A Sponsored Ad on X Spreads Mac Malware Exploiting the Name of the App DynamicLake
Jamf Threat Labs, the cybersecurity research division of Jamf, has identified a new malicious campaign exploiting a sponsored ad published on the platform X. The ad promoted a fraudulent site presenting itself as the official page of DynamicLake, a well-known macOS application that transforms the MacBook's notch into a functioning version of the Dynamic Island.
According to the researchers' analysis, the link in the ad redirected users to a domain very similar to the authentic one, but completely unrelated to the original software developers. Once the page was opened, visitors were prompted to launch the macOS Terminal and paste some commands to proceed with a supposed installation. In reality, this process silently installed malware, following the typical pattern of the social engineering attacks known as ClickFix. Jamf emphasizes that legitimate applications signed and certified by Apple never require such manual operations via the Terminal.
The company has identified the malicious software as a recent variant of Atomic Stealer, tracked internally under the name MacSync. In some cases, samples related to DigitStealer have also been detected.
Additional Elements to Know About This Malware Spread on X
A particularly relevant point concerns the origin of the ad. The advertisement was associated with a verified and well-known account, a circumstance that made the content more credible in the eyes of users. According to reports, the profile owner authorized the publication of the ad believing it to be legitimate, without knowing that the link led to a harmful site.
Jamf highlights that the real issue is that the ad passed the checks of X's advertising system and was delivered to users like any normal ad. Researchers speculate that the counterfeit domain and the redirect system were used specifically to circumvent automatic verification mechanisms.
This incident recalls similar cases from recent years in which Google Ads also approved ads promoting malicious sites, including fake Homebrew downloads targeted at Mac users. The developer of DynamicLake expressed regret over the incident, explaining that they have long been fighting fraudulent copies of the application. They urged users to download the program exclusively from the official site DynamicLake.com, where purchases are managed through Gumroad. After Jamf Threat Labs' report, X promptly removed the offending ad.
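The campaign relied on a domain "very similar to the authentic one", so a link check has to compare against the official host exactly rather than by resemblance. The sketch below is an added example, not Jamf's or the developer's code: the function names, the digit-folding table, the edit-distance threshold of 2 and the sample links are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

OFFICIAL = "dynamiclake.com"           # official site named in the article
BRAND = OFFICIAL.split(".")[0]
# Digit-for-letter swaps folded before comparing (assumed set, not exhaustive).
FOLD = str.maketrans("01345", "oleas")


def host_of(url_or_host):
    """Lower-cased hostname from a URL or bare host, without a leading 'www.'."""
    s = url_or_host.strip()
    if "//" not in s:
        s = "//" + s
    host = (urlsplit(s).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host


def edit_distance(a, b):
    """Levenshtein distance, row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url_or_host):
    """Return 'official', 'lookalike' or 'unrelated' for a link target."""
    host = host_of(url_or_host)
    # Match the exact host or a true subdomain; the leading dot matters.
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"
    squashed = host.translate(FOLD).replace("-", "")
    if BRAND in squashed:                  # brand embedded, other TLD or parent
        return "lookalike"
    labels = host.split(".")
    # Assumption: the registrable name is the second-to-last label
    # (no public-suffix list is consulted).
    name = labels[-2] if len(labels) >= 2 else host
    if edit_distance(name.translate(FOLD).replace("-", ""), BRAND) <= 2:
        return "lookalike"
    return "unrelated"


# Constructed sample links; reserved TLDs keep them from resolving.
SAMPLES = ["https://www.DynamicLake.com/", "dynamic1ake.example",
           "https://dynamiclake.com.login.example/install", "example.org"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):10} {s}")
```

The third sample shows why a substring or prefix test on the official name is not enough: the real domain appears in the host, but the registrable parent belongs to someone else.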