![]()
A sponsored ad on X just became the latest proof that platform ad review systems are still nowhere near airtight. Jamf Threat Labs recently uncovered a malicious promoted post on X that impersonated DynamicLake, a legitimate macOS app that brings iPhone-style Dynamic Island functionality to the Mac. The ad didn’t come from some throwaway bot account either. It ran through a verified account with a fairly large following, which is exactly what made it so believable and so dangerous.
I’ve been following ClickFix-style attacks for a while now, and honestly, this one stands out because of where it landed. Malicious ads on Google Search are almost expected at this point. Seeing the same playbook slip past X’s ad review process, running under a trusted verified badge, is a different level of concerning.
How the Malicious X Ad Actually Worked
The ad looked convincing enough to fool anyone searching for DynamicLake. Clicking it redirected victims to dynamicmacisland[.]com, a lookalike domain with zero connection to the real app. Once there, the page instructed visitors to open Terminal and paste in installation code to complete the setup.
That single instruction is the entire trick. Legitimate, signed, and notarized Mac apps never ask you to open Terminal and paste code to install them. Jamf identified this as a classic ClickFix social engineering attack, a technique that has exploded in popularity because it doesn’t rely on exploiting a technical vulnerability. It just relies on convincing a human to run the malicious command themselves.
What most articles missed is that this isn’t a new payload built from scratch. Jamf traced the payload to a recent variant of Atomic Stealer, which it now tracks under the name MacSync. There were also cases involving a separate stealer called DigitStealer tied to the same DynamicLake impersonation campaign. In my opinion, that overlap says a lot about how commoditized Mac malware distribution has become. The same infostealer kits keep getting reused across completely different delivery channels, from Google Ads to YouTube videos to now sponsored posts on X.
The Real Dynamic Lake Developer Got Caught in the Middle
Here’s the part of the story that genuinely got me. The actual developer behind DynamicLake has been fighting fake clones of their app for a while now, and the fakes have gotten so widespread that they reached out to 9to5Mac directly to issue a public statement. They apologized to anyone who tried to install the real app but ended up with malware instead, saying they never imagined someone would abuse the brand this aggressively.
That’s a rough position to be in as an independent developer. You build something people want, and criminals turn your own product’s popularity into bait. If you’re looking to try DynamicLake yourself, the only safe path is going directly through the developer’s official site, never through a search result or a sponsored post, no matter how legitimate it looks.
Why a Verified Account Made This Attack More Effective
According to the investigation, the owner of the verified account that ran the ad didn’t set out to spread malware at all. By all appearances, they trusted the ad and approved it for their account, having no idea it actually led to a malicious domain. This is one of those things I genuinely got excited about the moment I saw it explained, not because it’s a good outcome, but because it reveals a blind spot most people don’t think about.
X’s ad system allows accounts to approve promoted content tied to their profile, and verification status adds a layer of implicit trust that most users don’t question. Sources suggest this kind of account-level trust exploitation is becoming more common precisely because platforms built verification as a signal of legitimacy, not as a guarantee that every piece of promoted content tied to that account has been vetted.
Apple’s Own Defenses Are Part of Why Attackers Adapted
The more I looked into this, the more it became clear that this specific campaign fits into a much bigger pattern happening across the entire Mac malware ecosystem. Apple introduced a security feature in macOS 26.4 that scans commands pasted into Terminal before they execute, specifically to blunt ClickFix-style attacks. Jamf has separately documented attackers responding to that update by shifting execution away from Terminal entirely and toward Script Editor instead, using the applescript:// URL scheme to bypass the new protection.
Microsoft’s security research team has also been tracking this shift closely, noting that infostealer campaigns targeting macOS have expanded significantly since late 2025. Their researchers identified three major Mac-focused stealer families circulating right now, DigitStealer, MacSync, and Atomic Stealer, all harvesting the same categories of data: browser credentials, saved passwords, cryptocurrency wallet information, and developer secrets like SSH keys and cloud tokens.
I didn’t expect this angle when I started researching, and that’s exactly why it matters. This isn’t really a story about one bad ad. It’s a story about how quickly attackers pivot the moment a platform or an operating system closes one door.
What Happens After the Data Gets Stolen
Once Atomic Stealer or MacSync grabs your credentials, the damage doesn’t stop at your Mac. Stolen browser passwords and session cookies get funneled into account takeover attempts across banking, email, and cloud services. Industry insiders hint that harvested developer secrets, including AWS credentials and Kubernetes configs, are increasingly valuable on underground markets because they open doors into corporate infrastructure, not just personal accounts.
If the current trajectory holds, expect more of these campaigns to specifically target verified or high follower accounts on X going forward, since a single compromised ad approval can reach a massive audience before anyone flags it.
How Jamf Got the Ad Taken Down
To X’s credit, once Jamf Threat Labs reported the malicious ad, it was removed fairly quickly. That’s a reasonable response time, but it still means the ad was live and actively distributing malware before anyone caught it. Relying on third-party security researchers to catch malicious ads after the fact isn’t a sustainable long-term defense, especially as X continues expanding its advertising platform to attract more advertisers back to the site.
The bigger question researchers keep raising is whether ad review systems across major platforms can realistically keep pace with how fast these campaigns evolve. Attackers only need one successful click to install a stealer. Platforms need to catch every single malicious submission before it ever goes live, and that’s an incredibly difficult standard to meet.
How to Protect Yourself From ClickFix Style X Malware Ads
A few habits genuinely make a difference here. Never paste code into Terminal or Script Editor because an ad or website told you to, even if the page looks polished and official. Legitimate app installations never require this step. Always download software directly from the developer’s verified domain rather than clicking through a sponsored post, and double-check the URL carefully before trusting it.
Having used similar detection tools before, I’d also recommend keeping endpoint protection active on macOS specifically, since Mac malware is no longer the rarity it used to be. The assumption that Macs don’t get targeted is exactly the mindset attackers are counting on.
This incident is a solid reminder that verification badges and sponsored placement aren’t the same thing as safety. Both DynamicLake’s real developer and the account owner who unknowingly promoted the fake version were victims here too, caught in a scheme that exploited the trust built into X’s own platform. Until ad review processes catch up with how fast these campaigns move, the safest move is still treating every sponsored install prompt with real suspicion, no matter how convincing the badge next to the account name looks.