EXECUTIVE SUMMARY
Threat actors are abusing Google Search Ads and compromised advertiser accounts to lure macOS users to Apple-lookalike pages that trick them into executing malicious Terminal commands. The campaign results in silent remote code execution, enabling full system compromise including data theft, backdoors, and persistent malware installation.
- Active Region: Global
- Affected Sector: macOS user endpoints in consumer and SMB environments
- Affected Product: macOS (via Google Search Ads / Google Apps Script abuse)
- Severity: High
- Published Date: January 29, 2026
TECHNICAL DETAILS
- Target: macOS end-user systems, specifically user-operated endpoints where individuals perform routine system maintenance tasks and have sufficient privileges to execute shell commands via the Terminal, enabling attacker-controlled code execution in the user’s context.
- Root Cause: Exploitation of user trust in Google Search Ads and Apple-branded interfaces, combined with social-engineering techniques that trick users into executing obfuscated shell commands, leading to remote code execution.
- Prerequisite For Exploitation: The victim must interact with a malicious sponsored……



