Tools Change. Habits Don’t. We Saw It Up Close.
A Huntress engineer encountered a malvertising campaign via a Google sponsored search result for 'Claude Code'. The malicious link delivered a multi-stage macOS malware utilizing base64 encoding, gzip compression, and obfuscated AppleScript to bypass Gatekeeper and attempt extraction of Claude Code credentials from the macOS keychain.
Authors: Huntress
Source: Huntress
- Domain: claude-desktop-app[.]bitbucket[.]io - Domain hosting the initial fake Claude Code download page.
- Domain: telpoosh[.]com - Domain hosting the secondary macOS malware payload.
- File name: /private/tmp/helper - File path where the secondary executable payload is dropped and launched.
- URL: hxxps://claude-desktop-app[.]bitbucket[.]io - Malicious sponsored Google search result link masquerading as the official Claude Code download site.
- URL: hxxps://telpoosh[.]com/n8n/update - Secondary payload download URL accessed by the initial decoded script.
Detection / Hunter
What Happened
A security engineer accidentally clicked on a fake, malicious Google ad while searching for an AI coding tool called Claude Code. This ad downloaded a hidden program designed to steal passwords and access keys from their Mac computer. Because the engineer immediately reported the mistake, the security team was able to stop the attack before any sensitive information was stolen. This highlights the importance of being cautious with search engine ads and having a supportive workplace culture where employees feel safe reporting mistakes right away.
Key Takeaways
- Attackers are using malvertising via Google sponsored search results to target developers looking for AI tools like Claude Code.
- The macOS malware uses base64 encoding and gzip compression to hide an initial script that downloads a secondary payload.
- The secondary payload bypasses macOS Gatekeeper, executes from the /tmp directory, and uses obfuscated AppleScript.
- The primary goal of the malware is to extract Claude Code credentials and other sensitive data from the macOS keychain.
- A blameless security culture that encourages immediate reporting of mistakes is critical for rapid incident containment.
Affected Systems
- macOS
Attack Chain
The victim clicked a malicious sponsored Google search result for 'Claude Code', which downloaded an initial script. This script used base64 encoding and gzip compression to evade detection. Upon decoding, the script downloaded a secondary payload from a remote server, saved it to '/private/tmp/helper', marked it as executable, and launched it, bypassing macOS Gatekeeper. The final payload utilized obfuscated AppleScript to target the macOS keychain and attempt to steal Claude Code credentials.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries were provided in the article.
Detection Engineering Assessment
- EDR Visibility: High — EDR solutions on macOS can effectively monitor file creations in /private/tmp/, execution of downloaded binaries, Gatekeeper bypass events, and suspicious AppleScript executions targeting the keychain.
- Network Visibility: Medium — Network logs can capture connections to suspicious domains like the bitbucket.io subdomain or telpoosh.com, though the traffic is likely encrypted via HTTPS.
- Detection Difficulty: Moderate — While the initial malvertising vector is difficult to detect technically, the subsequent behaviors (dropping executables in /tmp, Gatekeeper bypass, keychain access via AppleScript) are well-known macOS malware patterns that trigger standard EDR alerts.
Required Log Sources
- macOS Unified Log
- EDR Process Telemetry
- EDR File Telemetry
- Web Proxy/DNS Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for processes executing from /private/tmp/ that were recently downloaded or created by a browser process. | EDR Process/File Telemetry | Execution | Low |
| Search for AppleScript execution (osascript) attempting to access the macOS keychain, especially querying for specific application credentials like Claude. | EDR Process Telemetry | Credential Access | Medium |
| Identify base64 decoding and gzip decompression command sequences executed by shell processes on macOS. | EDR Process Telemetry | Defense Evasion | Medium |
Control Gaps
- Search Engine Ad Filtering
- DNS Filtering (Bitbucket is a legitimate service often allowed by default)
Key Behavioral Indicators
- Execution of binaries from /private/tmp/helper
- osascript accessing the macOS keychain
- macOS Gatekeeper bypass alerts
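The three hunting hypotheses and the key behavioral indicators above describe the same chain from the defender's side. The following script is an added example, not code from the original article or from Huntress; it runs those hunts over a few constructed macOS EDR events in an assumed, vendor-neutral JSON-lines schema (the `type`, `image`, `cmdline`, `path` and `actor_image` field names are assumptions, as are the `/usr/bin/curl` and browser paths used to judge how a file in /private/tmp/ arrived). The blob and AppleScript values in the sample events are placeholders, not real payload content.

```python
"""Run the three macOS hunting hypotheses over constructed EDR telemetry."""
import json
import re

# Assumed, vendor-neutral event schema (not a real EDR format), one JSON object per line:
#   process events: type, ts, pid, image, parent_image, cmdline
#   file events:    type, ts, action, path, actor_image
TMP_PREFIXES = ("/private/tmp/", "/tmp/")
# Assumed set of processes whose file writes mean "this was downloaded".
DOWNLOADERS = ("/usr/bin/curl", "/usr/bin/wget", "/Applications/Google Chrome.app",
               "/Applications/Safari.app", "/Applications/Firefox.app")
KEYCHAIN_PATH_RE = re.compile(r"/Library/Keychains/")
KEYCHAIN_CMD_RE = re.compile(r"keychain|find-(?:generic|internet)-password", re.I)
B64_DECODE_RE = re.compile(r"\bbase64\s+(?:-[dD]\b|--decode\b)")
GZIP_DECODE_RE = re.compile(r"\b(?:gunzip|zcat|gzip\s+-d)\b")

# Constructed sample telemetry: the first six events mirror the reported chain
# (browser -> decoding shell -> curl drops /private/tmp/helper -> helper runs ->
# osascript touches the login keychain); the last two are benign noise.
SAMPLE_EVENTS = r"""
{"type":"process","ts":"2026-01-01T10:00:00Z","pid":480,"image":"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome","parent_image":"/sbin/launchd","cmdline":"Google Chrome"}
{"type":"process","ts":"2026-01-01T10:00:05Z","pid":501,"image":"/bin/bash","parent_image":"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome","cmdline":"bash -c 'echo BLOB_PLACEHOLDER | base64 -d | gunzip | bash'"}
{"type":"file","ts":"2026-01-01T10:00:06Z","action":"create","path":"/private/tmp/helper","actor_image":"/usr/bin/curl"}
{"type":"process","ts":"2026-01-01T10:00:07Z","pid":503,"image":"/private/tmp/helper","parent_image":"/bin/bash","cmdline":"/private/tmp/helper"}
{"type":"process","ts":"2026-01-01T10:00:08Z","pid":504,"image":"/usr/bin/osascript","parent_image":"/private/tmp/helper","cmdline":"osascript -e 'OBFUSCATED_SCRIPT_PLACEHOLDER'"}
{"type":"file","ts":"2026-01-01T10:00:09Z","action":"open","path":"/Users/dev/Library/Keychains/login.keychain-db","actor_image":"/usr/bin/osascript"}
{"type":"process","ts":"2026-01-01T10:05:00Z","pid":600,"image":"/usr/bin/osascript","parent_image":"/bin/zsh","cmdline":"osascript -e 'beep'"}
{"type":"process","ts":"2026-01-01T10:05:01Z","pid":601,"image":"/bin/bash","parent_image":"/bin/zsh","cmdline":"bash -c 'tar xzf release.tgz'"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt(events):
    """Return one finding per hypothesis hit, tagged with the page's ATT&CK IDs."""
    findings = []
    created_by = {}  # path -> image of the process that created it
    for ev in events:
        if ev["type"] == "file":
            if ev.get("action") == "create":
                created_by[ev["path"]] = ev["actor_image"]
            # Hypothesis 2 (file side): osascript opening a keychain database.
            if ev["actor_image"].endswith("/osascript") and KEYCHAIN_PATH_RE.search(ev["path"]):
                findings.append({"hypothesis": 2, "stage": "Credential Access",
                                 "technique": "T1555.001", "ts": ev["ts"],
                                 "detail": f"osascript opened {ev['path']}"})
            continue

        image, cmd = ev["image"], ev.get("cmdline", "")
        # Hypothesis 1: execution from /private/tmp/, with the creator recorded
        # earlier; a download tool as creator raises the risk.
        if image.startswith(TMP_PREFIXES):
            creator = created_by.get(image, "unknown")
            findings.append({"hypothesis": 1, "stage": "Execution",
                             "technique": "T1553.001", "ts": ev["ts"], "pid": ev["pid"],
                             "risk": "high" if creator.startswith(DOWNLOADERS) else "medium",
                             "detail": f"{image} executed; file created by {creator}"})
        # Hypothesis 2 (process side): osascript command line naming the keychain.
        if image.endswith("/osascript") and KEYCHAIN_CMD_RE.search(cmd):
            findings.append({"hypothesis": 2, "stage": "Credential Access",
                             "technique": "T1555.001", "ts": ev["ts"], "pid": ev["pid"],
                             "detail": f"osascript keychain reference: {cmd}"})
        # Hypothesis 3: base64 decode and gzip decompress in one shell pipeline.
        if B64_DECODE_RE.search(cmd) and GZIP_DECODE_RE.search(cmd):
            findings.append({"hypothesis": 3, "stage": "Defense Evasion",
                             "technique": "T1140", "ts": ev["ts"], "pid": ev["pid"],
                             "detail": f"base64+gzip decode pipeline: {cmd}"})
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_EVENTS)):
        print(f"[H{f['hypothesis']}] {f['stage']} {f['technique']}: {f['detail']}")
```

On the sample data the two benign events (a plain `osascript -e 'beep'` and a `tar xzf` extraction) produce nothing, which is the point of matching on the combination of decode commands and on keychain paths rather than on `osascript` or `base64` alone; on real telemetry the file-side keychain check is the lower-noise of the two hypothesis 2 signals, since the command line of an obfuscated AppleScript often does not mention the keychain at all.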
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Isolate affected macOS devices from the network.
- Rotate potentially compromised credentials, specifically targeting Claude Code and other developer tools.
- Block identified malicious domains and URLs at the network perimeter.
Infrastructure Hardening
- Implement strict Gatekeeper policies to only allow applications from the App Store and identified developers.
- Deploy DNS filtering to block known malicious domains and newly registered domains.
User Protection
- Deploy and properly configure EDR solutions on all macOS endpoints.
- Enforce Multi-Factor Authentication (MFA) and the use of approved password managers.
Security Awareness
- Train employees to scrutinize sponsored search results and verify domains before downloading software.
- Foster a blameless reporting culture to encourage immediate notification of suspected security incidents.
- Establish clear guidelines for downloading and using approved AI tools.
MITRE ATT&CK Mapping
- T1189 - Drive-by Compromise
- T1140 - Deobfuscate/Decode Files or Information
- T1059.002 - Command and Scripting Interpreter: AppleScript
- T1553.001 - Subvert Trust Controls: Gatekeeper Bypass
- T1555.001 - Credentials from Password Stores: Keychain
Additional IOCs
- Domains:
  - claude-desktop-app[.]bitbucket[.]io - Domain hosting the initial fake Claude Code download page.
  - telpoosh[.]com - Domain hosting the secondary macOS malware payload.
- URLs:
  - hxxps://claude-desktop-app[.]bitbucket[.]io - Malicious sponsored Google search result link.
  - hxxps://telpoosh[.]com/n8n/update - Secondary payload download URL.
- File Paths:
  - /private/tmp/helper - Dropped executable payload.