Hackers Abuse Verified X Ads to Deliver Mac Malware Through ClickFix Attack
A trusted channels and verified profiles to amplify social-engineering campaigns, and a recent ClickFix-style operation on X (formerly Twitter) illustrates that risk. The ad redirected victims to a lo

A trusted channels and verified profiles to amplify social-engineering campaigns, and a recent ClickFix-style operation on X (formerly Twitter) illustrates that risk. The ad redirected victims to a lookalike domain, dynamicmacisland[.]com, and instructed them to open Terminal and paste a clipboard command an apparently small step that silently installed macOS malware, including variants of the […] The post Hackers Abuse Verified X Ads to Deliver Mac Malware Through ClickFix Attack appeared first on Cyber Security News.
A trusted channels and verified profiles to amplify social-engineering campaigns, and a recent ClickFix-style operation on X (formerly Twitter) illustrates that risk. The ad redirected victims to a lookalike domain, dynamicmacisland[.]com, and instructed them to open Terminal and paste a clipboard command an apparently small step that silently installed macOS malware, including variants of the Atomic Stealer infostealer. This attack combines three worrying trends. First, ClickFix-style social engineering continues to rely on user-driven installation: victims are persuaded to execute Terminal commands copied from the clipboard, effectively turning users into the installer. Second, attackers now impersonate popular Mac utilities using convincing lookalike domains and UI copy, increasing the chance of trust-based compliance. Third, they exploit paid advertising and verified account signals to scale reach and credibility, demonstrating that verification badges and sponsored placement are not reliable safety indicators. The malicious ad was reported to X and later removed after Jamf alerted the platform and the account owner, but the incident underscores how threat actors leverage advertising ecosystems to circumvent automated screening. The payloads reported in this campaign delivered several variants of Atomic Stealer, an information-stealing family observed previously on macOS. Verified X Ads to Deliver Mac Malware Jamf Threat Labs said in a report shared with Cyberpress, a sponsored advertisement posted from a verified X account that lured macOS users to a counterfeit download for DynamicLake, a legitimate utility that mimics Apple’s Dynamic Island. Atomic Stealer exfiltrates credentials, browser-stored data, and other sensitive artifacts that enable post-infection account takeover or follow-on fraud. The campaign mirrors earlier incidents where Google Ads and other advertising channels promoted fake installers that delivered malware examples that security teams have flagged as evidence advertisers’ vetting systems can be gamed or bypassed when attackers craft content to avoid detection. Parallel to the ClickFix macOS abuse, Windows and cloud users face a new, deceptively simple technique called ConsentFix. Unlike ClickFix, which persuades users to install code locally, ConsentFix manipulates browser behavior and OAuth flows so victims hand attackers valid session tokens without entering passwords or triggering multi-factor authentication. Typical ConsentFix chains begin with a seemingly benign link hosted on trusted services like Dropbox or guarded by a password to thwart automated scanners leading to a lookalike Microsoft sign-in experience. How the ConsentFix trap looks (Source : Malwarebytes). The victim is then instructed to drag a local callback link into the browser; that interaction completes an OAuth-style authorization and hands the attacker the tokens needed to access Microsoft 365 services. Security researchers and incident responders warn that ConsentFix can enable account takeover in seconds and has been shared on cybercrime forums, lowering the technical bar for wide misuse. Because victims do not type credentials or disable MFA, traditional security-awareness training and simple anti-phishing checks may not catch these flows. Defensive posture improvements are straightforward but essential. Security teams should tighten advertising and brand-monitoring controls, including proactive scanning for lookalike domains and shadow ads that use a brand’s keywords. Endpoint protections on macOS must be configured to detect suspicious post-install behaviors and known infostealers. For cloud accounts, conditional access policies that limit token lifetimes, require device or network context, and monitor for anomalous consent or token usage can blunt ConsentFix-style abuse. Finally, user education must evolve: warn users not to paste arbitrary Terminal commands, to question unusual browser drag-and-drop requests, and to treat sponsored or verified social posts skeptically. Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google. The post Hackers Abuse Verified X Ads to Deliver Mac Malware Through ClickFix Attack appeared first on Cyber Security News.
Join the Discussion
Comments coming soon. Follow us on social media for real-time discussions.


