Hackers Exploit Claude AI and Google Ads to Deploy MacSync Stealer on macOS

Cybercriminals are leveraging Anthropic’s Claude AI platform and Google Ads to distribute MacSync Stealer, a sophisticated information-stealing malware targeting macOS users. This campaign exploits users’ trust in legitimate platforms to facilitate malware installation.

The attack initiates when users search for terms like “claude download” or “claude mac” and click on sponsored Google ads. These ads redirect to shared Claude chat links, which, being hosted on the official claude.ai domain, appear credible. Within these shared chats, attackers pose as “Apple Support,” providing instructions that seem authoritative.

Victims are instructed to copy and paste a Base64-encoded command into their Terminal application—a tactic known as ClickFix. This method, first observed in 2024, has become a favored technique among macOS-focused malware operators. Executing the command triggers a multi-stage infection process, downloading and running additional payloads from attacker-controlled servers while concealing the execution traces.

Abuse of Claude Chats for ClickFix Attacks

Between June 12 and June 19, 2026, researchers identified this campaign utilizing 22 unique Google Ads campaign IDs and targeting search terms related to Claude AI, including “claude ai,” “claude code,” and a Chinese-language variant. The attackers employed domains mimicking local U.S. businesses, such as laminate flooring companies and pet sitters, to evade detection.

Once the malware is fully deployed via AppleScript, it prompts users to enter their macOS password through a deceptive system prompt. Upon obtaining the password, MacSync Stealer systematically harvests sensitive data, including:

  • Keychain files and credentials from Chromium and Gecko-based browsers, encompassing cookies and saved logins.
  • Data from password manager browser extensions.
  • SSH keys, AWS credentials, and Kubernetes configurations from developer environments.
  • Files from Telegram Desktop, documents, and files with extensions like .pdf, .wallet, and .kdbx.
  • Data from cryptocurrency wallet browser extensions and desktop wallet applications, including targeted payloads for Ledger and Trezor devices.

The stolen data is compressed and exfiltrated in 10MB chunks to a remote server before the malware deletes all evidence of its presence on the system. Analysis of the malware’s AppleScript payload revealed Russian-language code comments, indicating that the operators behind MacSync Stealer are likely Russian-speaking.

It’s important to note that Claude AI itself was not compromised; attackers merely exploited its legitimate sharing feature. Anthropic has been notified, and the malicious shared chats have been removed. However, security experts advise macOS users to exercise caution: avoid pasting unfamiliar commands into Terminal, download software exclusively from official websites, and approach “fix” prompts from search ads with skepticism.

This incident underscores the evolving tactics of cybercriminals who are increasingly abusing trusted platforms and advertising networks to distribute malware. Users must remain vigilant and adopt best practices to safeguard their systems against such sophisticated threats.