As outlined in HackRead, researchers at MacKeeper have uncovered a sophisticated phishing campaign utilizing malicious Google Ads to target Mac users searching for system cleaning tools. The scheme redirects unsuspecting individuals to fake Apple support pages, ultimately tricking them into executing dangerous commands via the macOS Terminal.The campaign, discovered on January 26, 2026, involved sponsored Google search results for "mac cleaner" utilities. These ads led to convincing replicas of Apple's official support site, hosted on Google-owned services like docs.google.com, to enhance legitimacy. Users were presented with a fake guide to free up disk space, which instructed them to copy and paste an obfuscated Base64 encoded command into their Terminal. Upon execution, this command downloads and runs a script with full user permissions, enabling attackers to gain remote control of the Mac. This allows for the theft of sensitive files, extraction of SSH keys, deployment of further malware, or cryptomining.The attackers appear to be compromising legitimate, Google-verified advertiser accounts, including one registered to an individual named Nathaniel Josue Rodriguez and another associated with the Aloha Shirt Shop. This tactic bypasses Google's security checks by leveraging the established reputation of existing accounts. MacKeeper has reported these malicious ads to Google for removal, highlighting the ongoing challenge of securing online advertising platforms against sophisticated threat actors.Source: HackRead
Malware, Security Operations
Malicious Google Ads lead Mac users to terminal command scams

(Adobe Stock)
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



