Ethical Hacking News

Malicious Malvertising: Hackers Abuse Google Ads and Claude.ai Chats to Push Mac Malware



Hackers are exploiting malicious Google Ads and legitimate Claude.ai shared chats to push Mac malware, compromising the security of unsuspecting users. According to recent research by Ax Sharma, the attackers use social engineering tactics to trick users into downloading malware on their Macs. The campaign was spotted by Berk Albayrak, who warned BleepingComputer about it. To avoid falling prey to this malicious malvertising campaign, users are advised to navigate directly to claude.ai for downloading the native Claude app and to be cautious of any instructions asking them to paste terminal commands from unknown sources.

  • A malicious malvertising campaign targeting macOS users has been uncovered, using Google Ads and legitimate Claude.ai shared chats.
  • Hackers are abusing the shared-chat feature to push Mac malware that downloads and runs in memory, leaving little trace on disk.
  • The campaign uses social engineering tactics and different domains to evade detection.
  • Victim profiling is used before delivering the payload, suggesting selective targeting by the attackers.
  • The loader then pulls down a second-stage payload and runs it through osascript, giving the attacker remote code execution without dropping a binary.
  • A variant of the MacSync macOS infostealer was identified, which harvests browser credentials and exfiltrates them to the attacker's server.
  • Users should navigate directly to claude.ai for downloading the native app and exercise caution with instructions asking to paste terminal commands.



    Ax Sharma, a security researcher and journalist focused on malware analyses and cybercrime investigations, has recently uncovered a malicious malvertising campaign that targets macOS users. According to Sharma's findings, hackers are abusing Google Ads and legitimate Claude.ai shared chats to push Mac malware.

    The campaign was spotted by Berk Albayrak, a security engineer at Trendyol Group, who shared his findings on LinkedIn. Albayrak identified a Claude.ai shared chat that presents itself as an official "Claude Code on Mac" installation guide, attributed to "Apple Support." The chat walks users through opening Terminal and pasting a command, which silently downloads and runs malware on their Mac.

    While attempting to verify Albayrak's findings, BleepingComputer landed on a second shared Claude chat carrying out the same attack through entirely separate infrastructure. Both chats follow an identical structure and social engineering approach but use different domains and payloads.

    The base64-encoded command shown in the shared Claude chat downloads an encoded shell script from domains such as customroofingcontractors[.]com/curl/b42a0ed9d1ecb72e42d6034502c304845d98805481d99cea4e259359f9ab206e and bernasibutuwqu2[.]com/debug/loader.sh?build=a39427f9d5bfda11277f1a58c89b7c2d. The loader.sh file is itself a further set of gzip-compressed shell instructions.

    This compressed shell script runs entirely in memory, leaving little obvious trace on disk. The variant BleepingComputer identified starts by checking whether the machine has Russian or CIS-region keyboard input sources configured. If it does, the script exits without doing anything, sending a quiet cis_blocked status ping to the attacker's server on its way out.

    Only machines that pass this check receive the next stage, the shell script that runs the macOS malware. Before proceeding further, the script also collects the victim's external IP address, hostname, OS version, and keyboard locale, sending all of it back to the attacker. This kind of victim profiling before payload delivery suggests the operators are being selective about who they target.

    The script then pulls down a second-stage payload and runs it through osascript, macOS's built-in scripting engine. This gives the attacker remote code execution without ever dropping a traditional application or binary.

    The variant identified by Albayrak, however, appears to skip the profiling steps. It goes straight to execution. It harvests browser credentials, cookies, and macOS Keychain contents, packages them up, and exfiltrates them to the attacker's server. Albayrak identified this as a variant of the MacSync macOS infostealer.

    Malvertising has become a recurring delivery mechanism for malware, and in this case the legitimate URL itself is the threat. BleepingComputer has previously reported on similar campaigns targeting users searching for software like GIMP, where a convincing Google ad would list a legitimate-looking domain but take visitors to a lookalike phishing site instead.

    This campaign flips that, as there is no fake domain to spot. Both Google ads seen here point to Anthropic's real domain, claude.ai, since the attackers are hosting their malicious instructions inside Claude's own shared chat feature.

    The destination URL in the ad is genuine, but it leads to the malicious instructions. It is not the first time that attackers have abused AI platform shared chats this way. In December, BleepingComputer reported a similar campaign targeting ChatGPT and Grok users.

    Users should navigate directly to claude.ai for downloading the native Claude app, rather than clicking sponsored search results. The legitimate Claude Code CLI is available through Anthropic's official documentation and does not require pasting commands from a chat interface.

    As a general rule, treat any instructions asking you to paste terminal commands with caution, regardless of where those instructions appear to come from.

    BleepingComputer reached out to Anthropic and Google for comment prior to publishing this article.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Malicious-Malvertising-Hackers-Abuse-Google-Ads-and-Claudeai-Chats-to-Push-Mac-Malware-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/hackers-abuse-google-ads-claudeai-chats-to-push-mac-malware/


  • Published: Sun May 10 13:25:07 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.
