Cybersecurity researchers have uncovered a new tactic where threat actors are leveraging Anthropic’s Claude AI platform and Google Ads to distribute a potent malware known as MacSync Stealer targeting macOS users. The discovery was made by Zscaler Threat Hunting, highlighting a sophisticated ploy to deceive users into compromising their systems.
Infiltration via Google Ads and Claude AI
The malware infection chain initiates when users search for terms related to Claude AI, such as “claude download” or “claude mac,” and click on promoted Google advertisements. These ads redirect users to a shared Claude AI chat link. Due to the legitimate claude.ai domain, the attack gains perceived credibility.
Further deception is employed as attackers set their display name in Claude to “Apple Support.” This misleading tactic makes the fake chat, which includes instructions for malware deployment, appear as legitimate guidance from Apple.
Executing the Malicious Script
The fraudulent chat instructs users to execute a Base64-encoded curl command in the macOS Terminal. This method, known as ClickFix, first appeared in 2024 and has become a popular technique for deploying macOS-specific malware.
By running the provided command, users unknowingly trigger a multi-stage infection process. This sophisticated method stealthily redirects outputs to conceal its activities, simultaneously fetching advanced payloads from attacker-controlled servers.
Targeting Sensitive Information
The campaign, active from June 12 to June 19, 2026, utilized 22 distinct Google Ads campaign IDs and targeted various search phrases, including those in Chinese. To avoid detection, malicious infrastructure mimicked domains of local U.S. businesses.
Once MacSync Stealer is fully deployed, it prompts victims to enter their macOS password via a fake system prompt, subsequently harvesting extensive sensitive data. This includes credentials from browsers, password managers, SSH keys, AWS credentials, and cryptocurrency wallet data.
Data Exfiltration and Attribution
After collection, the stolen data is compressed into 10MB segments for transmission to a remote server, and all traces of the malware are deleted from the victim’s system post-exfiltration. Analysts found Russian-language code within the malware’s AppleScript, suggesting the perpetrators may be Russian-speaking.
Preventative Measures and Recommendations
Researchers stress that the Claude AI platform itself was not compromised; instead, its sharing feature was misused. Anthropic has been alerted about the issue, and the malicious shared chats have been taken down. Security experts advise Mac users to avoid executing unfamiliar Terminal commands, verify downloads from official sources, and approach search ad “fix” prompts with skepticism.
