Updated
Updated · 9to5Mac · Jul 2
Jamf Finds X Sponsored Ad Spreading Atomic Stealer via Verified Account
Updated
Updated · 9to5Mac · Jul 2

Jamf Finds X Sponsored Ad Spreading Atomic Stealer via Verified Account

1 articles · Updated · 9to5Mac · Jul 2

Summary

  • Jamf Threat Labs found a sponsored post on X that redirected Mac users from a fake DynamicLake ad to a lookalike domain installing Atomic Stealer, also tracked as MacSync.
  • The attack used a ClickFix-style prompt telling visitors to open Terminal and paste code—a step legitimate Apple-notarized Mac apps do not require.
  • A verified account with a large following appears to have approved the ad believing it was legitimate, giving the malware campaign added credibility and reach.
  • X’s ad-review system still cleared the promoted post; Jamf said the lookalike domain and single redirect likely helped it evade automated scans before the ad was removed.
  • The incident is described as the first known malware ad on X and echoes earlier cases in Google Search ads, while the real DynamicLake developer said clones have resurfaced every few months.

Insights

When verified accounts and paid ads promote malware, is the entire online software market now untrustworthy?
As AI assistants gain deep system access, are they becoming the next major security backdoor on your Mac?
With ad fraud losses soaring past $100 billion, are social media platforms losing the war against cybercriminals?