Jamf Threat Labs, the company’s security research arm, recently shared details of a ClickFix-style attack it spotted running as a sponsored ad on the social media site X. Originating from a well-known verified account, it promoted a malicious domain under the guise of a popular Mac app.
The ad in question was posing as DynamicLake, a legitimate Mac utility that turns your MacBook’s notch into an unofficial but fully working Dynamic Island.
But per Jamf’s investigation, the original link in the ad redirects to dynamicmacisland[.]com, a malicious lookalike domain with no ties to the actual app.
Once there, visitors were instructed to open Terminal and paste installation code that would quietly install malware on the victim’s Mac. This is a classic technique that defines ClickFix social engineering attacks.
Legitimate apps, which are signed and notarized by Apple, will never ask you to do this.
Jamf identified the payload as a recent Atomic Stealer variant, which it tracks as MacSync. DigitStealer has also been identified in this attack.

The ad came from a verified account with a fairly large following, which makes this all the more interesting and more dangerous. I’ve chosen to keep the account name anonymous to protect the owner’s identity, because they didn’t set out to spread malware.
By all appearances, the owner trusted the ad and approved it for their account, believing it was legitimate, with no idea it led to a malicious domain. A verified badge and a familiar name lend a level of trust a random account never could.
Trust is the basic foundation of any good social engineering attack too.
The account owner getting fooled is one thing. X approving the ad and pushing it out as a promoted post is another.
This ran through X’s ad system, checks and all, and still reached users. The lookalike domain and single redirect were almost certainly there to help slip past any of X’s automated scans. And it worked…
This should give you déjà vu many times over. In recent years, we’ve seen Google Ads approve an exorbitant number of malicious domains that were promoted at the top of Google Search. One case last year involved the promotion of fake Homebrew listings in search results that distributed malware to Mac users.
9to5Mac reached out to X for comment and didn’t immediately hear back.
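The lookalike domain and single redirect described above suggest an ad-review check that judges a promoted link by its final landing host rather than by the first URL. The following is an added example, not code from Jamf, 9to5Mac or X. The redirect chain, the `short.example` first hop and the keyword list are constructed assumptions; the official domain is the one named in the developer's statement in this article.

```python
from urllib.parse import urlsplit

# Official domain named in the developer's statement in this article.
OFFICIAL_DOMAINS = {"dynamiclake.com"}
# Assumption: brand terms a reviewer would register for this advertiser.
BRAND_KEYWORDS = ("dynamic", "lake", "island")


def host_of(url):
    """Return the lowercase host of a URL, accepting defanged indicators."""
    url = url.strip().replace("hxxp", "http", 1).replace("[.]", ".")
    if "://" not in url:
        url = "https://" + url
    # .hostname drops any "user@" prefix, so official.com@other.com -> other.com
    return (urlsplit(url).hostname or "").rstrip(".")


def is_official(host):
    """Exact match or true subdomain of an official domain."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def review_ad(redirect_chain):
    """Judge an ad by where the redirect chain ends, not where it starts."""
    hosts = [host_of(u) for u in redirect_chain]
    landing = hosts[-1]
    if is_official(landing):
        verdict = "official"
    elif any(k in landing for k in BRAND_KEYWORDS):
        verdict = "lookalike"  # brand terms on a domain the advertiser does not own
    else:
        verdict = "unrelated"
    return {
        "landing": landing,
        "cross_domain_redirect": hosts[0] != landing,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed chain: the first hop is a placeholder, the page does not give the ad's link.
    chain = ["https://short.example/a1", "hxxps://dynamicmacisland[.]com/"]
    print(review_ad(chain))
```

A `lookalike` verdict is a triage signal for manual review, since short keywords can also match domains that have nothing to do with the brand.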

While this is the first instance we’ve seen of malware promoted through ads on X, the developer of the real DynamicLake has been fighting malicious clones for a while now.
The fakes have become so widespread that they reached out to 9to5Mac directly and asked to share a statement in this piece:
I’m truly sorry to anyone who wanted to install DynamicLake but ended up downloading this malware instead. DynamicLake is simply an app that brings the Dynamic Island for Mac, and I never imagined someone would abuse the brand this way.
I’m working hard to fight these fake copies, but unfortunately new ones keep appearing every few months. I won’t give up protecting the project and the community.
If you need any help or aren’t sure whether you downloaded the legitimate app, feel free to reach out to me. Please make sure you download DynamicLake only from DynamicLake.com, where purchases are securely handled through Gumroad.
Thank you for your support, and again, I’m sorry for the inconvenience.
Jamf Threat Labs reported the ad to X and it was removed fairly quickly.
Is X doing enough to keep malicious ads off the platform, or is this an impossible battle to win? Let me know your thoughts in the comments.
Get more from Arin Waichulis in the 9to5Mac Security Bite weekly-column and bi-weekly podcast.