Malicious Google Ad Targets macOS Users with Fake Claude Code Installer

A recent cybersecurity investigation has uncovered a sophisticated attack targeting macOS users through a deceptive Google advertisement. This campaign impersonates Anthropic’s Claude Code command-line interface (CLI) to distribute the ‘MacSync Stealer,’ a credential-harvesting malware that also compromises cryptocurrency wallets.

The attack begins when users search for ‘claude code mac install’ on Google. A sponsored ad appears at the top of the search results, titled ‘Install Claude macOS,’ which redirects to a fraudulent installation page hosted on Google Sites. This page closely mimics Anthropic’s official branding, featuring a fabricated download counter and a one-click copy button for a malicious terminal command.

Utilizing Google Sites allows the attackers to evade automated security scanners, because the platform renders its content with JavaScript. Automated tools that do not execute JavaScript see an empty page and mark the link as safe, while human visitors are presented with the full deceptive content. Additionally, the page includes a ‘New to Terminal?’ guide, which primes users to expect, and to enter, their administrative password during the installation process.

The attack unfolds in several stages:

  1. Sponsored Google Ad: A paid search result impersonates the Claude Code CLI for developer-related search terms.
  2. Fake Installation Page: A Google Sites page mimics Anthropic’s official site, hosting a pre-loaded terminal command.
  3. Terminal Command Execution: Users paste a Base64-encoded command into their terminal, initiating a multi-stage zsh dropper.
  4. Fake Password Prompt: A convincing System Preferences-style popup appears, prompting users to enter their Mac login password.
  5. Credential Harvesting: The malware uses the stolen password to unlock keychains, browsers, wallet extensions, and developer credentials.
  6. Ledger App Compromise: If a hardware wallet application is detected, its code is silently replaced to phish for the seed phrase upon the next launch.

Each stage depends on the one before it, forming a single chain of compromise. However, the attack can still be disrupted if the user reboots or closes their laptop before the later stages are executed.
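As an added defensive example (not from the investigation or this article), the following Python flags stage 3 of the chain in collected command-line telemetry: a Base64 literal that is decoded and handed straight to zsh, sh or bash, or evaluated with `eval`. The sample command lines and the Base64 literal are constructed; the detector is a heuristic over shell-history or EDR process records, not a verdict on the full dropper.

```python
import base64
import re
from typing import Dict, List, Optional

# A base64 decode invocation: macOS base64 historically takes -D/--decode,
# -d is accepted by GNU coreutils and newer macOS releases.
DECODE_RE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")
# Decoded output piped straight into an interpreter: "| zsh", "| sh", "| bash".
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:zsh|bash|sh)\b")
# Decoded output evaluated in the current shell: eval "$( ... )" / eval $( ... ).
EVAL_RE = re.compile(r"\beval\b.*\$\(")
# The base64 literal echoed into the decoder, so an analyst can see what it hides.
LITERAL_RE = re.compile(r"""echo\s+(?:-n\s+)?['"]?([A-Za-z0-9+/=]{8,})['"]?\s*\|\s*base64""")

# Constructed sample command lines, as an EDR or shell-history collector would
# report them (not from the article). The literal decodes to the harmless "echo hello".
SAMPLE_COMMANDS = [
    "brew install node",
    'echo "ZWNobyBoZWxsbw==" | base64 -d | zsh',
    "eval \"$(echo 'ZWNobyBoZWxsbw==' | base64 --decode)\"",
    "base64 -d payload.txt > notes.txt",  # decode to a file: benign on its own
    "git status",
]

def decode_literal(cmd: str) -> Optional[str]:
    """Return the decoded base64 literal from cmd, or None if absent or invalid."""
    m = LITERAL_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def classify(cmd: str) -> Dict[str, object]:
    """Flag a command line that decodes base64 and hands the result to a shell."""
    decoded = DECODE_RE.search(cmd)
    piped = bool(decoded and PIPE_TO_SHELL_RE.search(cmd[decoded.end():]))
    evaled = bool(decoded and EVAL_RE.search(cmd))
    reason = ("base64 decode piped to shell" if piped
              else "base64 decode inside eval" if evaled else "")
    return {"command": cmd, "suspicious": bool(reason), "reason": reason,
            "decoded_payload": decode_literal(cmd) if reason else None}

def scan(commands: List[str]) -> List[Dict[str, object]]:
    """Return only the suspicious records, in input order."""
    return [r for r in map(classify, commands) if r["suspicious"]]
```

Running `scan(SAMPLE_COMMANDS)` returns the two flagged lines with their decoded literal, while the plain decode-to-file and the package-manager commands pass untouched.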

This incident underscores the increasing sophistication of cyber threats targeting macOS users. The use of trusted platforms like Google Ads and Google Sites to distribute malware highlights the need for heightened vigilance. Users should exercise caution when installing software, especially when prompted to execute terminal commands or enter administrative credentials. Verifying the authenticity of download sources and being wary of unexpected password prompts are crucial steps in safeguarding against such attacks.