Malware, Security Operations

Malicious Google Ads lead Mac users to terminal command scams

MacOS logo (Mac OS X), an operating system developed by Apple Inc., displayed on a MacBook Pro screen

As outlined in HackRead, researchers at MacKeeper have uncovered a sophisticated phishing campaign utilizing malicious Google Ads to target Mac users searching for system cleaning tools. The scheme redirects unsuspecting individuals to fake Apple support pages, ultimately tricking them into executing dangerous commands via the macOS Terminal.

The campaign, discovered on January 26, 2026, involved sponsored Google search results for "mac cleaner" utilities. These ads led to convincing replicas of Apple's official support site, hosted on Google-owned services like docs.google.com, to enhance legitimacy. Users were presented with a fake guide to free up disk space, which instructed them to copy and paste an obfuscated Base64 encoded command into their Terminal. Upon execution, this command downloads and runs a script with full user permissions, enabling attackers to gain remote control of the Mac. This allows for the theft of sensitive files, extraction of SSH keys, deployment of further malware, or cryptomining.

The attackers appear to be compromising legitimate, Google-verified advertiser accounts, including one registered to an individual named Nathaniel Josue Rodriguez and another associated with the Aloha Shirt Shop. This tactic bypasses Google's security checks by leveraging the established reputation of existing accounts. MacKeeper has reported these malicious ads to Google for removal, highlighting the ongoing challenge of securing online advertising platforms against sophisticated threat actors.

Source: HackRead

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds