Both Google ads point to Anthropic’s real domain, claude.ai — and yet clicking them can deliver macOS malware hosted inside Claude’s own shared-chat feature.
Berk Albayrak’s discovery and parallel confirmation by BleepingComputer
The campaign was first spotted by Berk Albayrak, a security engineer at Trendyol Group, who posted his findings on LinkedIn. Albayrak identified a shared Claude chat posing as an official “Claude Code on Mac” installation guide attributed to “Apple Support” that instructs users to open Terminal and paste a command. While verifying Albayrak’s findings, BleepingComputer discovered a second, independently hosted shared Claude chat performing the same attack. Both chats were publicly accessible at the time of writing.
How attackers abuse Google Ads and legitimate shared chats
Users searching for "Claude mac download" may encounter sponsored search results that list claude.ai as the destination URL; the ads themselves show Anthropic’s real domain. The malicious content, however, is not on a fake landing page — it is hosted inside Claude’s shared-chat feature. That makes the destination URL in the ad genuine even as the chat’s instructions push victims to run malware.
Observed malware delivery: domains, loader, and in-memory execution
The shared chats display base64-encoded instructions that download an encoded shell script from attacker-controlled domains. Examples observed on VirusTotal include:
- hxxp://customroofingcontractors[.]com/curl/b42a0ed9d1ecb72e42d6034502c304845d98805481d99cea4e259359f9ab206e (variant seen by Albayrak)
- hxxps://bernasibutuwqu2[.]com/debug/loader.sh?build=a39427f9d5bfda11277f1a58c89b7c2d (variant seen by BleepingComputer)
The loader.sh served by the second link unpacks into Gunzip-compressed shell instructions that run entirely in memory, leaving little obvious trace on disk. That script then pulls a second-stage payload and executes it through osascript, macOS’s built-in scripting engine, enabling remote code execution without dropping a traditional application or binary.
Variants, profiling, and data exfiltration
The two observed variants follow the same social engineering structure but diverge in behavior. The BleepingComputer-identified variant first checks for Russian or CIS-region keyboard input sources; if present, it exits and sends a quiet cis_blocked status ping to the attacker’s server. For machines that pass this locale check, the script collects external IP address, hostname, OS version, and keyboard locale and forwards that profiling data to the operator before delivering the next stage — a selection process that suggests the operators are being selective about targets.
The variant reported by Albayrak appears to skip those profiling steps and proceeds straight to execution. That variant harvests browser credentials, cookies, and macOS Keychain contents, bundles them, and exfiltrates them to the attacker’s server; Albayrak identified this behavior as consistent with a variant of the MacSync macOS infostealer. The briskinternet[.]com domain shown in Albayrak’s variant was reported as down at the time of writing.
What this means for technologists, end users, and enterprises
- Technologists and security teams: Be aware that attackers are chaining ad platforms and legitimate hosted features to deliver in-memory macOS payloads that avoid leaving traditional binaries on disk. Logs and network telemetry that capture initial shell fetches, osascript invocations, and exfiltration destinations will be important for detection.
- End users: The legitimate Claude Code CLI is available through Anthropic’s official documentation and does not require pasting commands from a chat interface. Users are advised to navigate directly to claude.ai for downloads and to treat any instruction that asks them to paste terminal commands with caution.
- Enterprises and procurement leaders: Search ads can lead to genuine domains that nevertheless host malicious content inside user-generated features. Relying solely on visible destination URLs in sponsored results is not sufficient — controls that limit execution of pasted terminal commands and guardrails around software installation remain relevant.
BleepingComputer reached out to Anthropic and Google for comment prior to publishing. Malvertising has previously been used to deliver malware through convincing ads that point to legitimate-looking domains; this campaign differs by placing the malicious instructions inside the legitimate platform’s shared content. The immediate, practical takeaway is simple and specific: navigate to Anthropic’s official documentation for the Claude Code CLI and resist pasting terminal commands from chats, even when those chats appear on trusted domains.




