointed to either a public Claude artifact or a Medium page impersonating Apple Support. The lure pages instruct macOS users to paste a shell command into Terminal, and the command fetches a MacSync infostealer loader that steals keychain, browser data, and crypto wallets before packaging the data into /tmp/osalogging.zip and exfiltrating it to a2abotnet[.]com/gate. The malicious Claude guide had reached at least 15,600 views, while more than 10,000 users had accessed content with dangerous instructions, and both observed variants fetched a second stage from the same C2 address.
Sources:
- Claude LLM artifacts abused to push Mac infostealers in ClickFix attack — www.bleepingcomputer.com — 13.02.2026 22:21