
Malware disguised as popular apps or software is not a new trick in the book, yet such incidents keep recurring. Today, we’re coming across one more case. Jamf Threat Labs reports finding a ClickFix-style malware running as sponsored ads on X. What’s surprising is that the ad came from a verified account and pushed a malicious domain disguised as a popular Mac app.
Malicious sponsored ads on X are tricking users into installing malware
The ad was posing as DynamicLake, which is a genuine Mac utility that turns a MacBook’s notch into a fully working Dynamic Island. It’s understandable how someone could fall for something like this. Jamf’s investigation found that the original link redirects to dynamicisland.com. This is a malicious lookalike domain that’s not related to the actual app.
Once a user visits the website, it instructs them to open Terminal and paste a code that would silently install malware on the victim’s Mac. This technique commonly appears in ClickFix attacks. It goes without saying that legitimate apps will never ask users to do anything like this. Jamf identified the payload as a recent Atomic Stealer variant, which it tracks as MacSync. There have also been cases of DigitStealer identified in similar attacks.
The ad reportedly came from a verified account with a large following, making this more concerning. It appears that the account holder trusted it and approved it for their account, believing that it was real. It looks like they didn’t know that it led to a malicious domain.

The developer has been fighting malicious clones for some time
While that’s one thing, X approving the ad and pushing it out as a promoted post is also concerning. The ad passed through X’s review system and still reached users. The lookalike domain and single redirect were likely used to slip X’s automated security checks, and it worked. This is not the first time, though. In recent years, Google Ads has also approved many harmful domains and promoted them at the top of Google Search.
While this might be the first instance we’ve seen of malware promoted through ads on X, the developer of the original DynamicLake has apparently been fighting malicious clones for some time. In a statement to 9to5Mac, they said, “I’m working hard to fight these fake copies, but unfortunately new ones keep appearing every few months. I won’t give up protecting the project and the community.”
The ad was taken down
The developer says users can contact them directly for any help or if they are unsure whether they downloaded the legitimate app. They also urged users to download DynamicLake only from the official website. As for the ad itself, Jamf Threat Labs reported the ad to X, which reportedly took it down quickly.

The post Malware Is Spreading Through Sponsored Ads on X — and It Came From a Verified Account appeared first on Android Headlines.