Phantom Claude Campaign Targets Developers With macOS Infostealer
Attackers use SEO poisoning to push malicious Claude Code installers to developers. The two-stage macOS malware steals credentials and cryptocurrency wallet data, then establishes persistent backdoor access.
Security researchers at Bybit discovered a multi-stage macOS malware campaign targeting users searching for Anthropic's Claude Code development tool. Dubbed Operation Phantom Claude, the attack uses search engine optimization poisoning to direct victims to convincing fake installation pages that deliver credential-stealing malware.
The Attack Chain
The campaign, first identified in March 2026, exploits developer interest in AI coding assistants. Attackers pushed a malicious domain to the top of Google search results for Claude Code queries, redirecting users to a spoofed installation page designed to closely resemble Anthropic's legitimate documentation.
Victims who download the fake installer trigger a two-stage infection:
Stage 1: Infostealer
The initial payload shares characteristics with AMOS (Atomic macOS Stealer) and Banshee stealer variants. It targets:
- Browser credentials from Chrome, Firefox, Safari, and Brave
- macOS Keychain entries containing passwords and certificates
- Telegram session data
- VPN configuration profiles
- Cryptocurrency wallet information from over 250 browser-based extensions
- Desktop wallet applications including Exodus, Electrum, and Atomic
Stage 2: Persistent Backdoor
A C++ backdoor establishes persistence for long-term access, so the attackers keep a foothold even if the victim later notices the theft and removes the more obvious infostealer components. The order of the stages matters for responders: by the time the backdoor is found, stage 1 has already exfiltrated credentials, so cleanup has to include rotating every secret the stealer could reach (browser passwords, Keychain items, Telegram sessions, VPN profiles, wallet seeds), not just deleting binaries.
Why Developers Are Prime Targets
Developers represent high-value targets for several reasons. They often have access to source code repositories, cloud infrastructure credentials, and cryptocurrency holdings. A compromised developer machine can become a stepping stone to supply chain attacks affecting downstream users.
This campaign follows a pattern we've seen with previous fake AI tool distributions, where threat actors exploit the rapid adoption of AI development tools to reach users before security awareness catches up. The technique also mirrors ClickFix-style attacks, which abuse the same trust in a seemingly legitimate download page to talk users into running attacker-supplied commands themselves.
Distribution Beyond SEO
Bitdefender and Malwarebytes have reported additional distribution vectors including:
- Google Ads promoting malicious Claude Code download pages
- ClickFix social engineering lures targeting both macOS and Windows users
- AI-generated YouTube videos directing viewers to download links
The multi-channel approach suggests a well-resourced operation designed to maximize infection rates across the developer community.
Cryptocurrency Focus
The heavy emphasis on wallet extensions—over 250 targeted—indicates financial motivation. Cryptocurrency theft provides immediate, irreversible returns for attackers. Developers working in Web3 or blockchain projects may hold significant crypto assets accessible from their development machines.
For general guidance on protecting digital assets, see our online safety tips covering secure software download practices.
Indicators and Detection
Organizations should monitor for:
- DNS queries to lookalike domains: typosquats of anthropic.com or claude.ai, or names that embed those brands under an unrelated registered domain
- Unsigned or ad-hoc-signed binaries, or binaries signed under a Team ID other than Anthropic's, presenting themselves as Claude Code installers
- Unusual Keychain access from non-standard applications
- Outbound connections to Telegram API endpoints (api.telegram.org) from processes other than the Telegram client, a common stealer exfiltration channel
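The first indicator can be turned into a check that runs over DNS logs. The following is an added example written for this article, not code from the Bybit, Bitdefender or Malwarebytes reporting. The log format (timestamp, client IP, record type, queried name) and the log lines are constructed, and the two-label "registrable domain" rule is a simplification that a production deployment would replace with the Public Suffix List.

```python
"""Flag DNS queries for domains impersonating anthropic.com or claude.ai.

Added example for this article; it is not code from the Bybit, Bitdefender
or Malwarebytes reporting. The log format (timestamp, client IP, record
type, queried name) and the log lines themselves are constructed, and the
two-label "registrable domain" rule is a simplification (a real deployment
should use the Public Suffix List so that e.g. example.co.uk is handled).
"""
import re

LEGIT_APEX = {"anthropic.com", "claude.ai"}   # official apex domains named in the article
BRANDS = ("anthropic", "claude")
MAX_EDIT_DISTANCE = 2                          # tolerance for typosquats such as anthropc.com

# Constructed sample: two legitimate lookups, three impersonations, one unrelated.
SAMPLE_DNS_LOG = """\
2026-03-14T10:22:01Z 10.0.0.12 A docs.anthropic.com
2026-03-14T10:22:03Z 10.0.0.12 A claude.ai
2026-03-14T10:23:17Z 10.0.0.41 A claude-code-install.com
2026-03-14T10:23:18Z 10.0.0.41 A cdn.anthropc.com
2026-03-14T10:24:02Z 10.0.0.41 A claude.ai.download-setup.net
2026-03-14T10:25:30Z 10.0.0.19 A api.github.com
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def registrable_domain(name):
    """Lowercase, strip a trailing dot, return the last two labels."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify(qname):
    """Return a reason string if qname looks like an impersonation, else None.

    Two checks, applied only when the query is NOT under a legitimate apex:
    1. a brand string appears anywhere in the name (covers claude-code-install.com
       and claude.ai.download-setup.net, where the real domain is only a prefix);
    2. the apex is within MAX_EDIT_DISTANCE edits of a legitimate apex (typosquats).
    Check 1 also flags unrelated names that happen to contain a brand string,
    so treat hits as triage leads rather than a blocking verdict.
    """
    apex = registrable_domain(qname)
    if apex in LEGIT_APEX:
        return None
    lowered = qname.lower()
    for brand in BRANDS:
        if brand in lowered:
            return f"brand '{brand}' under non-Anthropic apex {apex}"
    for legit in sorted(LEGIT_APEX):
        distance = levenshtein(apex, legit)
        if 0 < distance <= MAX_EDIT_DISTANCE:
            return f"apex {apex} is {distance} edit(s) from {legit}"
    return None


def scan_dns_log(text):
    """Parse log lines and return a list of suspicious-lookup records."""
    hits = []
    for line in text.splitlines():
        match = LOG_LINE.match(line.strip())
        if not match:
            continue                       # skip blank or malformed lines
        timestamp, client, _rtype, qname = match.groups()
        reason = classify(qname)
        if reason:
            hits.append({"time": timestamp, "client": client,
                         "qname": qname.lower().rstrip("."), "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['time']} {hit['client']} {hit['qname']}: {hit['reason']}")
```

Run against the constructed sample, the scan flags `claude-code-install.com` and `claude.ai.download-setup.net` through the brand check and `cdn.anthropc.com` through the edit-distance check, while `docs.anthropic.com`, `claude.ai` and `api.github.com` pass. The substring check is intentionally loose: it will also catch, say, an unrelated `claudette.example.net`, which is the right trade-off for a hunting query but not for an automated block list.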
Protective Measures
- Download only from official sources: install Claude Code through Anthropic's documented channels (the `@anthropic-ai/claude-code` npm package or the installer linked from Anthropic's own documentation). A standalone "Claude Code installer" app or disk image reached from a search result or an ad should be treated as suspect on sight.
- Verify code signatures: before running any downloaded binary, confirm with `codesign -dvv` that it carries a Developer ID signature whose Team ID matches a known-good Anthropic install, not merely that it is signed by someone.
- Use hardware wallets: keep significant cryptocurrency holdings in cold storage, so that theft of browser-extension and desktop-wallet data yields nothing spendable.
- Enable Gatekeeper: keep macOS set to allow only apps from the App Store and identified developers, and do not follow an install page's instructions to right-click-open or otherwise bypass a Gatekeeper warning.
- Monitor browser extensions: audit installed extensions for unexpected additions or modified wallet extensions.
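The "verify code signatures" and "enable Gatekeeper" items above can be made into one repeatable check. The following is an added example written for this article, not Anthropic's tooling and not code from the campaign reporting; it wraps Apple's `codesign` and `spctl` command-line tools. `EXPECTED_TEAM_ID` is a placeholder because the example does not know Anthropic's Team ID: record it once from a known-good install with `codesign -dvv` and paste it in. The three sample reports are constructed in the `codesign -dvv` output format so the parser can be exercised without a Mac.

```python
"""Verify a macOS installer's code signature before running it.

Added example for this article, not Anthropic's tooling and not from the
campaign reporting. It wraps two Apple CLIs, `codesign -dvv` (which writes
its report to stderr) and `spctl --assess` (Gatekeeper's verdict), and
parses the codesign report. EXPECTED_TEAM_ID is a placeholder: the example
does not know Anthropic's real Team ID, so record it once from a known-good
install and paste it here. The three sample reports below are constructed
in the codesign output format so the parser can be tested offline.
"""
import subprocess
import sys

EXPECTED_TEAM_ID = "REPLACE_WITH_KNOWN_GOOD_TEAM_ID"   # placeholder, see module docstring

# Constructed sample reports in `codesign -dvv` format (not real Anthropic output).
SIGNED_SAMPLE = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.installer
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=14 Mar 2026 at 10:00:00
TeamIdentifier=ABCDE12345
"""
ADHOC_SAMPLE = """\
Executable=/Users/dev/Downloads/setup
Identifier=setup
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=500 flags=0x2(adhoc) hashes=10+2 location=embedded
Signature=adhoc
TeamIdentifier=not set
"""
UNSIGNED_SAMPLE = "/Users/dev/Downloads/Claude Code Installer.app: code object is not signed at all\n"


def parse_codesign_report(text):
    """Extract the fields that matter from `codesign -dvv` output."""
    info = {"signed": True, "adhoc": False, "identifier": None,
            "team_id": None, "authorities": []}
    if "code object is not signed at all" in text:
        info["signed"] = False
        return info
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["authorities"].append(value)       # leaf certificate comes first
        elif key == "TeamIdentifier":
            info["team_id"] = None if value == "not set" else value
        elif key == "Identifier":
            info["identifier"] = value
        elif key == "Signature" and value == "adhoc":
            info["adhoc"] = True
    return info


def assess(info, expected_team_id):
    """Return (ok, reason). Only a Developer ID leaf with the expected Team ID passes."""
    if not info["signed"]:
        return False, "binary is not signed"
    if info["adhoc"] or not info["authorities"]:
        return False, "ad-hoc signature: no certificate chain, anyone can produce one"
    leaf = info["authorities"][0]
    if not leaf.startswith("Developer ID Application:"):
        return False, f"leaf certificate is not a Developer ID: {leaf}"
    if info["team_id"] != expected_team_id:
        return False, f"Team ID {info['team_id']} does not match expected {expected_team_id}"
    return True, f"signed by {leaf}"


def check_path(path, expected_team_id=EXPECTED_TEAM_ID):
    """Run codesign and spctl on a real file (macOS only) and combine the verdicts."""
    report = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    ok, reason = assess(parse_codesign_report(report.stderr + report.stdout), expected_team_id)
    # Gatekeeper also checks notarization and certificate revocation, which codesign alone
    # does not. Use --type install for .pkg files; --type execute covers apps and bare binaries.
    gatekeeper = subprocess.run(["spctl", "--assess", "--type", "execute", "-vv", path],
                                capture_output=True, text=True)
    if gatekeeper.returncode != 0:
        return False, f"{reason}; Gatekeeper rejected it: {gatekeeper.stderr.strip()}"
    return ok, reason


if __name__ == "__main__":
    verdict, why = check_path(sys.argv[1])
    print(("OK: " if verdict else "REJECT: ") + why)
    sys.exit(0 if verdict else 1)
```

The point of pinning the Team ID rather than stopping at "has a Developer ID signature" is that a Developer ID certificate only proves some Apple developer account signed the file; stealer operators have shipped binaries under stolen or throwaway accounts. A matching Team ID ties the download to the same publisher as a known-good install, and the Gatekeeper assessment adds notarization and revocation status on top.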
The sophistication of Operation Phantom Claude—combining SEO manipulation, convincing phishing pages, and multi-stage malware—demonstrates how threat actors adapt their tactics to target emerging technology adoption. As AI development tools become standard in more workflows, expect continued targeting of developer communities through similar supply chain compromise attempts.