Attackers Abuse Google Ads and Claude.ai Shared Chats to Push Mac Malware


What happened

An active malvertising campaign is abusing Google sponsored search results and Claude.ai’s shared chat feature to deliver macOS infostealer malware to users searching for Claude downloads on Mac. The campaign was identified by security engineer Berk Albayrak and independently verified by BleepingComputer, which found a second variant using separate infrastructure but an identical social engineering approach.

The attack exploits a design characteristic that makes it particularly difficult to detect: the destination URL in the Google ad is genuine, pointing to claude.ai rather than a lookalike domain. Attackers create publicly accessible shared Claude chats that present themselves as official Claude Code installation guides attributed to Apple Support, then promote these chats through sponsored search results. Victims who follow the instructions are walked through opening Terminal and pasting a command that downloads and executes malware.

BleepingComputer identified two separate variants. The first, found by Albayrak and identified as a variant of the MacSync macOS infostealer, harvests browser credentials, cookies, and macOS Keychain contents and exfiltrates them to the attacker’s server. The second variant, found by BleepingComputer, first checks the victim’s keyboard locale and silently exits on machines configured with Russian or CIS-region input sources. It then profiles the victim by collecting the external IP address, hostname, OS version, and keyboard locale before delivering a second-stage payload that is executed through osascript, macOS’s built-in scripting engine, without dropping a traditional binary. The server delivers a uniquely obfuscated version of the payload on each request (polymorphic delivery), which complicates hash-based detection. BleepingComputer reached out to Anthropic and Google before publication.

Who is affected

macOS users searching for Claude downloads through Google are the primary targets. The geographic filtering in one variant, which skips CIS-region machines, suggests selective targeting of Western users. Organizations where employees use Claude on Mac devices face indirect risk if corporate credentials or session tokens are stored in browser profiles or macOS Keychain on affected machines.

Why CISOs should care

This campaign eliminates the primary indicator users are trained to check: the domain in the ad. Both attacks point to the real claude.ai domain because the malicious content is hosted inside Claude’s own shared chat feature. Standard advice to verify the destination URL before clicking provides no protection here. The use of shared AI platform chats as malware delivery infrastructure has now been documented across Claude, ChatGPT, and Grok, establishing this as a recurring and maturing attack pattern rather than a one-off novelty.

The osascript execution method in one variant is also notable for avoiding the binary drops that most macOS endpoint security tools are tuned to detect.

3 practical actions

  1. Brief Mac users on the shared AI chat lure pattern explicitly: Standard phishing training that focuses on domain verification does not address this attack. Train employees to treat any AI chat that instructs them to paste Terminal commands as a high-confidence malware lure, regardless of how official the chat appears or what domain hosts it.
  2. Enforce application control policies that restrict osascript execution in non-administrative contexts: One variant executes entirely through osascript without dropping a binary, bypassing file-based detection. macOS endpoint management policies that restrict or alert on osascript execution from user-initiated shell sessions provide a detection surface for this delivery method.
  3. Direct employees to official Anthropic documentation for all Claude tool downloads: The legitimate Claude Code CLI is available through Anthropic’s official documentation and does not require pasting commands from any chat interface. Establish clear organizational guidance that all AI tool installations follow verified official sources only, and that any installation instruction encountered through a search result or shared chat should be verified against the official documentation before execution.
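As an added illustration of action 2 (not code from the article or from any vendor), the sketch below walks a process tree and flags osascript runs whose parent is an interactive shell under a terminal application, which is the delivery path described for the second variant. The event schema, the sample events, and the terminal app names are constructed assumptions; real EDR telemetry will differ.

```python
# Added example: flag osascript launched from a user-initiated Terminal shell.
# ProcEvent, EVENTS and TERMINAL_APPS are constructed stand-ins for real telemetry.
from dataclasses import dataclass
import shlex

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    name: str      # process basename as reported by the endpoint agent
    cmdline: str
    uid: int

INTERACTIVE_SHELLS = {"bash", "zsh", "sh"}
TERMINAL_APPS = {"Terminal", "iTerm2"}   # assumed names; adjust to your fleet

# Constructed sample process tree: one osascript run from a Terminal shell with
# an inline script, one launched by Script Editor on a script file (benign baseline).
EVENTS = [
    ProcEvent(1, 0, "launchd", "/sbin/launchd", 0),
    ProcEvent(200, 1, "Terminal", "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", 501),
    ProcEvent(300, 200, "zsh", "-zsh", 501),
    ProcEvent(401, 300, "osascript", "osascript -e 'display dialog \"hi\"'", 501),
    ProcEvent(500, 1, "Script Editor", "/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor", 501),
    ProcEvent(501, 500, "osascript", "osascript /Users/alice/backup.scpt", 501),
]

def ancestors(events, pid):
    """Yield each ancestor of pid by following ppid links until the chain ends."""
    by_pid = {e.pid: e for e in events}
    e = by_pid.get(pid)
    while e is not None and e.ppid in by_pid:
        e = by_pid[e.ppid]
        yield e

def is_inline_script(cmdline):
    """True when osascript takes its code from -e or stdin, so no script file is on disk."""
    args = shlex.split(cmdline)[1:]
    return "-e" in args or not any(a.endswith((".scpt", ".applescript", ".js")) for a in args)

def flag_osascript(events):
    """Return (pid, reasons) for each non-root osascript whose direct parent is an
    interactive shell that itself descends from a terminal app; inline script is
    recorded as a second reason because it matches the no-binary-drop behaviour."""
    hits = []
    for e in events:
        if e.name != "osascript" or e.uid == 0:
            continue
        chain = list(ancestors(events, e.pid))
        if not (chain and chain[0].name in INTERACTIVE_SHELLS
                and any(a.name in TERMINAL_APPS for a in chain)):
            continue
        reasons = ["osascript from user Terminal shell"]
        if is_inline_script(e.cmdline):
            reasons.append("inline script, no file on disk")
        hits.append((e.pid, reasons))
    return hits
```

The shell-ancestry check is the primary signal; the inline-script flag is enrichment for triage, since LaunchAgents and automation tools also use `osascript -e` legitimately.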
