Threat Actors Abuse claude.ai Shared Chat for ClickFix Malvertising Campaign

What Happened

Cybercriminals are running fake Google Ads for popular AI tools like Claude and ChatGPT to trick people into downloading malware. When users click the ads, they are taken to legitimate-looking pages—including real shared chats on claude.ai—that instruct them to copy and paste a command into their Mac terminal to 'install' the software. If executed, this command installs malware that steals passwords, cookies, and cryptocurrency wallets. Mac users should be extremely cautious and only download software directly from official websites, never by copying and pasting terminal commands from unknown sources.

Key Takeaways

• Threat actors deployed 106 unique malicious hostnames over seven weeks, rotating infrastructure and testing AI brand lures like Claude, ChatGPT, and Perplexity.
• The campaign shifted to weaponizing claude.ai's shared chat feature, evading browser warnings and URL inspection by using a highly trusted domain.
• The attacks primarily targeted the Asia-Pacific region, with Taiwan accounting for 30.5% of total traffic.
• The ClickFix social engineering technique tricks users into manually executing malicious terminal commands to 'install' fake software.
• The final payload is the MacSync infostealer, which harvests browser credentials, cookies, SSH keys, and cryptocurrency wallets on macOS.

Affected Systems

• macOS
• Chromium browsers
• GitLab Pages (abused infrastructure)
• claude.ai (abused infrastructure)

Attack Chain

The attack begins with malicious Google Ads targeting users searching for AI developer tools or Mac utilities. Clicking the ad redirects the victim to a ClickFix social engineering page hosted on GitLab Pages or a weaponized claude.ai shared chat. The page instructs the user to copy and paste a base64-encoded curl command into their macOS terminal. Execution of this command downloads a loader script that checks for CIS keyboard layouts; if not found, it fetches and executes the MacSync infostealer (an AppleScript payload) to harvest browser data, SSH keys, and crypto wallets.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No
• Platforms: TrendAI Vision One

Trend Micro provides hunting queries and IOCs via their TrendAI Vision One Threat Intelligence Hub, though specific rule bodies are not included in the public blog post.

Detection Engineering Assessment

EDR Visibility: High — EDRs on macOS should easily capture terminal commands executing curl piped to bash or sh, as well as osascript execution fetching remote payloads. Network Visibility: Medium — Initial access uses legitimate domains (claude.ai, gitlab.io) over HTTPS, making network detection difficult. However, the secondary payload fetch to the attacker-controlled C2 domain can be detected. Detection Difficulty: Moderate — The social engineering aspect evades traditional web filters by using trusted domains, but the post-exploitation terminal commands are highly anomalous for standard users.

Required Log Sources

• macOS Unified Log
• EDR Process Telemetry
• Network Proxy/DNS Logs

Hunting Hypotheses

Control Gaps

• Web Content Filtering (fails due to trusted domains like claude.ai and gitlab.io)
• Safe Browsing heuristics

Key Behavioral Indicators

• curl piped to shell
• osascript fetching remote payloads
• defaults read querying keyboard layouts

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Consider blocking the identified malicious loader domain (loserrq0j1sha8.com) at the network perimeter.
• Search endpoint telemetry for the execution of the identified curl and osascript command patterns.

Infrastructure Hardening

• Consider implementing DNS filtering or EDR network controls to restrict terminal applications from initiating outbound connections to untrusted domains.

User Protection

• If your EDR supports it, consider creating custom behavioral rules to alert on curl commands piped to shells on macOS endpoints.
• Evaluate whether standard users require access to terminal utilities, and restrict access where appropriate.

Security Awareness

• Educate developers and technical staff about ClickFix social engineering tactics, emphasizing the danger of copying and pasting terminal commands from web pages.
• Reinforce the importance of downloading software only from official vendor websites or approved package managers (e.g., Homebrew, npm).

MITRE ATT&CK Mapping

• T1583.008 - Acquire Infrastructure: Malvertising
• T1566.002 - Phishing: Spearphishing Link
• T1204.001 - User Execution: Malicious Link
• T1204.002 - User Execution: Malicious File
• T1059.004 - Command and Scripting Interpreter: Unix Shell
• T1059.002 - Command and Scripting Interpreter: AppleScript
• T1614.001 - System Location Discovery: System Language Discovery
• T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
• T1539 - Steal Web Session Cookie

Additional IOCs

• Domains:
  • claudeapp[.]gitlab[.]io - Malicious GitLab Pages subdomain used as a ClickFix lure.
  • mac-guide-tool[.]gitlab[.]io - Malicious GitLab Pages subdomain used for Mac utility scam lures.
  • claude-tool-app[.]gitlab[.]io - Malicious GitLab Pages subdomain used as a ClickFix lure.
  • claud-desktop-app[.]gitlab[.]io - Malicious GitLab Pages subdomain used as a ClickFix lure.
  • claudesktop[.]gitlab[.]io - Malicious GitLab Pages subdomain used as a ClickFix lure.
  • claude-desktop-apps[.]gitlab[.]io - Malicious GitLab Pages subdomain used as a ClickFix lure.
  • macsupp-group[.]gitlab[.]io - Malicious GitLab Pages subdomain used for Mac utility scam lures.
  • macsupp-usb[.]gitlab[.]io - Malicious GitLab Pages subdomain used for Mac utility scam lures.
  • jetbrains-apps-group[.]gitlab[.]io - Malicious GitLab Pages subdomain used as a ClickFix lure impersonating JetBrains.
  • chatgpt-codex[.]gitlab[.]io - Malicious GitLab Pages subdomain used as a ClickFix lure impersonating ChatGPT Codex.
  • cladesktop[.]gitlab[.]io - Malicious GitLab Pages subdomain used as a ClickFix lure.
  • chatgpt-codex-app[.]gitlab[.]io - Malicious GitLab Pages subdomain used as a ClickFix lure impersonating ChatGPT Codex.
  • chatgpt-codex-lm[.]gitlab[.]io - Malicious GitLab Pages subdomain used as a ClickFix lure impersonating ChatGPT Codex.
  • claudecode-desktop[.]gitlab[.]io - Malicious GitLab Pages subdomain used as a ClickFix lure.
  • claudecode-download[.]gitlab[.]io - Malicious GitLab Pages subdomain used as a ClickFix lure.
• Command Lines:
  • Purpose: Decodes and executes the first-stage loader script from the terminal. | Tools: curl, base64, sh, bash | Stage: Initial Access / Execution | curl -s | echo <base64_blob> | base64 -d | sh
  • Purpose: Checks the macOS system for Russian keyboard layouts to avoid infecting CIS systems. | Tools: defaults, grep | Stage: Discovery / Evasion
  • Purpose: Fetches and executes the MacSync infostealer AppleScript payload. | Tools: curl, osascript | Stage: Execution / Payload Delivery