Jamf Finds X Sponsored Ad Spreading Atomic Stealer via Verified Account
Updated
Updated · 9to5Mac · Jul 2
Jamf Finds X Sponsored Ad Spreading Atomic Stealer via Verified Account
1 articles · Updated · 9to5Mac · Jul 2
Summary
Jamf Threat Labs found a sponsored post on X that redirected Mac users from a fake DynamicLake ad to a lookalike domain installing Atomic Stealer, also tracked as MacSync.
The attack used a ClickFix-style prompt telling visitors to open Terminal and paste code—a step legitimate Apple-notarized Mac apps do not require.
A verified account with a large following appears to have approved the ad believing it was legitimate, giving the malware campaign added credibility and reach.
X’s ad-review system still cleared the promoted post; Jamf said the lookalike domain and single redirect likely helped it evade automated scans before the ad was removed.
The incident is described as the first known malware ad on X and echoes earlier cases in Google Search ads, while the real DynamicLake developer said clones have resurfaced every few months.