Cybercriminals are increasingly leveraging trusted AI platforms to execute sophisticated social engineering attacks. A recent campaign has exploited Claude.ai’s shared chat feature to disseminate malicious instructions, marking a significant evolution in attack methodologies.
Over a seven-week period, attackers deployed 106 unique malicious hostnames across six campaign waves. They continuously rotated infrastructure and tested various AI-themed lures to maximize effectiveness. Initially, the campaign utilized GitLab Pages, creating over 90 malicious subdomains under the trusted *.gitlab.io domain. These pages impersonated popular AI developer tools such as Claude AI, ChatGPT Codex, Perplexity, Cursor IDE, and JetBrains. By leveraging Google Ads, the threat actors targeted users actively searching for these tools, increasing the likelihood of engagement from technically proficient individuals.
The attackers employed a technique known as ClickFix, which involves tricking users into manually executing malicious commands. Victims were instructed to copy and paste terminal or PowerShell commands under the guise of installing or fixing software. This method effectively bypasses many traditional security controls, as the user unknowingly executes the payload.
In May 2026, the campaign escalated when attackers began abusing Claude.ai’s shared chat feature. Instead of directing victims to suspicious domains, malicious ads redirected users to legitimate Claude.ai shared chat URLs. These pages appeared trustworthy, effectively bypassing browser warnings, URL inspections, and Safe Browsing protections. Once on the page, victims encountered fake support conversations impersonating entities such as Apple Support or development teams. These chats provided step-by-step instructions for opening a terminal and executing a command, typically including a base64-encoded script that, once decoded, fetched a second-stage payload.
Analysis revealed that the payload delivered the MacSync infostealer, which targets macOS systems. The malware collects browser credentials, cookies, SSH keys, and cryptocurrency wallet data, then exfiltrates them to attacker-controlled servers. Notably, the malware includes a check for Russian keyboard layouts, likely to avoid infecting systems in CIS regions.
The campaign’s geographic targeting was heavily concentrated in the Asia-Pacific region, accounting for over 67 percent of victims. Taiwan alone represented more than 30 percent of observed traffic, followed by Japan and Singapore. Later waves expanded targeting to countries including India, France, and Italy, indicating ongoing optimization of the attack’s effectiveness.
This incident underscores the evolving tactics of cybercriminals who are now exploiting trusted AI platforms to host and disseminate malicious content. Users should exercise caution when interacting with shared content on AI platforms and remain vigilant against unsolicited instructions, especially those involving command execution. Organizations must also enhance their security measures to detect and mitigate such sophisticated social engineering attacks.
