[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fRk21r-TzRUmVnfKa0g_JmuIqTIdVcU8GSz4ZQ3gaoro":3},{"article":4,"iocs":47},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":36},"94b2714b-9d1a-4183-a2eb-1dd420b40922","Hackers abuse Google ads, Claude.ai chats to push Mac malware","hackers-abuse-google-ads-claude-ai-chats-to-push-mac-malware-b72e55","Attackers are abusing Google Ads and legitimate Claude.ai shared chats in an active malvertising campaign. Users searching for \"Claude mac download\" may come across sponsored search results that list claude.ai as the target website, but lead to instructions that install malware on their Mac. [...]","Threat actors are running an active malvertising campaign targeting macOS users searching for Claude AI downloads. By abusing Google Ads and Anthropic's legitimate Claude.ai shared chat feature, attackers trick users into running terminal commands that install credential-stealing malware. The campaign uses polymorphic payload delivery and victim profiling to evade detection and selectively target non-Russian users.","Attackers abuse Google Ads and Claude.ai shared chats to distribute macOS malware via social engineering.","Hackers abuse Google ads, Claude.ai chats to push Mac malware By Ax Sharma May 10, 2026 01:52 PM Attackers are abusing Google Ads and legitimate Claude.ai shared chats in an active malvertising campaign. Users searching for \"Claude mac download\" may come across sponsored search results that list claude.ai as the target website, but lead to instructions that install malware on their Mac. 
Google's sponsored search result for 'claude download mac' (BleepingComputer)

Shared Claude Chats weaponized to target macOS users

The campaign was spotted by Berk Albayrak, a security engineer at Trendyol Group, who shared his findings on LinkedIn.

Researcher alerts of ongoing malvertising campaign

Albayrak identified a Claude.ai shared chat that presents itself as an official \"Claude Code on Mac\" installation guide, attributed to \"Apple Support.\" The chat walks users through opening Terminal and pasting a command, which silently downloads and runs malware on their Mac. While attempting to verify Albayrak's findings, BleepingComputer landed on a second shared Claude chat carrying out the same attack through entirely separate infrastructure. The two chats follow an identical structure and social engineering approach but use different domains and payloads. Both chats were publicly accessible at the time of writing:

Shared Claude Chat with malicious instructions (BleepingComputer)

What does the macOS malware do?

The base64 instructions shown in the shared Claude chat download an encoded shell script from domains such as:

In the variant seen by Albayrak [VirusTotal]: hxxp:\u002F\u002Fcustomroofingcontractors[.]com\u002Fcurl\u002Fb42a0ed9d1ecb72e42d6034502c304845d98805481d99cea4e259359f9ab206e
In the variant seen by BleepingComputer [VirusTotal]: hxxps:\u002F\u002Fbernasibutuwqu2[.]com\u002Fdebug\u002Floader.sh?build=a39427f9d5bfda11277f1a58c89b7c2d

The 'loader.sh' (served by the second link above) is another set of gzip-compressed shell instructions:

Base64 code retrieves first stage 'loader.sh' payload (BleepingComputer)

This compressed shell script runs entirely in memory, leaving little obvious trace on disk. BleepingComputer observed the server serving a uniquely obfuscated version of the payload on each request (a technique known as polymorphic delivery), making it harder for security tools to flag the download based on a known hash or signature. 
The variant BleepingComputer identified starts by checking whether the machine has Russian or CIS-region keyboard input sources configured. If it does, the script exits without doing anything, sending a quiet cis_blocked status ping to the attacker's server on its way out. Only machines that pass this check get the next stage:

Shell script runs macOS malware (BleepingComputer)

Before proceeding further, the script also collects the victim's external IP address, hostname, OS version, and keyboard locale, sending all of it back to the attacker. This kind of victim profiling before payload delivery suggests the operators are being selective about who they target. The script then pulls down a second-stage payload and runs it through osascript, macOS's built-in scripting engine. This gives the attacker remote code execution without ever dropping a traditional application or binary.

The variant identified by Albayrak, however, appears to skip the profiling steps. It goes straight to execution. It harvests browser credentials, cookies, and macOS Keychain contents, packages them up, and exfiltrates them to the attacker's server. Albayrak identified this as a variant of the MacSync macOS infostealer:

Albayrak's variant skips user fingerprinting step (BleepingComputer)

The briskinternet[.]com domain shown above in the variant identified by Albayrak appeared to be down at the time of writing.

When the legitimate URL is the threat

Malvertising has become a recurring delivery mechanism for malware. BleepingComputer has previously reported on similar campaigns targeting users searching for software like GIMP, where a convincing Google ad would list a legitimate-looking domain but take visitors to a lookalike phishing site instead. This campaign flips that, as there is no fake domain to spot. Both Google ads seen here point to Anthropic's real domain, claude.ai, since the attackers are hosting their malicious instructions inside Claude's own shared chat feature. 
The destination URL in the ad is genuine.

It is not the first time that attackers have abused AI platform shared chats this way. In December, BleepingComputer reported a similar campaign targeting ChatGPT and Grok users. Earlier this year, threat actors ran an identical campaign targeting macOS developers searching for Homebrew, a popular package manager. Targeting Claude, however, casts a much wider net, reaching non-technical users who may simply be curious about AI and are less likely to scrutinise a terminal command before running it.

Users should navigate directly to claude.ai to download the native Claude app, rather than clicking sponsored search results. The legitimate Claude Code CLI is available through Anthropic's official documentation and does not require pasting commands from a chat interface. As a general rule, treat any instructions asking you to paste terminal commands with caution, regardless of where those instructions appear to come from.

BleepingComputer reached out to Anthropic and Google for comment prior to publishing.
","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fhackers-abuse-google-ads-claudeai-chats-to-push-mac-malware\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F07\u002FClaude_AI.png","2026-05-10T17:52:15+00:00","2026-05-10T18:00:17.568434+00:00",8,[18,21,23,26,28],{"name":19,"type":20},"Google","vendor",{"name":22,"type":20},"Anthropic",{"name":24,"type":25},"Claude","product",{"name":27,"type":25},"macOS",{"name":29,"type":30},"Google Ads","technology","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":31,"icon":33,"name":34,"slug":35},null,"Malware","malware",[37,42],{"category":38},{"id":39,"icon":33,"name":40,"slug":41},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":43},{"id":44,"icon":33,"name":45,"slug":46},"839da5c1-3c34-47e2-9499-f7201640e3ac","AI Security","ai-security",[48,52,55,58,61],{"type":49,"value":50,"context":51},"domain","customroofingcontractors.com","C2 domain serving encoded shell script payload in variant identified by Berk Albayrak",{"type":49,"value":53,"context":54},"bernasibutuwqu2.com","C2 domain serving polymorphic loader.sh payload in variant identified by BleepingComputer",{"type":49,"value":56,"context":57},"briskinternet.com","Exfiltration C2 domain used in MacSync infostealer variant; reported as down at time of analysis",{"type":35,"value":59,"context":60},"MacSync","macOS infostealer harvesting browser credentials, cookies, and Keychain contents",{"type":62,"value":63,"context":64},"hash_sha256","b42a0ed9d1ecb72e42d6034502c304845d98805481d99cea4e259359f9ab206e","First-stage payload hash from 
customroofingcontractors.com variant"]