ClaudeFix: Shared Claude Chats Meet ClickFix

ClaudeFix: Shared Claude Chats Meet ClickFix

Zscaler reports a MacSync Stealer ClickFix campaign that used paid ads and shared Claude chats to trick Mac users into running malicious paste-and-run commands. The multi-stage attack stole credentials, browser data, cloud keys, Telegram files, and cryptocurrency wallet information while showing signs of Russian-speaking involvement. #MacSyncStealer #Claude #AppleSupport #LedgerWallet #LedgerLive #TrezorSuite

Keypoints

  • Threat actors abused shared Claude chats to host ClickFix instructions and make the attack appear legitimate.
  • The campaign used malvertising, with paid Google ads luring users searching for Claude into malicious chat links.
  • The initial command used obfuscated curl and zsh execution to download the first-stage payload from malicious domains.
  • The second and third stages hid execution, established persistence via ~/.zshrc, and exfiltrated stolen data in chunks.
  • MacSync Stealer collected browser credentials, keychain files, shell history, cloud credentials, Telegram data, and selected documents.
  • The malware also targeted cryptocurrency wallet extensions and desktop wallet applications, including Ledger and Trezor-related software.
  • Zscaler observed the campaign running briefly in June 2026 and noted Russian-language comments in the payloads.

MITRE Techniques

  • [T1204.004 ] User Execution: Malicious Copy and Paste – Victims were instructed to paste and run commands in the terminal to install the payload (‘paste-and-run commands’).
  • [T1059.004 ] Command and Scripting Interpreter: Unix Shell – The attack used curl piped to zsh and later eval/osascript to execute scripts (‘curl -kfsSL …|zsh’, ‘executed in the terminal using the eval command’, ‘piped directly to osascript’).
  • [T1140 ] Deobfuscate/Decode Files or Information – The command hid the destination URL with Base64 encoding and the script decoded Base64 then gzip content (‘obfuscated using Base64 encoding’, ‘Base64-decoded then decompressed using gzip’).
  • [T1566.002 ] Phishing: Spearphishing Link – Victims were redirected through paid ads to shared Claude chat links containing malicious instructions (‘a paid ad in the results that points to a shared Claude chat link’).
  • [T1027 ] Obfuscated Files or Information – The staging URL and script content were deliberately obscured to evade detection (‘destination URL obfuscated using Base64 encoding’).
  • [T1105 ] Ingress Tool Transfer – The malware downloaded additional stages and payloads from attacker-controlled URLs (‘downloads the third stage’, ‘attempts to download three additional payloads’).
  • [T1053.005 ] Scheduled Task/Job: Startup Items – The malware modified ~/.zshrc for persistence when the terminal opens (‘append a curl command … ensuring the second-stage script is downloaded and executed each time the terminal is opened’).
  • [T1112 ] Modify Registry – Not applicable to macOS; no registry behavior described.
  • [T1005 ] Data from Local System – The malware copied keychains, browser stores, shell histories, cloud keys, Telegram files, and documents (‘Copies all keychain files’, ‘Copies shell configuration and history files’, ‘Gathers files from selected directories’).
  • [T1083 ] File and Directory Discovery – It enumerated browser files, processes, and targeted directories to collect data (‘Gathers information about running processes’, ‘Searches for known browser extensions’).
  • [T1560.001 ] Archive Collected Data: Archive via Utility – Stolen data was compressed into /tmp/osalogging.zip (‘All data collected … is compressed into /tmp/osalogging.zip’).
  • [T1041 ] Exfiltration Over C2 Channel – Data was exfiltrated over HTTP PUT requests in chunks (‘exfiltrates the collected data in 10MB chunks via HTTP PUT requests’).
  • [T1070.004 ] File Deletion – The malware deleted staging and archive artifacts after exfiltration (‘deletes /tmp/osalogging.zip’, ‘deletes the /tmp/sync* directory’).
  • [T1091 ] Replication Through Removable Media – Not observed; no removable media behavior described.
  • [T1110 ] Brute Force – Not present; no brute-force activity described.
  • [T1056.002 ] Input Capture: GUI Input Capture – The malware used a fake prompt to trick the victim into entering a macOS password (‘shows a fake prompt’).
  • [T1614.001 ] System Location Discovery: System Language Discovery – Russian-language comments suggest attacker locale/language context, but this is not a technique used by the malware.
  • [T1113 ] Screen Capture – Not described in the article.

Indicators of Compromise

  • [Domains/URLs ] Staging, C2, and payload delivery – lasvegaslaminateflooring[.]com/curl/0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abb, lasvegaslaminateflooring[.]com/dynamic?txd=0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abb, and other listed ledger/trezor URLs
  • [Domains ] MacSync Stealer hosting domains – proviewhomeinspections[.]com, meadow84[.]com, and many more listed domains
  • [Domains ] Malvertising landing domains themed as local services – realtorsmichigan[.]com, centralfloridapowerwash[.]com, and other campaign domains
  • [File paths ] Stolen data archive and temp storage – /tmp/osalogging.zip, /tmp/sync[randomNumber]
  • [File paths ] Persistence and lock artifacts – ~/.zshrc, /tmp/macsync_0e17984a73d0b1c9c7c3916d32c49c8937f2e42d4c72c543c82999463a507abb.lock
  • [File paths ] Browser and credential stores targeted on macOS – ~/Library/Keychains/*.keychain-db, ~/Library/Application Support/Google/Chrome/
  • [File paths ] Browser and wallet folders targeted – /Users/[username]/Library/Application Support/Ledger Live/, /Users/[username]/Library/Application Support/@trezor
  • [Extension IDs ] Targeted password manager and wallet extensions – eiaeiblijfjekdanodkjadfinkhbfgcd (NordPass), bfnaelmomeimhlpmgjnjophhpkkoljpa (Phantom), and many other extension IDs listed
  • [Ad/traffic metadata ] Campaign tracking data – 22 unique campaign IDs, UTM terms such as claude, claude ai, and claude code


Read more: https://www.zscaler.com/blogs/security-research/claudefix-shared-claude-chats-meet-clickfix