Find notable cyber news and cases, enriched with sources, timelines, and signals.

MacSync infostealer Terminal loader delivery on macOS

Malware Activity
First reported
Last updated
Happening score
H score 25
1 unique sources, 1 articles

Summary

Hide ▲

A MacSync infostealer loader is being delivered through a Terminal command on macOS, creating immediate risk of keychain, browser data, and crypto wallet theft. The payload then exfiltrates stolen material to a2abotnet[.]com/gate, making the infection chain a live credential-theft operation.

Related Happenings

Atomic Stealer macOS Script Editor ClickFix campaign

Campaign
H score42 First: 08.04.2026 21:55 Last: 08.04.2026 21:55 Sources 1

About this happening: A **new Atomic Stealer (AMOS)** campaign is targeting **macOS users** through **fake Apple-themed cleanup sites**, creating a lower-friction path to malware installation and data...

GhostLoader RAT-stealer via @openclaw-ai/openclawai

Malware Activity
H score30 First: 09.03.2026 20:31 Last: 09.03.2026 20:31 Sources 1

About this happening: A malicious **@openclaw-ai/openclawai** npm package is delivering **GhostLoader** to **macOS** hosts, enabling **credential theft**, **browser-session cloning**, and persistent re...

CRESCENTHARVEST Windows RAT and info-stealer activity

Malware Activity
H score28 First: 19.02.2026 10:13 Last: 19.02.2026 10:13 Sources 1

About this happening: The **CRESCENTHARVEST** malware activity centers on **version.dll**, a **Windows RAT and information stealer** that can execute commands, log keystrokes, and exfiltrate data. It m...

Atomic MacOS Stealer (AMOS) distribution through AI-app lures, SEO poisoning, and supply-chain abuse

Malware Activity
H score31 First: 12.02.2026 16:25 Last: 12.02.2026 16:25 Sources 1

About this happening: **Atomic MacOS Stealer (AMOS)** is being distributed to **macOS users** through **ClickFix-style Terminal prompts** that silently **download, mount, and launch DMG payloads**. In...

MacOS infostealer campaign using fake ads and ClickFix lures

Campaign
H score41 First: 04.02.2026 09:42 Last: 04.02.2026 09:42 Sources 1

How related: Threat actors are abusing Claude artifacts and Google Ads in ClickFix campaigns that deliver infostealer malware to macOS users searching for specific queries.

About this happening: **macOS users** are being targeted in a **ClickFix** campaign that abuses **Google search ads** to steer people into poisoned **ChatGPT** and **Grok** conversations. The lure uses...

Timeline

  1. 13.02.2026 22:21 2 articles · 4mo ago

    Researchers disclose Claude-artifact ClickFix campaign pushing MacSync

    Initial Disclosure

    Researchers at MacPaw's Moonlock Lab and AdGuard identified malicious Google Search results for queries such as “online DNS resolver,” “macOS CLI disk space analyzer,” and “HomeBrew” that pointed to either a public Claude artifact or a Medium page impersonating Apple Support. The lure pages instruct macOS users to paste a shell command into Terminal, and the command fetches a MacSync infostealer loader that steals keychain, browser data, and crypto wallets before packaging the data into /tmp/osalogging.zip and exfiltrating it to a2abotnet[.]com/gate. The malicious Claude guide had reached at least 15,600 views, while more than 10,000 users had accessed content with dangerous instructions, and both observed variants fetched a second stage from the same C2 address.

    Show sources