Claude.ai Malvertising: How Attackers Abuse Shared Chats for macOS Malware
- [01] Immediate impact: macOS users are targeted by malicious search ads leading to data-stealing malware infections via trusted AI platforms.
- [02] Affected systems: macOS systems searching for AI productivity tools like Claude are at risk of compromise through malicious shared chats.
- [03] Remediation: Organization-wide blocking of untrusted third-party download links and enforcing software installation via managed app stores or official domains.
A sophisticated malvertising operation is currently exploiting Google Ads and the legitimate shared chat feature of Anthropic’s Claude.ai to deliver macOS-specific malware. By weaponizing the trust associated with official domains, attackers are successfully circumventing common security filters that might otherwise flag suspicious download links. According to BleepingComputer, this campaign specifically targets users searching for terms like “Claude mac download,” leading them through a deceptive redirection chain that ends in the installation of the Cuckoo infostealer.
Dissecting the Claude.ai Shared Chat Malvertising Campaign
The attack begins with a phishing lure delivered through sponsored search results. Attackers purchase Google Ads that appear when users search for popular AI software. To the end user the ad looks legitimate, because Google displays the destination as the official claude.ai domain. Clicking the ad, however, first routes the browser through an intermediary tracking domain, a common TTP in malvertising, before landing the user on a genuine shared chat page hosted by Anthropic.
By landing the victim on a legitimate claude.ai/share/ URL, the attackers gain immediate credibility. The shared chat is pre-written to look like a support or download instruction page and carries a link to a malicious disk image (.DMG) hosted on an external service such as Dropbox or on an attacker-controlled domain. Because the initial landing page sits on a trusted domain, many EDR solutions and secure web gateways may not intercept the traffic: the malicious intent is hidden inside a legitimate feature of the application.
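The chain described above (sponsored click, tracking redirect, claude.ai/share/ page, off-domain .dmg) is visible in ordinary web-proxy logs, and the combination is far more specific than any single domain. The following detection logic is an added example written for this article, not code from BleepingComputer, Anthropic or any vendor. The log format, the `.invalid` hostnames, the share-page identifiers and the trusted-domain list are all constructed assumptions; a real deployment would read its own proxy schema and its own allowlist.

```python
"""Flag the sponsored-ad -> claude.ai/share/ -> off-domain .dmg chain in web-proxy logs.

Added example. The log format below is constructed for illustration, not any vendor's
real format. Fields: ISO-8601 time, client IP, requested URL, referrer ('-' if none).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumption: a genuine Claude desktop download is served from these domains only.
TRUSTED_DOWNLOAD_DOMAINS = ("claude.ai", "anthropic.com")
# Google's sponsored-result click redirector; seeing it first raises the severity.
AD_CLICK_HOSTS = ("www.googleadservices.com", "googleadservices.com")
# How long after the shared-chat page view a .dmg fetch is still tied to it.
WINDOW = timedelta(minutes=10)

# Constructed sample log: one victim chain (10.0.0.5), one benign share-page visit
# (10.0.0.7) and one unrelated .dmg download with no share page (10.0.0.9).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 https://www.google.com/search?q=claude+mac+download -
2024-05-01T10:00:04Z 10.0.0.5 https://www.googleadservices.com/pagead/aclk?sa=L&ai=CONSTRUCTED -
2024-05-01T10:00:05Z 10.0.0.5 https://trk.example-tracker.invalid/r?u=claude https://www.google.com/
2024-05-01T10:00:06Z 10.0.0.5 https://claude.ai/share/0000-placeholder-share-id https://trk.example-tracker.invalid/
2024-05-01T10:00:40Z 10.0.0.5 https://files.example-host.invalid/dl/Claude_Installer.dmg https://claude.ai/share/0000-placeholder-share-id
2024-05-01T11:00:00Z 10.0.0.7 https://claude.ai/share/1111-placeholder-share-id https://www.google.com/
2024-05-01T11:01:00Z 10.0.0.7 https://claude.ai/download https://claude.ai/share/1111-placeholder-share-id
2024-05-01T12:00:00Z 10.0.0.9 https://mirror.example-host.invalid/tool.dmg -
"""


@dataclass
class Event:
    ts: datetime
    client: str
    url: str
    referrer: str


def parse_log(text):
    """Parse the constructed four-field format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, referrer = line.split()
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), client, url, referrer))
    return events


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOWNLOAD_DOMAINS)


def is_share_page(url):
    return host_of(url) == "claude.ai" and urlparse(url).path.startswith("/share/")


def is_dmg_download(url):
    return urlparse(url).path.lower().endswith(".dmg")


def detect_chain(events):
    """Return one finding per off-domain .dmg fetch that follows a claude.ai/share/ view."""
    findings = []
    by_client = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_client.setdefault(e.client, []).append(e)
    for client, evs in by_client.items():
        for i, e in enumerate(evs):
            if not is_dmg_download(e.url) or is_trusted(host_of(e.url)):
                continue
            earlier = evs[:i]
            # The share page is either the referrer or was viewed shortly before the fetch.
            share = next((p for p in reversed(earlier)
                          if is_share_page(p.url) and e.ts - p.ts <= WINDOW), None)
            if share is None and not is_share_page(e.referrer):
                continue
            share_url = share.url if share else e.referrer
            ad_click = any(host_of(p.url) in AD_CLICK_HOSTS and e.ts - p.ts <= WINDOW
                           for p in earlier)
            findings.append({"client": client, "dmg_url": e.url, "share_url": share_url,
                             "ad_click": ad_click, "severity": "high" if ad_click else "medium"})
    return findings


if __name__ == "__main__":
    for f in detect_chain(parse_log(SAMPLE_LOG)):
        print(f)
```

The rule deliberately keys on the shape of the chain rather than on the hostnames in the sample, so it keeps working when the attacker rotates the tracking domain and the file host; the one thing the campaign cannot easily drop is the claude.ai/share/ hop that gives it credibility.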
Payload Analysis and Execution
The final payload delivered in this campaign is often identified as “Cuckoo,” a potent macOS infostealer. Once the user mounts the DMG file and executes the application, the malware attempts to harvest sensitive information, including browser cookies, login credentials, and local files. This campaign highlights a shift in threat actor focus toward macOS environments, which were previously considered less targeted by broad malvertising operations.
Understanding how to detect macOS infostealer malware is becoming a priority for SOC teams. Cuckoo typically tries to get past security prompts by masquerading as a legitimate productivity tool. It may also rely on social engineering to get around macOS Gatekeeper, for example by instructing the user to right-click and choose ‘Open’ on the unsigned application or to override other system protections. Once active, the malware establishes C2 communication to exfiltrate data, which can later be used for lateral movement within a corporate network.
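When a .dmg reaches an endpoint, macOS browsers stamp it with two extended attributes that carry exactly the provenance a responder wants: `com.apple.quarantine` (a string of the form `flags;unix-time-hex;agent;uuid`) and `com.apple.metadata:kMDItemWhereFroms` (a binary plist holding the download URL and its referrer). The triage routine below is an added example written for this article, not code from Anthropic or any product. The attribute values it ships with are constructed, the `.invalid` host and the share-page identifier are placeholders, and the trusted-origin list is an assumption; `read_xattrs` is only usable on a real Mac, where it shells out to `xattr -px`.

```python
"""Triage a downloaded .dmg or .app from its macOS extended attributes.

Added example. com.apple.quarantine is "flags;unix-time-hex;agent;uuid";
com.apple.metadata:kMDItemWhereFroms is a binary plist [download URL, referrer].
The sample attribute values below are constructed, not taken from a real infection.
"""
import plistlib
import subprocess
from datetime import datetime, timezone
from urllib.parse import urlparse

# Assumption: only these domains legitimately serve the Claude desktop app.
TRUSTED_ORIGINS = ("claude.ai", "anthropic.com")
QUARANTINE = "com.apple.quarantine"
WHEREFROMS = "com.apple.metadata:kMDItemWhereFroms"


def parse_quarantine(raw):
    """Decode the quarantine string into flags, download time (UTC) and downloading agent."""
    fields = raw.decode("utf-8", "replace").split(";")
    if len(fields) < 3:
        raise ValueError("unexpected quarantine format: %r" % raw)
    return {
        "flags": int(fields[0], 16),
        "downloaded_at": datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc),
        "agent": fields[2],
    }


def parse_wherefroms(blob):
    """Decode the binary plist into the download URL and the page that linked to it."""
    items = plistlib.loads(blob)
    return {"url": items[0] if items else "", "referrer": items[1] if len(items) > 1 else ""}


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_ORIGINS)


def triage(xattrs):
    """xattrs: {attribute name: raw bytes}. Returns finding codes; an empty list means nothing odd."""
    findings = []
    q = xattrs.get(QUARANTINE)
    if q is None:
        # Gatekeeper only evaluates quarantined files; a download without the flag was stripped or never set.
        findings.append("quarantine_missing")
    else:
        parse_quarantine(q)  # raises on malformed data so the caller sees it
    wf = xattrs.get(WHEREFROMS)
    if wf is not None:
        origin = parse_wherefroms(wf)
        if origin["url"] and not _trusted(_host(origin["url"])):
            findings.append("untrusted_origin")
        if _host(origin["referrer"]) == "claude.ai" and urlparse(origin["referrer"]).path.startswith("/share/"):
            # The file was linked from a shared chat, the lure page this campaign uses.
            findings.append("share_page_referrer")
    return findings


def read_xattrs(path, names=(QUARANTINE, WHEREFROMS)):
    """Collect the attributes from a real file on macOS via `xattr -px` (hex output)."""
    out = {}
    for name in names:
        r = subprocess.run(["xattr", "-px", name, path], capture_output=True, text=True)
        if r.returncode == 0:
            out[name] = bytes.fromhex("".join(r.stdout.split()))
    return out


# Constructed samples. 0x663200d1 is a Unix time in May 2024; the UUID is a placeholder.
SAMPLE_MALICIOUS = {
    QUARANTINE: b"0083;663200d1;Safari;00000000-0000-0000-0000-000000000000",
    WHEREFROMS: plistlib.dumps(
        ["https://files.example-host.invalid/dl/Claude_Installer.dmg",
         "https://claude.ai/share/0000-placeholder-share-id"], fmt=plistlib.FMT_BINARY),
}
SAMPLE_BENIGN = {
    QUARANTINE: b"0083;663200d1;Safari;00000000-0000-0000-0000-000000000000",
    WHEREFROMS: plistlib.dumps(
        ["https://claude.ai/download/Claude.dmg",  # placeholder path on the official domain
         "https://www.google.com/"], fmt=plistlib.FMT_BINARY),
}

if __name__ == "__main__":
    print("malicious sample:", triage(SAMPLE_MALICIOUS))
    print("benign sample:   ", triage(SAMPLE_BENIGN))
```

On a live host the same function runs over `read_xattrs("/path/to/Installer.dmg")`; the agent and timestamp from the quarantine string tie the file back to the browser session in the proxy logs, and a missing quarantine attribute on a freshly downloaded installer is itself worth a look, since it is what lets an unsigned app skip the Gatekeeper prompt entirely.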
Mitigation and Defense Strategies
To counter these threats, organizations must move beyond simple domain blacklisting. Analysts should review IoC lists for domains associated with unauthorized AI software distributors and monitor for unusual execution patterns on macOS endpoints. Mapping this activity to the MITRE ATT&CK framework shows that the attackers rely heavily on User Execution (T1204) and on deceptive applications that impersonate legitimate software.
Defenders should prioritize the following actions:
- Software Restriction Policies: Implement a policy that restricts software installations to the Mac App Store or verified MDM-distributed packages.
- Search Engine Hardening: Utilize browser extensions or DNS filtering to hide sponsored search results, which are a primary vector for malvertising.
- Endpoint Visibility: Ensure that macOS devices are equipped with monitoring tools capable of detecting the unauthorized exfiltration of keychain data and browser profiles.
This campaign serves as a reminder that even legitimate SaaS features can be repurposed for malicious ends, necessitating a Zero Trust approach to all external links, regardless of the hosting domain’s reputation.