Hackers Abuse Shared Claude Chats and Google Ads to Deploy MacSync Stealer on macOS

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

Threat actors are hijacking Anthropic’s Claude AI platform and Google Ads to trick Mac users into infecting themselves with a dangerous new information-stealing malware called MacSync Stealer, according to Zscaler Threat Hunting.

The infection begins when a victim searches for terms like “claude download” or “claude mac” and clicks a paid Google ad that redirects to a shared Claude chat link, lending the attack instant credibility since it uses claude.ai’s legitimate domain.

The threat actors set their Claude display name to “Apple Support,” so the shared chat appears to be from Apple, making the fake fix instructions look trustworthy.

The chat instructs victims to copy and paste a Base64-obfuscated curl command into Terminal, a classic ClickFix technique that first emerged in 2024 and has since become a favorite tool for macOS-focused malware operators.

Claude Shared Chat Used for ClickFix (Source: Zscaler)

Running this command triggers a multi-stage infection chain, silently redirecting output to hide any trace of execution while fetching progressively more capable payloads from attacker-controlled infrastructure.

Claude Chats Abused for Clickfix

Zscaler traced the campaign, active from June 12 to June 19, 2026, using 22 unique Google Ads campaign IDs and seven search terms related to Claude, including “claude ai,” “claude code,” and even a Chinese-language variant.

The malicious infrastructure disguised itself using domains themed around ordinary local U.S. businesses, such as laminate flooring companies and pet sitters, to evade detection.

Once fully deployed via AppleScript, MacSync Stealer tricks victims into entering their macOS password through a fake system prompt, then systematically harvests sensitive data before erasing all traces of itself.

  • Keychain files and credentials from Chromium and Gecko-based browsers, including cookies and saved logins
  • Password manager browser extensions and their stored data
  • SSH keys, AWS credentials, and Kubernetes configs from developer environments
  • Telegram Desktop files, documents, and files with extensions like .pdf, .wallet, and .kdbx
  • Cryptocurrency wallet browser extensions and desktop wallet applications, including targeted Ledger and Trezor payloads

Stolen data is compressed and exfiltrated in 10MB chunks to a remote server before the malware deletes all evidence from the system, according to the researchers.

Analysts found Russian-language code comments inside the malware’s AppleScript payload, suggesting the operators behind MacSync Stealer are likely Russian-speaking.

Researchers note the group continues to evolve its tactics, having previously distributed malware through fake “cracked” software before pivoting to ClickFix and abuse of AI platforms.

Security researchers emphasize that Claude itself was not compromised; attackers simply abused its legitimate sharing feature. Anthropic has been notified, and the malicious shared chats are no longer accessible, but experts urge Mac users to never paste unfamiliar Terminal commands, verify software downloads only through official websites, and treat “fix” prompts from search ads with suspicion.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.